Patch for ReverseProxy.pm for rewriting HTTP redirects

Download

Download the patch to ReverseProxy.pm

Background

We use Apache as a reverse proxy in front of an iPlanet webmail server. This allows us to provide a layer of "insulation" for additional security and to encrypt the webmail sessions.

When you're accessing the webmail server normally, you connect to the URL and it sends back a HTTP redirect with some session info. This redirect header looks something like:

Location: http://internal.my.com.au/whatever?host=http://internal.my.com.au

The "host=" is used by the Webmail Javascript interface.

When placed behind an SSL reverse proxy using the normal Apache proxy directives (ProxyPass and ProxyPassReverse) the proxy rewrites the first part of the URL but the rest doesn't match, like so:

Location: https://external.my.com.au/whatever?host=http://internal.my.com.au

One potential solution is to propogate the internal name externally, but this will still cause problems due to the mismatch between http: and https: in the URLs and the bulk of the session, including the logon, will not be encrypted.

Solution

Initially, I attempted to get the combination of mod_proxy and mod_rewite to do the job, but was unable to. Eventually I modified the ReverseProxy.pm module to do a global substitution on any Location headers.

The small rewrite patch for ReverseProxy.pm is available for download.

Configuration

Add a PerlHandler directive to your Apache httpd.conf. The additional configuration is done via the Perl variable ReverseProxyRewriteRedirect which can contain zero or more substitutions. The patch is (well, should be :-) benign if this variable is not set. The section from the Apache httpd.conf will look like: 
<Location />
  SetHandler perl-script
  PerlHandler Apache::ReverseProxy
  PerlSetVar ReverseProxyConfig /usr/local/apache/conf/rproxy.conf


  # Optional configuration items:
  #PerlSetVar ReverseProxyChain http://proxy.mycompany.com:8888/
  #PerlSetVar ReverseProxyNoChain mycompany.com
  PerlSetVar ReverseProxyRewriteRedirect "http://internal.my.com.au => https://external.my.com.au"
</Location>
The rproxy.conf file doesn't change from normal. For our example, it will look like: 
# Redirect to internal server
/ http://internal.my.com.au/

Copyright

This patch and document is Copyright 2001, Darren Tucker.

Permission is given to use, modify or redistribute this patch or document under the same terms as Perl itself.

Acknowledgements

This patch is based on ReverseProxy.pm by Clinton Wong.

It includes code and ideas from ProxyRewrite.pm by Christan Gilmore.

Valid HTML 4.01!

Page last modified: $Date: 2022-05-25 $