I am trying to return content with a web service. Behind an apache proxy if fails with "Operation insecure".
I read about adding an apache hook but it won't work for me. Setting the environment variable neither.
This is what I tried: how to make Mojolicious's url_for()->to_abs() return correct scheme (http or https) behind nginx
Maybe or webservice I have to do something else ? Also I use mojolicious lite.
Also the url_for is done in the template file .html.ep. I use it to call the web service from javascript.
I run Mojolicious 7.59 on Ubuntu 18.04. Thank you for you help
I solved it this way: the apache proxy must have some specific settings and also the mojo app must be in reverse proxy mode.
Apache Settings
Apache must know how to proxy the web services and it must tell mojo about the forwarding protocol.
I put all my webservices under the /ws/ and I added it to ProxyPass
My mojo app is at the same host at port 8080 so I proxy to localhost:8080.
It is very important to set the X-Forwarded-Proto
At /etc/apache2/sites-enabled/default-ssl.conf I changed this way:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /ws/ ws://localhost:8080/ws/ keepalive=On
ProxyPass / http://localhost:8080/ keepalive=On
ProxyPassReverse / http://localhost:8081/
RequestHeader set X-Forwarded-Proto "https"
Mojo Proxy
The mojolicious app must know it is in reverse proxy. If you are using hypnotoad it may not be necessary. When I did some tests with morbo I had to run it this way:
MOJO_REVERSE_PROXY=1 morbo script.pl
There is more documentation at https://mojolicious.org/perldoc/Mojolicious/Guides/Cookbook#Reverse-proxy
I would like to run an IPython notebook web server behind an Apache (reverse) proxy so that instead of the URL
https://my.server:XXXX
(where XXXX is some port number) I could use
https://my.server/py0
I am aware that IPython uses websockets and I suspect this is the part that is missing from my setup, but I simply could not find a suitably detailed description on how to configure this. Unfortunately the IPython webserver setup docs don't have much to say regarding proxies apart from this:
When behind a proxy, especially if your system or browser is set to
autodetect the proxy, the notebook web application might fail to
connect to the server’s websockets[...]
So I decided to try it on my own and put the following in /etc/apache2/sites-enabled/default-ssl.conf :
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass /py0/ https://localhost:10000/
ProxyPassReverse /py0/ https://localhost:10000/
Accessing IPython "directly" over the URL https://my.server:10000 works perfectly as advertised.
The URL https://my.server/py0 (without a trailing slash) returns "404 Not found".
The same with a trailing slash https://my.server/py0/ does "work" in that it forwards to https://my.server/login?next=%2F, which is then "Not found" in its own right -- obviously because the /py0/ part got lost. Maybe I should tell IPython about it but how ??
Perhaps relevant version numbers: Ubuntu 14.04 LTS, Apache 2.4.7.
Perhaps relevant SO question: IPython behind nginx. However, since everything else in my setup is handled by Apache to my full satisfaction, I do not want to run Nginx in addition.
Is there any good soul out there who has successfully configured IPython notebook web servers behind Apache? If yes, then please step forward and share your knowledge :-) Many thanks!
I got this working using the following setup.
IPython
IPython Notebook is listening at http://localhost:8888/ipython. It was necessary to add the /ipython prefix, because IPython uses absolute paths, so it must be the same as the reverse proxied path.
The ipython_notebook_config.py
c = get_config()
c.NotebookApp.ip = 'localhost'
c.NotebookApp.open_browser = False
c.NotebookApp.port = 8888
c.NotebookApp.base_url = '/ipython'
Apache
I enabled
mod_proxy
mod_proxy_http
mod_proxy_wstunnel
In the apache config I added
<Location /ipython>
ProxyPass http://localhost:8888/ipython
ProxyPassReverse http://localhost:8888/ipython
ProxyPassReverseCookieDomain localhost my.server.com
RequestHeader set Origin "http://localhost:8888"
</Location>
<Location /ipython/api/kernels/>
ProxyPass ws://localhost:8888/ipython/api/kernels/
ProxyPassReverse ws://localhost:8888/ipython/api/kernels/
</Location>
to an SSL enabled virtual host definition.
The RequestHeader set Origin "http://localhost:8888" was necessary for the websockets, otherwise you get a 403 Forbidden.
Now IPython is reachable at https://my.server.com/ipython (no trailing /!).
WARNING: This is rather verbose, as I gather you have figured much of this, but for documentation purposes, I laid out enough detail here for someone else to follow.
I put this answer together after implementing this myself with the help from various links. The first from here Websocket origin check fails when used with Apache WS proxy #5525. I repeat much of it here with some changes. Other links are referenced below.
1. Set up iPython:
This is in the post, but rather than do it as the original post suggested, I just followed the general instructions for Running a notebook server. With this done you should be able to test the setup, which will require enabling the port you have this configured for. If this does not work, then any Apache set up will not work.
2. Configure Apache:
Make sure you have the following mods available and enabled.
./configure --enable-proxy --enable-ssl --enable-deflate --enable-proxy-http --enable-proxy-wstunnel --enable-info --enable-rewrite --enable-headers
Added --enable-headers here as they were not installed on mine. Also I used the Apache2 a2enmod command. So sudo a2enmod headers, sudo a2enmod proxy, etc.
If you're running a version of Apache prior to 2.4, you do not have the proxy_wstunnel mod. You can either a patch your version or upgrade. To patch your version, you can follow these instructions. Be sure to copy over both mod_proxy.so and mod_proxy_wstunnel.so. To get the configure script, you need to run ./buildconfig, which has its own dependencies. This is noted in a comment therein.
Within Apache, create a "sites-available/iPython.conf" file. Originally I said to either add to httpd.conf or ports.conf. Adding your own site file is much cleaner and will allow you to enable/disable the configuration when desired.
Listen [ANY PORT HERE] # post has port 8999 here...
...
<VirtualHost *:[ANY PORT HERE]>
SSLProxyEngine On # post did not have this...
ProxyPass / http://127.0.0.1:8888/
ProxyPassReverse / http://127.0.0.1:8888/
# spoof headers to make notepad accept the request as coming from the same origin
Header set Origin "http://127.0.0.1:8888/"
RequestHeader set Origin "http://127.0.0.1:8888/"
LogLevel debug
</VirtualHost>
NOTE 1: The post uses port 8999, but it can be any port you want. You want port 80 here, but you do not need to specify it, so, modifying the above would yield:
<VirtualHost *:80>
... # Everything is the same here...
</VirtualHost>
NOTE 2: Since you are using SSL, you need to add SSLProxyEngine On within the body of the VirtualHost definition. As noted above, the post did not have this specifically.
NOTE 3: Port 8888 is whatever port ipython is running on. Change this based on your configuration.
NOTE 4: If you want to host multiple applications, and this is one of them, rather than having / and :8888/, you will want /ipython and :8888/ipython or whatever you want this to be named. In order to support this, see Running with a different URL prefix.
Enable the new configuration:
sudo a2ensite iPython
If you need to disable:
sudo a2dissite iPython
Reload Apache:
sudo service apache2 reload
My Environment:
Ubuntu 14.04.1
Apache 2.4.7
ipython 2.3.0
EDIT: Updated to reflect the final changes I made to get this working. I also changed the instruction order to what I think makes more sense.
Based on Apache's config of #adam, I'm putting here a full SSL-aware <VirualHost> sections but without the /ipython prefix, and i'm giving also the SSL-options for anyone interested:
<VirtualHost *:80>
ServerAdmin myname#my.place.com
ServerName some.server.com
SSLEngine off
Redirect permanent / https://some.server.com
</VirtualHost>
## From http://stackoverflow.com/questions/23890386/how-to-run-ipython-behind-an-apache-proxy
#
<VirtualHost *:443>
ServerAdmin myname#my.place.com
ServerName some.server.com
SSLEngine on
SSLCertificateFile some_server_com.crt
SSLCertificateKeyFile some_server_com.key
<Location />
ProxyPass http://localhost:8888/
ProxyPassReverse http://localhost:8888/
ProxyPassReverseCookieDomain localhost some.server.com
RequestHeader set Origin "http://localhost:8888"
</Location>
<Location /api/kernels/>
ProxyPass ws://localhost:8888/api/kernels/
ProxyPassReverse ws://localhost:8888/api/kernels/
</Location>
Redirect permanent / https://some.server.com
</VirtualHost>
This works for jupyter and password hash:
<VirtualHost *:443>
ServerName default
ProxyPreserveHost On
ProxyRequests off
SSLProxyEngine on
SSLEngine on
SSLProtocol TLSv1
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLCertificateFile /home/ubuntu/.certs/mycert.pem
ProxyPass /notebook/terminals/websocket/ wss://localhost:9999/notebook/terminals/websocket/
ProxyPassReverse /notebook/terminals/websocket/ wss://localhost:9999/notebook/terminals/websocket/
ProxyPass /notebook/api/kernels/ wss://127.0.0.1:9999/notebook/api/kernels/
ProxyPassReverse /notebook/api/kernels/ wss://127.0.0.1:9999/notebook/api/kernels/
ProxyPass /notebook https://127.0.0.1:9999/notebook
ProxyPassReverse /notebook https://127.0.0.1:9999/notebook
</VirtualHost>
On newer versions of IPython/Jupyter that have a terminal you also need to add entries for terminals.
<Location /ipython/terminals/websocket/>
ProxyPass ws://localhost:8888/ipython/terminals/websocket/
ProxyPassReverse ws://localhost:8888/ipython/terminals/websocket/
</Location>
I'm using apache version 2.4.18 in a server running Ubuntu 16.04.1 LTS(xenial)
and finally I have my jupyter notebook running through ssl.
I had already configured the standard SSL on my server, so https:// was working. I had also followed this instructions: Running a notebook server to get my cert file and my password in the jupyter_notebook_config.py configuration file. What I was missing was:
c.NotebookApp.allow_origin = '*'
c.NotebookApp.base_url = '/SomeName'
The apache configuration file that worked for me using solutions from several places and part of the answers here was:
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
<Location "/SomeName">
ProxyPass https://localhost:XXXX/SomeName
ProxyPassReverse https://localhost:XXXX/SomeName
</Location>
<Location "/SomeName/api/kernels">
ProxyPass wss://localhost:XXXX/SomeName/api/kernels
ProxyPassReverse wss://localhost:XXXX/SomeName/api/kernels
</Location>
<Location "/SomeName/terminals/websocket">
ProxyPass wss://localhost:XXXX/SomeName/terminals/websocket
ProxyPassReverse wss://localhost:XXXX/SomeName/terminals/websocket
</Location>
where XXXX is the port you are using, e.g. 8888, and SomeName could be any name you want.
I hope this can help.
What I'm basically trying to accomplish is having my main website running a CMS written in Go. This will be located at www.example.com.
I also have applications written in PHP located in directories, such as www.example.com/clients/
How can I serve example.com/clients using Apache/PHP while serving example.com using Go built-in web server?
Via mod_proxy in Apache2, you can proxy different paths into different destinations at localhost or anywhere else accessible by your server, including within your local network (if your server can access it).
For this you would use ProxyPass (Apache2 Docs for ProxyPass, which is very useful reading) like the example below:
<VirtualHost *:80>
ServerName some.example.host.xyz
DocumentRoot /var/www/your-document-root
Alias /clients/ /var/www/clients/
ProxyPass /clients/ !
ScriptAlias /something-using-cgi/ /var/www/cgi-stuff/
ProxyPass /something-using-cgi/ !
ProxyPreserveHost On
ProxyPass / http://localhost:9876/
ProxyPassReverse / http://localhost:9876/
ProxyPass /elsewhere/ http://elsewhere.example.host.xyz:1234/
ProxyPassReverse /elsewhere/ http://elsewhere.example.host.xyz:1234/
</VirtualHost>
You'll want to be sure that you set your proxy security such that external users can't use your reverse proxy as a forward proxy, too. You can do that via ProxyRequests as described in the official Apache2 docs. The way I did this on a server is to put this in your server-wide config (you should verify on your own that this is secure enough):
# disables forward proxy
ProxyRequests Off
Andrew Gerrand has a good blog post about this for nginx but the principle is the same for Apache.
You want to set up Apache as a reverse proxy for requests coming in for the Go application.
For Apache you want to look at mod_proxy
Using apache2 I want to set up an AJP proxy for a Tomcat server that maps an internal servlet URL to a completely different URL externally. Currently I am using the following configurations:
Apache2 configuration:
<IfModule mod_proxy.c>
ProxyPreserveHost on
ProxyPass /external_name ajp://192.168.1.30:8009/servlet_name
ProxyPassReverse /external_name ajp://192.168.1.30:8009/servlet_name
</IfModule>
Note that external_name and servlet_name are different.
Tomcat 6 configuration:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
This however does not work. Apache seems to forward http requests to Tomcat.
However the URLs and redirects returned by Tomcat are still using the original servlet_name and Apache does not map them to external_name.
Is this possible at all with AJP? If not can it be done using a plain http proxy instead?
Mapping different names between Apache and Tomcat can be quite tricky and depends much on how the web application builds its urls for the response.
Basically your setup is correct, but if your application uses its own servlet_name for redirects and urls ProxyPassReverse won't map them.
If you need this kind of setup have a look at mod_proxy_html (Apache 3rd party module) which will parse and rewrite also the contents, not only the url and response headers as mod_proxy.
( A late answer, but I just ran into this problem myself. )
It appears that ProxyPassReverse using ajp: doesn't work because the headers returned from a redirect don't have an ajp: URL in Location:, they have a http: URL. ProxyPassReverse just causes a rewrite of matching headers, and
that string doesn't match what's being returned.
This should work (provided the Location: field uses that numerical address
and not a host name.)
ProxyPreserveHost on
ProxyPass /external_name ajp://192.168.1.30:8009/servlet_name
ProxyPassReverse /external_name http://192.168.1.30/servlet_name
( You can use 'curl -I' to inspect the redirect headers and debug. )
See this note, or a more involved solution here using mod_proxy_html
for rewriting the URLs in web pages as well.
Additionally to the answer from Steven D. Majewski there is one more problem. If the target application uses the request host name to create a redirect (302 Moved Temporarily), it won't work with multiple host names. One must create multiple configurations for every name, like this:
ProxyPassReverse /external_name http://server.com/servlet_name
ProxyPassReverse /external_name http://server.org/servlet_name
ProxyPassReverse /external_name http://server.co.uk/servlet_name
Actually the ProxyPreserveHost on must solve this issue and replace the HOST header in the incoming requests with the address or IP specified in ProxyPass. Unfortunately it seems to be the ProxyPreserveHost doesn't work with ajp connectors. The tomcat in my configuration still received the host name got from browser instead replacing it with 192.168.1.30. As result the browser based redirects still didn't work for every name.
Following configuration didn't work as well :-(
# NOT WORKING !!!
ProxyPassReverse /external_name http://%{HTTP_HOST}/servlet_name
The workaround was using http instead of ajp.
ProxyPreserveHost on
ProxyPass /external_name ajp://192.168.1.30:8009/servlet_name
ProxyPassReverse /external_name http://192.168.1.30/servlet_name
Did somebody investigate it deeply?
For me, this seemed to cause problems:
ProxyPreserveHost on
ProxyPass /external_name ajp://192.168.1.30:8009/servlet_name
ProxyPassReverse /external_name http://192.168.1.30/servlet_name
While this seemed to work:
ProxyPreserveHost on
ProxyPass /external_name ajp://192.168.1.30:8009/servlet_name
ProxyPassReverse /external_name ajp://192.168.1.30:8009/servlet_name
I don't know why but it just did.
I'm trying to use Apache's mod_proxy with the AJP backend and an ajp-wsgi app server but it doesn't seem to be sending SetEnv variables to the application server.
Configuration snippet:
<Location /script>
ProxyPass ajp://localhost:8009/script
SetEnv FOO "barbobot"
</Location>
How do I pass environment variables from the Apache configuration to my app server?
The trick is to prefix the environment varibles with AJP_, as in
<Location /script>
ProxyPass ajp://localhost:8009/script
SetEnv AJP_FOO "barbobot"
</Location>
See http://marc.info/?l=apache-httpd-dev&m=122059722411298&w=2