How to rewrite Location response header in a proxy setup with Apache?

xeonman9000 picture xeonman9000 · Apr 30, 2013 · Viewed 31.7k times · Source

I have a primary proxy which sends requests to a secondary proxy on which OpeenSSO is installed.

If the OpenSSO agent determines that the user is not logged in, it raises a 302 redirect to the authentication server and provides the original (encoded) URL that the user requested as a GET parameter in the redirect location header.

However, the URL in the GET variable is that of the internal (secondary) proxy server, not the original proxy server. Therefore, I would like to edit/rewrite the "Location" response header to give the correct URL.

E.g.

  1. http://a.com/hello/ (Original requested URL)
  2. http://a.com/hello2/ (Secondary proxy with OpenSSO agent)
  3. http://auth.a.com/login/?orig_request=http%3A%2F%2Fa.com%2Fhello2%2F (302 redirect to auth server with requested URL of second proxy server encoded in GET variable)
  4. http://auth.a.com/login/?orig_request=http%3A%2F%2Fa.com%2Fhello%2F (Encoded URL is rewritten to that of the original request)

I have tried pretty much all combinations of headers and rewrites without luck so I'm thinking it may not be possible. The closest I got was this, but the mod_headers edit function does not parse environment variables.

# On the primary proxy.
RewriteEngine On
RewriteRule ^/(.*)$ - [E=orig_request:$1,P]
Header edit Location ^(http://auth\.a\.com/login/\?orig_request=).*$ "$1http%3A%2F%2Fa.com%2F%{orig_request}e"

Answer

BrianV picture BrianV · Mar 5, 2015

ProxyPassReverse

ProxyPassReverse should do this for you:

This directive lets Apache adjust the URL in the Location, Content-Location and URI headers on HTTP redirect responses.

I'm not sure why your reverse proxy isn't behaving this way already, assuming you're using a pair of ProxyPass and ProxyPassReverse directives to define it.

Editing the Location Header

If you want to be able to edit the Location header as you describe, you can do it as of Apache 2.4.7:

For edit there is both a value argument which is a regular expression, and an additional replacement string. As of version 2.4.7 the replacement string may also contain format specifiers.

The "format specifiers" mentioned in the docs include being able to use environment variables, e.g. %{VAR}e.

You might also want to consider modifying your application such that the orig_request URL parameter is relativized, thus potentially eliminating the need for Header edits with environment variables.

Relative Path Location Header

You can also try using a relative path in your Location header, which would eliminate the need to explicitly map one domain to the other. This is officially valid as of RFC 7231 (June 2014), but was was widely supported even before that. You can relativize your Location header using Apache Header edit directives (even prior to version 2.4.7, since it wouldn't require environment variable substitution). That would look something like this:

Header edit Location "(^http[s]?://)([a-zA-Z0-9\.\-]+)(:\d+)?/" "/"