Not propperly routing in reversed proxy Laravel App - laravel

I have configurated an Apache Server which uses reverse proxy to show a web app developed in laravel and mounted in another apache web server. Let's say that the domain is myapp.app
Which works properly, but when I click to a subdomain, let's say myapp.app/register the browser returns myapp.appregister/.
At the moment I've configurated my webserver as it follows:
<IfModule mod_ssl.c>
<VirtualHost *:443>
SSLEngine On
ServerName myapp.app
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location "/">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Ssl on
RequestHeader set X-Url-Scheme https
</Location>
ProxyPreserveHost on
ProxyPass / http://172.31.0.234/
ProxyPassReverse / http://172.31.0.234/
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.redes-erdica.tech
SSLCertificateFile /***.pem
SSLCertificateKeyFile /***.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerName myapp.app
Redirect permanent / https://myapp.app/
</VirtualHost>
</IfModule>
And the config file for the inner apache server has no other configurations besides the location of the laravel Project. Some curious event that happens is that if I type manually myapp.app/register it sends me where it should be, so why the browser sends me in a wrong direct when I click in the register button?
In addition, the app in localserver works properly.

You need to modify the main configuration file located on the /etc/apache2 folder, you need to change the value of the section AllowOveride that points to the folder on which your aplication lives and change it like this:
<Directory [your_app_folder]
Options ...
AllowOverride All
Require ...
</Directory>

Related

Laravel routes behind reverse proxy generating wrong url

Let me explain my situation. I have a server that host five sites in www/html folder using the Apache 2 server but all of them run on PHP 5.4. I was asked to upload a system on this server, but it uses PHP 7+. The system is dockerized, so it contains their own container running php 7. So, I was thinking in use a reverse proxy to redirect the requests to docker container. Ok, I managed to do it. My container is running and I can access the system in production. But the system is broken, the static files and the routes are not being well formed.
This image shows the error in console. I just hid the IPs.
https://i.stack.imgur.com/5dvVe.png
This my Apache configuration in sites-available folder. I just added the Location tag to redirect for my container.
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
LimitRequestLine 16382
LimitRequestFieldSize 16382
Timeout 12000
AddDefaultCharset ISO-8859-1
SetEnv no-gzip 1
<Directory /var/www/html>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
</Directory>
<Location "/educar">
ProxyPreserveHost On
ProxyPass "http://localhost:8001/educar"
ProxyPassReverse "http://localhost:8001/educar"
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
This is my first question here, so I just apologized for any mistake.

Apache Multi-Site configuration with SSL - httpd-vhosts.conf , hosts table and .htaccess

My setting is done and it works. Is it the correct way?
I have a Windows server and I installed XAMPP on it. Different domain would point to different IP address to the server. Also, every site runs https on this server. I go through a lot of tutorials and set up self-signed cert to each site.
Then, I configed the server with below setting.
These config works but I am not sure is it secure enough. I afraid that I missed something important.
I need the site to be reachable by below URL:
http://sitea.com (Will redirect to https://sitea.com)
http://www.sitea.com (Will also redirect to https://sitea.com)
https://sitea.com (This great)
https://www.sitea.com (Will force to use non-www version due to program needed- https://sitea.com)
My configuration is listed below. May I ask if it is good enough or if I missed something?
C:\xampp\apache\conf\extra\httpd-vhosts.conf:
<VirtualHost 192.168.242.121:80>
ServerName sitea.com
ServerAlias www.sitea.com
Redirect permanent / https://sitea.com/
</VirtualHost>
<VirtualHost 192.168.242.121:443>
DocumentRoot "S:/websites/sitea/"
ServerName sitea.com
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)(.*) [NC]
RewriteRule (.*) https://%2%{REQUEST_URI} [L,R=301]
SSLEngine on
SSLCertificateFile "ssl/sitea.com/server.crt"
SSLCertificateKeyFile "ssl/sitea.com/server.key"
AccessFileName .htaccess
ErrorLog "S:/websites/sitea/logs/error.log"
CustomLog "S:/websites/sitea/logs/access.log" common
<Directory S:/websites/sitea/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
<VirtualHost 192.168.242.120:80>
ServerName siteb.com
ServerAlias www.siteb.com
Redirect permanent / https://siteb.com/
</VirtualHost>
<VirtualHost 192.168.242.120:443>
DocumentRoot "S:/websites/siteb/"
ServerName siteb.com
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)(.*) [NC]
RewriteRule (.*) https://%2%{REQUEST_URI} [L,R=301]
SSLEngine on
SSLCertificateFile "ssl/siteb.com/server.crt"
SSLCertificateKeyFile "ssl/siteb.com/server.key"
AccessFileName .htaccess
ErrorLog "S:/websites/siteb/logs/error.log"
CustomLog "S:/websites/siteb/logs/access.log" common
<Directory S:/websites/siteb/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
C:\Windows\System32\drivers\etc\hosts:
192.168.242.121 sitea.com www.sitea.com
192.168.242.120 siteb.com www.siteb.com
Thank you!
Enabling HTTPS on a website does not stop website vulnerabilities, it only secures data which is being transferred between the website server and client i.e. someone can not eaves drop on what the server and client are saying to each other. If a website has a vulnerability people will still be able to exploit it.
In your Apache configuration it looks like some of your apache configurations can be bypassed by accessing your website directly i.e. type it's IP address into a web browser. This would allow someone to bypass your mandated HTTPS for example. You should set up a redirect rule if you want to prevent against this.

Laravel api on apache2 ubuntu server 404 not found

I have a locally created laravel RESTFUL API and I deployed it on my ec2 ubuntu server using git.
I've set it like my main website.. /var/www/api.myapp.com/public_html/myapp-be and for its config I have this /etc/apache2/sites-available/api.myapp.com.conf.
Almost all blogs and tutorials that I found about deploying laravel on apache2 ubuntu server were almost the same and I've followed them all. However, when I test my API on postman with https://api.myapp.com/api/somefunctionhere it says 404 not found, The requested URL was not found on this server. Apache/2.4.29 (Ubuntu) Server at api.myapp.com port 443.
But when I test my local api on postman, it works fine, thus, I confirm that nothing is wrong with my laravel.
My config looks like this
<VirtualHost *:80>
<Directory /var/www/api.myapp.com/public_html/myapp-be/public/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
Require all granted
</Directory>
ServerAdmin developer#myapp.com
ServerName api.myapp.com
Redirect permanent / https://api.myapp.com/
ServerAlias api.myapp.com
DocumentRoot /var/www/api.myapp.com/public_html/myapp-be/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/error.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =api.myapp.com [OR]
RewriteCond %{SERVER_NAME} =api.myapp.com
RewriteRule ^ https://${SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
<Directory /var/www/api.myapp.com/public_html/myapp-be/public/>
AllowOverride All
</Directory>
ServerName api.myapp.com
DocumentRoot /var/www/api.myapp.com/public_html/myapp-be/public
</VirtualHost>
Is there a spot that I missed here? Obviously I missed a spot but I've been looking for it for almost 3hours already and still wont work.
Any idea guys? Thanks!
UPDATE: I tried adding /public to the prefix and it worked, I don't even know why it worked - https://api.myapp.com/public/api/somefunctionhere

Laravel route getting ruined when trying to reach HTTP request

Currently I have successfully setup my Laravel Passport API
Using Laravel 5.8.
I have this httpd-vhosts.conf config for my api
PORT: 80
<VirtualHost *:80>
ServerName <sub-domain>.<domain>.com
ServerAlias <sub-domain>.<domain>.com
Redirect permanent / https://<sub-domain>.<domain>.com
</VirtualHost>
PORT: 443
<VirtualHost *:443>
DocumentRoot "/opt/lampp/htdocs/api_tk/public"
<Directory "/opt/lampp/htdocs/api_tk/public">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ServerName <sub-domain>.<domain>.com
ServerAlias <sub-domain>.<domain>.com
ErrorLog "logs/API-error_log"
CustomLog "logs/API-access_log" common
ProxyPreserveHost On
ProxyRequests Off
ProxyPassMatch /fingerprint http://localhost:5000
ProxyPassReverse /fingerprint http://localhost:5000
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-FOrwarded-Port 443
SSLEngine on
SSLCertificateFile "/opt/lampp/htdocs/ssl_key/svs-file.crt"
SSLCertificateKeyFile "/opt/lampp/htdocs/ssl_key/private_new.key"
SSLCACertificateFile "/opt/lampp/htdocs/ssl_key/svs-bundle-file.crt"
</VirtualHost>
443 is working fine I can see my HTTPS SSL Lock sign on my browser
But
When I try to do HTTP request
Laravel API always getting ruined.
I have route like this
https://..com/api/login
and this is working fine
But when I tried to do HTTP request like this
http://<sub-domain>.<domain>.com/api/login
it always end up to
https://<sub-domain>.<domain>.comapi/login
Where the slash is missing. This is because of the redirect permanent on my PORT 80 config.
I have this route for my api. (api.php)
Route::middleware('auth:api')->get('/user', function (Request $request) {
return $request->user();
});
Route::post('/timekeeping','Auth\Api\AuthController#timekeeping');
Route::post('/login','Auth\Api\AuthController#login');
Route::middleware('auth:api')->group(function () {
Route::post('/timekeeping_app','Auth\Api\AuthController#timekeeping_app');
Route::post('/logout','Auth\Api\AuthController#logout');
Route::post('/register','Auth\Api\AuthController#register');
Route::post('/show_dtr_list','Auth\Api\AuthController#show_dtr_list');
Route::post('/update','Auth\Api\AuthController#update');
Route::post('/delete','Auth\Api\AuthController#delete');
Route::post('/search_user','Auth\Api\AuthController#search_user');
Route::get('/current_time','Auth\Api\AuthController#current_time');
});
How can I prevent this?
UPDATE
Tried to do edit my vhosts config like this
Redirect permanent "/" "https://<sub-domain>.<domain>.com/"
And
Redirect permanent / https://<sub-domain>.<domain>.com\/
But this gives me an output like this
try do add slash under your apache virtual host settings:
<VirtualHost *:80>
ServerName <sub-domain>.<domain>.com
ServerAlias <sub-domain>.<domain>.com
# fix below
Redirect permanent / https://<sub-domain>.<domain>.com/
</VirtualHost>

Https routes change to http after login

I'm using latest version of Laravel (5.3 at this time) and I have a simple app, nothing fancy, no JS framework.
I use Cloudflare (free) to have HTTPS.
I can access my app with https, but right after I login, I'm redirect to the non-https version.
Is there a way to tell Laravel to redirect to https, not http, after login?
Here is my LoginController setting for information.
protected $redirectTo = '/people';
I'd recommend you to make web server rewrite all HTTP requests to HTTPS. Here's an example of VH config for Apache:
<VirtualHost some.app:80>
ServerName some.app
Redirect permanent / https://some.app
</VirtualHost>
<VirtualHost some.app:443>
DocumentRoot "/home/project/public"
ServerName some.app
ServerAlias some.app
SSLEngine on
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
<Directory "/home/project/public">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

Resources