Comments on: How do I return an SSL URL from a non-SSL Apache?

Question: How do I return an SSL URL from a non-SSL Apache?

vacapinta — Tue, 07 Oct 2008 04:28:33 -0800

Help Apache gurus! How do I setup a virtual host when SSL terminates before my Apache server?

Hopefully this is easy since it seems like a common thing...

Here's the setup: Browser -> Load balancer -> Apache Server
The browser connects to the load balancer using https (https://www.example.com). But then the load balancer directs the request to Apache using http (http://host1.company.com). Fine.

Now, how do I use the virtual host directive to have Apache return an https url to the browser? If i just have:

<VirtualHost *:80>
ServerName www.example.com
</VirtualHost>

in httpd.conf then URLs are returned to the client as http URLs which doesnt work. Is this possible? Thanks!

By: devbrain

devbrain — Tue, 07 Oct 2008 05:22:24 -0800

What URLs are being returned? Any relative hrefs will (should!) work just fine as they don't specific http/https or the server name.

If you can't change ALL your absolute hrefs to relative, then you can try to fix the app or check your load balancer (or apache) for an in-line rewrite option to edit the pages on the fly to make the fix.

First question -- what's the app? what's generating the links? Fix that - and if you can't, fix it upstream. Next question -- what's the loadbalancer?

By: devbrain

devbrain — Tue, 07 Oct 2008 05:23:37 -0800

Part #2 .... you'll want ServerAlias host1.company.com, and UseCanonicalName Off within your VirtualHost block.

By: vacapinta

vacapinta — Tue, 07 Oct 2008 05:43:47 -0800

oh cool thanks! Relative does work. Unfortunately absolute doesn't. I can't change the app. (Can't tell you the app without violating confidentiality)
The loadbalancer is F5. I dont know why it hadn't occured to me to rewrite at the load balancer. Thats definitely an option!

Why do I need ServerAlias? Won't Apache accept internal (behind the load balancer) URLs to the physical machine just fine by default?

By: devbrain

devbrain — Tue, 07 Oct 2008 06:43:04 -0800

What happens by default depends on the rest of the config.

If you have a NameVirtualHost on that ip:port pair already, then if you get a request for a host that's not listed as ServerName or ServerAlias, then apache will respond with the first vhost that matches. Which may, or may not be, the one you want.

By: phax

phax — Tue, 07 Oct 2008 06:48:18 -0800

Sounds like a job for mod_proxy and mod_proxy_html.

mod_proxy_html is an output filter to rewrite HTML links in a proxy situation, to ensure that links work for users outside the proxy. It serves the same purpose as Apache's ProxyPassReverse directive does for HTTP headers, and is an essential component of a reverse proxy.

You probably might need to set up an auxiliary virtual host to act as the proxy to rewrite the content, but that shouldn't be a big problem.

There's also one for XML if you're sending different sort of content.