Accessing my tomcat webapp over SSL (https) has been working for years, but recently something strange started happening, possibly related to using docker container tomcat:8-jdk8 (which is v 8.5.75) instead of tomcat:8.5.41-jdk8 (which is no longer available). When I try to access my tomcat app through Apache's reverse proxy, over SSL (https://example.com/myapp), the main wire framework HTML page loads, but all of the js and css assets get 404s because they are missing the app dir in the base url, so nothing visible actually loads on the page. For example, the html requests https://example.com/assets/ex.js instead of https://example.com/myapp/assets/ex.js (note myapp/).
However, I can access the app and everything is working 100% when accessed without Apache/SSL (http://example.com:8080/myapp).
Most strange of all, if I access the app without SSL (http://example.com:8080/myapp), and then in the same tab, change the url to the SSL path (https://example.com/myapp), then everything loads fine and functions properly. At that point, I can even Empty Cache and Hard Reload, and everything still loads fine over SSL. I checked the headers of all network requests, and everything is loading over SSL. This same behavior occurs in Chrome, Firefox, and Safari. However, in Chrome and Safari, if I visit any other website in that tab and then try to load my app over SSL, it fails; in Firefox, the same tab will keep loading my app regardless of interceding website visits.
The Apache config looks like this:
<VirtualHost *:80>
Servername example.com
## The following email address is setup in /etc/postfix/localusers
ServerAdmin webmaster#localhost
UseCanonicalName On
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com%{REQUEST_URI} [R=301,QSA,L]
## R=redirect, QSA=keep any query string, L=last rule to evaluate, stop.
</VirtualHost>
<VirtualHost *:443>
Servername example.com
UseCanonicalName On
ProxyPass /myapp http://127.0.0.1:8080/myapp/
ProxyPassReverse /myapp http://127.0.0.1:8080/myapp/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificateFile /etc/ssl/certs/ca.crt
SSLVerifyDepth 2
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/example_ssl-error.log
CustomLog ${APACHE_LOG_DIR}/example_ssl-access.log combined
</VirtualHost>
The tomcat config is the default config that comes in the tomcat docker container. I do not have a META-INF/ directory in my project.
Question 1: why does tomcat provide the correct URLs over Apache/SSL only after the browser first visits tomcat directly without Apache/SSL?
Question 2: How can I get this app to load over SSL all the time (by always including the app name in the base url)?
Source and target paths in your redirects are inconsistent. Remove the last / in the target path.
ProxyPass /myapp http://127.0.0.1:8080/myapp
ProxyPassReverse /myapp http://127.0.0.1:8080/myapp
The mapping with moreover / caused a double // in the path, which I guess caused problems down the road with processing the path in generation of the page.
Related
We are running a multi-host apache2 environment for several years. Out of a sudden apache no seems to require https.
Some trivial websites are cofigured without certificates on port 80 (and with self signed or let's-encrypt certificates on port 443).
With the recent automatic renewal of a let's-encrypt certificate I got an error message related to problems to retrieve the acme-challenge via http.
It seems to be related to a recent change of the default configuration of apache2 under Debian 4.19.x .
However I did not find any option in apache2 to undo the enforcement for SSL.
Here is my configuration for on of the respective vhost's (the problem exists also for another host):
<VirtualHost *:80 >
ServerName www.antXXX.XX
ServerAlias antXXX.XX *.antXXX.XX
ServerAdmin webmaster#...
DocumentRoot /data/www/htdocsantXXX
ErrorDocument 503 /ausserBetrieb.html
<Directory /data/www/htdocsantXXX>
Options FollowSymLinks MultiViews
<RequireAll>
require all granted
</RequireAll>
RedirectMatch ^/$ /index.html
</Directory>
ErrorLog /var/log/apache2/antXXX/errorantXXX.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog /var/log/apache2/antXXX/accessantXXX.log combined
ServerSignature On
</VirtualHost>
<VirtualHost *:443>
ServerName www.antXXX.XX
ServerAlias antXXX.XX *.antXXX.XX
ServerAdmin webmaster#...
DocumentRoot /data/www/htdocsantXXX
...
</VirtualHost>
I was not able to find the respective option in the basic configuration of apache nor the error document that contains the HTML-Text for "This site is configured to require an SSL (https) connection...".
I know that there is the http-option Upgrade-Insecure-Requests: 1 . However the problem also exists, when retrieving the web document locally with curl -v http://www.antXXX.XX .
How can I undo the https-requirement for the respective vhosts?
Thank you for you support
Wallenstein
Oh sorry. Finally I have found the culprit.
I have recently experimented with the yubikey authorization in the module authn-yubikey .
Its activation seemed to enforce https. At least I found the respecitive HTML-code via the strings-command.
After disabling this module http-access was available again.
Wallenstein
I know, I know, Apache is not the best tool to use as HTTP proxy, however I need it on my server.
Here's my virtual host configuration:
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
ServerName my.public.domain
Redirect / https://my.public.domain/
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:50001/
ProxyPassReverse / http://127.0.0.1:50001/
ServerName my.public.domain
ErrorLog ${APACHE_LOG_DIR}my-app-error.log
CustomLog ${APACHE_LOG_DIR}my-app-access.log common
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/my-cert/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my-cert/privkey.pem
</VirtualHost>
In UseUrls method i have http://localhost:50001 configured as main URL, and this is redirected by Apache to HTTPS #443.
It works as charm, however I see this in logs:
warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
Failed to determine the https port for redirect.
In my configuration Apache handles https traffic, BTW, I can't communicate my app with Apache locally over HTTPS, it just doesn't work. I also think it's pointless to encrypt local internal traffic.
Unfortunately my solution requires some hacking to work 100% properly - I need to provide my public site URL in my app configuration - otherwise the app doesn't know what it's external address is. I mean - I build some links manually, because this is the core of my question - I don't know where the framework would keep such information. For example NavigationManager thinks my site URL is "http://localhost:50001", so if I need absolute URL in my app I can't use NavigationManager directly, I need to "manually" create the URL in app.
Links generated by Identity have "http" instead of "https", but it works because apache redirects everything to https.
Is there a way (and HOW) to do it more properly - a mean to officially tell the AspNET.Core it has specific external URL?
Where you have ServerName my.public.domain, use the following:
For port 80:
ServerName http://my.public.domain:80
For port 443:
ServerName https://my.public.domain:443
I have asked this question in OTRS forum but their primary focus is the functionality of OTRS and not really the interaction with an apache proxy.
I have an internal server running OTRS (Perl based support ticket system).
I have a reverse proxy in my DMZ that performs proxy and SSL offload for internal web pages/applications. My proxy server is Ubuntu 18 with Apache2. It mostly works except that for OTRS I get weird page errors. It used to not be bad but since update from OTRS 5 to OTRS6 it is so bad that we cannot we https except to log in.
If I use https it throws a message that "OTRS has detected possible network issues" and says to reload the page or wait till the browser establishes connection on it's own. If I wait just a bit I get a new message that states "the connection has been re-established after a temporary connection loss. Due to this elements on this page could have stopped working correctly" it goes on to say that you need to reload the page. But it just keeps cycling through these message in a flapping error.
I also get additional slash marks (/) each time I move to a new ticket.
Like so: https://myotrs.mydomain.com/otrs////////////index.pl?
The slash mark addition happens on both http and https through the proxy. It only happens on the OTRS site, not on my others handled by the same proxy.
Here is sample of my proxy vhost file.
<VirtualHost *:443>
ServerName help.mydomain.com
ServerAlias help.mydomain.net
ServerAdmin it#mydomain.com
ErrorLog /var/log/apache2/proxiedhosts-ssl_error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel info
CustomLog /var/log/apache2/access-ssl.log combined
ProxyRequests off
ProxyPass / http://helpdesk.mydomain.local/
<Location /otrs>
ProxyPassReverse http://helpdesk.mydomain.local/otrs/
</Location>
<Location /otrs-web>
ProxyPassReverse http://helpdesk.mydomain.local/otrs-web/
</Location>
# Use mod_proxy_html to rewrite URLs
SetOutputFilter proxy-html
# commented out
https://help.mydomain.com/otrs/
https://help.mydomain.com/otrs-web/
# Disable compressed communication between Apache and target server
RequestHeader unset Accept-Encoding
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Allows the proxying of an SSL connection
SSLProxyEngine On
# certificate
SSLCertificateFile /etc/ssl/certs/help.mydomain.com/help.mydomain.com.crt
SSLCertificateKeyFile /etc/ssl/private/SHA2_mydomain.key
</VirtualHost>
I have checked out your config file, and i suggest you try to change
<Location /otrs>
ProxyPassReverse http://helpdesk.mydomain.local/otrs/
</Location>
to
<Location /otrs/>
ProxyPassReverse http://helpdesk.mydomain.local/otrs/
</Location>
In the original config file, if you browse https://myotrs.mydomain.com/otrs/index.pl you will be redirect to https://myotrs.mydomain.com/otrs//index.pl. And then, if you click the page, you will be redirect to https://myotrs.mydomain.com/otrs///index.pl. Then you are stuck in the circulation.
I have an httpd server configured and working. The server returns "It works" and I can see the SSL is installed correctly.
The next step I undertook was configuring the reverse proxy, so that the users requests are redirected and I can have more customers' apps under one subdomain. The httpd configuration (shown below) I use is not mine, I am just attempting to reconfigure it to work for me. But with no big success up to now. There are directives that may be incorrect, but I have not tried commenting anything out.
#Apache is listening on port 443
Listen 443
SSLSessionCache shmcb:c:/Apache24/logs/shmcb_cache(512000)
SSLSessionCacheTimeout 300
Mutex default ssl-cache
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
#ProxyPreserveHost On
SSLProxyEngine On
ServerName XXXX.sk
ServerAdmin admin
# Logs
ErrorLog /var/log/rsk_error_log
TransferLog /var/log/rsk_access_log
# Server Certificate and Private Key:
SSLCertificateFile /ssl/certificate.crt
SSLCertificateKeyFile /ssl/private.key
SSLCertificateChainFile /ssl/chain.crt
#Include conf/extra/proxy-443-to-8890.conf
ProxyPass /customer http://172.17.0.4:8080
ProxyPassReverse /customer http://172.17.0.4:8080
</VirtualHost>
Now when I type XXXX.sk/customer I receive a response which is a login screen, but it is incorrectly rendered, the CSS is not used at all. There are many errors appearing. When I log in, no response is returned and the URL is corrupted.
Can any of you, using httpd in a reverse proxy mode, please share your configs, at least a part of them?
The default webroot in base-component is mapping to / in url. All of resources like css, js etc is using "/" to build url, So Although the proxying is
ProxyPass /customer http://172.17.0.4:8080
The actual js location is still
/lib/jquery/jquery-ui.min.css
not
/customer/lib/jquery/jquery-ui.min.css
To make it work, the reverse proxy would need more messy location proxy_pass configurations.
So using additional path to proxy the webroot is not suggested.
I recently moved my website over from AWS to an Ubuntu server on Digital Ocean. I did this with a number of other websites - couple of Wordpress blogs, a simple static site, and this one, which is also a simple static site.
All of the other websites are fine, but for this one I'm getting the error 400 Bad Request (nginx) intermittently, even though I'm using Apache as the web server.
The Apache config is in /etc/apache2/sites-available/www.mysite.com.conf and looks like this:
<VirtualHost *:80>
ServerName www.mysite.com
ServerAlias mysite.com
ServerAdmin hi#me.ie
DocumentRoot /var/www/html/www.mysite.com
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel debug
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The website is a single page static site (index.html) that lives in /var/www/html/www.mysite.com/
The DNS is:
A - # - 12.345.67.89 (not real)
CNAME - www - mysite.com
I see nothing at all in the logs (/var/log/apache2/*.log) when the 400 occurs, and all the normal stuff when it loads successfully. There appears to be no pattern as to when it works or doesn't - www or no www, browser, sometimes when I refresh lots of times it loads, sometimes it loads partially with the assets/images not loading (giving a 400).
Turns out unbeknownst to me there was a domain redirect in place, in addition to the A record. Seems to be the cause of the strange behaviour.