Ok. You are making me think now.
So a request comes in to the WAN side apache server, the server matches the fqdn to one of the vhost config files. If it finds a match, then it forwards the request to the backend proxied server.

I thought all along that when the request came in, the proxy was passed onto the backend server intact with the fqdn to the ip address in the ProxyPass directive.

So you think ProxyPass / http://postfixadmin.domain.com/ will work?

Then wouldn't I need to update the hosts file on the WAN side so the WAN side server knows who the fqdn is?

On 10/7/2025 12:30 PM, E.S. Rosenberg wrote:

On Tue 7 Oct 2025 at 22:24, Bret Stern <[email protected]> wrote:

    Eliyahu,
    Appreciate you taking a shot. Here they are:

    <VirtualHost *:80>
     SSLProxyEngine on
     ServerName postfixadmin.domain.com
     ProxyPreserveHost On

     ProxyPass / http://192.168.60.157/
     ProxyPassReverse / http://192.168.60.157/

    </VirtualHost>

    <VirtualHost *:80>
     ServerName mail.domain.com
     ProxyPreserveHost On

     ProxyPass / http://192.168.60.157/
     ProxyPassReverse / http://192.168.60.157/

    </VirtualHost>


    By the way the WAN side server hosts 3 websites. But the
    mail.domain.com and the postfixadmin.domain.com are proxied
    to another server on the lan.

    I kind of feel like this setup is a bit corrupted, there's so much
    info out there, and who knows what the right way.

    My hunch is taking me to a possible ssl encryption setup, so I'm
    asking on letsEncrypt as well.

    If there's anything logs wise you need, I can provide.

    Appreciate your thoughts,
    Bret

    On 10/7/2025 12:07 PM, E.S. Rosenberg wrote:

    On Tue 7 Oct 2025 at 18:34, Bret Stern <[email protected]> wrote:

        Ok. So my understanding of ReWrite rules is to modify the url
        in some fashion...per the Apache docs.
        I don't see any reason to do that..so I commented out all the
        "ReWrite directives". Good to get the junk out of
        the puzzle.

        After commenting out the ReWrites, I restarted httpd.
        postfixadmin.domain.com is still landing in the
        mail.domain.com DocumentRoot.

        Is there some sort of "debug" directive which would help me
        figure out when the DocumentRoot
        is getting set to what and when.

        Ideas?

        First virt host config for postfixadmin
        <VirtualHost *:80>
            SSLProxyEngine on
            ServerName postfixadmin.domain.com
            ProxyPreserveHost On
            ServerAlias www.postfixadmin.domain.com
            DocumentRoot /var/www/postfixadmin/public

            <Directory /var/www/postfixadmin/public>
                Options -Indexes +FollowSymLinks
                AllowOverride All
            </Directory>

            ErrorLog /var/log/httpd/postfixadmin-error.log
            CustomLog /var/log/httpd/postfixadmin-access.log combined
        #RewriteEngine on
        #RewriteCond %{SERVER_NAME} =www.postfixadmin.domain.com [OR]
        #RewriteCond %{SERVER_NAME} =postfixadmin.domain.com
        #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
        </VirtualHost>

        second virt host config for mail
        <VirtualHost *:80>
            SSLProxyEngine on
            ServerName mail.domain.com
            ProxyPreserveHost On
            ServerAlias www.mail.domain.com
            DocumentRoot /var/www/html

            <Directory /var/www/html>
                Options -Indexes +FollowSymLinks
                AllowOverride All
            </Directory>

            ErrorLog /var/log/httpd/mail-domain-error.log
            CustomLog /var/log/httpd/mail-domain-access.log combined
        #RewriteEngine on
        #RewriteCond %{SERVER_NAME} =www.mail.domain.com [OR]
        #RewriteCond %{SERVER_NAME} =mail.domain.com
        #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
        </VirtualHost>

        On 10/7/2025 7:29 AM, Frank Gingras wrote:

        On Mon, Oct 6, 2025 at 5:12 PM Bret Stern <[email protected]> wrote:

            Frank,

            I added the original mail.domain.com virt host conf file back and
            now my postfixadmin stuff has reverted to
            the wrong DocumentRoot and isn't working.

            Here are the VirtHost files. The names of the files do
            not matter, correct? They can be www.domain.com.conf or
            somename.conf, right?

            First virt host config for postfixadmin
            <VirtualHost *:80>
                SSLProxyEngine on
                ServerName postfixadmin.domain.com
                ProxyPreserveHost On
                ServerAlias www.postfixadmin.domain.com
                DocumentRoot /var/www/postfixadmin/public

                <Directory /var/www/postfixadmin/public>
                    Options -Indexes +FollowSymLinks
                    AllowOverride All
                </Directory>

                ErrorLog /var/log/httpd/postfixadmin-error.log
                CustomLog /var/log/httpd/postfixadmin-access.log combined
            RewriteEngine on
            RewriteCond %{SERVER_NAME} =www.postfixadmin.domain.com [OR]
            RewriteCond %{SERVER_NAME} =postfixadmin.domain.com
            RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
            </VirtualHost>

            second virt host config for mail
            <VirtualHost *:80>
                SSLProxyEngine on
                ServerName mail.domain.com
                ProxyPreserveHost On
                ServerAlias www.mail.domain.com
                DocumentRoot /var/www/html

                <Directory /var/www/html>
                    Options -Indexes +FollowSymLinks
                    AllowOverride All
                </Directory>

                ErrorLog /var/log/httpd/mail-domain-error.log
                CustomLog /var/log/httpd/mail-domain-access.log combined
            RewriteEngine on
            RewriteCond %{SERVER_NAME} =www.mail.domain.com [OR]
            RewriteCond %{SERVER_NAME} =mail.domain.com
            RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
            </VirtualHost>

            This is my httpd -S readout for the internal server.
            Wondering if anything here is obvious. I don't
            read this stuff enough to know. So appreciate the eyes.

            Not sure what's causing the "already loaded" line below.

            [Mon Oct 06 13:50:40.068370 2025] [so:warn] [pid 10702:tid 10702] AH01574: module proxy_http_module is already loaded, skipping
            VirtualHost configuration:
            *:80                   is a NameVirtualHost
                     default server mail.domain.com (/etc/httpd/conf.d/mail.domain.com.conf:1)
                     port 80 namevhost mail.domain.com (/etc/httpd/conf.d/mail.domain.com.conf:1)
                             alias www.mail.domain.com
                     port 80 namevhost postfixadmin.domain.com (/etc/httpd/conf.d/postfixadmin.conf:1)
                             alias www.postfixadmin.domain.com
            *:443                  is a NameVirtualHost
                     default server mail.domain.com (/etc/httpd/conf.d/mail.domain.com-le-ssl.conf:3)
                     port 443 namevhost mail.domain.com (/etc/httpd/conf.d/mail.domain.com-le-ssl.conf:3)
                             alias www.mail.domain.com
                     port 443 namevhost postfixadmin.domain.com (/etc/httpd/conf.d/postfixadmin-le-ssl.conf:3)
                             alias www.postfixadmin.domain.com
                     port 443 namevhost 127.0.0.1 (/etc/httpd/conf.d/ssl.conf:40)
            ServerRoot: "/etc/httpd"
            Main DocumentRoot: "/var/www/html"
            Main ErrorLog: "/etc/httpd/logs/error_log"
            Mutex authdigest-opaque: using_defaults
            Mutex watchdog-callback: using_defaults
            Mutex proxy-balancer-shm: using_defaults
            Mutex rewrite-map: using_defaults
            Mutex ssl-stapling-refresh: using_defaults
            Mutex authdigest-client: using_defaults
            Mutex dav_fs-lockdb: using_defaults
            Mutex lua-ivm-shm: using_defaults
            Mutex ssl-stapling: using_defaults
            Mutex proxy: using_defaults
            Mutex authn-socache: using_defaults
            Mutex ssl-cache: using_defaults
            Mutex default: dir="/etc/httpd/run/" mechanism=default
            Mutex cache-socache: using_defaults
            PidFile: "/etc/httpd/run/httpd.pid"
            Define: DUMP_VHOSTS
            Define: DUMP_RUN_CFG
            User: name="apache" id=48
            Group: name="apache" id=48

            On 10/6/2025 9:02 AM, Frank Gingras wrote:

            On Mon, Oct 6, 2025 at 11:47 AM Bret Stern <[email protected]> wrote:

                Thanks for the comment.

                I had to remove one of my virtual hosts to get
                this working.

                My virtual host settings were triple checked...but
                the DocumentRoot kept reverting to the
                wrong virtual host DocRoot.

                If the apache logic is to use the ServerName
                directive in the [virthost *:80] as the deciding
                factor to set the DocRoot, then either there is another
                setting that I'm not aware of or there is a bug in
                the logic in apache. When I have more time to
                look, maybe it will surface. I have some other http
                servers in our environments, so will check those
                results as well.

                Regardless, all of this is excellent learning
                experience.
                Bret


                On 10/5/2025 12:08 AM, E.S. Rosenberg wrote:
                Hey Bret,

                Unless I am very much mistaken you need to use the
                FQDN in the ProxyPass directive and if you don't
                want to expose the "real" IP of server B to the
                Internet you would need to "override" the public
                DNS records either in /etc/hosts or if you have
                the ability to present a different DNS view to
                server A and don't mind that complication that
                would be another option.
                You could I guess also use some internal FQDN as
                long as the virtualhosts on server B know to
                respond to that too and all the links they return
                are relative or rewritten to the domain server A
                presents.

                HTH,
                Eliyahu - אליהו

                On Sun 5 Oct 2025 at 09:34, Bret Stern <[email protected]> wrote:

                    Can someone please comment.

                    Apache server A is a physical server on my
                    network. It has three virtual hosts serving three
                    different websites. This appears to be working
                    correctly.

                    Introducing Apache server B
                    Apache server A also acts as a reverse proxy
                    to Apache server B which is
                    another separate server with a static ip, and
                    acts as my mail server.

                    There are two virtual hosts defined on Apache
                    server B, one is mail.domain.com and
                    one is postfixadmin.domain.com

                    My question is can Apache server A route (via
                    reverse proxy) to the two
                    virtual hosts on Apache server B.

                    At this point it's close to working, but my
                    postfixadmin.domain.com is
                    having its document root directed to
                    virtual host mail.domain.com, instead of
                    postfixadmin.domain.com

                    I've spent hours checking my virt host
                    configurations. Is there some
                    other setting outside the virtual host
                    configuration that
                    is allowing the DocumentRoot to be hijacked?

                    Can someone please confirm my setup is possible?
                    Regards



            You'll need to show the output from the apachectl -S
            command on all servers to get a complete answer, to start.


        The names of the config files are not relevant, indeed.

        That being said, your :80 vhosts make no sense.  You use
        SSLProxyEngine on, yet you explicitly redirect to https://
        in the same vhost.  You have to decide if you want to proxy
        or redirect, first.


    Hey Bret,

    Unless I am very much mistaken so far you have only shared the
    config of the internal server (server B) and not the reverse
    proxy configs.
    Based on what you are describing my suspicion is that your
    reverse proxy configuration is wrong/stripping the target
    hostname and thus you end up on whatever virtualhost matches by
    default.

    HTH,
    Eliyahu - אליהו

Hey Bret,
As I suspected you are forwarding to the internal IP address, thus the internal server sees a request for http://IP/ and has no way to select a virtual host. You can either do what I suggested in my original reply to maintain the hostname or what you can also do is add/strip headers on the reverse proxy.
HTH,
Eliyahu - אליהו
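
The fallback discussed in this thread, where a request whose Host header matches no ServerName or ServerAlias is served by the default (first-listed) virtual host, can be checked against the `httpd -S` dump quoted above. This is an added example, not part of the original messages; `parse_vhosts` and `select_vhost` are hypothetical helpers, and the matching is a simplified model (exact names only, no wildcard aliases or IP-based vhosts).

```python
import re

# `httpd -S` vhost dump for *:80, taken from the thread with the mail
# client's <http://...> link residue removed.
DUMP = """\
*:80                   is a NameVirtualHost
         default server mail.domain.com (/etc/httpd/conf.d/mail.domain.com.conf:1)
         port 80 namevhost mail.domain.com (/etc/httpd/conf.d/mail.domain.com.conf:1)
                 alias www.mail.domain.com
         port 80 namevhost postfixadmin.domain.com (/etc/httpd/conf.d/postfixadmin.conf:1)
                 alias www.postfixadmin.domain.com
"""

def parse_vhosts(dump):
    """Return {listen_addr: {"default": name, "vhosts": [(name, [aliases])]}}."""
    table, addr = {}, None
    for line in dump.splitlines():
        s = line.strip()
        m = re.match(r"(\S+)\s+is a NameVirtualHost$", s)
        if m:
            addr = m.group(1)
            table[addr] = {"default": None, "vhosts": []}
        elif addr and (m := re.match(r"default server (\S+)", s)):
            table[addr]["default"] = m.group(1)
        elif addr and (m := re.match(r"port \d+ namevhost (\S+)", s)):
            table[addr]["vhosts"].append((m.group(1), []))
        elif addr and (m := re.match(r"alias (\S+)", s)) and table[addr]["vhosts"]:
            table[addr]["vhosts"][-1][1].append(m.group(1))
    return table

def select_vhost(table, addr, host_header):
    """Simplified model: exact Host match on ServerName/ServerAlias, else default."""
    # Drop an optional :port and trailing dot; hostnames compare case-insensitively.
    host = host_header.split(":")[0].lower().rstrip(".")
    for name, aliases in table[addr]["vhosts"]:
        if host in [name.lower()] + [a.lower() for a in aliases]:
            return name
    return table[addr]["default"]

if __name__ == "__main__":
    t = parse_vhosts(DUMP)
    for h in ("postfixadmin.domain.com", "www.mail.domain.com", "192.168.60.157"):
        print(f"Host: {h:28} -> {select_vhost(t, '*:80', h)}")
```

Comparing the result for each Host value with the access log that actually records the request (postfixadmin-access.log versus mail-domain-access.log in the configs above) shows which Host header the backend really received.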
