Please help with reverse proxy (custom HTTPD configuration)

marson

Hello

Our client developed an application in NodeJS; it is started on port 3001, and he asked me how to publish it on port 80 / 443, so I wrote something like this in the custom HTTPD configuration of the domain they want to publish it on:

Alias /.well-known "/var/www/html/.well-known"

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/.well-known/(.*)
RewriteCond %{HTTPS} !=on

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

ProxyPass /.well-known !
ProxyPass "/" "http://localhost:3001/"
ProxyPassReverse "/" "http://localhost:3001/"
and he confirmed that the app is working OK; however, now he wants to limit access to this app to certain IP addresses only + allow it to be proxied internally, and here I am totally lost. Is it even doable? I tried putting something like this in the custom HTTPD configuration:

Alias /.well-known "/var/www/html/.well-known"

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/.well-known/(.*)
RewriteCond %{HTTPS} !=on

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

<Location />
ProxyPass /.well-known !
Require all denied
Require ip 185.85.85.1
Require ip 185.85.85.2
Require ip 185.85.85.3
Require ip 185.85.85.4
Require ip 127.0.0.1
ProxyPass / http://localhost:3001/
ProxyPassReverse / localhost:3001/
</Location>

The IPs are fake, for demonstrating my concept.

However, this code doesn't work; I am getting the following message when I try to save the changes:

AH00526: Syntax error on line 121 of /usr/local/directadmin/data/users/admin/httpd.conf:
ProxyPass|ProxyPassMatch can not have a path when defined in a location.

Can anyone help me with what I am doing wrong, or tell me whether my understanding is correct?
 
If you are using "nginx_apache" mode, then in the custom HTTPD configuration GUI page, try setting these 3 tokens.

Code:
|?PROXY_IP=127.0.0.1|
|?PORT_8080=3001|
|?PORT_8081=3001|
 
No, it is pure Apache.

I think I found the solution for everyone else in the future:

Alias /.well-known "/var/www/html/.well-known"

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/.well-known/(.*)
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

<Location />
Require all denied
Require ip 185.85.85.1
Require ip 185.85.85.2
Require ip 185.85.85.3
Require ip 185.85.85.4
Require ip 127.0.0.1
</Location>

ProxyPass /.well-known !
ProxyPass / http://mydomain.com:3001/
ProxyPassReverse / http://mydomain.com:3001/
 
Hello again - I thought I solved the problem, however not entirely.

The domain that I am blocking is the backend of the site (let's call this domain https://api2.mysite.com); it is accessible from the IPs I specified, but it seems it is not working from localhost. What I mean is that on the same server there is a frontend site hosted at https://mysite.com, and the frontend needs to connect to https://api2.mysite.com but it doesn't. In the frontend I am getting the following error in the Chrome console:


I tried to modify the above code in the custom HTTPD configuration of the api2.mysite.com domain to look like this:

Alias /.well-known "/var/www/html/.well-known"

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/.well-known/(.*)
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

<Location />
Require all denied
Require ip 185.85.85.1
Require ip 185.85.85.2
Require ip 185.85.85.3
Require ip 185.85.85.4
Require ip 185.111.111.222
Require local
Require host mysite.com
Require ip 127.0.0.1
</Location>

ProxyPass /.well-known !
ProxyPass / http://api2.mysite.com:3001/
ProxyPassReverse / http://api2.mysite.com:3001/

Where 185.111.111.222 is the external IP of the server (fake, of course),

and it is still not working. Can anybody give me a hint?

P.S. If I remove the Location section entirely, all works OK.
 
Did you try allowing your server IPs (Apache server)? I ask because I don't know how you call it from local (same server).

If you call from the same server like this:
Code:
curl https://api2.mysite.com/api/config
it will be filtered by your server IPs, not localhost (127.0.0.1).

If you want to call it via 127.0.0.1, it should be called this way:
Code:
curl https://api2.mysite.com/api/config --resolve api2.mysite.com:443:127.0.0.1
so Apache can filter it as 127.0.0.1.
 
Did you try allowing your server IPs (Apache server)? I ask because I don't know how you call it from local (same server).
The client said that he connects to api.mysite.com to mysite.com by using Angular / JavaScript. I tried to invoke api2.mysite.com by curl locally and it seems to work.
You might need to open outgoing connections to TCP:3001 in a firewall.
I don't want to open port 3001; I want to use the application behind the reverse proxy on port 443 and not open the port to the world. It also seems not to be needed, because when I deleted the <location> sections from the custom HTTPD configuration, it seemed to work OK without opening port 3001.
 
Sorry, maybe I'm misunderstanding your issue, because you said:
but it seems it is not working from localhost
I thought you had the problem on the same server as the hosting. But from your last reply, it looks like the client connects via browser JavaScript that is served directly to their customers (maybe; I don't know about Angular). That's why allowing IPs doesn't work: it is served directly to the customer, not from their backend script.
 
I thought you had the problem on the same server as the hosting. But from your last reply, it looks like the client connects via browser JavaScript that is served directly to their customers (maybe; I don't know about Angular). That's why allowing IPs doesn't work: it is served directly to the customer, not from their backend script.
It seems you are right: when I added my external IP to the Require ip section in the backend's virtualhost, the frontend started working from my IP. So my question is: am I able to force the backend to be proxied to the frontend by the server IP and not my real IP, or should this be done inside the app (that works on port 3001)?
 
Yes, it isn't needed at all. It should be done in your web application (:3001), not from Apache.
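
An added example, not posted by anyone in this thread: one way to write the api2.mysite.com custom HTTPD configuration so that the allow-list, the /.well-known exemption and the reverse proxy work together without the AH00526 error. It assumes the Node.js app is bound to 127.0.0.1:3001; the addresses are the thread's fake ones.

```apache
# Added example for the api2.mysite.com vhost (addresses are the thread's fake ones).

Alias /.well-known "/var/www/html/.well-known"

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

# Authorization only. ProxyPass stays outside this block: inside <Location>
# it may not carry a path argument, which is what AH00526 complained about.
<Location "/">
    <RequireAny>
        # If none of these match, the request is denied, so an extra
        # "Require all denied" is not needed.
        Require ip 185.85.85.1 185.85.85.2 185.85.85.3 185.85.85.4
        # Matches 127.0.0.0/8, ::1, and connections whose client and server
        # address are the same, so calls made on this server to its own
        # external IP are covered as well.
        Require local
    </RequireAny>
</Location>

# <Location "/"> also covers /.well-known. Reopen it, otherwise requests for
# those files from outside the allow-list (for example certificate
# validation) are answered with 403.
<Location "/.well-known">
    Require all granted
</Location>

# Exclusion first, then the catch-all. Proxying to loopback means the app
# does not have to listen on a public interface (assumption: the Node.js
# app is bound to 127.0.0.1:3001).
ProxyPass /.well-known !
ProxyPass / http://127.0.0.1:3001/
ProxyPassReverse / http://127.0.0.1:3001/
```

The allow-list is evaluated against the address that connects to Apache, so API calls made by Angular code running in a visitor's browser arrive with the visitor's IP, not the server's; that case has to be handled by access control inside the application, as the last reply says.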
 