Apache proxy: Why is one vhost returning Forbidden while the other one works?
Posted
by
Stefan Majewsky
on Super User
See other posts from Super User
or by Stefan Majewsky
Published on 2014-06-04T09:18:09Z
Indexed on
2014/06/04
9:28 UTC
Read the original article
Hit count: 258
I have a Java application that needs to talk to another intranet website using HTTPS in both directions. After fighting with Java's SSL implementations for some time, I gave up on that, and have now set up an Apache that's supposed to act as a bidirectional reverse proxy:
external app ---(HTTPS request)---> Apache ---(local HTTP request)---> Java app
This direction works just fine, however the other direction does not:
Java app ---(local HTTP request)---> Apache ---(HTTPS request)---> external app
This is the configuration for the vhost implementing the second proxy:
Listen 127.0.0.1:8081
<VirtualHost appgateway:8081>
ServerName appgateway.local
SSLProxyEngine on
ProxyPass / https://externalapp.corp:443/
ProxyPassReverse / https://externalapp.corp:443/
ProxyRequests Off
AllowEncodedSlashes On
# we do not need to apply any more restrictions here, because we listened on
# local connections only in the first place (see the Listen directive above)
<Proxy https://externalapp.corp:443/*>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
A curl http://127.0.0.1:8081/
should serve the equivalent of https://externalapp.corp
, but instead results in 403 Forbidden
, with the following message in the Apache error log:
[Wed Jun 04 08:57:19 2014] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /srv/www/htdocs/
This message completely puzzles me: Yes, I have not set up any permissions on the DocumentRoot of this vhost, but everything works fine for the other proxy direction where I haven't. For reference, here's the other vhost:
Listen this_vm_hostname:443
<VirtualHost javaapp:443>
ServerName javaapp.corp
SSLEngine on
SSLProxyEngine on
# not shown: SSLCipherSuite, SSLCertificateFile, SSLCertificateKeyFile
SSLOptions +StdEnvVars
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyRequests Off
AllowEncodedSlashes On
# Local reverse proxy authorization override
<Proxy http://localhost:8080/*>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
© Super User or respective owner