15

Definition from apache.org says:

This directive lets Apache httpd adjust the URL in the Location, Content-Location and URI headers on HTTP redirect responses. This is essential when Apache httpd is used as a reverse proxy (or gateway) to avoid bypassing the reverse proxy because of HTTP redirects on the backend servers which stay behind the reverse proxy.

Only the HTTP response headers specifically mentioned above will be rewritten. Apache httpd will not rewrite other response headers, nor will it by default rewrite URL references inside HTML pages. This means that if the proxied content contains absolute URL references, they will bypass the proxy. To rewrite HTML content to match the proxy, you must load and enable mod_proxy_html.

path is the name of a local virtual path; url is a partial URL for the remote server. These parameters are used the same way as for the ProxyPass directive.

Can someone please explain me how it works. In general what does this directive do?

SnowmanOnFire
  • 163
  • 1
  • 1
  • 6

2 Answers2

14

If the server actually handling a request does a redirect to a different URL on that server, the ProxyPassReverse directive rewrites the URL in terms of the reverse proxy server. For example, as noted in the Apache documentation, if:

 http://reverseproxy.com/mirror/foo/bar

is sent (reverse proxied) to

 http://backend.example.com/bar

for handling, but at the backend server it is determined that the correct URL should have been quux, i.e. that the request must be redirected to

 http://backend.example.com/quux

the ProxyPassReverse directive rewrites the URL (at the reverse proxy) to

 http://reverseproxy.com/mirror/foo/quux

before forwarding the HTTP redirect response to the client. This way the client only knows about the reverse proxy server, but can nonetheless make the required request to the correct URL of http://reverseproxy.com/mirror/foo/quux which will then be reverse proxied to the backend server and handled as normal. In short, it just allows the reverse proxy to return correct URI headers on HTTP redirect responses.

Colt
  • 1,939
  • 6
  • 20
  • 25
  • It's not clear what `does a redirect` actually means. Does it respond with an HTTP redirect response (301/302)? – Chris Stryczynski Aug 12 '19 at 12:14
  • 1
    It will respond with some 3xx code, as "[t]he 3xx (Redirection) class of status code indicates that further action needs to be taken by the user agent in order to fulfill the request." See [RFC 7231 discussing redirection](https://tools.ietf.org/html/rfc7231#section-6.4). The `ProxyPassReverse` directive simply ensures that the 3xx HTTP response includes the correct URI in terms of the reverse proxy server. – Colt Aug 12 '19 at 13:38
5

From the Apache 2.4 Reverse proxy guide:

To ensure that and Location: headers generated from the backend are modified to point to the reverse proxy, instead of back to itself, the ProxyPassReverse directive is most often required:

ProxyPass "/" "http://www.example.com/"

ProxyPassReverse "/" "http://www.example.com/"

If you have a Client and 2 servers, Proxy and Origin, where Origin does the actual work (generating response) and Proxy just proxies request to Origin, a good server architecture is when

  1. Origin does not know about Proxy
  2. and every request goes through Proxy.

If Origin does not know about Proxy it might happen that Origin returns the Client a HTTP Redirect (HTTP 301 or 302) through Proxy, which points directly to itself, Origin. And that is a problem because the browser will directly contact Origin in the next round, leaving out Proxy from then on for every request and this would violate point 2.

As the HTTP redirect responses go back from the Proxy to the Client, the Proxy can/should modify those Redirects so that the Location header is forced to point to Proxy. This way a standalone application running on Origin, unaware of the Proxy, can generate any redirect URL as long as the Proxy is well configured and this way Proxy ensures that all requests obey the two points above and Origin won't accidentally circumvent this path and no modification is necessary to code running on Origin.

This, however cannot solve the problem when Origin deliberately wants to circumvent Proxy as redirects can be generated in HTML code which Apache cannot detect.

karatedog
  • 276
  • 2
  • 10