logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Can Apache forward requests to different servers ?
Author
Carlius



Joined: 16 Sep 2014
Posts: 5
Location: Stockholm, Sweden

PostPosted: Tue 16 Sep '14 14:49    Post subject: Can Apache forward requests to different servers ? Reply with quote

We have an Apache acting as a reverse-proxy and listening on the Internet ("Our URL" on port 443).

We would have two ways of accessing this reverse-proxy:
• From a mobile app (authentication would be based on a corporate certificate)
• From any browser (authentication would be a login form)



The question is: can Apache forward requests to either server 1 or server 2, depending on whether a certificate is sent by the client?

If a certificate is sent, then Apache checks it. We know the request comes from the mobile app, so we redirect web requests to Server 1. If there is no certificate, then the request comes from a computer, and we redirect web requests to Server 2.


Thanks so much for your help!
/Carl
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

PostPosted: Tue 16 Sep '14 16:43    Post subject: Reply with quote

Have a look at
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#arbitraryclients
and
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#certauthenticate

That's not a solution out of the box, but you will find the useful definitions.

Greets
JR
Back to top
Carlius



Joined: 16 Sep 2014
Posts: 5
Location: Stockholm, Sweden

PostPosted: Tue 16 Sep '14 17:00    Post subject: Reply with quote

Thanks for info jraute!

This is good info, however our problem remains Sad We have the same URL so we need to forward the request based on something else.
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

PostPosted: Tue 16 Sep '14 17:01    Post subject: Reply with quote

Why not using different locations?
server.mydomain.com/data (without clientcertificate)
server.mydomain.com/data_2 (with clientcertificate)
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

PostPosted: Wed 17 Sep '14 8:08    Post subject: Reply with quote

Another thing would be to identify the device and to "route" the request depending on device-type or browser-type or whatever, but i am not an expert in these things.

There are several examples at http://detectmobilebrowsers.com/ how to do that.
for apache see:

Code:
RewriteEngine On
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} (android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\ |maemo|midp|mmp|mobile.+firefox|netfront|opera\ m(ob|in)i|palm(\ os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows\ ce|xda|xiino [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a\ wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r\ |s\ )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1\ u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp(\ i|ip)|hs\-c|ht(c(\-|\ |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac(\ |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt(\ |\/)|klon|kpt\ |kwc\-|kyo(c|k)|le(no|xi)|lg(\ g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-|\ |o|v)|zz)|mt(50|p1|v\ )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v\ )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-|\ )|webc|whit|wi(g\ |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-) [NC]
RewriteRule ^$ http://yourdomain.com/mobile [R,L]
Back to top
Carlius



Joined: 16 Sep 2014
Posts: 5
Location: Stockholm, Sweden

PostPosted: Wed 17 Sep '14 10:54    Post subject: Reply with quote

Thanks so much Jraute for your input!

Good point, but detecting mobile devices through a user-agent is not secure enough for us :/

Regarding virtual folders, we would get an awful lot rewriting issues which we don't know if we can handle, We'll test it, but I'm skeptical that this is best way to do it.
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

PostPosted: Wed 17 Sep '14 11:36    Post subject: Reply with quote

Carlius wrote:

Good point, but detecting mobile devices through a user-agent is not secure enough for us :/


I agree 100%, but the idea was to use the script in combination with your httpd-vhosts.conf to route the mobile devices to that host, which requires the certificate.

If you are afraid of having mobiles connecting the other host without a certificate, well Wink you should be afraid of MITM and all the other worst case scenarios first.

But let us ask the experts - Steffen and James Blond ...
Back to top
Carlius



Joined: 16 Sep 2014
Posts: 5
Location: Stockholm, Sweden

PostPosted: Wed 24 Sep '14 10:51    Post subject: Reply with quote

Hi again jraute,

Do you think Steffen or James Blond has seen the question? Is there a way of sending a PM to them?
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Wed 24 Sep '14 11:23    Post subject: Reply with quote

Carlius wrote:

Good point, but detecting mobile devices through a user-agent is not secure enough for us :/

Agree. I have no answer.

I know Enterprise solutions for secure dealing with mobile devices, like http://www1.good.com/secure-mobility-solution/mobile-identity-and-access-management.html
Back to top
Carlius



Joined: 16 Sep 2014
Posts: 5
Location: Stockholm, Sweden

PostPosted: Wed 24 Sep '14 16:38    Post subject: Reply with quote

Okay, I'm sorry to hear it. I don't think we can use an expensive MDM solution.

Thanks for the help anyways, if you by any chance come up with something. Please me know.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Wed 24 Sep '14 21:40    Post subject: Reply with quote

Well usually I use a default page for all Clients. That page contains a php script which redirects the client to it specific page. Obviously that first page is on http.
But since it is a custom mobile app, can't you add a query to the url which tells apache that it is a valid Client?
Back to top


Reply to topic   Topic: Can Apache forward requests to different servers ? View previous topic :: View next topic
Post new topic   Forum Index -> Apache