I have a public Apache server which needs to proxy to an internal Apache server (for SVN access). What I’d like to have is:
User ---[HTTPS]---> Web Server ---[HTTP]---> SVN Server
I’m not too familiar with SSL handling, so I’d like some opinions on this approach. Is this an ok model; should I be using SSL everywhere, etc.
My approach works for the most part, but fails when rewriting redirects back to HTTPS. If a user goes to
https://acme.web.mcx/svn (no trailing '/')
they are redirected by the SVN server to
http://acme.web.mcx/svn/ (almost there!)
Here’s my config for the Web Server (Proxying server):
<VirtualHost *:443>
ServerAdmin me@admin.com
ServerAlias *.web.mcx www.web.mcx web.mcx
DocumentRoot /server/web/app/webroot
ErrorLog logs/web-error_log
CustomLog logs/web-access_log common
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.web\.mcx$ [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?([^.]+)\.web\.mcx$ [NC]
RewriteRule ^/svn(.*) http://db.mcx/svn$1 [P]
ProxyPassReverse /svn http://db.mcx/svn
ProxyPreserveHost on
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyVia On
<Location /svn/>
<Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
Order Deny,Allow
Allow from all
Satisfy Any
</Limit>
</Location>
I keep answering my own questions 🙂
Here’s my ‘works until it breaks’ solution: I changed my VirtualHost setting to always redirect http:// requests for /svn* to https. The client will be redirected twice sometimes (if they don’t use the trailing slash), but that’s ok with me. Redirect one: SVN server redirects client to the proper path with a slash (although forgets about https), redirect two: Web server redirects client back to https.