| View previous topic :: View next topic |
| Author |
Message |
Banana
Moderator
Joined: 21 May 2004
Posts: 1842
Location: Germany
|
|
| Back to top |
|
 |
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3477
|
 Posted: Thu Sep 14, 2023 8:46 pm Post subject: |
 |
|
Do you have a reason to use apache in particular?
I personally like haproxy because it makes SNI easy. Used it for terminating ssl in front of apache with mod_vhost working as low maintenance shared hosting.
Anyway, show us your host config and the example for something else you're trying to implement and we will see. It might be a simple mistake |
|
| Back to top |
|
|
Banana
Moderator
Joined: 21 May 2004
Posts: 1842
Location: Germany
|
| Posted: Fri Sep 15, 2023 8:07 am Post subject: |
|
|
| Code: | <VirtualHost *:80>
...
ProxyPreserveHost On
ProxyPass /gogs http://127.0.0.1:3000
ProxyPassReverse /gogs http://127.0.0.1:3000
ProxyPass /znc http://127.0.0.1:3002
ProxyPassReverse /znc http://127.0.0.1:3002
</VirtualHost> |
Added 3002, 127.0.0.1, ipv4, ipv6 and /znc/ to the general znc config with the webadmin config (as described at https://wiki.znc.in/Reverse_Proxy)
But if I access ip/znc it ends in an redirect loop since znc responds with "Location: /znc"
If I only set the settings in the vhost without the additional prefix value in znc webadmin, all the
paths are wrong. Also the webadmin auth does not work.
Why apache, well I'm used to it and it is currently installed. I'm open to changes since I do not have anything special which needs apache, but I'm curious to find out why and learn.
_________________
Forum Guidelines
PFL - Portage file list - find which package a file or command belongs to.
My delta-labs.org snippets do expire
Last edited by Banana on Fri Sep 15, 2023 11:49 am; edited 1 time in total |
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3477
|
| Posted: Fri Sep 15, 2023 10:41 am Post subject: |
|
|
| Quote: | | But if I know access ip/znc it ends in an redirect loop since znc responds with "Location: /znc" |
Ok, so your znc expects its URI to star with /znc, but your proxy definition strips it from the path.
I think you just need to fix your proxy destination:
| Code: | ProxyPass /znc http://127.0.0.1:3002/znc/
ProxyPassReverse /znc http://127.0.0.1:3002/znc/
# or ProxyPassReverse / http://127.0.0.1:3002/
# or ProxyPassReverse <your domain> http://127.0.0.1:3002/
# or even no reverse proxy at all if the app generates correct links inside response body |
ProxyPass needs to forward the URI properly, and ProxyPassReverse may or may not need to fix URLs within the response body, depending on the app.
| Quote: | If I only set the settings in the vhost without the additional prefix value in znc webadmin, all the
paths are wrong. Also the webadmin auth does not work. |
It's been a while since I played with apache, but shouldn't your destinations end with "/"? It can be sensitive to weird things sometimes.
If you dont set prefix in znc, which paths are wrong in what way?
Also, apache's docs actually quote all 4 strings. It's probably not a big deal in your case, but there might be some reason behind it.
| Code: | ProxyPass "/znc/" "http://127.0.0.1:3002/"
ProxyPassReverse "/znc/" "http://127.0.0.1:3002/"
# or maybe a relative path would work better:
# ProxyPassReverse "/znc/" "/" |
You're essentially trying to do a hostile takeover here, if the proxy target attempts to cooperate, it might confuse the proxy. Don't e.g. set your website's domain inside znc. |
|
| Back to top |
|
|
Banana
Moderator
Joined: 21 May 2004
Posts: 1842
Location: Germany
|
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3477
|
| Posted: Fri Sep 15, 2023 12:41 pm Post subject: |
|
|
Nginx is not apache, I think rewriting links in the response body is apache's unique feature (via ProxyPassReverse).
I never really used nginx, but I think that guide relied on znc providing the correct paths for user agent to use, without nginx's intervention. In case of apache translating requests and responses instead of just passing them through, znc can have different paths on both ends of the connection.
Anyway, glad it works. |
|
| Back to top |
|
|
Banana
Moderator
Joined: 21 May 2004
Posts: 1842
Location: Germany
|
| Posted: Fri Sep 15, 2023 5:07 pm Post subject: |
|
|
I don't think you could call it rewriting links in the responce body.
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#forwardreverse
| Quote: | Apache HTTP Server can be configured in both a forward and reverse proxy (also known as gateway) mode.
An ordinary forward proxy is an intermediate server that sits between the client and the origin server. In order to get content from the origin server, the client sends a request to the proxy naming the origin server as the target. The proxy then requests the content from the origin server and returns it to the client. The client must be specially configured to use the forward proxy to access other sites. |
Anyway thx for the input. I think it pushed me into the right direction to solve it.
_________________
Forum Guidelines
PFL - Portage file list - find which package a file or command belongs to.
My delta-labs.org snippets do expire |
|
| Back to top |
|
|
Banana
Moderator
Joined: 21 May 2004
Posts: 1842
Location: Germany
|
| Posted: Mon Sep 18, 2023 6:04 am Post subject: |
|
|
Additional information for everyone reading this:
Using apache as shown here and described at the ZNC wiki does only work for the webadmin part (this was not clear for my from the official wiki).
Proxy znc and irc itself should only work with nginx or other.
_________________
Forum Guidelines
PFL - Portage file list - find which package a file or command belongs to.
My delta-labs.org snippets do expire |
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3477
|
| Posted: Mon Sep 18, 2023 9:42 am Post subject: |
|
|
Do you happen to know why it doesn't work with apache?
I had a hunch it might have something to do with HTTP Upgrade header, and found this https://stackoverflow.com/questions/60475454/apache2-cant-set-headers-connection-and-upgrade
It's not uncommon for apps running inside a web browser to change protocol from http to a regular TCP pipe after connecting to the web server, and it seems apache is picky about those headers. I wonder if it's applicable to your case. |
|
| Back to top |
|
|
Banana
Moderator
Joined: 21 May 2004
Posts: 1842
Location: Germany
|
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3477
|
| Posted: Tue Sep 19, 2023 9:39 am Post subject: |
|
|
Ok, so at this point I just don't understand how it is supposed to work. I mean, no http proxy understand IRC protocol, it is there to forward http traffic to another server.
Sometimes modifying headers, sometimes doing client authentication (e.g. checking client's certificates and adding a header with result), sometimes doing SSL termination, but it is still http traffic.
Inspecting the traffic with tcpdump could provide more insight, but I suppose you already got your problem solved with nginx, right?
Are you still interested in investigating it more? |
|
| Back to top |
|
|
Banana
Moderator
Joined: 21 May 2004
Posts: 1842
Location: Germany
|
| Posted: Tue Sep 19, 2023 12:31 pm Post subject: |
|
|
I've worked around it for now. But maybe in the future I will investigate it a bit more and try ngnix. The example at the znc wiki page tells also there is a difference needed: "Nginx has a directive separate from http called stream for protocols other than HTTP. We can utilize this to allow nginx to act as a reverse proxy for ZNC"
I've moved to a firewall firendly port and thus needed no more proxy for it.
_________________
Forum Guidelines
PFL - Portage file list - find which package a file or command belongs to.
My delta-labs.org snippets do expire |
|
| Back to top |
|
|
|
Gentoo Chat
