I have configured both Apache and Wildfly to use AJP in order to achieve the proxy so I can produce access logs.
Access logs are enabled from the management profile of Wildfly.
Port is listening on 8009
Apache has a Virtual Host listening on port 80
configured with the ProxyPass command.
Access Pattern is configured
and the result is that I receive logs that have been proxied, but the original client IP is not displayed, only the loopback of 127.0.0.1.
So I am asking about a way to reveal the IP of the client that requests the Apache server.
The syntax is okay and %a does display 127.0.0.1.
Thanks!
I have tried multiple access patterns (%a, %h, {i,xxx}...)
I have tried both X-Forward-For and X-Forwarded-For on Apache, PreserveHost On, etc.
I have tried tcpdump on port 8009, receiving 0 packets on the monitoring.
UPD Provider's fault
I think I have read all the instructions and have done everything I could, but it still doesn't work :(
List of things I have done so far:
in httpd.conf file of the Apache server:
ServerName 192.168.0.102:8080
...
# onlineoffline tag - don't remove
Require all granted
...
Listen 0.0.0.0:8080
Listen [::0]:8080
Then I have the following result:
C:\Users\Sam>netstat -na | find ":8080"
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING
TCP [::]:8080 [::]:0 LISTENING
So, I guess, no firewall interruptions..
Then I have forwarded the thing in my TL-WR842ND router as follows:
In DHCP I set static local IP of 192.168.0.102 to my MAC and forwarded port 8080 to that IP. Then I rebooted the router but the port is still closed.
I can access WAMP through localhost:8080, through 192.168.0.102:8080, but cannot access remotely through the public IP. I also tried to set DMZ to 192.168.0.102 but that also had no impact. I called my provider and they said that they allow port forwarding and the problem must be on my side. pls help :(
Turns out, I have a common IP address with multiple other users and I have to pay extra to my provider in order to be able to expose services to the outside. I believe that is called a non-routable IP address.
You can read about it here
I have the following setup:
one public IP
2 different domain names pointing to the same IP above: domain1.com and domain2.com
2 different ssl certificates: one for domain1.com and one for domain2.com
2 physical machines on the same LAN (192.168.1.10 and 192.168.1.20) running Apache2 and debian 8.5
I tested both servers independently, forwarding the 443 port traffic to either of the machines. They work nicely.
Now, I am forwarding all port 443 requests arriving to the public IP to the first server at 192.168.1.10 and I would like this server to act as a https server for https://domain1.com and redirect the requests for https://domain2.com to address 192.168.1.20
I have tried to configure a reverse proxy in the first machine. It does redirect the requests for domain2 to the machine at 192.168.1.20 BUT it serves the certificate for domain1.
How can I configure reverse proxy as to present the right certificate for each one of my servers?
thank you in advance.
julia
Easiest "solution" (well, workaround) would be to use a single certificate that contains both hostnames. If you cannot do that, then you need to configure Apache SNI, like so: SSL with Virtual Hosts Using SNI
As some suggested I tried to use the Apache2 reverse proxy.
This somehow works but you have to install all the certificates on the machine running Apache2. Thus the traffic on the LAN is no longer https, which does not satisfy my requirement.
The solution is to use haproxy. This package can be set up as a pass through for https. There are many examples of such applications on the internet. It does exactly what I am asking for: I can host many https servers on a LAN behind a NAT router with one single public IP. The traffic is sent by haproxy as https to the indicated server on the LAN. If anyone is interested, I will be glad to share my config file solving precisely the problem I set out in my question.
To Robert M:
here is my configuration to be added at the end of the default haproxy.cfg file:
frontend ft_https
    mode tcp
    option tcplog
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl domain1_com req.ssl_sni -m end domain1.com # all url ending with domain1.com
    acl domain2_com req.ssl_sni -i www.domain2.com # exactly www.domain2.com
    use_backend b_domain1_com if domain1_com
    use_backend b_domain2_com if domain2_com
    default_backend b_default

backend b_default
    mode tcp
    option tcplog
    server srv_default 127.0.0.1:1443

backend b_domain1_com
    mode tcp
    option tcplog
    server srv_domain1 192.168.1.10:1443

backend b_domain2_com
    mode tcp
    option tcplog
    server srv_domain2 192.168.1.20:443
I had to change the https port for apache on the first server to 1443 because both haproxy and apache cannot bind to the same 443 port as they reside on the same machine, but it is transparent to the user.
It seems that it is possible to get Apache server to Proxy and Manage SSL handshake on https requests and service them as 'http' thru another server behind it.
I have configured an apache server for ProxyPass using following configuration
SSLProxyEngine On
ProxyPass / http://localhost:8081/
ProxyPassReverse / http://localhost:8081/
I am able to get all traffic to the apache server that is listening to port 8080 direct and serve by the localhost:8081 server so
http://localhost:8080/hi is being correctly served by http://localhost:8081/hi
However the following does not work :
https://localhost:8080/hi to be served by http://localhost:8081/hi
Apache is trying to pass the https:// traffic to the 8081 server, without managing the SSL handshake.
Your Apache listener on port 8080 is an http listener, not an https listener. You can't handle both types of traffic on the same port. If you want to handle SSL traffic, you'll need to set up a new context on another port with SSLEngine On and all the other normal SSL configuration (certificate, key, etc).
This question has one version of this configuration.
Also this post.
Currently, I am running a website which is running on Tomcat which has Apache in front and varnish for caching. Tomcat is running on port 8080 and port 81 is used as varnish back end. I need to implement a feature for which I need to know the IP address of the client's machine visiting the website. I've tried to access the IP address by the header X-FORWARDED-FOR.
When the website is accessed from port 81 (i.e. http://mywebsite.com:81/) I can get the IP address of the client's machine but unfortunately when accessing through default port 80 (i.e. http://mywebsite.com/) it's returning the localhost IP address (127.0.0.1). Can anyone suggest what can be the workaround to get the user's real IP address from port 80 as well?
Your setup, if I understood correctly, is as follows:
Varnish (port 80) -> Apache (port 81) -> Tomcat (port 8080)
And you would like the actual remote IP to show up as REMOTE_ADDR on the Tomcat server.
Varnish appends X-Forwarded-For header by default, so that's already sorted. To get Apache to pass the actual remote IP to Tomcat, you should install reverse proxy add forward module for Apache (mod_rpaf). mod_rpaf does exactly what you're looking for. The appropriate config for Apache would be:
<IfModule !rpaf_module>
    LoadModule rpaf_module modules/mod_rpaf-2.0.so
</IfModule>
<IfModule rpaf_module>
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips 127.0.0.1
    RPAFheader X-Forwarded-For
</IfModule>
After enabling the module Tomcat should see the correct REMOTE_ADDR header as well as the HTTP_X_FORWARDED_FOR header.
I have 2 web forms, one coded using Java Servlets on glassfish (port 8080) and another using PHP on apache (port 80). But my office IT dept is refusing to open port 8080 to outside traffic.
How do I set up Apache such that requests coming in for the form with the servlets are directed to port 8080?
Thanks
TX
PS: I'm using WAMP
Using the ProxyPass directive is how it's normally done.
ProxyPass /url/ http://127.0.0.1:8080/url/