Redirection and Rewrite (SSO)

Posted on June 5, 2020

Hello Guys,

Let me first explain the situation. I have two servers which I need to access via a reverse proxy. The 1st server is acting as SSO and doing the authentication for all the other servers which are under its management.

I have configured a reverse proxy, running under Debian OS with Apache. It is a very simple configuration, which works: connections from a public IP reach the RP, which forwards the traffic into private ranges without the client noticing.

But now I need to implement an SSO server as the authentication server, which means that all servers under SSO management will redirect the traffic to the SSO.

The problem is that the customer accesses all servers from the public domain and the SSO is in an internal domain, which causes issues, because the customer should not have our DNS records in the table and we can't mix public and internal entries in our security zone.

My idea is to perform a redirect + rewrite as per the condition, but I don't know how. I have read almost the whole internet, but I'm a total newbie in this Apache world.

Let me describe the situation with an example:

  1. Customer is accessing https://example.public.com
  2. Customer reaches the server via RP
  3. Server does a redirection to https://example_server.private.com/SSO/…=https://example.public.com
  4. Connection lost

My question is: is it possible just to rewrite a URL from example_server.private.com into something else, keeping the path?

Like: https://example_server.public.com/SSO/…=https://example.public.com

After the authentication, the server sends the traffic back to example.public.com

How will Apache handle that? Would you please also provide an example configuration?

Also, all the rewrite rules should be applied in 1 virtual host, just to prevent redirection into the private domain.

I guess a solution should exist. But I'm not sure whether this approach will keep the session open, or whether it will be closed and the result will be the same…

My current config:

```apache
<VirtualHost *:443>
  ServerName example.public.com
  ProxyPass        / https://1.2.3.4/
  ProxyPassReverse / https://1.2.3.4/
  ProxyPreserveHost On
  DocumentRoot /var/www/default
  SSLEngine on
  SSLProxyEngine on
  SSLProxyCheckPeerName Off
  SSLProxyCheckPeerCN Off
  ErrorLog "/var/log/apache2/proxy-error-prime-proxy-full.log"
  CustomLog "/var/log/apache2/proxy-access-prime-proxy-full.log" common
</VirtualHost>
```

Thank you a lot :)

Peter



Heya,

Here is a suggestion on how this could be achieved, but it would still need to be fully tested.

It sounds like you are dealing with a Single Sign-On (SSO) flow that includes a redirection to an internal domain which the client cannot resolve, and you would like to modify that redirect so that it points to a public domain instead.

If the redirect is initiated by the server that is behind the reverse proxy, then Apache’s mod_proxy module alone cannot solve your issue because the redirection is part of the HTTP payload, and mod_proxy does not modify the HTTP payload, it only passes it along.

Instead, you can use Apache’s mod_substitute module in combination with mod_proxy to rewrite the redirection URL in the HTTP payload.

Here is an example of how to do it:

```apache
<VirtualHost *:443>
  ServerName example.public.com

  # Enable the substitute module for the response bodies
  SetOutputFilter SUBSTITUTE

  # Replace the internal domain with the public one in response bodies
  # (mod_substitute filters the body, not headers such as Location)
  Substitute "s|example_server.private.com|example_server.public.com|n"

  ProxyPass        / https://1.2.3.4/
  ProxyPassReverse / https://1.2.3.4/
  ProxyPreserveHost On

  DocumentRoot /var/www/default
  SSLEngine on
  SSLProxyEngine on
  SSLProxyCheckPeerName Off
  SSLProxyCheckPeerCN Off

  ErrorLog "/var/log/apache2/proxy-error-prime-proxy-full.log"
  CustomLog "/var/log/apache2/proxy-access-prime-proxy-full.log" common
</VirtualHost>
```

This configuration will replace any occurrence of example_server.private.com with example_server.public.com in the HTTP response bodies.

Note: Apache mod_substitute is not the most performant module, especially for large payloads. Use with caution in production environments and always test your configuration thoroughly before applying it.

Remember to enable the module with a2enmod substitute and restart Apache with systemctl restart apache2 or the equivalent command on your system.

If the above solution doesn’t work for you or your use case is more complex, you might need to use a more sophisticated reverse proxy such as Nginx or a full-featured API Gateway that supports response rewriting out of the box.

As always, carefully consider the security implications of any configuration changes you make. Modifying HTTP payloads on-the-fly can potentially expose sensitive information if not done carefully.
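
Added example, not part of the answer above or of the poster's setup: an HTTP redirect names its target in the `Location` response header, which mod_headers can edit directly, and a second virtual host then publishes the SSO server under the public name. The second vhost, the DNS resolution it relies on and the CA bundle path are assumptions; hostnames and the backend IP are the thread's placeholders.

```apache
# Added example. Needs mod_headers (a2enmod headers) in addition to the
# proxy and ssl modules already in use.

<VirtualHost *:443>
  ServerName example.public.com
  SSLEngine on
  # SSLCertificateFile / SSLCertificateKeyFile as in the existing vhost

  SSLProxyEngine on
  # Kept from the thread's config: the backend is addressed by IP, and these
  # two lines switch off certificate name checks for it.
  SSLProxyCheckPeerName Off
  SSLProxyCheckPeerCN Off

  ProxyPreserveHost On
  ProxyPass        / https://1.2.3.4/
  ProxyPassReverse / https://1.2.3.4/

  # Rewrite only the redirect target. The ^ anchor leaves the public return
  # URL carried in the query string untouched, and response bodies are not
  # filtered at all.
  Header edit Location "^https://example_server\.private\.com/" "https://example_server.public.com/"
</VirtualHost>

# Assumption: example_server.public.com resolves to this proxy, and the proxy
# itself can resolve example_server.private.com.
<VirtualHost *:443>
  ServerName example_server.public.com
  SSLEngine on
  # SSLCertificateFile / SSLCertificateKeyFile for this name

  SSLProxyEngine on
  # Verify the SSO backend's certificate chain; the name checks
  # (SSLProxyCheckPeerName) stay at their default, which is on.
  SSLProxyVerify require
  # Hypothetical path to the internal CA bundle
  SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem

  ProxyPass        / https://example_server.private.com/
  # Maps Location headers naming the internal host back to this vhost
  ProxyPassReverse / https://example_server.private.com/
</VirtualHost>
```

Running `curl -sI https://example.public.com/` against the proxy shows whether the `Location` header now carries the public SSO name while the return URL in the query string is unchanged.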
