Apache fails to get remote host name
I have...
<VirtualHost example.com:80>
    ServerAdmin webmaster@localhost
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
which immediately goes to...
<IfModule mod_ssl.c>
    <VirtualHost example.com:443>
        ServerAdmin webmaster@localhost
        ServerName example.com
        ServerAlias example.com
        DocumentRoot /home/klyde/ror/exampledev/public
        SSLCertificateFile /etc/apache2/ssl/certs/123abc.crt
        SSLCertificateChainFile /etc/apache2/ssl/certs/gd_bundle-g2-g1.crt
        SSLCertificateKeyFile /etc/apache2/ssl/private/examplekey.key
        BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLEngine on
        SSLProxyEngine On
        ProxyRequests On
        <Proxy *>
            AddDefaultCharset off
            #Options Indexes FollowSymLinks
            AllowOverride none
            <RequireAny>
                #<RequireAll>
                # Require all granted
                #</RequireAll>
                <RequireAll>
                    Require host example.com
                </RequireAll>
                <RequireAll>
                    Require local
                    # Require ip 127.0.0.1
                </RequireAll>
            </RequireAny>
        </Proxy>
        ProxyPassReverseCookiePath / /
        ProxyPass /errors/ !
        ProxyPass /websockets ws://127.0.0.1:8675/
        ProxyPassReverse /websockets ws://127.0.0.1:8675/
        ProxyPass / ajp://localhost:8009/
        ProxyPassReverse / ajp://localhost:8009/
    </VirtualHost>
</IfModule>
When I enable...
Require all granted
all works ok. But the site is overrun by phishing. I would like...
Require host example.com
But this results in a log error...
access check of 'example.com' to / failed, reason: unable to get the remote host name
This configuration I've chosen because I want to stop SSL in Apache and ajp to Torquebox. This works fine, except when attempting to secure the site. Of course, Apache with Torquebox may not be entirely desirable, advisable, etc. Suggestions to the contrary are welcome.
Main question - Why the 'remote host name' error. Any ideas?
Solution 1:
Determining the remote host by name only works if the remote IP address has a PTR record. Not all IP addresses do. If you can, use IP addresses in the Require statement.
You can also use basic auth (preferably over https) to restrict access.
You should not need to define a proxy if all you want is proxypass functionality.
If you need to proxy, try restricting your proxy to your domain.
<Proxy http://www.example.com/*>
....
</Proxy>
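
The lookup that `Require host` depends on, as an added example (not code from the question or the answer): Apache documents this check as a double-reverse DNS lookup (PTR for the client IP, then a forward lookup that must return the same IP) followed by a whole-component suffix match. The function names are hypothetical, the sample records are constructed from documentation address ranges, and the model is a simplification of Apache's behaviour.

```python
import socket

def ptr_lookup(ip):
    """Reverse (PTR) lookup; returns a hostname, or None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(name):
    """Forward (A/AAAA) lookup; returns the set of addresses for a name."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def require_host(client_ip, allowed, ptr=ptr_lookup, fwd=forward_lookup):
    """Return (granted, reason) for a 'Require host <allowed>' style check."""
    name = ptr(client_ip)
    if name is None:
        return False, "unable to get the remote host name (no PTR record)"
    if client_ip not in fwd(name):
        # The PTR exists but is not confirmed by the forward lookup.
        return False, "unable to get the remote host name (forward lookup mismatch)"
    name, allowed = name.lower().rstrip("."), allowed.lower().lstrip(".")
    # Whole-component match: foo.example.com matches, fooexample.com does not.
    if name == allowed or name.endswith("." + allowed):
        return True, "hostname %s matches" % name
    return False, "hostname %s does not match" % name

# Constructed sample records so the demo runs offline.
SAMPLE_PTR = {"192.0.2.10": "www.example.com",
              "198.51.100.7": "host.isp.example.net",
              "203.0.113.9": "www.example.com"}  # PTR not forward-confirmed
SAMPLE_A = {"www.example.com": {"192.0.2.10"},
            "host.isp.example.net": {"198.51.100.7"}}

def demo():
    """Evaluate four constructed clients against 'Require host example.com'."""
    clients = ("192.0.2.10", "198.51.100.7", "203.0.113.9", "192.0.2.200")
    return {ip: require_host(ip, "example.com", SAMPLE_PTR.get,
                             lambda n: SAMPLE_A.get(n, set()))
            for ip in clients}

if __name__ == "__main__":
    for ip, (granted, reason) in demo().items():
        print(ip, "granted" if granted else "denied", "-", reason)
```

Calling `require_host(ip, "example.com")` without the last two arguments uses the system resolver, which shows how a real client address would fare under this check.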