I have configured an Apache http server with mod_proxy to load balance between two jetty servers (sticky sessions).
Everything works fine and as expected while the two servers are up and running. But if I get one of the servers down and then attempt to make an http post to that server, the Apache balancer redirects the post to the running server but with an empty body, losing the original request.
After the request that triggered the redirect to the running server, all subsequent requests work fine.
Apache configuration:
<Proxy balancer://cluster>
BalancerMember http://localhost:9090 route=node1
BalancerMember http://localhost:9091 route=node2
ProxySet stickysession=JSESSIONID
</Proxy>
ProxyPreserveHost On
ProxyPass "/" "balancer://cluster/"
ProxyPassReverse "/" "balancer://cluster/"
I'm using Apache Server 2.4 and Jetty 9.4.22
Any ideas on why this is happening?
Thanks.
It looks like you hit the bug introduced as a regression in 2.4.41. You can check out the details here: https://bz.apache.org/bugzilla/show_bug.cgi?id=63891
To remedy, you will need to upgrade to 2.4.42 or greater.
Related
below is my httpd.conf configuration. I have tomcat server as backend server and I am using apache webserver as proxy to my tomcat server.
Below configuration is working fine for all the web pages where session is not required.
When investigated further, I had observed JSESSIONID is changing on every web request meaning, that ID is not getting persisted when request and response are going via Apache http server.
Please note that, when I tried to expose tomcat server directly to web JSESSIONID is persistent and is working as expected. However as security requirement, we need to use tomcat server as backend internal server only.
So I am not sure why apache http server is not liking to handle JSESSIONID properly. Request your help on the same and guide me what I am missing in my configuration.
Note: We don't need any load balancer setup so I am not considering mod_proxy_balancer module at this moment.
<VirtualHost *:443>
ServerName www.external.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
AddOutputFilterByType SUBSTITUTE text/html
ProxyPreserveHost off
ProxyPass / http://localhost:8080/internal/
ProxyPassReverse / http://localhost:8080/internal/
Substitute "s|http://localhost:8080/internal|https://www.external.com|i"
SSLProtocol all
SSLEngine on
SSLCertificateFile C:/keys/site/external_cert.cer
SSLCertificateKeyFile C:/keys/site/www_internal_private.p12.pri.pem
SSLCertificateChainFile C:/keys/site/Intermediate_CA.cer
</VirtualHost>
Apache web server is Apache 2.4 and tomcat engine is Tomcat 8.5
Follow serverfault answer by adding Set-Cookie Header:
In the end I just had to add the following line to my VirtualHost configuration, which changes all cookie paths from /WEBAPP_NAME to / (root):
Header edit Set-Cookie "^(.*; Path=)/WEBAPP_NAME/?(.*)" $1/$2
It is enough to set a hard path to cookies in web.xml:
<session-config>
<cookie-config>
<path>/</path>
</cookie-config>
</session-config>
My configuration is as follows - 1 unix server with two http servers running at the same time:
apache server on ports 80 and 443
Nginx server on port 8200 (www.myserver.com:8200)
The problem is that when I log in to Nginx site I need to authorize there. Doing this over internet with no SSL is not wise... I would like to connect to my apache server with SSL, be transparently redirected to another site and authorize still having encrpyted connection.
Nginx works via http so no ssl there... I would like to have url
https://www.myserver.com/duplicati to be proxied to http://www.myserver.com:8200
Effectively I want to have:
encrypted connection from the web client to www.myserver.com
proxy connection from https://www.myserver.com/duplicati to http://www.myserver.com:8200 (unencrypted), but limited to 1 physical machine which I don't care much about encryption (or actually lack of it)
What I did was the following
What I did was the following Apache config:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /duplicati/ http://127.0.0.1:8200/ngax/
ProxyPassReverse /duplicati/ http://127.0.0.1:8200/ngax/
<Location /duplicati/>
ProxyPassReverse /
Order deny,allow
Allow from all
</Location>
Header edit Location ^http://127.0.0.1:8200/ngax/ https://127.0.0.1:8200/ngax/
still no luck with that config....
It looks like a simple thing to do but after 5h of struggle I need to send my very first post to Stackoverflow community ;-)
Could you kindly help me with it?
We have a web application hosted on Tomcat server (clustered), with two Apache web servers sitting in front and F5 load balance5 in front of apache. SSL is configured in F5 load balancer. Now whenever someone accesses our application using the load balancer's secure url, our java web application does not evaluate request.isSecure to be true. Is there any setting I need to do enable this.
In our apache web server we have the following configuration using proxy balancer
ServerName ip:80
ProxyPass /balancer-manager !
ProxyPass / balancer://mycluster/ stickysession=JSESSIONID nofailover=Off
ProxyPassReverse / balancer://mycluster/
<Proxy balancer://mycluster>
BalancerMember ajp://ipapp1:8009 route=jvm1 loadfactor=1
BalancerMember ajp://ipapp2:8009 route=jvm2 loadfactor=1 status=+H
ProxySet lbmethod=byrequests
</Proxy>
I tried to change the connector details in server.xml of tomcat by adding scheme= "https", secure="true" and proxyPort="443" for 8080 but it did not work.
What am I missing here?
You'd need to check your app to see if it is supported, but typically a header is forwarded communicating the request protocol. Traditionally this was the X-Forwarded-Proto header, but X-... nomenclature has been deprecated. The Forwarded header now supports what was X-Forwarded-For, X-Forwarded-Proto, etc... in one header. There is still wide support for the deprecated method however, so either approach should work pending app support.
X-Forwarded-Proto: https
or
Forwarded: proto=https
The new standards are described in RFC 7239
Maybe I'm a bit late here, but I had the same situation. I added
scheme= "https", secure="true" and proxyPort="443"
on port 8009 , not on port 8080 like the original question. That's because from Apache the request is made via AJP on port 8009.
Also, Apache must have http-ssl.conf enabled from http.conf and it has to be listening on port 443.
I tried this configuration and it worked, the request sent through the Load Balancer in front of the Apache reported the tomcat webapp in https correctly.
I hope this helps who has the same problem, it took me days to understand this.
I'm using apache2 as a local proxy balancer between the web and a jboss machine.
i've used the following configuration:
<Proxy balancer://mycluster>
BalancerMember http://localhost:8080
</Proxy>
ProxyPass /test balancer://mycluster
if i call my machine with www.mymachine.com/test then the call is passed to JBoss, but in the request it seems that it was called with 'localhost'.
how can I make sure the correct server name is passed as well?
Aviad
all i needed to do is to add:
ProxyPreserveHost On
I develop a jsp website using tomcat as backend and apache as frontend redirecting with mod_proxy.
First my configs.
apache:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine on
ProxyPass / https://realdomain.tld:8443/proj1/
ProxyPassReverse / https://realdomain.tld:8443/proj1/
<Location />
Order allow,deny
Allow from all
</Location>
When I reload my jsp webpage, every time i get a new session id. When developing on localhost without apache and mod_proxy everything works and I keep the same session id.
For my webapp it is important to keep the same session during the time.
Any Idea how i can tell apache to keep my session. I guess apache has to redirect the cookie to tomcat right? but how...
Any time you change the context path in the proxy (/ -> proj1) you create a whole heap of problems to solve. Your immediate cookie problem can be solved with the ProxyPassReverseCookiePath directive. I then suspect you'll find the next problem to solve. You'd be better off redeploying your application as the ROOT web application so that your ProxyPass directive is ProxyPass / https://realdomain.tld:8443/
As an aside, it looks like you are proxying to Tomcat's https connector. If you aren't careful you will create security problems for yourself if httpd receives requests over http, proxies them to Tomcat over https and Tomcat treats those requests as being received over a secure channel.