This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Sep 13, 2017, 7:59 PM
22 Posts

Configure Apache as reverse proxy for Domino

  • Category: Domino Server
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator,Developer
  • Tags: Reverse Proxy,Apache
  • Replies: 11

I have a Domino server inside the office firewall, so port 443 is directed to it.  I would like to serve other https sites.

I am testing inside the firewall for now.  I configured one Fedora 26 machine to reverse proxy for Nextcloud served from a second machine.  For this I use,

<VirtualHost gandalf.company.com:443>
   ServerAdmin root@company.com
   DocumentRoot /var/www/html/
   ErrorLog /var/log/httpd/error_log
   CustomLog /var/log/httpd/access_log combined
   LogLevel debug
   SSLEngine On
   # Set the path to SSL certificate
   # Usage: SSLCertificateFile /path/to/cert.pem
   SSLCertificateFile /etc/pki/tls/certs/company.crt
   SSLCertificateKeyFile /etc/pki/tls/private/company.key
   ProxyPreserveHost On
   ProxyPass / http://nextcloud.company.com/
   ProxyPassReverse / http://nextcloud.company.com/
   ServerName gandalf.company.com:443
</VirtualHost>

Using https://gandalf.company.com/nextcloud I can get the Nextcloud on second machine.  Second machine is called Nextcloud.

I followed instructions from here,

https://www.experts-exchange.com/questions/24653172/reverse-proxy-for-domino-with-ssl-configuration.html

My configuration is,

<VirtualHost office.company.com:443>

   ServerName webmail.company.com
   ProxyRequests Off
   ProxyPreserveHost On
   ProxyPass / http://webmail.company.com/
   ProxyPassReverse / http//webmail.company.com/
   LogLevel debug
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/company.crt
   SSLCertificateKeyFile /etc/pki/tls/private/company.key
   DocumentRoot /var/www/html
   Errorlog /var/log/domino-error.log
   CustomLog /var/log/domino-access_log combined

   SSLProxyEngine on
   SetOutputFilter proxy-html
   #ProxyHTMLURLMap / /
   RequestHeader unset Accept-Encoding

</VirtualHost>

The machine 'office' is the same machine as 'gandalf'.  Normally to get to email, we use,

https://webmail.company.com

This gives the login screen, which redirects to the correct user's email database.

Now I use https://office.company.com hoping to get to https://webmail.company.com.  I did remove the Nextcloud configuration and restarted httpd, yet this URL gets me to the directory location showing the Nextcloud directory (it does not open the Nextcloud site).


Clearly I am missing something.  Is anyone able to set me straight?


Thank you,

Durwin

Sep 14, 2017, 12:56 AM
2 Posts
Apache reverse proxy for Domino
Have you configured your DNS so that Apache can resolve the Domino server?

Here are some instructions I used before when I was reverse proxy-ing domino with Apache. Later I moved on to nginx. Some examples follow. I was not using SSL, but I don't think your problem is SSL-related so perhaps this will help.


1. Make sure internal DNS is set up to allow your apache proxy server to properly resolve the real webserver for the website you are reverse proxy-ing
2. Enable the apache modules proxy, proxy_http, proxy_html, headers
3. Create a new apache virtual host
4. Add the www to the alternate virtual server names
5. Add the following code to the virtual host's directives file:

ProxyPass / http://yourdomain.com/
ProxyPassReverse / http://yourdomain.com/
<Proxy *>
allow from all
</Proxy>

6. Apply changes to apache: "apachectl graceful" command
7. Test!

ServerName blog.company.com
ProxyPass / http://blog.company.com/
ProxyPassReverse / http://blog.company.com/
<Proxy *>
allow from all
</Proxy>

ServerName company.com
ProxyPass / http://company.com/
ProxyPassReverse / http://company.com/
<Proxy *>
allow from all
</Proxy>
ServerAlias www.company.com

Sep 14, 2017, 8:53 PM
22 Posts
Apache reverse proxy for Domino

All the domains involved are correctly resolved in DNS.

I was missing proxy_html.  I installed it with no improvement.  I assume 'headers' was httpd_devel.  I installed it; again no improvement.

I don't understand 'Create a new apache virtual host'.  As for adding www to it, my www.company.com resolves to a hosted service outside the firewall.

As for adding the code, I was only missing,

<Proxy *>
allow from all
</Proxy>

which I added, again no improvement.

In my virtualhost office.company.com I have commented out

#ProxyHTMLURLMap / /

I got an error with it uncommented.  I do not know what should be there.

What I find odd is, as I first mentioned, I created a reverse proxy for 'Nextcloud'.  This worked.  To prevent any conflicts, I removed the configuration for it before trying Domino proxy.  Yet when I go to https://office.company.com, I get to the 'Nextcloud' 'file system'.  It shows the directory 'nextcloud' in the browser.  office.company.com *is* the machine where 'Nextcloud' is.  It is also where the reverse proxy is running.  But it is not mapping to webmail.company.com.  Is this perhaps where I need to use ProxyHTMLURLMap?  If so, how?


Thank you

Sep 15, 2017, 2:22 AM
2 Posts
simplification
I noticed a syntax error in your Virtual Host config on the ProxyPassReverse line. Maybe it was just a typo when you put it here in the forum. If not, you should correct it and re-read your apache config (apachectl graceful).

<VirtualHost office.company.com:443>

   ServerName webmail.company.com
   ProxyRequests Off
   ProxyPreserveHost On
   ProxyPass / http://webmail.company.com/
   ProxyPassReverse / http//webmail.company.com/

   LogLevel debug
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/company.crt
   SSLCertificateKeyFile /etc/pki/tls/private/company.key
   DocumentRoot /var/www/html
   Errorlog /var/log/domino-error.log
   CustomLog /var/log/domino-access_log combined

   SSLProxyEngine on
   SetOutputFilter proxy-html
   #ProxyHTMLURLMap / /
   RequestHeader unset Accept-Encoding

</VirtualHost>

If that's not it, I'd recommend eliminating as much as possible to get down to the bottom of what's going on. Check the basics. (Just like hardware troubleshooting by removing everything not absolutely critical to turning it on.)


First, open the browser on your Fedora Apache server. Browse to webmail.company.com. Do you get Domino? If not, then fix the networking/DNS/whatever is needed to make that happen. Without that, nothing else will work.


Second, start with a simple config. Reverse proxying is very simple in how it works. Only six lines between the VirtualHost bracket lines like I gave in my blog example. Don't use SSL yet. Open port 80 on your firewall while testing if needed.

One by one, add in your other parameters/features as needed/desired. Don't forget to re-read your config after each change. Eventually, you'll find your gremlin.


Also, I recommend testing from outside your firewall. Tor browser is good for this.

Sep 15, 2017, 2:58 PM
22 Posts
Apache reverse proxy for Domino

Thank you.  You did find an error in the config.  I corrected it.  However, there is no improvement.

Your suggestions are very logical.

From the proxy machine (gandalf/office) I *did* connect to https://webmail.company.com.  I got the Domino login screen.

This config *does* get me to Nextcloud.

<VirtualHost gandalf.company.com:443>
   ServerAdmin root@company.com
   DocumentRoot /var/www/html/
   ErrorLog /var/log/httpd/error_log
   CustomLog /var/log/httpd/access_log combined
   LogLevel debug
   SSLEngine On
   # Set the path to SSL certificate
   # Usage: SSLCertificateFile /path/to/cert.pem
   SSLCertificateFile /etc/pki/tls/certs/company.crt
   SSLCertificateKeyFile /etc/pki/tls/private/company.key
   ProxyPreserveHost On
   ProxyPass / http://nextcloud.company.com/
   ProxyPassReverse / http://nextcloud.company.com/
   ServerName gandalf.company.com:443
</VirtualHost>

So I copied it to proxy-ssl-webmail.conf and changed 4 lines.

<VirtualHost office.company.com:443>
   ServerAdmin root@company.com
   DocumentRoot /var/www/html/
   ErrorLog /var/log/httpd/error_log
   CustomLog /var/log/httpd/access_log combined
   LogLevel debug
   SSLEngine On
   # Set the path to SSL certificate
   # Usage: SSLCertificateFile /path/to/cert.pem
   SSLCertificateFile /etc/pki/tls/certs/company.crt
   SSLCertificateKeyFile /etc/pki/tls/private/company.key
   ProxyPreserveHost On
   ProxyPass / http://webmail.company.com/
   ProxyPassReverse / http://webmail.company.com/
   ServerName office.company.com:443

</VirtualHost>

But using https://office.company.com *still* sends me to the nextcloud folder.


Thank you.

Sep 28, 2017, 6:42 PM
22 Posts
Apache reverse proxy for Domino

I used this reference and got some false hope.

Apache as a reverse proxy for IBM Domino iNotes with home server redirection


I used this config.

ProxyRequests off

SSLSessionCache "shmcb:logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost herc1.company.com:443>

# Site info
ServerName herc1.company.com
ServerAlias herc1.company.com
ServerAdmin root@company.com

# Rewrite engine on
RewriteEngine On
RewriteOptions Inherit

# Enable SSL
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/pki/tls/certs/company.crt
SSLCertificateKeyFile /etc/pki/tls/private/company.key

# Log filenames
ErrorLog /var/log/httpd/error-inotes-redirect
CustomLog /var/log/httpd/access-inotes-redirect common

LogLevel warn

# The iNotes Specific configurations comes after this line
# Rule 1: Read domino server name from first access to the mail
# directory, save it to the cookie and redirect to the mail server
RewriteCond %{REQUEST_URI} ^/(.*)/mail
RewriteRule /(.*)/mail/(.*) http://$1.company.com/mail/$2 [P,CO=iNotesServer:$1:.company.com]

# Rule 2: If cookie is set, use it to rewrite rules for iNotes generated
# URLs for the server defined in the cookie iNotesServer
RewriteCond %{REQUEST_URI} ^/
RewriteCond %{HTTP_COOKIE} ^.*iNotesServer=([^;]+)
RewriteRule /(.*) http://%1.company.com/$1 [P]

# Rule 3: if no cookie set, on first access on the iNotes iwaredir.nsf
RewriteCond %{REQUEST_URI} ^/
RewriteRule /(.*) http://webmail.company.com/$1 [P]

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

ProxyPassReverse /webmail/mail/ http://webmail.company.com/mail/
ProxyPassReverse / http://webmail.company.com/

</VirtualHost>


On the LAN, I got to the Domino server.  But that is only because it rewrote the url.  It does not truly act as a proxy (all web traffic going through the proxy server).

Outside the firewall, after changing the https port to the address of the proxy machine (in this case the 'herc1' machine), and using https://office.company.com, I still could not connect to the Domino server.

Thank you,

Durwin

Sep 28, 2017, 11:39 PM
326 Posts
I tried

When I tried, I got to the server.  If you have domlog.nsf you should see the attempt.


You need to try from an outside connection.  I take it you have a common LTPA token from the first server to the mail servers?  Why not do small steps and see if you get to the first server, and then open the redirect db manually by taking out redirect.nsf as the default db and using a db that requires authentication.

This is the source for the page I got


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script language="JavaScript" type="text/javascript">
<!-- 
function setFormFocus() {
	document.forms[0].Username.focus(); 
	document.forms[0].Username.select();
}

function getCookieVal (offset) {
  var endstr = document.cookie.indexOf (";", offset);
  if (endstr == -1)
    endstr = document.cookie.length;
  return unescape(document.cookie.substring(offset, endstr));
}

function GetCookie (name) {
  var arg = name + "=";
  var alen = arg.length;
  var clen = document.cookie.length;
  var i = 0;
  while (i < clen) {
    var j = i + alen;
    if (document.cookie.substring(i, j) == arg)
      return getCookieVal (j);
    i = document.cookie.indexOf(" ", i) + 1;
    if (i == 0) break; 
  }
  return null;
}

function SetCookie (name,value,expires,path,domain,secure) {
  document.cookie = name + "=" + escape (value) +
    ((expires) ? "; expires=" + expires.toGMTString() : "") +
    ((path) ? "; path=" + path : "") +
    ((domain) ? "; domain=" + domain : "") +
    ((secure) ? "; secure" : "");
}

function DeleteCookie (name,path,domain) {
  if (GetCookie(name)) {
    document.cookie = name + "=" +
      ((path) ? "; path=" + path : "") +
      ((domain) ? "; domain=" + domain : "") +
      "; expires=Thu, 01-Jan-70 00:00:01 GMT";
  }
}
// -->
</script>
</head>
<body text="#000000" bgcolor="#FFFFFF" onload="setFormFocus();" onload="DeleteCookie (&quot;TRUserName&quot;, &quot;/&quot;)">

<form onsubmit="var expdate = new Date ();
expdate.setTime (expdate.getTime()); // 24 hrs from now 
SetCookie(&quot;TRUserName&quot;, document.forms[0].Username.value, null, &quot;/&quot;);
//SetCookie(&quot;password&quot;, document.forms[0].Password.value);
//msgWindow=window.open(&quot;&quot;,&quot;displayWindow&quot;,&quot;menubar=no&quot;)
//msgWindow.document.write(&quot;&lt;HEAD&gt;&lt;TITLE&gt;Message window&lt;/TITLE&gt;&lt;/HEAD&gt;&quot;)
//msgWindow.document.write(&quot;&lt;CENTER&gt;&lt;BIG&gt;&lt;B&gt;Hello, world!&lt;/B&gt;&lt;/BIG&gt;&lt;/CENTER&gt;&quot;)
//msgWindow.document.write(GetCookie(&quot;TRUserName&quot;))

return true;" method="post" action="/names.nsf?Login" name="_MgtLogin">
<input type="hidden" name="%%ModDate" value="0000000000000000"><div align="center">
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="top"><td width="628" bgcolor="#FFC0B6" colspan="4" valign="middle"><font size="4"> </font><div align="center"><b><font size="6">TeamRoom Login</font></b>
<p>Please enter your Username and Password</div><br>

<p><font size="4"> </font></td></tr>

<tr valign="top"><td width="628" bgcolor="#FFC0B6" colspan="4" valign="middle"><font size="4"> </font></td></tr>

<tr valign="top"><td width="97" bgcolor="#FFC0B6" valign="middle"><img width="1" height="1" src="/icons/ecblank.gif" border="0" alt=""></td><td width="191" bgcolor="#FFC0B6"><div align="right"> Username<font size="4">  </font></div></td><td width="241" bgcolor="#FFC0B6" valign="middle">
<input name="Username" value="" maxlength=256></td><td width="98" bgcolor="#FFC0B6" valign="middle"><font size="4"> </font></td></tr>

<tr valign="top"><td width="97" bgcolor="#FFC0B6" valign="middle"><img width="1" height="1" src="/icons/ecblank.gif" border="0" alt=""></td><td width="191" bgcolor="#FFC0B6"><div align="right">Password<font size="4">  </font></div></td><td width="241" bgcolor="#FFC0B6" valign="middle">
<input name="Password" value="" type="password" maxlength=256></td><td width="98" bgcolor="#FFC0B6" valign="middle"><font size="4"> </font></td></tr>

<tr valign="top"><td width="628" bgcolor="#FFC0B6" colspan="4" valign="middle"><font size="4"> </font></td></tr>

<tr valign="top"><td width="97" bgcolor="#FFC0B6" valign="middle"><font size="4"> </font></td><td width="432" bgcolor="#FFC0B6" colspan="2" valign="middle"><div align="center">
<input type="submit" value="Login"></div></td><td width="98" bgcolor="#FFC0B6" valign="middle"><font size="4"> </font></td></tr>

<tr valign="top"><td width="628" bgcolor="#FFC0B6" colspan="4" valign="middle"><div align="center"><font size="4"> If you forget your password, contact us below.</font><br>
</div><br>
<div align="center">
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="top"><td width="75"><div align="center"><img src="/domcfg.nsf/139cc16bf33ba28c87257233006ff9a0/$Body/0.E86?OpenElement&amp;FieldElemFormat=gif" width="74" height="62"></div></td><td width="182"><div align="center"><font size="2">Management Sciences, Inc.</font><br>
<font size="2">6022 Constitution Ave.  NE</font><br>
<font size="2">Albuquerque, NM  87110</font><br>
<font size="2">Office:   (505) 255-8611</font><br>
<font size="2">Fax:   (505) 268-6696</font><br>
<font size="2">Email:  </font><a href="mailto:support@mgtsciences.com"><u><font size="2" color="#0000FF">Management Sciences, Inc.</font></u></a></div></td><td width="75"><div align="center"><img src="/domcfg.nsf/139cc16bf33ba28c87257233006ff9a0/$Body/0.198E?OpenElement&amp;FieldElemFormat=gif" width="74" height="62"></div></td></tr>
</table>
</div></td></tr>
</table>
</div><br>

<input name="RedirectTo" value="/redirect.nsf/Mailredir?OpenForm" type=hidden></form>
</body>
</html>


Sep 29, 2017, 2:54 PM
22 Posts
Apache reverse proxy for Domino

Thank you for your reply.  It is not that simple.  I can't leave the firewall pointing to the proxy as there might be someone needing to use webmail.  For my testing, I change the firewall, test (using a mobile hotspot), then restore the setting.  The code you posted is the redirect.nsf.

I do not know about ltpa.  I am just trying to proxy https traffic from proxy machine to Domino server.

I do have one configuration (it is listed here in one of my posts) that does work.  It is Nextcloud.  Accessing it from outside firewall (after changing the firewall to direct https traffic to proxy), it *does* send https traffic to Nextcloud machine which is a third machine.  This occurs without rewriting url.

So I do have a proxy configuration which works when the destination is another Apache server.  The problem is when destination is Domino.

Can Domino 'Internet Site' document be configured to reverse proxy?  Can an Internet site document be configured to route traffic to an Apache server running on a different machine?


Thank you,

Durwin

Sep 29, 2017, 6:48 PM
326 Posts
clarify

You are getting to the Domino server.  That is what is prompting you for authentication.  As for LTPA tokens, you need a common LTPA token on the Domino servers so that once you authenticate you won't need to reauthenticate.


https://www-10.lotus.com/ldd/dominowiki.nsf/dx/Configuring_single_sign-on_with_an_LTPA_token_on_IBM_WebSphere_and_IBM_Lotus_Domino_platforms


If you try the login server inside, are you automatically redirected over to the mail server?  If so, LTPA is set up.  Did you enable domlog on the authentication server and see what the URL is that you are coming in as?

Oct 3, 2017, 7:17 PM
22 Posts
domlog

For this test I redirected firewall ports 80 and 443 to proxy server (172.23.93.248, normally it is directed to mailserver).

Using a browser on a laptop connected to a mobile hotspot I used https://office.company.com.  Before the firewall change this would get me directly to the mailserver.  Because of the change, it is being directed to the proxy server.

The proxy server should proxy for mailserver.  The browser gets error INET_E_REDIRECT_FAILED.  Domlog shows this.

=============

HTTP Request:    
Server Address:    webmail.company.com
Date:    10/03/2017 01:05:55 PM
    
User Address:    172.23.93.248 (this is the proxy server)
Authenticated User:    -
User Agent:    Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Cookie:    
    
Request:    GET / HTTP/1.1
Status:    302 FOUND (The data requested has a different URL temporarily)
    
Content Length:    0 bytes
Content Type:    
Process Time:    0 ms
Error:    
    
Translated URI:    
Translated Request:    webmail.company.com/
Decoded Query:    
    
Referring URL:    
Decoded Query:    

=================


The Apache configuration for the site is this, where office is the proxy server, and webmail is mailserver on Domino server.


ProxyRequests off

SSLSessionCache "shmcb:logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost office.company.com:443>

# Site info
ServerName office.company.com
ServerAlias office.company.com
ServerAdmin root@company.com

# Rewrite engine on
RewriteEngine On
RewriteOptions Inherit

# Enable SSL
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/pki/tls/certs/company.crt
SSLCertificateKeyFile /etc/pki/tls/private/company.key

# Log filenames
ErrorLog /var/log/httpd/error-inotes-redirect
CustomLog /var/log/httpd/access-inotes-redirect common

LogLevel warn

# The iNotes Specific configurations comes after this line
# Rule 1: Read domino server name from first access to the mail
# directory, save it to the cookie and redirect to the mail server
RewriteCond %{REQUEST_URI} ^/(.*)/mail
RewriteRule /(.*)/mail/(.*) http://$1.company.com/mail/$2 [P,CO=iNotesServer:$1:.company.com]

# Rule 2: If cookie is set, use it to rewrite rules for iNotes generated
# URLs for the server defined in the cookie iNotesServer
RewriteCond %{REQUEST_URI} ^/
RewriteCond %{HTTP_COOKIE} ^.*iNotesServer=([^;]+)
RewriteRule /(.*) http://%1.company.com/$1 [P]

# Rule 3: if no cookie set, on first access on the iNotes iwaredir.nsf
RewriteCond %{REQUEST_URI} ^/
RewriteRule /(.*) http://webmail.company.com/$1 [P]

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

ProxyPassReverse /webmail/mail/ http://webmail.company.com/mail/
ProxyPassReverse / http://webmail.company.com/

</VirtualHost>


Thank you,


Durwin
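
The domlog entry in this post shows Domino answering the proxied GET / with a 302, so the next thing to look at is what the proxy does to that redirect's Location header before it reaches the browser. The following is an added example, not code from the thread, that models the documented ProxyPassReverse behaviour (prefix match on the backend URL, first matching directive wins, case-insensitive host compare) for the two ProxyPassReverse entries in the office.company.com vhost; the public base https://office.company.com and the sample Location values are assumptions constructed for the demonstration.

```python
"""Model of how Apache's ProxyPassReverse rewrites a backend 302 Location
header, using the two directives from the office.company.com vhost.
Added example, not code from the thread; the matching rules are an
assumption based on mod_proxy's documented behaviour."""
from urllib.parse import urlsplit

# ProxyPassReverse entries as listed in the vhost (frontend path, backend
# URL), in configuration order.
PROXY_PASS_REVERSE = [
    ("/webmail/mail/", "http://webmail.company.com/mail/"),
    ("/", "http://webmail.company.com/"),
]

# Scheme and host of the vhost the client actually connected to (assumed).
PUBLIC_BASE = "https://office.company.com"


def reverse_map(location, entries=PROXY_PASS_REVERSE, public_base=PUBLIC_BASE):
    """Return the Location value the client will see.

    Apache rewrites the header only when it begins with one of the configured
    backend URLs (compared case-insensitively); the first matching entry wins.
    Anything else passes through unchanged."""
    for front_path, backend in entries:
        if location[:len(backend)].lower() == backend.lower():
            return public_base + front_path + location[len(backend):]
    return location


def leaks_backend(location, public_base=PUBLIC_BASE):
    """True when an absolute redirect still names a host other than the public
    proxy host, so the browser would leave the proxy and try to reach the
    backend name directly from wherever it is."""
    parts = urlsplit(location)
    if not parts.scheme:   # a relative Location stays on the current host
        return False
    return (parts.scheme + "://" + parts.netloc).lower() != public_base.lower()


def audit(locations):
    """Map each backend Location to (client-visible Location, leaks?)."""
    return {loc: (reverse_map(loc), leaks_backend(reverse_map(loc)))
            for loc in locations}


if __name__ == "__main__":
    # Constructed sample Location values; the paths names.nsf?Login and
    # redirect.nsf/Mailredir?OpenForm are taken from the login page source.
    samples = [
        "http://webmail.company.com/names.nsf?Login",
        "http://webmail.company.com/mail/durwin.nsf",
        "https://webmail.company.com/names.nsf?Login",   # scheme differs
        "/redirect.nsf/Mailredir?OpenForm",               # relative
    ]
    for loc, (seen, leak) in audit(samples).items():
        flag = "LEAKS BACKEND HOST" if leak else "ok"
        print(f"{loc}\n  -> {seen}  [{flag}]")
```

A Location that survives unrewritten (for example because Domino redirects with a scheme or host that does not match the configured backend prefix exactly) is the first thing to compare against the browser's redirect error.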

Oct 3, 2017, 10:00 PM
326 Posts
Question

I get a teamroom login screen.  What happens when you enter proper credentials?  Does it then fail on the redirect db?  Does it work when you try it internally and authenticate to the teamroom login and then get sent over to the redirect db?

Oct 4, 2017, 2:15 PM
22 Posts
Teamroom login

I can't leave the firewall directed to the proxy server.  When I am ready to test, I forward the port to the proxy server; after the test, I forward it back to the mailserver.  That is why you get the teamroom login.  My tests last only a few minutes at most.

