I am running into trouble using mod_rewrite and need help.
I have a reverse proxy in a DMZ which accepts requests from external clients asking for the subdomains sub1.example.com and sub2.example.com and forwards them (transparently) to a single machine within an internal corporate network, internal.example.com. Specifically:
(1) http://sub1.example.com → http://internal.example.com
(2) https://sub1.example.com → https://internal.example.com
(3) http://sub2.example.com → http://internal.example.com
(4) https://sub2.example.com → https://internal.example.com
While I do not have control over the proxy in the DMZ performing the redirections, I do have complete control of internal.example.com, which hosts Apache 2.2 and listens on 80 and 443 with mod_rewrite loaded.
I need to configure this Apache instance to perform a redirect of any of the four above subdomain addresses (sub1 or sub2 on either HTTP or HTTPS) to the fourth address, https://sub2.example.com (4). To achieve this, I currently use the following in httpd.conf:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://sub2.example.com/$1 [R=301,L]
This works in redirecting clients that request addresses (1) and (3) (i.e., the HTTP address of either subdomain) to the right target (4), but has no effect in rewriting access to address (2). To redirect (2) to (4), I've added the following into the VirtualHost element configuring the SSL environment:
RewriteEngine On
RewriteCond %{SERVER_NAME} =sub1.example.com
RewriteRule ^/?(.*) https://sub2.example.com/$1 [R=301,L]
This is now triggered if the client requested sub1.example.com via HTTPS (confirmed via mod_rewrite logging). However, while redirections now work correctly when testing from machines behind the DMZ (internal and on the same network as internal.example.com), they fail to work on any network external to it, where:
- The HTTP address for either subdomain (1 and 3) fails to load entirely
- The HTTPS address for either subdomain (2 and 4) produces an error in client browsers, which report that too many redirects have been performed.
Can anyone suggest where I've gone wrong, or perhaps a more appropriate configuration for my circumstances? Thanks in advance!
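A small redirect-chain tracer, added here as an example and not part of the question or either answer: it models the two RewriteRules above as a responder and follows Location headers the way a browser does, stopping on a final response, a repeated URL (a loop) or a hop limit, which is exactly the check to run when a browser reports "too many redirects". It assumes, for illustration only and not confirmed by the question, that the external path may differ in whether the backend sees %{HTTPS}=on (for instance a proxy that terminates TLS and forwards over plain HTTP); the hostnames and the `check_all` helper are constructed for the example.

```python
from urllib.parse import urlsplit

def backend_rules(url, https_visible):
    """Model of the two RewriteRules from the question, applied to one request.
    Returns the Location the backend would redirect to, or None for a final 200.
    https_visible: whether the backend sees %{HTTPS}=on for an https:// request.
    Assumption (not confirmed by the question): a proxy that terminates TLS and
    forwards over plain HTTP makes the backend see %{HTTPS}=off on every hop."""
    u = urlsplit(url)
    path = u.path.lstrip("/")          # the $1 captured by ^/?(.*)
    https_on = u.scheme == "https" and https_visible
    # httpd.conf: RewriteCond %{HTTPS} !=on -> https://sub2.example.com/$1
    if not https_on:
        return "https://sub2.example.com/" + path
    # SSL vhost: RewriteCond %{SERVER_NAME} =sub1.example.com -> sub2
    if u.hostname == "sub1.example.com":
        return "https://sub2.example.com/" + path
    return None

def follow_redirects(start, responder, max_hops=10):
    """Follow Location headers like a browser, stopping on a final response,
    a URL already visited (a loop) or the hop limit. Returns (chain, status)."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        nxt = responder(url)
        if nxt is None:
            return chain, "ok"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "too_many"

# The four addresses from the question (constructed sample input).
ADDRESSES = ["http://sub1.example.com/", "https://sub1.example.com/",
             "http://sub2.example.com/", "https://sub2.example.com/"]

def check_all(https_visible):
    """Trace each of the four addresses; returns {start_url: status}."""
    return {a: follow_redirects(a, lambda u: backend_rules(u, https_visible))[1]
            for a in ADDRESSES}

if __name__ == "__main__":
    for label, visible in (("direct (internal client)", True),
                           ("via TLS-terminating proxy", False)):
        print(label, check_all(visible))
```

When %{HTTPS} is visible every address converges on (4) within two hops; when it is not, the first rule fires on every request, so even https://sub2.example.com redirects to itself, which is the loop a browser reports.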
While I have not used my solution for problems exactly like yours, I suspect there is a simpler & cleaner way than using rewrites. (NOTE: The below assumes that internal DNS recognizes your one server as the IP to resolve all of the subdomains to. If this is not the case then this change should likely be made... I don't know what would happen if it did not, but I've also never set up a reverse proxy...)
Try the following:
- In httpd.conf, at the end, verify that the following line appears:
NameVirtualHost *:80
- Finally, add a VirtualHost for each* of the subdomains such as the following:
<VirtualHost *:80>
ServerName sub1.example.com
ServerAlias sub1
DocumentRoot "X:/path/to/website/for/internal.example.com"
</VirtualHost>
*IMPORTANT NOTE: you may be able to use only ONE virtual host entry. To do this try the following:
<VirtualHost *:80>
ServerName internal.example.com
ServerAlias sub1.example.com
ServerAlias sub2.example.com
ServerAlias sub3.example.com
DocumentRoot "X:/path/to/website/for/internal.example.com"
</VirtualHost>
VERY IMPORTANT NOTE: This may not work in quite the same way with SSL (port 443). I wouldn't know, as I have not yet done much with virtual hosts & SSL. In order to properly set up SSL using this method, read the following: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2 (summary: sometimes doing the above [that is, doing everything the same but with port 443 instead of 80] will work, but, depending on some factors, you may also just want to do a NameVirtualHost 192.168.1.1:443 and possibly other configuration changes as described in the article).
Hope this helps!
The problem is that the redirection triggers a new request from the client browser. So it asks for sub2.example.com and the DMZ reverse proxy does not understand that.
Maybe it could work with no [R=...], but I'm not even sure of that, since it may still trigger a request. And of course, it's no longer a redirection.
Since the reverse proxy is your front interface, you need it to understand sub2.xxx or it won't work.