On Tue, Oct 7, 2025 at 3:24 PM Bret Stern <[email protected]>
wrote:

> Eliyahu,
> Appreciate you taking a shot. Here they are:
>
> <VirtualHost *:80>
>  SSLProxyEngine on
>  ServerName postfixadmin.domain.com
>  ProxyPreserveHost On
>
>  ProxyPass / http://192.168.60.157/
>  ProxyPassReverse / http://192.168.60.157/
>
> </VirtualHost>
>
> <VirtualHost *:80>
>  ServerName mail.domain.com
>  ProxyPreserveHost On
>
>  ProxyPass / http://192.168.60.157/
>  ProxyPassReverse / http://192.168.60.157/
>
> </VirtualHost>
>
>
> By the way the WAN side server hosts 3 websites. But the mail.domain.com
> and the postfixadmin.domain.com are proxied
> to another server on the lan.
>
> I kind of feel like this setup is a bit corrupted, there's so much info
> out there, and who knows what the right way is.
>
> My hunch is taking me to a possible ssl encryption setup, so I'm asking on
> letsEncrypt as well.
>
> If there's anything logs wise you need, I can provide.
>
> Appreciate your thoughts,
> Bret
>
> On 10/7/2025 12:07 PM, E.S. Rosenberg wrote:
>
>
>
> On Tue 7 Oct 2025 at 18:34, Bret Stern <
> [email protected]> wrote:
>
>> Ok. So my understanding of ReWrite rules is to modify the url in some
>> fashion...per the Apache docs.
>> I don't see any reason to do that..so I commented out all the "ReWrite
>> directives". Good to get the junk out of
>> the puzzle.
>>
>> After commenting out the ReWrites, I restarted httpd.
>> postfixadmin.domain.com is still landing in the
>> mail.domain.com DocumentRoot.
>>
>> Is there some sort of "debug" directive which would help me figure out
>> when the DocumentRoot
>> is getting set to what and when.
>>
>> Ideas?
>>
>>
>>
>>
>> First virt host config for postfixadmin
>> <VirtualHost *:80>
>>     SSLProxyEngine on
>>     ServerName postfixadmin.domain.com
>>     ProxyPreserveHost On
>>     ServerAlias www.postfixadmin.domain.com
>>     DocumentRoot /var/www/postfixadmin/public
>>
>>     <Directory /var/www/postfixadmin/public>
>>         Options -Indexes +FollowSymLinks
>>         AllowOverride All
>>     </Directory>
>>
>>     ErrorLog /var/log/httpd/postfixadmin-error.log
>>     CustomLog /var/log/httpd/postfixadmin-access.log combined
>> #RewriteEngine on
>> #RewriteCond %{SERVER_NAME} =www.postfixadmin.domain.com [OR]
>> #RewriteCond %{SERVER_NAME} =postfixadmin.domain.com
>> #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
>> </VirtualHost>
>>
>> second virt host config for mail
>> <VirtualHost *:80>
>>     SSLProxyEngine on
>>     ServerName mail.domain.com
>>     ProxyPreserveHost On
>>     ServerAlias www.mail.domain.com
>>     DocumentRoot /var/www/html
>>
>>     <Directory /var/www/html>
>>         Options -Indexes +FollowSymLinks
>>         AllowOverride All
>>     </Directory>
>>
>>     ErrorLog /var/log/httpd/mail-domain-error.log
>>     CustomLog /var/log/httpd/mail-domain-access.log combined
>> #RewriteEngine on
>> #RewriteCond %{SERVER_NAME} =www.mail.domain.com [OR]
>> #RewriteCond %{SERVER_NAME} =mail.domain.com
>> #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
>> </VirtualHost>
>>
>> On 10/7/2025 7:29 AM, Frank Gingras wrote:
>>
>>
>>
>> On Mon, Oct 6, 2025 at 5:12 PM Bret Stern <
>> [email protected]> wrote:
>>
>>> Frank,
>>>
>>> I added the original mail.domain.com virt host conf file back and now
>>> my postfixadmin stuff has reverted to
>>> the wrong DocumentRoot and isn't working.
>>>
>>> Here are the VirtHost files. The names of the files do not matter,
>>> correct? They can be www.domain.com.conf or
>>> somename.conf, right?
>>>
>>> First virt host config for postfixadmin
>>> <VirtualHost *:80>
>>>     SSLProxyEngine on
>>>     ServerName postfixadmin.domain.com
>>>     ProxyPreserveHost On
>>>     ServerAlias www.postfixadmin.domain.com
>>>     DocumentRoot /var/www/postfixadmin/public
>>>
>>>     <Directory /var/www/postfixadmin/public>
>>>         Options -Indexes +FollowSymLinks
>>>         AllowOverride All
>>>     </Directory>
>>>
>>>     ErrorLog /var/log/httpd/postfixadmin-error.log
>>>     CustomLog /var/log/httpd/postfixadmin-access.log combined
>>> RewriteEngine on
>>> RewriteCond %{SERVER_NAME} =www.postfixadmin.domain.com [OR]
>>> RewriteCond %{SERVER_NAME} =postfixadmin.domain.com
>>> RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
>>> </VirtualHost>
>>>
>>> second virt host config for mail
>>> <VirtualHost *:80>
>>>     SSLProxyEngine on
>>>     ServerName mail.domain.com
>>>     ProxyPreserveHost On
>>>     ServerAlias www.mail.domain.com
>>>     DocumentRoot /var/www/html
>>>
>>>     <Directory /var/www/html>
>>>         Options -Indexes +FollowSymLinks
>>>         AllowOverride All
>>>     </Directory>
>>>
>>>     ErrorLog /var/log/httpd/mail-domain-error.log
>>>     CustomLog /var/log/httpd/mail-domain-access.log combined
>>> RewriteEngine on
>>> RewriteCond %{SERVER_NAME} =www.mail.domain.com [OR]
>>> RewriteCond %{SERVER_NAME} =mail.domain.com
>>> RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
>>> </VirtualHost>
>>>
>>> This is my httpd -S readout for the internal server. Wondering if
>>> anything here is obvious. I don't
>>> read this stuff enough to know. So appreciate the eyes.
>>>
>>> Not sure what's causing the "already loaded" line below.
>>>
>>> [Mon Oct 06 13:50:40.068370 2025] [so:warn] [pid 10702:tid 10702]
>>> AH01574: module proxy_http_module is already loaded, skipping
>>> VirtualHost configuration:
>>> *:80                   is a NameVirtualHost
>>>          default server mail.domain.com
>>> (/etc/httpd/conf.d/mail.domain.com.conf:1)
>>>          port 80 namevhost mail.domain.com
>>> (/etc/httpd/conf.d/mail.domain.com.conf:1)
>>>                  alias www.mail.domain.com
>>>          port 80 namevhost postfixadmin.domain.com
>>> (/etc/httpd/conf.d/postfixadmin.conf:1)
>>>                  alias www.postfixadmin.domain.com
>>> *:443                  is a NameVirtualHost
>>>          default server mail.domain.com
>>> (/etc/httpd/conf.d/mail.domain.com-le-ssl.conf:3)
>>>          port 443 namevhost mail.domain.com
>>> (/etc/httpd/conf.d/mail.domain.com-le-ssl.conf:3)
>>>                  alias www.mail.domain.com
>>>          port 443 namevhost postfixadmin.domain.com
>>> (/etc/httpd/conf.d/postfixadmin-le-ssl.conf:3)
>>>                  alias www.postfixadmin.domain.com
>>>          port 443 namevhost 127.0.0.1 (/etc/httpd/conf.d/ssl.conf:40)
>>> ServerRoot: "/etc/httpd"
>>> Main DocumentRoot: "/var/www/html"
>>> Main ErrorLog: "/etc/httpd/logs/error_log"
>>> Mutex authdigest-opaque: using_defaults
>>> Mutex watchdog-callback: using_defaults
>>> Mutex proxy-balancer-shm: using_defaults
>>> Mutex rewrite-map: using_defaults
>>> Mutex ssl-stapling-refresh: using_defaults
>>> Mutex authdigest-client: using_defaults
>>> Mutex dav_fs-lockdb: using_defaults
>>> Mutex lua-ivm-shm: using_defaults
>>> Mutex ssl-stapling: using_defaults
>>> Mutex proxy: using_defaults
>>> Mutex authn-socache: using_defaults
>>> Mutex ssl-cache: using_defaults
>>> Mutex default: dir="/etc/httpd/run/" mechanism=default
>>> Mutex cache-socache: using_defaults
>>> PidFile: "/etc/httpd/run/httpd.pid"
>>> Define: DUMP_VHOSTS
>>> Define: DUMP_RUN_CFG
>>> User: name="apache" id=48
>>> Group: name="apache" id=48
>>>
>>>
>>> On 10/6/2025 9:02 AM, Frank Gingras wrote:
>>>
>>>
>>>
>>> On Mon, Oct 6, 2025 at 11:47 AM Bret Stern <
>>> [email protected]> wrote:
>>>
>>>> Thanks for the comment.
>>>>
>>>> I had to remove one of my virtual hosts to get this working.
>>>>
>>>> My virtual host settings were triple checked...but the DocumentRoot
>>>> kept reverting to the
>>>> wrong virtual host DocRoot.
>>>>
>>>> If the apache logic is to use the ServerName directive in the [virthost
>>>> *:80] as the deciding factor to set the DocRoot, then either there is
>>>> another
>>>> setting that I'm not aware of or there is a bug in the logic in apache.
>>>> When I have more time to
>>>> look, maybe it will surface. I have some other http servers in our
>>>> environments, so will check those results as well.
>>>>
>>>> Regardless, all of this is excellent learning experience.
>>>> Bret
>>>>
>>>>
>>>> On 10/5/2025 12:08 AM, E.S. Rosenberg wrote:
>>>>
>>>> Hey Bret,
>>>>
>>>> Unless I am very much mistaken you need to use the FQDN in the
>>>> ProxyPass directive and if you don't want to expose the "real" IP of server
>>>> B to the Internet you would need to "override" the public DNS records
>>>> either in /etc/hosts or if you have the ability to present a different DNS
>>>> view to server A and don't mind that complication that would be another
>>>> option.
>>>> You could I guess also use some internal FQDN as long as the
>>>> virtualhosts on server B know to respond to that too and all the links they
>>>> return are relative or rewritten to the domain server A presents.
>>>>
>>>> HTH,
>>>> Eliyahu - אליהו
>>>>
>>>> On Sun 5 Oct 2025 at 09:34, Bret Stern <
>>>> [email protected]> wrote:
>>>>
>>>>> Can someone please comment.
>>>>>
>>>>> Apache server A is a physical server on my network. It has three
>>>>> virtual
>>>>> hosts serving three
>>>>> different websites. This appears to be working correctly.
>>>>>
>>>>> Introducing Apache server B
>>>>> Apache server A also acts as a reverse proxy to Apache server B which
>>>>> is
>>>>> another separate server with a static ip, and
>>>>> acts as my mail server.
>>>>>
>>>>> There are two virtual hosts defined on Apache server B, one is
>>>>> mail.domain.com and one is postfixadmin.domain.com
>>>>>
>>>>> My question is can Apache server A route (via reverse proxy) to the
>>>>> two
>>>>> virtual hosts on Apache server B.
>>>>>
>>>>> At this point it's close to working, but my postfixadmin.domain.com
>>>>> is
>>>>> having its document root directed to
>>>>> virtual host mail.domain.com, instead of postfixadmin.domain.com
>>>>>
>>>>> I've spent hours checking my virt host configurations. Is there some
>>>>> other setting outside the virtual host configuration that
>>>>> is allowing the DocumentRoot to be hijacked?
>>>>>
>>>>> Can someone please confirm my setup is possible?
>>>>> Regards
>>>>
>>> You'll need to show the output from the apachectl -S command on all
>>> servers to get a complete answer, to start.
>>>
>>>
>>>
>> The names of the config files are not relevant, indeed.
>>
>> That being said, your :80 vhosts make no sense.  You use SSLProxyEngine
>> on, yet you explicitly redirect to https:// in the same vhost.  You have
>> to decide if you want to proxy or redirect, first.
>>
>>
>>
> Hey Bret,
>
> Unless I am very much mistaken so far you have only shared the config of
> the internal server (server B) and not the reverse proxy configs.
> Based on what you are describing my suspicion is that your reverse proxy
> configuration is wrong/stripping the target hostname and thus you end up on
> whatever virtualhost matches by default.
>
> HTH,
> Eliyahu - אליהו
>
>
>
You're proxying to http://, so TLS isn't even involved here, nor do you
need SSLProxyEngine on.

You'll be reaching your internal :80 vhost with the correct Host: header as
well.  I recommend inspecting your logs to make sure you're reaching the
correct vhost.

Lastly, don't redirect from the backend, either.
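
Added example (not part of the original thread, and not code from the httpd project): a small Python model of name-based vhost selection, driven by the *:80 portion of the `httpd -S` dump quoted above, showing which vhost a given Host: header lands on and when the request falls back to the default server. The function names and the matching logic are a simplified assumption (no IPv6 literals, only the first matching vhost is considered).

```python
import fnmatch
import re

# Constructed sample: the *:80 part of the `httpd -S` dump quoted in the thread,
# with the mail client's line wrapping undone.
SAMPLE_DUMP = """\
*:80                   is a NameVirtualHost
         default server mail.domain.com (/etc/httpd/conf.d/mail.domain.com.conf:1)
         port 80 namevhost mail.domain.com (/etc/httpd/conf.d/mail.domain.com.conf:1)
                 alias www.mail.domain.com
         port 80 namevhost postfixadmin.domain.com (/etc/httpd/conf.d/postfixadmin.conf:1)
                 alias www.postfixadmin.domain.com
"""

def parse_vhosts(dump):
    """Return {listen_addr: {"default": name, "vhosts": [(name, [aliases], source)]}}."""
    table, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if m := re.match(r"(\S+)\s+is a NameVirtualHost$", line):
            current = table.setdefault(m.group(1), {"default": None, "vhosts": []})
        elif current is None:
            continue  # ignore anything before the first listen address
        elif m := re.match(r"default server (\S+)", line):
            current["default"] = m.group(1)
        elif m := re.match(r"port \d+ namevhost (\S+) \((.+)\)$", line):
            current["vhosts"].append((m.group(1), [], m.group(2)))
        elif (m := re.match(r"alias (\S+)", line)) and current["vhosts"]:
            current["vhosts"][-1][1].append(m.group(1))
    return table

def select_vhost(table, listen_addr, host_header):
    """Simplified model: ServerName or ServerAlias match, else the default server."""
    host = host_header.split(":")[0].lower().rstrip(".")  # drop port, normalise case
    entry = table[listen_addr]
    for name, aliases, _source in entry["vhosts"]:
        if host == name.lower():
            return name, "matched ServerName"
        # ServerAlias may contain wildcards, so compare as a glob pattern
        if any(fnmatch.fnmatch(host, alias.lower()) for alias in aliases):
            return name, "matched ServerAlias"
    return entry["default"], "no match, fell back to default server"

if __name__ == "__main__":
    vhosts = parse_vhosts(SAMPLE_DUMP)
    for header in ("postfixadmin.domain.com", "192.168.60.157"):
        print(header, "->", select_vhost(vhosts, "*:80", header))
```

A Host: header carrying the backend address instead of the public name resolves to mail.domain.com, the default server for *:80, which is the symptom described earlier in the thread.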
