I can't seem to get the Apache directive ProxyPassReverseCookieDomain to actually rewrite the domain.

My directive is set as such:

ProxyPassReverseCookieDomain "myinternalproxydomain.com" "thepublicdomain.com"

I use the Network tab in a browser and I can see the Set-Cookie domain is not being altered. I see the Set-Cookie domain as either thepublicdomain.com or .thepublicdomain.com. I have tried adding

ProxyPassReverseCookieDomain "myinternalproxydomain.com" ".thepublicdomain.com"

I have searched and read the documentation; however, I am failing to see why the domain of the cookie is not being set.

<VirtualHost *:443>
DocumentRoot /var/www/myinternalproxydomain.com
ServerName myinternalproxydomain.com

SSLEngine on
SSLCertificateFile /etc/ssl/certs/my.crt
SSLCertificateKeyFile /etc/ssl/private/my.key
SSLCACertificateFile /etc/ssl/certs/my.ca-bundle

SSLProxyEngine On
ProxyRequests Off
ProxyHTMLEnable On
ProxyPreserveHost Off
ProxyHTMLInterp On
ProxyHTMLExtended On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass "/" "https://thepublicdomain.com/"
ProxyPassReverse / https://thepublicdomain.com/
ProxyPassReverseCookiePath / /
ProxyPassReverseCookieDomain "myinternalproxydomain.com" "thepublicdomain.com"
ProxyPassReverseCookieDomain "myinternalproxydomain.com" "thepublicdomain.com"
ProxyPassReverseCookieDomain "myinternalproxydomain.com" ".thepublicdomain.com"

DirectorySlash On
ProxyHTMLURLMap "https://thepublicdomain.com" "/"
<Proxy *>
    AddDefaultCharset off
    Order deny,allow
    Deny from all
    Allow from all
    DirectorySlash On
</Proxy>
<Location />
    ProxyHTMLEnable On
    ProxyPassReverse "/"
    ProxyPassReverseCookieDomain "myinternalproxydomain.com" "thepublicdomain.com"
    ProxyPassReverseCookieDomain "myinternalproxydomain.com" ".thepublicdomain.com"
    ProxyHTMLURLMap https://thepublicdomain.com /
    RequestHeader unset Accept-Encoding
</Location>
<Directory "/var/www/myinternalproxydomain.com">
    AllowOverride All
    Order allow,deny
    allow from all
    Options FollowSymLinks
</Directory>
</VirtualHost>

Can anyone enlighten me on where I should look to debug this issue?

mminnie

1 Answer

The ProxyPassReverseCookieDomain directive has syntax:

ProxyPassReverseCookieDomain internal-domain public-domain [interpolate]

Just like in this example for ProxyPassReverse, the order is reversed (back-end first):

ProxyPass         "/mirror/foo/" "http://backend.example.com/"
ProxyPassReverse  "/mirror/foo/" "http://backend.example.com/"
ProxyPassReverseCookieDomain  "backend.example.com"  "public.example.com"
ProxyPassReverseCookiePath  "/"  "/mirror/foo"

sam hocevar
Esa Jokinen

  • My example server domains maybe weren't clear in my question (now edited). I have the correct order of the ProxyPassReverseCookieDomain. – mminnie Jul 08 '18 at 14:37
  • Could you share the whole `VirtualHost` block, please. – Esa Jokinen Jul 08 '18 at 14:38
  • Edited original question to include entire VirtualHost block – mminnie Jul 08 '18 at 16:40
  • Now read my answer again. You currently have the backend last while it should be first. – Esa Jokinen Jul 08 '18 at 17:29
  • Also, remove all the noise. You set same directives multiple times. That way you'll never know what did what. – Esa Jokinen Jul 08 '18 at 17:30
  • I believe the backend `myinternalproxydomain.com` is first. I renamed the servers in my example to be more clear. I look at the `Network` tab in Google Chrome DevTools and see the domain is unchanged for the `SetCookie` – mminnie Jul 13 '18 at 00:13
  • Rename it as many times as you want, but if it comes second in `ProxyPass` it should be first in `ProxyPassReverseCookieDomain`. Have you even once tested with my solution? – Esa Jokinen Jul 13 '18 at 05:11
  • Thanks for the help Esa. The order _didn't_ change the cookie _until_ I cleaned up and removed the "noise". Once I removed the unnecessary duplicate directives the `ProxyPassReverseCookieDomain` began to work...on at least one of the two cookies. One cookie has the domain `.public.com` and the other has `public.com`. The one with the leading `.` changed and the other did not. My proxy now appears to work regardless of the domain of the unchanged cookie. Thanks for the patience. – mminnie Jul 13 '18 at 15:08
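
An added example, not part of the question, the answer or the comments: a small Python check for the debugging step discussed above. It takes the `Set-Cookie` values seen through the proxy, flags those whose `Domain` a browser would not accept for the proxy host, and prints one directive per distinct `Domain` string with the back-end domain first. The sample headers and function names are constructed, and the one-line-per-spelling rule assumes the rewrite compares the whole `Domain` value.

```python
# Added example: audit Set-Cookie headers observed through the reverse proxy.
# Sample headers and helper names are constructed for illustration.

def cookie_domain(set_cookie):
    """Return the raw Domain attribute of a Set-Cookie value, or None."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain":
            return value.strip()
    return None

def domain_matches(host, domain):
    """RFC 6265 domain-match, simplified (no IP-address handling):
    a leading dot is ignored; host must equal the domain or be a subdomain."""
    domain = domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def audit(set_cookie_headers, proxy_host):
    """List (cookie name, Domain) pairs still carrying a back-end Domain
    that a browser talking to proxy_host would not accept."""
    unrewritten = []
    for header in set_cookie_headers:
        domain = cookie_domain(header)
        if domain is not None and not domain_matches(proxy_host, domain):
            unrewritten.append((header.split("=", 1)[0].strip(), domain))
    return unrewritten

def suggest_directives(unrewritten, proxy_host):
    """One directive per distinct Domain string, back-end domain first.
    Assumption: the whole Domain value is compared, so 'example.com'
    and '.example.com' each need their own line."""
    seen = []
    for _, domain in unrewritten:
        if domain.lower() not in seen:
            seen.append(domain.lower())
    return ['ProxyPassReverseCookieDomain "%s" "%s"' % (d, proxy_host) for d in seen]

# Constructed sample: Set-Cookie values as shown in the browser's Network tab.
SAMPLE = [
    "SESSION=abc123; Path=/; Domain=.thepublicdomain.com; Secure; HttpOnly",
    "prefs=dark; Path=/; Domain=thepublicdomain.com",
    "csrf=xyz; Path=/",  # host-only cookie: no Domain, nothing to rewrite
]

if __name__ == "__main__":
    pending = audit(SAMPLE, "myinternalproxydomain.com")
    for name, domain in pending:
        print("not rewritten:", name, domain)
    print("\n".join(suggest_directives(pending, "myinternalproxydomain.com")))
```

An empty result from `audit` means every cookie is either host-only or already scoped to the proxy host.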