Topic: Can Apache forward requests to different servers?
Carlius



Joined: 16 Sep 2014
Posts: 5
Location: Stockholm, Sweden

Posted: Tue 16 Sep '14 14:49

We have an Apache acting as a reverse-proxy and listening on the Internet ("Our URL" on port 443).

We would have two ways of accessing this reverse-proxy:
• From a mobile app (authentication would be based on a corporate certificate)
• From any browser (authentication would be a login form)



The question is: can Apache forward requests to either server 1 or server 2, depending on whether a certificate is sent by the client?

If a certificate is sent, then Apache checks it. We know the request comes from the mobile app, so we redirect web requests to Server 1. If there is no certificate, then the request comes from a computer, and we redirect web requests to Server 2.


Thanks so much for your help!
/Carl
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Tue 16 Sep '14 16:43

Have a look at
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#arbitraryclients
and
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#certauthenticate

That's not a solution out of the box, but you will find the useful definitions.

Greets
JR
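
Added example, not part of the thread or of any poster's configuration: one way to combine the two documented building blocks linked above so that a single URL on port 443 is proxied to Server 1 when a client certificate verified against the corporate CA was presented, and to Server 2 otherwise. The hostnames, ports and file paths are placeholders, and mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http are assumed to be loaded.

```apache
# Added example; every hostname, port and file path here is a placeholder.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    "/path/to/server.crt"
    SSLCertificateKeyFile "/path/to/server.key"

    # Request a client certificate in the initial handshake, but let clients
    # without one (ordinary browsers) connect as well.
    SSLVerifyClient optional
    # Assumption: app certificates are issued directly by the corporate CA.
    SSLVerifyDepth  1
    # Trust only the corporate CA for client certificates.
    SSLCACertificateFile "/path/to/corporate-ca.crt"

    RewriteEngine On

    # mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when a certificate was
    # presented and verified against the CA above. The other documented
    # values are NONE, GENEROUS and FAILED:reason.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
    RewriteRule ^/(.*)$ http://server1.internal.example:8080/$1 [P,L]

    # Everything else: no verified certificate, so the login-form backend.
    RewriteRule ^/(.*)$ http://server2.internal.example:8080/$1 [P,L]

    # Rewrite Location headers in backend responses back to the public URL.
    ProxyPassReverse / http://server1.internal.example:8080/
    ProxyPassReverse / http://server2.internal.example:8080/
</VirtualHost>
```

The routing decision rests on the TLS handshake rather than on anything the client writes into the request, so Server 1 should accept connections only from the proxy.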
Carlius



Joined: 16 Sep 2014
Posts: 5
Location: Stockholm, Sweden

Posted: Tue 16 Sep '14 17:00

Thanks for info jraute!

This is good info, however our problem remains :( We have the same URL so we need to forward the request based on something else.
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Tue 16 Sep '14 17:01

Why not use different locations?
server.mydomain.com/data (without client certificate)
server.mydomain.com/data_2 (with client certificate)
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Wed 17 Sep '14 8:08

Another thing would be to identify the device and to "route" the request depending on device type or browser type or whatever, but I am not an expert in these things.

There are several examples at http://detectmobilebrowsers.com/ of how to do that.
For Apache see:

Code:
RewriteEngine On
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} (android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\ |maemo|midp|mmp|mobile.+firefox|netfront|opera\ m(ob|in)i|palm(\ os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows\ ce|xda|xiino [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a\ wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r\ |s\ )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1\ u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp(\ i|ip)|hs\-c|ht(c(\-|\ |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac(\ |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt(\ |\/)|klon|kpt\ |kwc\-|kyo(c|k)|le(no|xi)|lg(\ g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-|\ |o|v)|zz)|mt(50|p1|v\ )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v\ )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-|\ )|webc|whit|wi(g\ |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-) [NC]
RewriteRule ^$ http://yourdomain.com/mobile [R,L]
Carlius



Joined: 16 Sep 2014
Posts: 5
Location: Stockholm, Sweden

Posted: Wed 17 Sep '14 10:54

Thanks so much Jraute for your input!

Good point, but detecting mobile devices through a user-agent is not secure enough for us :/

Regarding virtual folders, we would get an awful lot of rewriting issues which we don't know if we can handle. We'll test it, but I'm skeptical that this is the best way to do it.
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Wed 17 Sep '14 11:36

Carlius wrote:

Good point, but detecting mobile devices through a user-agent is not secure enough for us :/


I agree 100%, but the idea was to use the script in combination with your httpd-vhosts.conf to route the mobile devices to that host, which requires the certificate.

If you are afraid of having mobiles connecting to the other host without a certificate, well ;) you should be afraid of MITM and all the other worst case scenarios first.

But let us ask the experts - Steffen and James Blond ...
Carlius



Joined: 16 Sep 2014
Posts: 5
Location: Stockholm, Sweden

Posted: Wed 24 Sep '14 10:51

Hi again jraute,

Do you think Steffen or James Blond has seen the question? Is there a way of sending a PM to them?
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3058
Location: Hilversum, NL, EU

Posted: Wed 24 Sep '14 11:23

Carlius wrote:

Good point, but detecting mobile devices through a user-agent is not secure enough for us :/

Agree. I have no answer.

I know Enterprise solutions for secure dealing with mobile devices, like http://www1.good.com/secure-mobility-solution/mobile-identity-and-access-management.html
Carlius



Joined: 16 Sep 2014
Posts: 5
Location: Stockholm, Sweden

Posted: Wed 24 Sep '14 16:38

Okay, I'm sorry to hear it. I don't think we can use an expensive MDM solution.

Thanks for the help anyways. If you by any chance come up with something, please let me know.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg

Posted: Wed 24 Sep '14 21:40

Well, usually I use a default page for all clients. That page contains a PHP script which redirects the client to its specific page. Obviously that first page is on http.
But since it is a custom mobile app, can't you add a query to the URL which tells Apache that it is a valid client?