Tags: https, varnish, varnish-vcl

Varnish to Hitch HTTPS service


A web server was built on the internal network (no internet connection). It must be accessible to both internal users and external (public) users. This is a situation where the web server cannot be built in the DMZ area. The Varnish Cache server is located in the DMZ area and is connected to the Internet; external (Internet) requests are received through that Varnish Cache and passed on to the internal service.

When requesting over HTTP, all requests work normally.

Static files such as CSS, JS, images, etc. load normally when requesting over HTTPS.

All dynamic content responds with 403.

I need a hint to see what could be the cause.

Varnish installed, default.vcl edited (settings shown in image). Hitch installed, hitch.conf edited (settings shown in image).

Apache setting:

    LoadModule headers_module modules/mod_headers.so
    Header set Access-Control-Allow-Origin "*"

Tomcat setting: CORS setting.

I want all https requests to work normally.


Solution

  • I'm interpreting this issue as a CORS issue or potentially a mixed content issue. I'm also assuming your backend application has no awareness of the HTTPS connection.

    The solution I would suggest is twofold:

    == PROXY protocol

    The PROXY protocol is a protocol that was invented by HAProxy. It adds a TCP preamble that contains connection information of the original client connection and transfers this across the various nodes in the chain.

    See https://www.varnish-software.com/developers/tutorials/proxy-protocol-varnish for a tutorial about the PROXY protocol in Varnish.

    See https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch/#proxy-protocol-settings for a tutorial on how to configure Hitch with PROXY support.

    See https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch/#retrieve-tls-information-with-vmod_proxy for an example on how to detect TLS support in VCL using vmod_proxy.

    For your convenience, here's the snippet:

    vcl 4.1;
    
    # vmod_proxy exposes the TLS details carried in the PROXY protocol preamble
    import proxy;
    
    backend default {
        .host = "127.0.0.1";
        .port = "8080";
    }
    
    sub vcl_recv {
        # Only set the header if it was not already present on the request
        if (!req.http.X-Forwarded-Proto) {
            # proxy.is_ssl() is true when the PROXY preamble (from Hitch) says the
            # client connection was TLS; it is only meaningful on a PROXY listener
            if (proxy.is_ssl()) {
                set req.http.X-Forwarded-Proto = "https";
            } else {
                set req.http.X-Forwarded-Proto = "http";
            }
        }
    }
    

    My final assumption is that your backend application understands the X-Forwarded-Proto header and uses it to create https:// URLs rather than http:// when HTTPS is used.

    If your application doesn't support X-Forwarded-Proto, you might be able to use the following tricks in Apache:

    SetEnvIf X-Forwarded-Proto "https" HTTPS=on
    

    This will enable the HTTPS environment variable when X-Forwarded-Proto is set to https. But I'm not 100% sure your application will support this.
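As an added example (not part of the question or the answer above, and not Varnish or Hitch code), the following Python script parses the PROXY protocol v2 preamble that Hitch can send in front of each connection, to show concretely what "connection information" the preamble carries (client and server addresses, whether the client connection was TLS, and the TLS version) and how a front proxy can derive X-Forwarded-Proto from that preamble alone. The function and variable names (build_proxy_v2, parse_proxy_v2, set_forwarded_proto) and the sample addresses are my own; the byte layout follows the PROXY protocol specification for version 2 with a PP2_TYPE_SSL TLV and a PP2_SUBTYPE_SSL_VERSION sub-TLV. Unlike the VCL snippet in the answer, which keeps an X-Forwarded-Proto header that already arrived on the request, set_forwarded_proto always overwrites the header from the preamble, so a value supplied by the client is never passed to the backend.

```python
"""Parse a PROXY protocol v2 preamble and derive X-Forwarded-Proto from it.

Added example; not code from the question, the answer, Varnish or Hitch.
The sample bytes are constructed by build_proxy_v2() below (real Hitch output
carries further TLVs that this parser simply skips).
"""
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte fixed signature
PP2_TYPE_SSL = 0x20                         # TLV: TLS information
PP2_SUBTYPE_SSL_VERSION = 0x21              # sub-TLV: TLS version string
PP2_CLIENT_SSL = 0x01                       # flag: client connected over TLS


def build_proxy_v2(src, dst, tls_version=None):
    """Construct a v2 PROXY header for TCP over IPv4 (sample input only)."""
    src_ip, src_port = src
    dst_ip, dst_port = dst
    body = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    body += struct.pack("!HH", src_port, dst_port)
    if tls_version is not None:
        # PP2_TYPE_SSL value: client flags (1 byte), verify result (4 bytes),
        # then sub-TLVs; here a single PP2_SUBTYPE_SSL_VERSION sub-TLV.
        sub = struct.pack("!BH", PP2_SUBTYPE_SSL_VERSION, len(tls_version))
        sub += tls_version.encode()
        ssl_val = struct.pack("!BI", PP2_CLIENT_SSL, 0) + sub
        body += struct.pack("!BH", PP2_TYPE_SSL, len(ssl_val)) + ssl_val
    # 0x21 = version 2 + PROXY command, 0x11 = TCP over IPv4
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body


def parse_proxy_v2(data):
    """Return the connection info in a v2 PROXY header plus the payload offset."""
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    if ver_cmd & 0x0F != 0x01:
        raise ValueError("LOCAL command: no client address carried")
    if fam_proto != 0x11:
        raise ValueError("only TCP over IPv4 is handled in this example")
    body = data[16:16 + length]
    if len(body) < 12:
        raise ValueError("truncated address block")
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    info = {
        "src": (socket.inet_ntoa(body[0:4]), src_port),
        "dst": (socket.inet_ntoa(body[4:8]), dst_port),
        "ssl": False,
        "tls_version": None,
        "payload_offset": 16 + length,   # where the HTTP request begins
    }
    # Walk the TLVs that follow the addresses; unknown types are skipped.
    pos = 12
    while pos + 3 <= len(body):
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        val = body[pos + 3:pos + 3 + tlv_len]
        if len(val) != tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_SSL and len(val) >= 5:
            info["ssl"] = bool(val[0] & PP2_CLIENT_SSL)
            spos = 5
            while spos + 3 <= len(val):
                st, sl = struct.unpack("!BH", val[spos:spos + 3])
                sval = val[spos + 3:spos + 3 + sl]
                if st == PP2_SUBTYPE_SSL_VERSION:
                    info["tls_version"] = sval.decode("ascii", "replace")
                spos += 3 + sl
        pos += 3 + tlv_len
    return info


def set_forwarded_proto(info, headers):
    """Return headers with X-Forwarded-Proto forced from the PROXY preamble.

    Any X-Forwarded-Proto the client sent is dropped rather than trusted; only
    the TLS terminator in front of us knows whether the connection was HTTPS.
    """
    cleaned = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-proto"}
    cleaned["X-Forwarded-Proto"] = "https" if info["ssl"] else "http"
    return cleaned


if __name__ == "__main__":
    # Constructed sample: a TLS client behind a terminator on port 443.
    preamble = build_proxy_v2(("203.0.113.5", 51234), ("198.51.100.10", 443), "TLSv1.3")
    info = parse_proxy_v2(preamble + b"GET /app HTTP/1.1\r\n")
    print(info)
    print(set_forwarded_proto(info, {"Host": "example.internal", "X-Forwarded-Proto": "http"}))
```

Run it as a script to see the parsed preamble and the rewritten header set. The same data is what vmod_proxy reads when varnishd is started with a PROXY-enabled listener, which is why the TLS decision can be taken at the cache rather than guessed from a request header.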