0

I inherited an reverse proxy setup that is part of an Apache SSL termination EC2 instance stack (with ALBs and DNS). The Apache server and its configurations are baked from rpm spec files that are built into RPMs that are deployed on the server during its creation or update. I currently have a mapping that routes requests to a domain name or hostname to a private (not on public internet) backend API. I have static assets in S3 that consume this API and my requirement is to also configure routing from a user friendly domain name to this S3 bucket, then, hopefully, make this backend S3 url private.

Swapping the API's backend url with the S3's url, I have been able to route from the public domain to the S3 bucket. However, I am not sure how I can have both routes in place with the same origin or domain name as I have to consume the API from the S3 bucket with certificate verification of the users accessing these resources.

This system is like a black box and I do not currently have access to the logs. In the code below, I have added the S3_URL and /visualizer/ mappings to the original API mapping. The API mapping is working but the S3_URL is not working when combined together.

#!/bin/bash

set -eu -o pipefail

API_URL=$(cat $1 | jq -r '.configuration.API_URL')
echo $API_URL

S3_URL=$(cat $1 | jq -r '.configuration.S3_URL')
echo $S3_URL

cat > /etc/httpd/conf.d/coy-httpd-includes/https_vhost/proxypass.inc <<EOF
ProxyRequests Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyMachineCertificateFile /etc/pki/tls/private/client_crt_rsa.pem

<Proxy *>
    Require all granted
</Proxy>

ProxyPass / ${API_URL} retry=\${CLOUD_HTTPS_PROXY_RETRY} keepalive=\${CLOUD_HTTPS_PROXY_KEEPALIVE} nocanon
ProxyPassReverse / ${API_URL}

ProxyPass /visualizer/ ${S3_URL} retry=\${CLOUD_HTTPS_PROXY_RETRY} keepalive=\${CLOUD_HTTPS_PROXY_KEEPALIVE} nocanon
ProxyPassReverse /visualizer/ ${S3_URL}
EOF

cat > /etc/httpd/conf.d/coy-httpd-includes/http_vhost/elb_health_check_proxypass.inc <<'CONFIG'
RewriteEngine on
RewriteRule / /var/www/cgi-bin/status
<Directory /var/www/cgi-bin>
  Options +ExecCGI
  SetHandler cgi-script
</Directory>
CONFIG
Improve this question

1 Answer 1

Reset to default
0

After hours of searching the internet for a solution and learning a bit more about Apache and similar servers like Nginx, I was able to find a solution.

I added a Location directive that mapped a path on the public reverse proxy's hostname that triggered the proxying of the traffic to the static resources in the S3 buckets URL in the backend such that I can access https://app.test.api.coy.co.uk/visualizer/visualize-graph.html. It still raised another question of how to block directory browsing except for this particular html page.

This is what my apache config looks like after applying the solution: 

#!/bin/bash

set -eu -o pipefail

API_URL=$(cat $1 | jq -r '.configuration.API_URL')
echo $API_URL

S3_URL=$(cat $1 | jq -r '.configuration.S3_URL')
echo $S3_URL

cat > /etc/httpd/conf.d/coy-httpd-includes/https_vhost/proxypass.inc <<EOF
ProxyRequests Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyMachineCertificateFile /etc/pki/tls/private/client_crt_rsa.pem

<Proxy *>
    Require all granted
</Proxy>

ProxyPass / ${API_URL} retry=\${CLOUD_HTTPS_PROXY_RETRY} keepalive=\${CLOUD_HTTPS_PROXY_KEEPALIVE} nocanon
ProxyPassReverse / ${API_URL}

<Location /visualizer/ >
  ProxyPreserveHost Off
  ProxyPass ${S3_URL} retry=\${CLOUD_HTTPS_PROXY_RETRY} keepalive=\${CLOUD_HTTPS_PROXY_KEEPALIVE} nocanon
  ProxyPassReverse ${S3_URL}
</Location>
EOF

cat > /etc/httpd/conf.d/coy-httpd-includes/http_vhost/elb_health_check_proxypass.inc <<'CONFIG'
RewriteEngine on
RewriteRule / /var/www/cgi-bin/status
<Directory /var/www/cgi-bin>
  Options +ExecCGI
  SetHandler cgi-script
</Directory>
CONFIG

These resources helped me in reaching my solution: Getting 404 for S3 static website JS behind Apache proxy, https://www.jamescoyle.net/how-to/116-simple-apache-reverse-proxy-example, and https://serverfault.com/questions/120488/redirect-url-within-apache-virtualhost

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I found a solution for disabling or blocking directory browsing of the directory hosting the entry HTML page of the S3 website by blocking direct access to the S3 bucket and its contents from the internet except through the Apache reverse proxy. I achieved this by changing the bucket's permissions to Private from PublicRead in its definition CloudFormation code and running it to update the bucket's definition. Attempting to browse the directory will result in an S3 AccessDenied error message and code displayed in XML format.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.