I'm using httpd mod_proxy to set up a CORS proxy, similar in spirit to thingproxy or crossorigin.me. I've gotten as far as
SSLProxyEngine on
<LocationMatch "^/corsproxy/(https?)://([^/]+)/(.*)$"> ProxyPassMatch "$1://$2/$3" Header set Access-Control-Allow-Origin "" Header unset X-Frame-Options
</LocationMatch>This works, in that you can visit and it loads successfully. The problem is, redirects still point directly to example.com, not to the equivalent proxied URL.
That's where ProxyPassMatch comes in, but I don't believe it is able to do regex matches against the target URL, so I can't extract the protocol, hostname, and path, as I did in LocationMatch. Is there a workaround for this? Maybe something I can do with mod_rewrite?
Before the comments show up: yes, I'm aware of the security ramifications, and yes, I'd like to try to do this entirely inside httpd instead of running a tool like the ones I linked to at the beginning of the question, since they introduce external dependencies (in both cases, NodeJS).
1 Answer
I'm not sure what else ProxyPassReverse normally does, but just for redirects I was able to use a Header edit directive:
Header edit Location ^http://(.+)$ "/corsproxy/"
Header edit Location ^https://(.+)$ "/corsproxy/"I played with using a single line instead of two but ran into some strange behavior and it wasn't worth tracking it down. I'd still like to know if there are other edge cases I might not be covering with this approach.
