Hi there,
most combinations of directives ProxyRemote and NoProxy seem not to work
correctly in my setup. As I couldn't find anything meaningful on the
Internet, I'm asking this list.
My setup is as follows: (quite complex but typical)
Ubuntu Server 22.04 LTS
Apache httpd 2.4.52 (not the latest but didn't find a bug/fix in recent
change logs)
Apache httpd is (among other things) also used as a proxy for requests
to the Internet (to make some external sites appear to be served from
our application's host to work around some XSS/CORS issues). This is
done with some simple RewriteRules, e.g.
RewriteRule "/proxy/external/foo/0815/" "https://foo.com/svc/0815/" [P]
The server is running in intranet 10.0.0.0. All requests to the Internet
have to go through the company's proxy server 10.5.10.20:8080.
Additionally, the httpd must also proxy a local/intranet service that is
running on host 10.5.20.100. Requests to this host MUST NOT go through
the company's proxy, which ONLY serves external/Internet sites.
Important(?) side note: through DNS the server can only resolve
local/intranet names and addresses. The DNS refuses to resolve
external/Internet names and addresses.
According to the docs, configuring ProxyRemote and NoProxy should be
quite simple:
# All requests go through the company's proxy
ProxyRemote "*" "http://10.5.10.20:8080"
# Direct requests to all intranet hosts
NoProxy ".mycompany.local" "10.0.0.0/8"
This configuration works for both Apache Tomcat as well as for e.g. curl
and wget (through http(s)_proxy and no_proxy environment variables).
However, this does not work with Apache httpd. It either doesn't use the
remote proxy at all or sends all requests to the remote proxy.
It seems like NoProxy doesn't work exactly as described in the docs.
If I add the local domain ".mycompany.local" and/or the whole local
subnet "10.0.0.0/8" to NoProxy, the remote proxy is actually never used.
Logs show that in this case Apache httpd tries to directly connect to
the external URL and gives up after a certain time and responds with a
503 Service Unavailable status.
Why is the remote proxy not used here? Is it, because the remote proxy
is located in the same domain and subnet 10.0.0.0/8?
The remote proxy isn't used when I set NoProxy to just "10.5.0.0/16".
One (weird) explanation is that the remote proxy is in the 10.5.0.0
subnet as well. However, typically, the decision of when to use the
remote proxy should not depend on the remote proxy's address (but only on
the requested address).
When leaving NoProxy empty, the remote proxy is used and proxying
external services works properly.
There's still the intranet service on host 10.5.20.100 to be reverse
proxied as well. I must at least exclude requests to this host from
being sent to the remote proxy. Setting
NoProxy "10.5.20.0/24" (or "10.5.20", "10.5.20.0")
seems to be ignored by httpd, so all requests, including those to
10.5.20.100, are still sent to the remote proxy.
Setting NoProxy to the IP address of the internal service
("10.5.20.100") or to its hostname ("myintlservice.mycompany.local") is
also ignored. All requests still get forwarded to the remote proxy.
Even with LogLevel proxy:trace5 there are no lines logged that say
anything about the decision of using the configured remote proxy or not.
So, I was left to trial and error (for several days).
The documentation is quite clear about NoProxy. However, from my point
of view the NoProxy feature seems not to work properly at all.
Am I missing something? Since my C/C++ skills are just below
intermediate (and httpd source code is quite "compact"), I'm not able to
help myself by reading the sources or even to spot any bugs there (if any).
My current workaround is to use ProxyRemoteMatch with an expression that
does NOT match any intranet sites:
ProxyRemoteMatch "^https?://(?!(.*\.)?mycompany\.local\b)" "http://10.5.20.1:8080"
This regular expression is quite "expensive" since it uses a negative
lookahead so, this solution is sub-optimal.
Carsten
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
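The post turns on which NoProxy entry, if any, matches a given request host, and httpd's trace logging did not show that decision. The following is an added example, not httpd's code and not something from the original message: a small Python model of the NoProxy matching rules as the mod_proxy documentation describes them (Domain, SubNet, IPAddr, Hostname), with a `route()` helper that reports which entry caused a request to go direct instead of to the ProxyRemote target. It deliberately does no DNS lookups (httpd's own matcher can resolve names before comparing with IP entries), so a hostname only matches a SubNet/IPAddr entry here when the URL carries the IP literal. The implied-mask rule for entries without a slash (trailing zero octets treated as unspecified, so "10.5.20.0" means /24 and "10.5.20.100" means /32) is an assumption modelled on the docs' "192.168" / "192.168.0.0" example. Getting this decision wrong in either direction is a security problem: intranet requests leak to the egress proxy, or external requests bypass it.

```python
"""Model of mod_proxy's documented NoProxy matching (added example, not httpd code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union
from urllib.parse import urlsplit


@dataclass(frozen=True)
class NoProxyEntry:
    kind: str                                  # "domain", "subnet", "ipaddr" or "hostname"
    value: Union[str, ipaddress.IPv4Network]   # normalised form used for matching
    text: str                                  # the entry as written in the directive


def _ipv4_entry(text: str) -> Optional[ipaddress.IPv4Network]:
    """Parse a SubNet/IPAddr entry such as '10.5.20', '10.0.0.0/8' or
    '10.5.20.100'. Returns None when the entry is not numeric."""
    base, _, bits = text.partition("/")
    octets = base.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    if bits:
        if not bits.isdigit() or int(bits) > 32:
            return None
        prefix = int(bits)
    else:
        # Assumption (see lead-in): without an explicit mask, trailing zero
        # octets are unspecified, so '10.5.20' and '10.5.20.0' both mean /24
        # while a full non-zero quad is a single address (/32).
        significant = list(octets)
        while len(significant) > 1 and significant[-1] == "0":
            significant.pop()
        prefix = 8 * len(significant)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{prefix}", strict=False)


def parse_noproxy(entries: List[str]) -> List[NoProxyEntry]:
    """Classify each NoProxy argument the way the documentation describes."""
    parsed = []
    for raw in entries:
        text = raw.strip().strip('"')
        if text.startswith("."):                       # Domain: suffix match
            parsed.append(NoProxyEntry("domain", text.lower(), raw))
            continue
        net = _ipv4_entry(text)
        if net is not None:                            # SubNet or IPAddr
            kind = "ipaddr" if net.prefixlen == 32 else "subnet"
            parsed.append(NoProxyEntry(kind, net, raw))
        else:                                          # Hostname: exact match
            parsed.append(NoProxyEntry("hostname", text.lower().rstrip("."), raw))
    return parsed


def _request_host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _matches(entry: NoProxyEntry, host: str) -> bool:
    if entry.kind == "domain":
        return host.endswith(entry.value)
    if entry.kind == "hostname":
        return host == entry.value
    # subnet / ipaddr: this model does no DNS, so only an IP-literal host can match
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return addr in entry.value


def route(url: str, noproxy: List[NoProxyEntry], remote: str) -> Tuple[str, Optional[NoProxyEntry]]:
    """Return ("DIRECT", matching_entry) when a NoProxy entry matches the
    request host, otherwise (remote, None)."""
    host = _request_host(url)
    for entry in noproxy:
        if _matches(entry, host):
            return "DIRECT", entry
    return remote, None


def goes_direct(url: str, noproxy: List[NoProxyEntry]) -> bool:
    return route(url, noproxy, "remote")[0] == "DIRECT"


if __name__ == "__main__":
    # The configuration and hosts from the post (constructed sample input).
    remote = "http://10.5.10.20:8080"
    noproxy = parse_noproxy(['".mycompany.local"', '"10.0.0.0/8"'])
    for url in ("https://foo.com/svc/0815/",
                "http://10.5.20.100/",
                "http://myintlservice.mycompany.local/"):
        target, hit = route(url, noproxy, remote)
        print(f"{url:45} -> {target}" + (f"  (NoProxy {hit.text})" if hit else ""))
```

Running the script prints one line per URL with the chosen target and the NoProxy entry responsible, which is the per-request decision the post could not get out of `LogLevel proxy:trace5`. Comparing its verdicts with what httpd actually does for the same configuration narrows the problem down to either the entry classification or name resolution.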