Gitlab ce on ubuntu 16.04 with letsencrypt on subdomain - apache

I installed gitlab-ce on my v-server running Ubuntu 16.04 with apache as webserver. The installation of gitlab under git.example.com worked and I was able to set up my user via http.
I'm running my example.com website, a nextcloud instance under cloud.example.com and gitlab under git.example.com on this server and I decided to use letsencrypt.
The installation of letsencrypt for example.com and cloud.example.com works fine. I used the Gitlab Recipes for configuration, but it doesn't work properly. When I try to access gitlab under http://git.example.com the redirection to https://git.example.com does work but the https part redirects me to http://example.com and I have no idea why.
This is the server response
Request URL:https://git.example.com/
Request Method:GET
Status Code:302 Found
Remote Address:*:443
Referrer Policy:no-referrer-when-downgrade
HTTP/1.1 302 Found
Date: Sat, 03 Mar 2018 10:36:24 GMT
Server: Apache/2.4.18 (Ubuntu)
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Location: http://example.com
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: bdfffb7e-1c89-4308-be13-5c35a64f31f3
X-Runtime: 0.010298
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Content-Length: 90
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
And these are my apache config files:
<VirtualHost git.example.com:80>
ServerName git.example.com
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public/
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteCond %{SERVER_NAME} =git.example.com
RewriteCond %{REQUEST_URI} !^/.well-known/.*
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>
SSL
<IfModule mod_ssl.c>
<VirtualHost git.example.com:443>
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateFile /etc/letsencrypt/live/git.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/git.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName git.example.com
ServerSignature Off
ProxyPreserveHost On
ProxyPass / https://localhost:8181/
ProxyPassReverse / https://git.example.com:8181/
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
# Apache 2.2
Order allow,deny
Allow from all
# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted
ProxyPassReverse http://127.0.0.1:8181
ProxyPassReverse http://git.example.com/
</Location>
<Directory /opt/gitlab/embedded/service/gitlab-rails/public/>
Require all granted
</Directory>
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public/
RewriteEngine on
# Apache equivalent of nginx try files
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.* [OR]
RewriteCond %{REQUEST_URI} !/\.well-known/.*
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
RequestHeader set Host "git.example.com"
RequestHeader set X-Forwarded-Ssl on
# RequestHeader set X-Forwarded-For %{REMOTE_ADDR}e
RequestHeader set X_FORWARDED_PROTO 'https'
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 502 /502.html
ErrorDocument 503 /503.html
# It is assumed that the log directory is in /var/log/httpd.
# For Debian distributions you might want to change this to
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>
In production.log I found this
Started GET "/" for 93.200.218.17 at 2018-03-03 11:34:31 +0100
Processing by RootController#index as HTML
Redirected to http://example.com
Filter chain halted as :redirect_unlogged_user rendered or redirected
Completed 302 Found in 4ms (ActiveRecord: 0.0ms)
But searching for this didn't help me so far. I guess there's some kind of loop where apache decides to route to domain.net but I couldn't find the source of it.
If anyone has an idea where to look for the error or can see what's wrong with my configuration I'd be grateful.
Answer to
curl -v http://127.0.0.1:8181
was:
> GET / HTTP/1.1
> Host: 127.0.0.1:8181
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Content-Type: text/html; charset=utf-8
< Date: Mon, 05 Mar 2018 09:58:40 GMT
< Location: http://example.com
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Request-Id: 17cb8d7d-918f-4d72-95ca-f6262e7537b2
< X-Runtime: 0.015595
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Content-Length: 90
<
* Connection #0 to host 127.0.0.1 left intact
Update 1
I checked what's redirecting on the Port 8181 but I only got this:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
gitlab-wo 312 git 3u IPv4 188680 0t0 TCP localhost:8181 (LISTEN)
So I believe that there is some configuration error in Gitlab itself

Solution
I found a hint at https://serverfault.com/questions/721698/gitlab-redirects-to-other-page and that really was the problem...
The settings of gitlab itself were wrong. The Sign-in restrictions got http://git.example.com so I had to log in with the direct link git.example.com/users/sign_in and change my settings. Now it's working.
Thanks to Dusan Bajic.
Addition
Another problem was that the setting for "Home page URL" was set to my main domain. I had to change that to https://git.example.com. A simple setting I just forgot.
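A simplified model of how ProxyPassReverse treats the backend's Location header, added here as an illustration (not code from the post, GitLab or Apache): it shows why the proxy handed http://example.com to the browser untouched, which points at the application rather than the vhost. The function names are hypothetical and the backend Location values are taken or constructed from the headers quoted above.

```python
from urllib.parse import urlsplit

# ProxyPassReverse mappings from the 443 vhost above:
# (front-end path, backend URL prefix to look for in Location).
MAPPINGS = [
    ("/", "https://git.example.com:8181/"),
    ("/", "http://127.0.0.1:8181"),
    ("/", "http://git.example.com/"),
]


def proxy_pass_reverse(location, front_base, mappings):
    """Simplified model: rewrite Location only if it starts with a backend prefix."""
    for path, backend in mappings:
        if location.startswith(backend):
            rest = location[len(backend):]
            return front_base.rstrip("/") + path.rstrip("/") + "/" + rest.lstrip("/")
    return location  # no prefix matched: the header is passed through unchanged


def diagnose(request_url, backend_location, mappings=MAPPINGS):
    """Report what the client receives and whether the redirect is risky."""
    req = urlsplit(request_url)
    front_base = f"{req.scheme}://{req.netloc}"
    seen = proxy_pass_reverse(backend_location, front_base, mappings)
    loc = urlsplit(seen)
    return {
        "client_sees": seen,
        "rewritten_by_proxy": seen != backend_location,
        # A redirect from https to http drops transport protection.
        "https_downgrade": req.scheme == "https" and loc.scheme == "http",
        # A redirect to another host is decided by the app, not by the vhost.
        "leaves_host": loc.hostname != req.hostname,
    }


if __name__ == "__main__":
    # Location returned by the backend on 127.0.0.1:8181 in the curl output above.
    print(diagnose("https://git.example.com/", "http://example.com"))
    # Constructed contrast case: a backend-relative redirect the proxy can fix up.
    print(diagnose("https://git.example.com/", "http://127.0.0.1:8181/users/sign_in"))
```

When no mapping matches and the target leaves the host, the Location value was chosen by the application behind the proxy, so that is where to look.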

Related

apache redirecting a redirect from http to https

I've tried different apache configurations but somehow couldn't crack this.
I'm forcefully redirecting all URLs from http to https using Redirect permanent / https://jenkins.example.net/
However, there is a problem as one of the source URLs has the /redirect string appended at the end. I learnt that apache CANNOT redirect a redirect. Since the source URL has the redirect string in the URL, it's not redirecting again to https and results in a 404 page.
This is my virtualhost configuration.
<VirtualHost *:80>
ServerName jenkins.example.net
# Redirects traffic to https
RewriteEngine On
RewriteRule ^(.*)/redirect /$1 [L,NC]
Redirect permanent / https://jenkins.example.net/
</VirtualHost>
<VirtualHost *:443>
proxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
ProxyPass / http://127.0.0.1:8080/ nocanon
ProxyPassReverse / http://127.0.0.1:8080/
ServerName jenkins.example.net
ErrorLog /etc/ssl/error_log
SSLEngine on
SSLCertificateFile /etc/ssl/certs/fopjenkins.pem
SSLCertificateKeyFile /etc/ssl/certs/fopjenkins.key
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
I tried above RewriteRule to strip off /redirect from the URL but it's not working.
Any help would be highly appreciated..
Additional details (debug output of curl)::
[root@rhel-7 ~]# curl -v http://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
* About to connect() to jenkins.example.net port 80 (#0)
* Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 80 (#0)
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.example.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 13 Aug 2019 07:52:00 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
< Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved here.</p>
</body></html>
* Connection #0 to host jenkins.example.net left intact
curl -vL debug output::
[root@rhel-7 ~]# curl -vL http://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
* About to connect() to jenkins.example.net port 80 (#0)
* Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 80 (#0)
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.example.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 13 Aug 2019 07:58:15 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
< Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host jenkins.example.net left intact
* Issue another request to this URL: 'https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect'
* Found bundle for host jenkins.example.net: 0x986fd0
* About to connect() to jenkins.example.net port 443 (#1)
* Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 443 (#1)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:*
* start date: Jul 16 06:42:46 2019 GMT
* expire date: Jul 15 06:42:46 2021 GMT
* common name: jenkins.example.net
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 1
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@rhel-7 ~]# echo $?
60
Probably your branch contains /, so your url is STUFOP%2Fdeploy_toolchain. Apache encodes such a url and the final one is STUFOP%252Fdeploy_toolchain.
Try this configuration for the non-secure virtualhost:
<VirtualHost *:80>
ServerName jenkins.example.net
# this prevents encoding
AllowEncodedSlashes on
Redirect permanent / https://jenkins.example.net/
</VirtualHost>
This configuration should avoid encoding and, according to the Redirect Request to SSL Apache wiki page, all requests are redirected to the secure virtualhost.
In secure virtualhost, try this configuration:
<VirtualHost *:443>
ServerName jenkins.example.net
AllowEncodedSlashes on
proxyRequests Off
ProxyPreserveHost On
ProxyPassMatch "^/(.*)/redirect$" "http://127.0.0.1:8080/$1"
ProxyPass / http://127.0.0.1:8080/ nocanon
ProxyPassReverse / http://127.0.0.1:8080/
ErrorLog /etc/ssl/error_log
SSLEngine on
SSLCertificateFile /etc/ssl/certs/fopjenkins.pem
SSLCertificateKeyFile /etc/ssl/certs/fopjenkins.key
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
This configuration should avoid encoding and use ProxyPassMatch to manipulate url.
Here are some useful links that I've used: %2F slash encoding issues, encode URL wihthin URL - apache mod-proxy (ProxyPass), %2F slash encoding issues #399, htaccess howto rewrite an encoded slash in url
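The double encoding described in this answer, as an added example that is not part of the original answer: a simplified model of a proxy that re-escapes an already-encoded path next to one that forwards it raw (the nocanon case), plus a check that flags %25XX sequences in access-log request lines. The log lines and client address are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import quote

# %25 followed by two hex digits means an already-encoded byte was encoded again.
DOUBLE_ENCODED = re.compile(r"%25([0-9A-Fa-f]{2})")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/')


def canonicalising_proxy(raw_path):
    """Model of a proxy that re-escapes the path before forwarding it."""
    # '%' is not in the safe set, so an existing %2F becomes %252F.
    return quote(raw_path, safe="/")


def nocanon_proxy(raw_path):
    """Model of 'ProxyPass ... nocanon': the raw path is forwarded untouched."""
    return raw_path


def find_double_encoding(access_log_lines):
    """Return (line number, request path, sequences that were encoded twice)."""
    hits = []
    for number, line in enumerate(access_log_lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        path = match.group(1)
        found = ["%" + h.upper() for h in DOUBLE_ENCODED.findall(path)]
        if found:
            hits.append((number, path, found))
    return hits


# Job path from the answer above.
JOB_PATH = "/job/STUFOP%2Fdeploy_toolchain/"

# Constructed backend access-log lines: the same request before and after
# it has been re-encoded on its way through the proxy.
SAMPLE_LOG = [
    '10.10.11.5 - - [13/Aug/2019:07:52:00 +0000] '
    '"GET /job/STUFOP%2Fdeploy_toolchain/ HTTP/1.1" 200 512',
    '10.10.11.5 - - [13/Aug/2019:07:52:01 +0000] '
    '"GET /job/STUFOP%252Fdeploy_toolchain/ HTTP/1.1" 404 298',
]

if __name__ == "__main__":
    print(canonicalising_proxy(JOB_PATH))
    print(nocanon_proxy(JOB_PATH))
    for hit in find_double_encoding(SAMPLE_LOG):
        print(hit)
```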
I am assuming that your https redirect is happening first and then on https the /redirect becomes a 404.
Easiest fix would be to add RewriteRule ^(.*)/redirect /$1 [L,NC] to the <VirtualHost *:443> block, just to make sure that such a url goes back to home

HTTP/2 configuration not running after mod_http2 enabled and protocols set in conf file [duplicate]

HTTP/2 does not seem to be running after what seems to be a proper installation.
I am running CentOS 7.
I installed the latest version of Apache, version httpd-2.4.35-5.el7.x86_64, and have been trying to get HTTP/2 working.
For this, I see that we need to have http2_module running. That is active and running. I believe I have confirmed this by running the command httpd -M. http2_module (shared) is listed under those modules.
The next thing I know to do is add in Protocols h2 h2c http/1.1 above the <VirtualHost ...> tag. I have done that as well.
Finally, I have CURLed my URL, and I am still getting HTTP/1.1.
CURL command: curl -vsko /dev/null --http2 https://www.thehomepainter.com
Brief response from the CURL:
GET / HTTP/1.1
Host: www.thehomepainter.com
User-Agent: curl/7.64.0
Accept: */*
< HTTP/1.1 200 OK
Partial from httpd.conf
Protocols h2 h2c http/1.1
<VirtualHost *:443>
SSLEngine on
ServerAdmin ### omitted ###
ServerName thehomepainter.com
ServerAlias www.thehomepainter.com
DocumentRoot /var/www/html/
Options -Indexes
ProxyRequests off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
ProxyPass "/" "http://localhost:3000/"
ProxyPassReverse "/" "http://localhost:3000/"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile ### omitted ###
SSLCertificateKeyFile ### omitted ###
SSLCertificateChainFile ### omitted ###
# i have tried this here as well
# Protocols h2 h2c http/1.1
</VirtualHost>
Protocols h2 h2c http/1.1
<VirtualHost *:80>
ServerAdmin support@thedesignguis.com
ServerName thehomepainter.com
ServerAlias www.thehomepainter.com
DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME} =thehomepainter.com [OR]
RewriteCond %{SERVER_NAME} =www.thehomepainter.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
# i have tried this here as well
# Protocols h2 h2c http/1.1
</VirtualHost>
So the expected result is for HTTP/2 to work. However, it is not and I have no idea why.
After scraping through the error log I finally found the issue.
[http2:warn] [pid 7155] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
To solve, I edited /etc/httpd/conf.modules.d/00-mpm.conf
Comment out this line:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
And uncomment the bottom line:
LoadModule mpm_event_module modules/mod_mpm_event.so
Restart apache and then it works.

The browser shows 404 Not Found when I'm using a RewriteRule on the server

I had to reinstall the whole Ubuntu 14 to 16.04.3 to be able to upgrade PHP to 7.0. Now there is Ubuntu 16 on the machine, but my website is broken. It was using Apache and mod_rewrite.
/etc/apache2/sites-available/000-default.conf
...
<VirtualHost *:80>
ServerName api.example.com
ServerAdmin janos@example.com
DocumentRoot /var/www/api.example.com
<Directory "/var/www/api.example.com">
Options -Indexes
</Directory>
ErrorLog ${APACHE_LOG_DIR}/api.example.com.error.log
CustomLog ${APACHE_LOG_DIR}/api.example.com.access.log combined
</VirtualHost>
...
On the server:
janos@example:/var/www/api.example.com$ ls -l .htaccess dir
-rw-rw-r-- 1 janos janos 65 okt 31 09:10 .htaccess
dir:
total 4
-rw-rw-r-- 1 janos janos 6 okt 31 09:09 hello.txt
janos@example:/var/www/api.example.com$ cat .htaccess
RewriteEngine On
RewriteRule "^test.txt$" "dir/hello.txt"
janos@example:/var/www/api.example.com$ sudo service apache2 restart
janos@example:/var/www/api.example.com$ sudo a2enmod rewrite
Module rewrite already enabled
On my client:
mymachine:Downloads janos$ curl -Is http://api.example.com/test.txt|grep HTTP
HTTP/1.1 404 Not Found
mymachine:Downloads janos$ curl -Is http://api.example.com/dir|grep HTTP
HTTP/1.1 301 Moved Permanently
mymachine:Downloads janos$ curl -Is http://api.example.com/dir/|grep HTTP
HTTP/1.1 403 Forbidden
mymachine:Downloads janos$ curl -Is http://api.example.com/dir/hello.txt|grep HTTP
HTTP/1.1 200 OK
mymachine:Downloads janos$
What am I missing?
My mistake was: I didn't allow user-defined .htaccess files to change the mod_rewrite and other rules. The correct config part is:
<Directory "/var/www/api.example.com">
Options -Indexes
# it's working now with the following 1 line added:
AllowOverride all
</Directory>

WebSocket through SSL with Apache reverse proxy

On the client side, I am trying to establish the wss connection:
var ws = new WebSocket("wss://wsserver.com/test")
and it returns an error:
WebSocket connection to 'wss://wsserver.com/test' failed: Error during WebSocket handshake: Unexpected response code: 400
The full headers are:
Request Headers
GET wss://wsserver.com/test HTTP/1.1
Host: wsserver.com
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: https://website.net
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Sec-WebSocket-Key: Tj9AJ5TKglNf5LoHsQTpvQ==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Response Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://website.net
Connection:close
Content-Length:18
Content-Type:text/plain; charset=utf-8
Date:Fri, 21 Apr 2017 21:03:45 GMT
Server:Apache/2.4.18 (Ubuntu)
Vary:Origin
X-Content-Type-Options:nosniff
The server side is running on go at port 8888 behind an Apache reverse proxy. This is the Apache configuration:
<VirtualHost *:443>
ServerName website.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass "/" "wss://localhost:8888/"
</VirtualHost>
mod_proxy and mod_proxy_wstunnel are installed.
Is there something missing here? It seems like the request goes through but no connection is established.
I ended up solving this problem by using this configuration for the virtual host, which filters requests using the HTTP headers:
<VirtualHost *:443>
ServerName website.com
RewriteEngine On
# When Upgrade:websocket header is present, redirect to ws
# Using NC flag (case-insensitive) as some browsers will pass Websocket
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^/ws/(.*) wss://localhost:8888/ws/$1 [P,L]
# All other requests go to http
ProxyPass "/" "http://localhost:8888/"
</VirtualHost>
I'm leaving this as a reference in case it helps others
In order to place a secure reverse proxy server in front of an insecure websocket server, you could do this:
<VirtualHost *:443>
SSLEngine on
SSLProxyEngine on
SSLProtocol -all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA
SSLCertificateFile /path/to/cert
SSLCertificateKeyFile /path/to/key
SSLCertificateChainFile /path/to/chain
ServerName website.com
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:8888/$1 [P,L]
</VirtualHost>
This will take a request inbound for wss://website.com:443, and reverse proxy it to ws://localhost:8888.
If the websocket server is also secure, you can simply change
ws://localhost:8888 to
wss://website.com:8888
This is my setup of virtualhost that worked for me, I have .netcore app on docker with SignalR as a websocket service.
On 5000 my .netcore app is running, and on /chatHub my signalR listens.
Will be helpful for future comers with same problem.
<IfModule mod_ssl.c>
<VirtualHost *:443>
RewriteEngine On
ProxyPreserveHost On
ProxyRequests Off
# allow for upgrading to websockets
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:5000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://localhost:5000/$1 [P,L]
ProxyPass "/" "http://localhost:5000/"
ProxyPassReverse "/" "http://localhost:5000/"
ProxyPass "/chatHub" "ws://localhost:5000/chatHub"
ProxyPassReverse "/chatHub" "ws://localhost:5000/chatHub"
ServerName site.com
SSLCertificateFile /etc/letsencrypt/live/site.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Source: http://shyammakwana.me/server/websockets-with-apache-reverse-proxy-with-ssl.html
# pimgeek's Comment:
I think instead of
RewriteRule ^/nodered/comms wss://localhost:1880/nodered/comms [P,L]
you could have utilized $1 as follows:
RewriteRule ^/(nodered/comms)$ wss://localhost:1880/$1 [P,L]
Also, this should work as well:
RewriteRule ^(/nodered/comms)$ wss://localhost:1880$1 [P,L]
Notice that the / after the port is not needed, since $1 already includes a / at the beginning
In my case, I needed to activate "SSLProxyEngine on" to make the whole thing work...
I ended up with this two-line solution on Debian / Apache 2.4 (used port is 4321)
SSLProxyEngine on
ProxyPass /wss wss://127.0.0.1:4321/

Proxy balancer and Apache Virtual Host multiple domains

We have the following configuration, one apache HTTP server which proxies AJP requests to an application on another as in the Proxy balancer configuration below.
The problem we have is the application only understands one HOST http header, i.e exampledomain.com, but we require www.exampledomain.com to be rewritten to exampledomain.com however still show the www.exampledomain.com address.
We also have HTTP proxies in between the browser and hitting the Apache server, and do not want this content to be cached!
The following is our configuration:
<Proxy balancer://ajp-cluster>
Order deny,allow
Allow from all
BalancerMember ajp://10.10.10.11:8009
</Proxy>
<VirtualHost *:80>
ServerName exampledomain.com
ServerAlias exampledomain.com *.exampledomain.com
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.exampledomain.com
RewriteRule ^/(.*)$ http://exampledomain.com/$1 [L,R=301,E=nocache:1]
## Set the response header if the "nocache" environment variable is set
## in the RewriteRule above.
Header always set Cache-Control "no-store, no-cache, must-revalidate" env=nocache
## Set Expires too ...
Header always set Expires "Thu, 01 Jan 1970 00:00:00 GMT" env=nocache
ProxyPass / balancer://ajp-cluster/
ProxyPassReverse / balancer://ajp-cluster/
</VirtualHost>