We use Apache as a reverse proxy in front of an iPlanet webmail server. This allows us to provide a layer of "insulation" for additional security and to encrypt the webmail sessions.
When you're accessing the webmail server normally, you connect to the URL and it sends back a HTTP redirect with some session info. This redirect header looks something like:
When placed behind an SSL reverse proxy using the normal Apache proxy directives (ProxyPass and ProxyPassReverse) the proxy rewrites the first part of the URL but the rest doesn't match, like so:
One potential solution is to propogate the internal name externally, but this will still cause problems due to the mismatch between http: and https: in the URLs and the bulk of the session, including the logon, will not be encrypted.
Initially, I attempted to get the combination of mod_proxy and mod_rewite to do the job, but was unable to. Eventually I modified the ReverseProxy.pm module to do a global substitution on any Location headers.
The small rewrite patch for ReverseProxy.pm is available for download.
<Location /> SetHandler perl-script PerlHandler Apache::ReverseProxy PerlSetVar ReverseProxyConfig /usr/local/apache/conf/rproxy.conf # Optional configuration items: #PerlSetVar ReverseProxyChain http://proxy.mycompany.com:8888/ #PerlSetVar ReverseProxyNoChain mycompany.com PerlSetVar ReverseProxyRewriteRedirect "http://internal.my.com.au => https://external.my.com.au" </Location>The rproxy.conf file doesn't change from normal. For our example, it will look like:
# Redirect to internal server / http://internal.my.com.au/
This patch and document is Copyright 2001, Darren Tucker.
Permission is given to use, modify or redistribute this patch or document under the same terms as Perl itself.
This patch is based on ReverseProxy.pm by Clinton Wong.
It includes code and ideas from ProxyRewrite.pm by Christan Gilmore.
Page last modified: $Date: 2015/12/01 02:44:46 $