I have a load balancer with 3 web servers (a, b and c) behind it, all running Apache on RHEL 8. What I am trying to do is relatively simple - I want to get the Apache server-status for the boxes behind the load balancer, via http://loadbalancer/a/server-status, http://loadbalancer/b/server-status etc.

Server-status works fine when accessing these boxes directly using http://ipofbox:8000/server-status

In my httpd.conf for the load balancer I have the following lines.

<VirtualHost *:80>

ProxyRequests off

#Start Proxy balancer block and define cluster
<Proxy balancer://thecluster>

    BalancerMember http://172.31.19.205:8080
    BalancerMember http://172.31.28.85:8080 loadfactor=3
    BalancerMember http://172.31.28.49:8080
    #weighted traffic byte count balancing
    ProxySet lbmethod=bytraffic nofailover=off

</Proxy>

ProxyPass /worksa http://172.31.19.205:8080
ProxyPass /worksb http://172.31.28.85:8080
ProxyPass /worksc http://172.31.28.49:8080

ProxyPass /a http://172.31.19.205:8000
ProxyPass /b http://172.31.28.85:8000
ProxyPass /c http://172.31.28.49:8000

#pass through any other proxy requests
ProxyPass / balancer://thecluster/

#route traffic back through the cluster and act as a load balancer, ensure headers generated from any workers are modified to point to the load balancer, masking the backend web servers
#ProxyPassReverse / balancer://thecluster/

#balancer-manager GUI via port 80
<Location /balancer-manager>
    SetHandler balancer-manager
</Location>

#don't pass requests to the BM through to the cluster
ProxyPass /balancer-manager !

<Location "/~Alice">
    AuthType Digest
    AuthName "private"
    AuthDigestDomain "/~Alice"
    AuthDigestProvider file
    AuthUserFile "/etc/httpd-auth/digest_passwords_file2"
    Require valid-user
</Location>

<Location "/~Bob">
    AuthType Digest
    AuthName "private"
    AuthDigestDomain "/~Bob"
    AuthDigestProvider file
    AuthUserFile "/etc/httpd-auth/digest_passwords_file2"
    Require valid-user
</Location>

</VirtualHost>

<VirtualHost *:8000>
ProxyRequests off

#server-info GUI via port 8000
<Location /server-info>
    SetHandler server-info
</Location>

#server-status GUI via port 8000
<Location /server-status>
    SetHandler server-status
</Location>

<Location "/server-info">
    AuthType Digest
    AuthName "realm"
    AuthDigestDomain "/server-info"
    AuthDigestProvider file
    AuthUserFile /etc/httpd-auth/digest_passwords_file
    Require valid-user
</Location>

<Location "/server-status">
    AuthType Digest
    AuthName "realm"
    AuthDigestDomain "/server-status"
    AuthDigestProvider file
    AuthUserFile /etc/httpd-auth/digest_passwords_file
    Require valid-user
</Location>

</VirtualHost>

EDIT: it seems to be getting through now, but this time I'm getting a 400 bad request. The error log on the backend server serving the request reads:

[auth_digest:error] [pid 9105:tid 139830629422848] [client ***.***.***.***:50720] AH01786: uri mismatch - </a/server-info/> does not match request-uri </server-info/>

It seems when digest authentication is enabled, it fails when accessing from the load balancer. On worksa I have the following:

<VirtualHost *:8000>

#balancer-manager GUI via port 8000
<Location /balancer-manager>
    SetHandler balancer-manager
</Location>

#Req 4.b
<Location "/server-info">
    SetHandler server-info
    AuthType Digest
    AuthName "realm"
    AuthDigestDomain "/server-info"
    AuthDigestProvider file
    AuthUserFile /etc/httpd-auth/digest_passwords_file
    Require valid-user
</Location>

# Req 4.a, Req 4.b
<Location "/server-status">
    SetHandler server-status
    AuthType Digest
    AuthName "realm"
    AuthDigestDomain "/server-status"
    AuthDigestProvider file
    AuthUserFile /etc/httpd-auth/digest_passwords_file
    Require valid-user
</Location>

</VirtualHost>

Secondly, when trying to access http://loadbalancer/worksa/index.html I get a 403 Forbidden. The access log of worksa says:

(13)Permission denied: file permissions deny server access: /var/www/html/index.html.

I've used chmod 0644 on index.html and it doesn't seem to help.

In summary, http://loadbalancer/a/server-info asks for credentials then returns 400 bad request, and http://loadbalancer/a/index.html returns 403 forbidden.

Many thanks.

1 Answer

Move the specific ProxyPass directives before the balancer ProxyPass which then matches everything else with /. And remove the trailing slashes.

Here's the first vhost:

<VirtualHost *:80>
    ProxyRequests off

    #Start Proxy balancer block and define cluster
    <Proxy balancer://thecluster>
        BalancerMember http://172.31.27.155:8080
        BalancerMember http://172.31.21.185:8080 loadfactor=3
        BalancerMember http://172.31.28.201:8080

        #weighted traffic byte count balancing
        ProxySet lbmethod=bytraffic nofailover=off
    </Proxy>

    ProxyPass /worksa http://172.31.27.155:8080
    ProxyPass /worksb http://172.31.21.185:8080
    ProxyPass /worksc http://172.31.28.201:8080

    # pass through balancer member
    ProxyPass /a http://172.31.27.155:8000
    ProxyPass /b http://172.31.21.185:8000
    ProxyPass /c http://172.31.28.201:8000

    # pass through any other proxy requests
    ProxyPass / balancer://thecluster/

    #route traffic back through the cluster and act as a load balancer, ensure headers generated from$
    #ProxyPassReverse / balancer://thecluster/
</VirtualHost>

You might need to tweak access control on the backend to prevent a "403 Forbidden":

<Location /server-status>
    SetHandler server-status
    # limit to ip addresses, hosts or whatever you need
    Require ip 172.31
</Location>
  • Hi, thanks very much for looking at my request, but I'm still getting the same error message. Also, when I try to enter loadbalancer/worksa/index.html I get a 403 forbidden - the access log of worksa says file permissions are the issue - (13)Permission denied: [client 172.31.28.124:33218] AH00132: file permissions deny server access: /var/www/html/index.html. Commented Apr 22, 2021 at 8:16
  • Check if SELinux is enabled and remove authentication to keep it simple for testing. You can enable it later. Commented Apr 22, 2021 at 9:35
  • I fixed the 403 forbidden - it was WinSCP - when I create .html files through that program for some reason it does not handle permissions as it says it does. Still have the same issue with the server-config however. I have disabled SELinux on all boxes, thanks. Commented Apr 22, 2021 at 10:15
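
Why the backend logs AH01786, as an added example that is not part of the original question or answer: a simplified Python model of the RFC 2617 Digest check, where the client signs the URI it requested (/a/server-status) while `ProxyPass /a` forwards /server-status to the backend. The user name, password, nonce and function names are constructed for illustration, and the comparison is a simplification of what mod_auth_digest does.

```python
import hashlib
import hmac

def h(s):
    # RFC 2617 Digest hashes colon-joined fields with MD5
    return hashlib.md5(s.encode()).hexdigest()

def sign(user, realm, password, method, uri, nonce, nc="00000001", cnonce="c0ffee"):
    """Client side: build the Authorization fields for qop=auth."""
    ha1 = h(f"{user}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")  # the requested URI is part of the hash
    resp = h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": user, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "response": resp}

def proxy_pass(path, prefix):
    """Model of 'ProxyPass /a http://backend:8000': the prefix is stripped."""
    return (path[len(prefix):] or "/") if path.startswith(prefix) else path

def backend_verify(auth, method, request_uri, ha1_db):
    """Simplified backend check: URI comparison first, then the hash."""
    if auth["uri"] != request_uri:
        return 400, (f"uri mismatch - <{auth['uri']}> does not match "
                     f"request-uri <{request_uri}>")
    ha1 = ha1_db[(auth["username"], auth["realm"])]
    ha2 = h(f"{method}:{auth['uri']}")
    want = h(f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
    ok = hmac.compare_digest(want, auth["response"])
    return (200, "ok") if ok else (401, "response mismatch")

# Constructed sample credentials and nonce (not taken from the page)
USER, REALM, PW, NONCE = "monitor", "realm", "example-password", "dcd98b7102dd2f0e"
HA1_DB = {(USER, REALM): h(f"{USER}:{REALM}:{PW}")}

def scenario(client_path, prefix=None, rewrite_header=False):
    auth = sign(USER, REALM, PW, "GET", client_path, NONCE)
    seen = proxy_pass(client_path, prefix) if prefix else client_path
    if rewrite_header:  # a proxy could edit uri= but cannot recompute the hash
        auth["uri"] = seen
    return backend_verify(auth, "GET", seen, HA1_DB)

if __name__ == "__main__":
    print(scenario("/server-status"))                       # direct to backend
    print(scenario("/a/server-status", prefix="/a"))        # via ProxyPass /a
    print(scenario("/a/server-status", prefix="/a", rewrite_header=True))
```

Because the signed `uri` must equal the request-URI that the authenticating server receives, Digest either has to be enforced on the load balancer itself or the proxied path has to be identical on both sides.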
