Issue
I inherited an reverse proxy setup that is part of an Apache SSL termination EC2 instance stack (with ALBs and DNS). The Apache server and its configurations are baked from rpm spec files that are built into RPMs that are deployed on the server during its creation or update. I currently have a mapping that routes requests to a domain name or hostname to a private (not on public internet) backend API. I have static assets in S3 that consume this API and my requirement is to also configure routing from a user friendly domain name to this S3 bucket, then, hopefully, make this backend S3 url private.
Swapping the API's backend url with the S3's url, I have been able to route from the public domain to the S3 bucket. However, I am not sure how I can have both routes in place with the same origin or domain name as I have to consume the API from the S3 bucket with certificate verification of the users accessing these resources.
This system is like a black box and I do not currently have access to the logs. In the code below, I have added the S3_URL and /visualizer/ mappings to the original API mapping. The API mapping is working but the S3_URL is not working when combined together.
#!/bin/bash
set -eu -o pipefail
API_URL=$(cat $1 | jq -r '.configuration.API_URL')
echo $API_URL
S3_URL=$(cat $1 | jq -r '.configuration.S3_URL')
echo $S3_URL
cat > /etc/httpd/conf.d/coy-httpd-includes/https_vhost/proxypass.inc <<EOF
ProxyRequests Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyMachineCertificateFile /etc/pki/tls/private/client_crt_rsa.pem
<Proxy *>
Require all granted
</Proxy>
ProxyPass / ${API_URL} retry=\${CLOUD_HTTPS_PROXY_RETRY} keepalive=\${CLOUD_HTTPS_PROXY_KEEPALIVE} nocanon
ProxyPassReverse / ${API_URL}
ProxyPass /visualizer/ ${S3_URL} retry=\${CLOUD_HTTPS_PROXY_RETRY} keepalive=\${CLOUD_HTTPS_PROXY_KEEPALIVE} nocanon
ProxyPassReverse /visualizer/ ${S3_URL}
EOF
cat > /etc/httpd/conf.d/coy-httpd-includes/http_vhost/elb_health_check_proxypass.inc <<'CONFIG'
RewriteEngine on
RewriteRule / /var/www/cgi-bin/status
<Directory /var/www/cgi-bin>
Options +ExecCGI
SetHandler cgi-script
</Directory>
CONFIG
Solution
After hours of searching the internet for a solution and learning a bit more about Apache and similar servers like Nginx, I was able to find a solution.
I added a Location directive that mapped a path on the public reverse proxy's hostname that triggered the proxying of the traffic to the static resources in the S3 buckets URL in the backend such that I can access https://app.test.api.coy.co.uk/visualizer/visualize-graph.html. It still raised another question of how to block directory browsing except for this particular html page.
This is what my apache config looks like after applying the solution:
#!/bin/bash
set -eu -o pipefail
API_URL=$(cat $1 | jq -r '.configuration.API_URL')
echo $API_URL
S3_URL=$(cat $1 | jq -r '.configuration.S3_URL')
echo $S3_URL
cat > /etc/httpd/conf.d/coy-httpd-includes/https_vhost/proxypass.inc <<EOF
ProxyRequests Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyMachineCertificateFile /etc/pki/tls/private/client_crt_rsa.pem
<Proxy *>
Require all granted
</Proxy>
ProxyPass / ${API_URL} retry=\${CLOUD_HTTPS_PROXY_RETRY} keepalive=\${CLOUD_HTTPS_PROXY_KEEPALIVE} nocanon
ProxyPassReverse / ${API_URL}
<Location /visualizer/ >
ProxyPreserveHost Off
ProxyPass ${S3_URL} retry=\${CLOUD_HTTPS_PROXY_RETRY} keepalive=\${CLOUD_HTTPS_PROXY_KEEPALIVE} nocanon
ProxyPassReverse ${S3_URL}
</Location>
EOF
cat > /etc/httpd/conf.d/coy-httpd-includes/http_vhost/elb_health_check_proxypass.inc <<'CONFIG'
RewriteEngine on
RewriteRule / /var/www/cgi-bin/status
<Directory /var/www/cgi-bin>
Options +ExecCGI
SetHandler cgi-script
</Directory>
CONFIG
These resources helped me in reaching my solution: Getting 404 for S3 static website JS behind Apache proxy, https://www.jamescoyle.net/how-to/116-simple-apache-reverse-proxy-example, and https://serverfault.com/questions/120488/redirect-url-within-apache-virtualhost
Answered By - sage Answer Checked By - Cary Denson (PHPFixing Admin)
Posts
0 Comments:
Post a Comment
Note: Only a member of this blog may post a comment.