There is a task to proxy the connection from http://centerix.ru/wiki/ to http://wiki.centerix.ru/. Apache runs on centerix.ru, StormServer is on the second.

The task was solved with the Apache settings ProxyRequests On and ProxyPass /wiki/ http://wiki.centerix.ru/wiki/.

But another problem arose: Apache sends X-Forwarded-For: 1.2.3.4, X-Forwarded-Host: centerix.ru, X-Forwarded-Server: centerix.ru to the storm. How is the test implemented, after which these headers can be trusted? How to configure Apache if proxying will go in the opposite direction?

It also raises the issue of data security. If we assume that both are Apache servers, is it possible to create self-signed SSL certificates for them, and how, so that all communication between the servers goes over HTTPS?

In principle, I need to understand what options Apache is configured with, after which I can implement similar options on my server.

  • Requesting proxying and issuing a redirect to the client is not suitable? - aleksandr barakin
  • Redirect requires a free port of 80, it is quite expensive. - mikelsv
  • I did not understand your answer, so I assume that you did not understand my question. I suggest, when accessing http://centerix.ru/wiki/somepage return the 302nd code and address http://wiki.centerix.ru/wiki/somepage to the client, which he should address. - aleksandr barakin
  • I understood the question. If I need to free up port 80 on wiki.centerix.ru, and I will launch a server, for example, on port 8080. Then you suggest redirecting users to wiki.cenix.ru:8080/wiki/somepage ? This is a rather clumsy decision. And I would like the user to see the site as something integral, even if he has every directory processed by his server. - mikelsv

3 answers

As a result of viewing the author's answers to the leading questions, it turned out that, apparently, a reference to the apache documentation is required.

In particular, the allow and deny directives (in apache versions < 2.4) and the require directive replacing them (in apache versions >= 2.4).

note: although it is possible to use allow/deny in newer versions, it is important not to mix these directives with newer require in one section.


clarification-addition about proxying:

apache 2.2 Controlling access to your proxy

apache 2.4 Controlling access to your proxy

    Usually, when reverse proxying, it is assumed that no one else can reach the backend, and therefore it can trust the headers passed to it. In your case, as I understand it, both servers are visible from the outside.

    You can look at the client's address - and trust the headers only if it is the address of the first server. There is no need to fear address substitution here - simply because if an attacker can change the address of the sender of the packet, then he no longer needs to replace the headers.

    But why do you need proxying at all? Two different addresses on the same page is bad. Put a redirect.

    • Yes, both servers are visible from the outside, so it is more convenient for testing and debugging. Also, I can not put them on the same machine, as they are running under different operating systems. Proxy is required to freely change the address and port of the second server. I am working on this technology and I need to be able to work with it. - mikelsv

    If the second server needs to be open to the world only when debugging, it makes sense to:

    1. Move the server to a non-standard port;
    2. Put a robots.txt file in the root, which prohibits indexing of all pages in order to protect against searching for the secret server through your browser (this will have no effect on the main server, because it will not be in the root);
    3. Configure the network infrastructure so that turning external access to the server on and off is fairly easy.
    • About disclosing garbage, we need options for Apache, which block access for all ip addresses except the server address. I know the theory, I need practical knowledge, namely: how to implement it on the Apache. - mikelsv
    • Wait, you need to put this restriction on the side of the self-written server, not Apache ... - Pavel Mayorov
    • In any case, if you need to close the entire web server, you can close it with the system firewall. - Pavel Mayorov
    • I want to see how it is implemented in the Apache, and most likely to do the same, so that at least at the initial stage does not make a mess. The windows firewall is ridiculous, of course. - mikelsv
    • Nothing funny, it exists and works. - Pavel Mayorov
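
The address check described in the answer above ("trust the headers only if it is the address of the first server"), written out for a self-written backend. This is an added example, not code from the thread: the proxy address 203.0.113.10 is a placeholder, and the function names and the header dictionary interface are hypothetical.

```python
import ipaddress

# Assumption: the address Apache on centerix.ru connects from. 203.0.113.10 is
# a documentation-range placeholder, not a value from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]


def is_trusted(addr):
    """True only for a syntactically valid address inside TRUSTED_PROXIES."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client(peer_addr, headers):
    """Decide which client address and host the backend should act on.

    peer_addr is the TCP source address of the connection; headers is a dict
    keyed by canonical header names (hypothetical interface for this example).
    """
    host = headers.get("Host", "")
    if not is_trusted(peer_addr):
        # Direct connection: any X-Forwarded-* header was written by the
        # client itself, so it is ignored.
        return {"client": peer_addr, "host": host, "via_proxy": False}
    # mod_proxy appends the address it saw to whatever X-Forwarded-For the
    # client sent, so walk from the right and stop at the first untrusted hop.
    client = peer_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that validated
        client = hop
        if not is_trusted(hop):
            break
    # Use the last X-Forwarded-Host value, the one added by the trusted proxy.
    fwd_host = headers.get("X-Forwarded-Host", "").split(",")[-1].strip()
    return {"client": client, "host": fwd_host or host, "via_proxy": True}


if __name__ == "__main__":
    # Constructed requests: one relayed by the proxy, one sent directly.
    fwd = {"Host": "wiki.centerix.ru", "X-Forwarded-For": "1.2.3.4",
           "X-Forwarded-Host": "centerix.ru"}
    print(effective_client("203.0.113.10", fwd))
    print(effective_client("198.51.100.7", fwd))
```

The second call shows the case the answer is concerned with: the same headers arriving from any address other than the proxy are ignored, and the connection's own source address is used.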