Solved

Appache Reverse Proxy 404 Errors

Posted on 2011-02-22
8
690 Views
Last Modified: 2012-05-11
We are trying to get the reverse functionality of an apache proxy working on a windows server.  I can reverese proxy to the actuall apache box w/o issue.  However, we are trying to refer to an internal web server.  What happens is that the request seems to hit the internal server (the address bar in the browser changes adding a directory and file to the back of the URL, as it would if you were inside the network).  However, the page returned is a 404 (browser 404 page).  If we look at the access logs it shows the get requrest and the back part of the URL but not the host/domain name.  When we look at the error log, it shows an error trying to retrieve the the file, showing the place it is trying to get the file is from the root of the proxy not the internal server.  Wondering if someone could help.

Sample from Access Log:
x.x.x.x - - [22/Feb/2011:14:25:09 -0700] "GET /Client/ HTTP/1.1" 304 -
x.x.x.x - - [22/Feb/2011:14:25:09 -0700] "GET /login/page HTTP/1.1" 403 215
x.x.x.x - - [22/Feb/2011:14:26:38 -0700] "GET /login/page HTTP/1.1" 404 211

Sample from Error Log:
[Tue Feb 22 14:26:38 2011] [client x.x.x.x] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/login

Most Relevant Part of httpd.conf
ProxyRequests off
ProxyPass /Client/ http://ServerInternal/Client/
ProxyPassReverse /Client/ http://ServerInternal/Client/

Thank You.
0
Comment
Question by:jtmoske
  • 4
  • 4
8 Comments
 
LVL 27

Expert Comment

by:BigRat
ID: 34960783
>>x.x.x.x - - [22/Feb/2011:14:25:09 -0700] "GET /login/page HTTP/1.1" 403 215

Comes from the client (browser) and gets lost because it does not start with /Client

The proxypass directive assumes that all URLs starting /client are to be passed forward as /Client to ServerInternal using the http protocol. Whereas

x.x.x.x - - [22/Feb/2011:14:25:09 -0700] "GET /Client/ HTTP/1.1" 304

had the right URL prefix and returned a Not Modified.
0
 

Author Comment

by:jtmoske
ID: 34960933
Thank you BigRat.  Little more help for my understanding.  
When the url is passed to the internal server as is th case in the first line of the sample access log.
The internal server "changes" the page and sends back the /login/page to the origiating browser.  The two get requests in the sample config are not requests that are not typed in the origionating browser by a user they are returned to the browser from the internal server then perhaps requesting again and faling due to the lack of the /client/?
Thanks.
0
 

Author Comment

by:jtmoske
ID: 34960976
Also,
Is there a way document root change or some url rewrite would help?
Thanks.
0
 
LVL 27

Expert Comment

by:BigRat
ID: 34961079
>>The internal server "changes" the page and sends back the /login/page to the origiating browser.  

The proxy Server (in this case Apache) changes the incomming URL and passes it onwards to the other (in this case internal) server. This then replies with some data, which is passed back by Apache to the browser.

The proxy pass reverse directive is there for when the internal server does a redirect. A redirect can lave a location field and this would naturally contain an internal name or address. The reverse changes this to the (in this case Apache) proxy server.

The proxy directive / would pass ALL URLs unchanged to the internal server. This can be dangerous, as all URLs might not be secure. So one uses a portion of the URL, eg: /client. Ideally the external URL should NOT differ from the internal URL. The reason is links in the HTML page can be relative (thats OK) or absolute (that causes problems).

The browser should see no change in the URL, nor should the URL actually change. The proxying should be transparent. The internal server's name and I/P address should be unknown from the outside - that's the point about proxying.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 27

Expert Comment

by:BigRat
ID: 34961118
>>Is there a way document root change or some url rewrite would help

It seems to me that the /Client condition is inappropiate. can you explain just exactly what you are doing?
0
 

Author Comment

by:jtmoske
ID: 34961170
Sure,
We are setting up a reverse proxy to allow access to an internal server running a web based application (a shoretel web client).  The /client is the parameter that they say is required in their documentation for proxypass and proxypassreverse.  I am going to run a test to an internal site that is a static web page to confirm the simplest setup is working.
Thanks.
0
 
LVL 27

Accepted Solution

by:
BigRat earned 250 total points
ID: 34961237
>>The /client is the parameter that they say is required in their documentation for proxypass and proxypassreverse

The way you have configured it, all URLs MUST start with /Client. I suspect that all incomming URLs must be EXTENDED with /Client which would mean :-

ProxyPass    /    http://ServerInternal/Client/
0
 

Author Comment

by:jtmoske
ID: 34961247
I will test that and follow up.
Thank you.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now