Apache reverse proxy: Handle backend 302 redirects internally without exposing redirect URLs to clients

I’m trying to configure Apache as a reverse proxy to handle 302 redirects from my backend servers internally. The goal is to prevent clients from seeing the redirect URLs and keep certain backend services hidden from external access.

My Setup

I have two internal web services running on ports 6666 and 7777 that aren’t accessible from outside. Apache runs on ports 80/443 and acts as a reverse proxy, routing requests for service_one.example.com and service_two.example.com to the respective backend services.

Current Flow

1. Client requests service_one.example.com/page
2. Apache forwards to backend service on port 6666
3. Backend responds with 302 redirect to service_two.example.com/data/auth_key
4. Apache passes 302 back to client
5. Client makes new request to service_two.example.com/data/auth_key
6. Apache forwards to second backend service

The Problem

I need to hide the redirect URL (service_two.example.com/data/auth_key) from clients and keep the second backend service completely internal. The first service can’t handle the request directly because the response from the second service could be large and time-consuming.

Is there a way to configure Apache to intercept 302 responses and handle them internally without sending the redirect back to the client? I need Apache to automatically follow the redirect and return the final response as if it came from the original request.

Try ProxyPassReverse with mod_rewrite rules to catch the 302s. Set up a RewriteRule that grabs the redirect headers before they hit the client, then do an internal redirect to pull from the second backend. You’ll probably need to tweak some headers but it’ll keep everything server-side.

Interesting challenge! You could try mod_substitute or lua scripting with mod_lua. Quick question though - what if that second service throws another redirect? Also, how are you handling session state and cookies between those backends during the internal hops?

Use mod_proxy_html with ProxyErrorOverride - this will accomplish what you need. Configure Apache to catch the 302 response and handle it server-side rather than sending it to the client. Set up a custom error document that triggers an internal subrequest upon receiving a 302 from your backend. Turn on ProxyErrorOverride and direct ErrorDocument 302 to a handler script that retrieves the Location header and processes it internally. The key is to capture the redirect URL from the backend response headers and ensure Apache follows it without exposing it to the client. Additionally, manage header manipulation properly to maintain cookie and auth token integrity between services, preserving the client’s original request while concealing backend complexities.