Solved

Appache Reverse Proxy 404 Errors

Posted on 2011-02-22
8
695 Views
Last Modified: 2012-05-11
We are trying to get the reverse functionality of an apache proxy working on a windows server.  I can reverese proxy to the actuall apache box w/o issue.  However, we are trying to refer to an internal web server.  What happens is that the request seems to hit the internal server (the address bar in the browser changes adding a directory and file to the back of the URL, as it would if you were inside the network).  However, the page returned is a 404 (browser 404 page).  If we look at the access logs it shows the get requrest and the back part of the URL but not the host/domain name.  When we look at the error log, it shows an error trying to retrieve the the file, showing the place it is trying to get the file is from the root of the proxy not the internal server.  Wondering if someone could help.

Sample from Access Log:
x.x.x.x - - [22/Feb/2011:14:25:09 -0700] "GET /Client/ HTTP/1.1" 304 -
x.x.x.x - - [22/Feb/2011:14:25:09 -0700] "GET /login/page HTTP/1.1" 403 215
x.x.x.x - - [22/Feb/2011:14:26:38 -0700] "GET /login/page HTTP/1.1" 404 211

Sample from Error Log:
[Tue Feb 22 14:26:38 2011] [client x.x.x.x] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/login

Most Relevant Part of httpd.conf
ProxyRequests off
ProxyPass /Client/ http://ServerInternal/Client/
ProxyPassReverse /Client/ http://ServerInternal/Client/

Thank You.
0
Comment
Question by:jtmoske
  • 4
  • 4
8 Comments
 
LVL 27

Expert Comment

by:BigRat
ID: 34960783
>>x.x.x.x - - [22/Feb/2011:14:25:09 -0700] "GET /login/page HTTP/1.1" 403 215

Comes from the client (browser) and gets lost because it does not start with /Client

The proxypass directive assumes that all URLs starting /client are to be passed forward as /Client to ServerInternal using the http protocol. Whereas

x.x.x.x - - [22/Feb/2011:14:25:09 -0700] "GET /Client/ HTTP/1.1" 304

had the right URL prefix and returned a Not Modified.
0
 

Author Comment

by:jtmoske
ID: 34960933
Thank you BigRat.  Little more help for my understanding.  
When the url is passed to the internal server as is th case in the first line of the sample access log.
The internal server "changes" the page and sends back the /login/page to the origiating browser.  The two get requests in the sample config are not requests that are not typed in the origionating browser by a user they are returned to the browser from the internal server then perhaps requesting again and faling due to the lack of the /client/?
Thanks.
0
 

Author Comment

by:jtmoske
ID: 34960976
Also,
Is there a way document root change or some url rewrite would help?
Thanks.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 27

Expert Comment

by:BigRat
ID: 34961079
>>The internal server "changes" the page and sends back the /login/page to the origiating browser.  

The proxy Server (in this case Apache) changes the incomming URL and passes it onwards to the other (in this case internal) server. This then replies with some data, which is passed back by Apache to the browser.

The proxy pass reverse directive is there for when the internal server does a redirect. A redirect can lave a location field and this would naturally contain an internal name or address. The reverse changes this to the (in this case Apache) proxy server.

The proxy directive / would pass ALL URLs unchanged to the internal server. This can be dangerous, as all URLs might not be secure. So one uses a portion of the URL, eg: /client. Ideally the external URL should NOT differ from the internal URL. The reason is links in the HTML page can be relative (thats OK) or absolute (that causes problems).

The browser should see no change in the URL, nor should the URL actually change. The proxying should be transparent. The internal server's name and I/P address should be unknown from the outside - that's the point about proxying.
0
 
LVL 27

Expert Comment

by:BigRat
ID: 34961118
>>Is there a way document root change or some url rewrite would help

It seems to me that the /Client condition is inappropiate. can you explain just exactly what you are doing?
0
 

Author Comment

by:jtmoske
ID: 34961170
Sure,
We are setting up a reverse proxy to allow access to an internal server running a web based application (a shoretel web client).  The /client is the parameter that they say is required in their documentation for proxypass and proxypassreverse.  I am going to run a test to an internal site that is a static web page to confirm the simplest setup is working.
Thanks.
0
 
LVL 27

Accepted Solution

by:
BigRat earned 250 total points
ID: 34961237
>>The /client is the parameter that they say is required in their documentation for proxypass and proxypassreverse

The way you have configured it, all URLs MUST start with /Client. I suspect that all incomming URLs must be EXTENDED with /Client which would mean :-

ProxyPass    /    http://ServerInternal/Client/
0
 

Author Comment

by:jtmoske
ID: 34961247
I will test that and follow up.
Thank you.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question