Apache proxy: Why is one vhost returning Forbidden while the other one works?

Posted by Stefan Majewsky on Super User
Published on 2014-06-04T09:18:09Z

I have a Java application that needs to talk to another intranet website using HTTPS in both directions. After fighting with Java's SSL implementations for some time, I gave up on that, and have now set up an Apache that's supposed to act as a bidirectional reverse proxy:

external app ---(HTTPS request)---> Apache ---(local HTTP request)---> Java app

This direction works just fine; however, the other direction does not:

Java app ---(local HTTP request)---> Apache ---(HTTPS request)---> external app

This is the configuration for the vhost implementing the second proxy:

Listen 127.0.0.1:8081

<VirtualHost appgateway:8081>
   ServerName appgateway.local

   SSLProxyEngine on
   ProxyPass        / https://externalapp.corp:443/
   ProxyPassReverse / https://externalapp.corp:443/
   ProxyRequests Off
   AllowEncodedSlashes On

   # we do not need to apply any more restrictions here, because we listened on
   # local connections only in the first place (see the Listen directive above)
   <Proxy https://externalapp.corp:443/*>
      Order deny,allow
      Allow from all
   </Proxy>
</VirtualHost>

A curl http://127.0.0.1:8081/ should serve the equivalent of https://externalapp.corp, but instead results in 403 Forbidden, with the following message in the Apache error log:

[Wed Jun 04 08:57:19 2014] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /srv/www/htdocs/

This message completely puzzles me: Yes, I have not set up any permissions on the DocumentRoot of this vhost, but everything works fine for the other proxy direction where I haven't. For reference, here's the other vhost:

Listen this_vm_hostname:443

<VirtualHost javaapp:443>
   ServerName javaapp.corp

   SSLEngine on
   SSLProxyEngine on
   # not shown: SSLCipherSuite, SSLCertificateFile, SSLCertificateKeyFile
   SSLOptions +StdEnvVars

   ProxyPass        / http://localhost:8080/
   ProxyPassReverse / http://localhost:8080/
   ProxyRequests Off
   AllowEncodedSlashes On

   # Local reverse proxy authorization override
   <Proxy http://localhost:8080/*>
      Order deny,allow
      Allow from all
   </Proxy>
</VirtualHost>
