Apache Reverse Proxy Issue - apache

I am trying to use mod_proxy to set up the reverse proxy for multiple web applications using a single Apache web server (version 2.4).
I have two applications running on two different tomcat servers:
1. http://app.test.com:8080/app
2. http://app.test.com:8090/app
I have enabled the required modules in the httpd.conf file and added the below lines to the same:
> ProxyPass /App1/ http://app.test.com:8080/app
> ProxyPassReverse /App2/ http://app.test.com:8090/app
The issue is when I test this using the URLs below,
http://rp.test.com:80/App1/ and http://rp.test.com:80/App2/, the Apache web server does send me to the apps hosted on the Tomcats but gives a 404 error on clicking any internal link of the application.
Think I am missing some configuration part here. Any suggestions?

You also need to configure Tomcat connectors behind the proxy. Something like this, containing your external server name and port.
<Connector port="8081" ...
proxyName="www.mycompany.com"
proxyPort="80"/>
To adjust the path in the URL, you may use the proxypassreversepath directive, see:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassreversecookiepath
ProxyPassReverseCookiePath /App1/ /app/
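
An added example (not part of the original posts): a small linter that checks whether `ProxyPass` and `ProxyPassReverse` lines form consistent pairs, run here against the two directives quoted in the question. The function names and finding strings are made up for this illustration; it only handles the two-argument form used outside `<Location>` blocks.

```python
import shlex
from urllib.parse import urlsplit

# Constructed input: the two directives quoted in the question above.
QUESTION_CONF = """
ProxyPass /App1/ http://app.test.com:8080/app
ProxyPassReverse /App2/ http://app.test.com:8090/app
"""

def parse_mappings(conf):
    """Collect two-argument ProxyPass / ProxyPassReverse lines as {path: url}."""
    maps = {"proxypass": {}, "proxypassreverse": {}}
    for line in conf.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 3 and parts[0].lower() in maps:
            maps[parts[0].lower()][parts[1]] = parts[2]
    return maps["proxypass"], maps["proxypassreverse"]

def lint(conf):
    """Return (public_path, finding) tuples for inconsistent proxy mappings."""
    fwd, rev = parse_mappings(conf)
    findings = []
    for path, url in fwd.items():
        if path not in rev:
            # Backend redirects (Location headers) pass through unrewritten.
            findings.append((path, "no ProxyPassReverse"))
        elif rev[path] != url:
            findings.append((path, "ProxyPassReverse target differs"))
    for path in rev:
        if path not in fwd:
            # ProxyPassReverse alone forwards nothing; requests are never proxied.
            findings.append((path, "no ProxyPass"))
    for path, url in {**rev, **fwd}.items():
        backend = urlsplit(url).path or "/"
        if path.endswith("/") != backend.endswith("/"):
            findings.append((path, "trailing-slash mismatch"))
        if path.rstrip("/") != backend.rstrip("/"):
            # Links the app writes into HTML still start with the backend
            # context path, and ProxyPassReverse only rewrites headers.
            findings.append((path, "public prefix differs from backend path"))
    return findings

if __name__ == "__main__":
    for finding in lint(QUESTION_CONF):
        print(*finding, sep=": ")
```

The last finding is the one that matches the 404s on internal links: the applications keep generating `/app/...` URLs that the proxy has no mapping for.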

Related

Cannot log into GeoServer 2.19 with SSL

I am able to reach the GeoServer log-in form on a new server instance using a URL like this: https://sub.domain.tld/geoserver.
However, entering the correct username and password causes Cannot POST /geoserver/j_spring_security_check to be displayed in plain text in the browser window and "http://localhost:8080/geoserver/j_spring_security_check" to appear on the address line (Chrome and Firefox). Logging-in works just fine from http://sub.domain.tld:8080/geoserver and, while logged in that way, the SSL URL will skip the log-in form entirely and open the full GUI -- but none of the example layer previews will work (Cannot GET /geoserver/tiger/wms ...or whatever layer).
I have 3 similar servers set up with earlier software versions that all work perfectly:
CentOS Linux release 7.5.1804 (Core)
Apache 2.4.6
Tomcat 9.0.4.0
JVM 1.8.0_171-b10 (Oracle)
GeoServer 2.15.1 (also 2.14.1)
This latest server is:
CentOS Linux release 7.9.2009 (Core)
Apache 2.4.6
Tomcat 9.0.48.0
JVM 1.8.0_292-b10 (Red Hat)
GeoServer 2.19.1
I closely followed the GeoServer install procedure found here. Apache was already installed and working with a virtual host configuration using certbot and a Let's Encrypt certificate. I added the following to the <VirtualHost *:443> section of the /etc/httpd/sites-available/sub.domain.tld.conf file:
ProxyRequests Off
ProxyPass /geoserver http://localhost:8080/geoserver
ProxyPassReverse /geoserver http://localhost:8080/geoserver
<Location "/geoserver">
Order allow,deny
Allow from all
Header set Access-Control-Allow-Origin "*"
</Location>
I also set "https://sub.domain.tld/geoserver/" as the Proxy Base URL in GeoServer. This is exactly how my working instances are set up.
The newest /opt/tomcat/webapps/geoserver/WEB-INF/web.xml file is slightly different in that it has separate CORS sections to be uncommented for Jetty vs. Tomcat. The Tomcat section and the cross-origin filter-mapping are uncommented. Unlike before, I had to enable the SELinux httpd_can_network_connect process in order to get to the GeoServer log-in form via SSL. Disabling SELinux enforcement, however, does not solve the j_spring_security_check problem.
Sensitive WMS and WFS content must be served via SSL. I am now spinning my wheels on research so any help in resolving this would be greatly appreciated!
I was running into a similar problem trying to reverse proxy a Geoserver docker container using Apache.
After bashing my head for a few days, I found I needed a couple of changes on both ends of the setup.
Apache:
<Location "/geoserver">
ProxyPreserveHost On
ProxyPass http://localhost:8080/geoserver
ProxyPassReverse http://localhost:8080/geoserver
</Location>
The ProxyPreserveHost directive should ensure that sub.domain.tld is what's used rather than localhost.
However, at this point I hit another problem: no matter what I did, the login & logout URLs were using http:// and not https://
This required adjusting the server config of Tomcat, specifically the scheme used by the connector.
Tomcat:
<Connector
port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
scheme="https"
/>
Note the value of scheme is https, normally it's http because it's the http connector. This connector doesn't SSL/TLS encrypt the traffic so it would, under normal circumstances (appropriately), set the protocol to http.
Since we're using a proxy for SSL/TLS encryption we don't need Tomcat to do that work but we still need to tell Tomcat to describe the server name using https instead of the usual http.
Alternatively, you could also look at using the AJP connector which is an entirely different protocol but gets around some of these issues rather neatly and can be more performant.
The issue with this approach is that it requires more Apache mods to be enabled to work as well as some security concerns given how much more powerful AJP can be VS the http connector.
Also, there are some other proxy settings that can be used in Tomcat to possibly remove the need for ProxyPreserveHost in Apache, but this should get you where you're going.
Additional reading:
Tomcat HTTP Connector docs: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
Tomcat AJP docs: https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
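
An added example (not part of the original answer): a check over `server.xml` for connectors that report `scheme="https"` while TLS is terminated at the proxy. Besides `scheme`, Tomcat's HTTP connector has a `secure` attribute that controls what `request.isSecure()` returns, and `proxyName` / `proxyPort` attributes that pin the reported server name and port. The XML fragment is constructed from the connector shown above, and the function name and issue labels are made up for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the connector from the answer above.
SERVER_XML = """
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="8443" scheme="https" />
</Service>
"""

# Constructed fragment with the proxy-related attributes filled in.
HARDENED_XML = """
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" scheme="https" secure="true"
             proxyName="sub.domain.tld" proxyPort="443" />
</Service>
"""

def audit_connectors(xml_text):
    """Return (port, issue) pairs for connectors that claim https behind a proxy."""
    issues = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port")
        does_tls = conn.get("SSLEnabled", "false").lower() == "true"
        if conn.get("scheme", "http").lower() != "https" or does_tls:
            continue  # plain http connector, or Tomcat terminates TLS itself
        if conn.get("secure", "false").lower() != "true":
            # request.isSecure() keeps returning false for proxied requests.
            issues.append((port, "secure is not true"))
        if not conn.get("proxyName"):
            # getServerName() is taken from the incoming request instead.
            issues.append((port, "proxyName not set"))
        if not conn.get("proxyPort"):
            # getServerPort() is taken from the incoming request instead.
            issues.append((port, "proxyPort not set"))
    return issues

if __name__ == "__main__":
    for port, issue in audit_connectors(SERVER_XML):
        print(f"connector {port}: {issue}")
```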

referring to tomcat URLs via multiple aliases in an apache web server + tomcat setup

I have an apache web server that acts as a load balancer / gateway for the base url, say http://example.com
In turn, there is routing logic within the apache web server to forward the requests to individual tomcat servers eg app1, app2 via the paths http://example.com/app1, http://example.com/app2.
Here, app1 and app2 are separate tomcat instances and they are separate webapps.
Now there is a need to refer to http://example.com/app1 also as http://example.com/alias1, ie both /app1 and /alias1 must route to the tomcat server corresponding to app1, with only one app1 installed (ie alias1 is not a separate tomcat instance)
Any pointers to documentation for setting up an alias for a tomcat webapp in this fashion would be appreciated.
You can use Apache ReverseProxy technology to "route" requests to different Tomcats depending on the URL: https://httpd.apache.org/docs/current/mod/mod_proxy.html
You can start with something like this:
ProxyPass "/foo/" "http://foo.tomcat.lan:8080/foo/"
ProxyPassReverse "/foo/" "http://foo.tomcat.lan:8080/foo/"
ProxyPass "/bar/" "http://192.168.254.30:8080/"
ProxyPassReverse "/bar/" "http://192.168.254.30:8080/"
and if it's working, you can add a rule (which can be another proxyPass, a rewriteRule with proxy flag or whatever you need/like) for the alias.
Even though it's not an optimal solution, if you have multiple Tomcats serving the same application, you can also load balance the traffic: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html

Apache as a proxy for multiple nginx servers

I'm starting from the bitnami jenkins stack. Everything is working perfectly with jenkins.
http://sample:8080/jenkins (works fine)
I'm trying to add additional directories to apache to proxy to nginx:
http://sample:8080/other_tool
I can get to the other_tool homepage, but references to that other tool break down because they are looking for http://sample:8080/relative_url rather than http://sample:8080/other_tool/relative_url
I can pull config settings from the necessary files as needed, but it is on an air-gapped network so wholesale posting would be a challenge
The apache conf looks like:
<Directory /other_tool>
ProxyPass http://localhost:9999
ProxyPassReverse http://localhost:9999
</Directory>
The nginx configuration is a standard "/" with root directory. I'm not as familiar with nginx so I can't recall the exact information off the top of my head. If needed I will provide it.
I could try to switch the jenkins hosting over to nginx, but I'm not sure that simplifies anything.
I can't open more ports on the machine. I can't use a subdomain as that would require additional DNS entries that I do not control.
Ideas or suggestions?

Apache .htaccess whitelist doesn't block Tomcat with Mod_jk

My problem is, that I recently set up a Tomcat7 application container with Apache2.2 Frontend. As the project is still under development I am controlling access by an IP whitelist set up in .htaccess for the domain.
I set up mod_jk via AJP13 to Tomcat, it works absolutely fine, except the fact that .htaccess doesn't block the forward for Tomcat. In other words if you enter www.mydomain.com from a "black" IP, you get forwarded to the error page but if you enter www.mydomain.com/AppContext you slip through Apache into Tomcat
I started messing with urlrewritefilter with Tomcat, but for some reason it didn't work.
I am wondering if there is any way to set up .htaccess or apache instead to block requests forwarded to Tomcat similarly to request for Apache?
Also noticed a dramatic speed decrease when using it like that, is that common when using Apache as a frontend?
.htaccess files will work only when Apache is using a <Directory> based configuration (in httpd.conf). In case of mod_jk, matching requests (as specified by JkMount directive) will simply be forwarded to the AJP connector.
Use <Location> to control access instead:
<Location "/AppContext">
Order Deny,Allow
Deny from all
Allow from .myCompany.local
</Location>
See <Location> Directive for details.
I faced the same problem and found a solution which may solve your case too.
Use a reverse proxy server like Nginx or Squid to redirect the traffic to Apache Tomcat. Both of them can use htpasswd for authentication and hence will serve your need. If you want to use Apache as the frontend, then the backend can be nginx, which in turn will redirect to Tomcat after proper authentication. It may have a performance hit, though.
https://www.digitalocean.com/community/tutorials/how-to-set-up-http-authentication-with-nginx-on-ubuntu-12-10
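
An added example (not part of the original answers): an audit that lists URL prefixes handed to a backend by `JkMount` or two-argument `ProxyPass` that no `<Location>` block with an access directive covers, which is the gap described in the question. The sample config is constructed; `worker1` and `/Other` are placeholders, and the check only tests that a rule exists, not what it permits.

```python
import re

# Constructed sample: two mod_jk mounts plus the <Location> block from the answer.
SAMPLE_CONF = """
JkMount /AppContext/* worker1
JkMount /Other/* worker1
<Location "/AppContext">
Order Deny,Allow
Deny from all
Allow from .myCompany.local
</Location>
"""

ACCESS_DIRECTIVES = {"order", "deny", "allow", "require"}
LOCATION_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>',
                         re.I | re.S)

def guarded_locations(conf):
    """URL prefixes whose <Location> block holds an access-control directive."""
    guarded = []
    for path, body in LOCATION_RE.findall(conf):
        words = {ln.split()[0].lower() for ln in body.splitlines() if ln.split()}
        if words & ACCESS_DIRECTIVES:
            guarded.append(path.rstrip("/") or "/")
    return guarded

def forwarded_paths(conf):
    """URL prefixes sent to a backend by JkMount or two-argument ProxyPass."""
    paths = []
    for line in LOCATION_RE.sub("", conf).splitlines():
        parts = line.replace('"', "").split()
        if len(parts) >= 3 and parts[0].lower() in ("jkmount", "proxypass"):
            # "/AppContext/*" and "/AppContext/" both reduce to "/AppContext".
            paths.append(re.sub(r"/?\*$", "", parts[1]).rstrip("/") or "/")
    return paths

def unguarded(conf):
    """Forwarded prefixes that no guarded <Location> covers."""
    locs = guarded_locations(conf)
    def covered(path):
        # <Location> matches on whole path segments, so /App does not cover /AppX.
        return any(loc == "/" or path == loc or path.startswith(loc + "/")
                   for loc in locs)
    return [p for p in forwarded_paths(conf) if not covered(p)]

if __name__ == "__main__":
    print("forwarded without access rule:", unguarded(SAMPLE_CONF))
```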

Redirecting http request to two different weblogic servers using the Weblogic proxy and Apache2

I've read previous posts like "Redirecting https requests to two different weblogic servers using the Weblogic proxy and Apache2". But I have a different situation and I don't think I'm understanding this too well.
I have an Apache 2 server (server1) that will receive http requests for my application. Then I have two more servers (server2 and server3) with Web Logic 9.2 running on ports 7000 (server1) and 8000 (server2).
I want the users to enter appname.domain.com and be redirected between the two web logic servers, always keeping appname.domain.com (this is hiding servername:port from the URL).
How can I manage to do that?
Thanks in advance!
Jhon.
Use the Apache HTTP Server plug-in provided by BEA/Oracle to front and load balance requests to your application.
I'd use a virtual host here, something like this:
<VirtualHost xxx.xxx.xxx.xxx:80>
DocumentRoot "C:/test/VirtualHost1"
ServerName appname.domain.com
<IfModule mod_weblogic.c>
#... WLS parameter ...
WebLogicCluster 192.168.1.100:7000,192.168.1.200:8000
# Example: MatchExpression *.jsp <some additional parameter>
MatchExpression *.jsp PathPrepend=/test
</IfModule>
</VirtualHost>
This config should balance requests to http://appname.domain.com/
to http://192.168.1.100:7000/test and http://192.168.1.200:8000/test.
Refer to the official documentation for all the details:
Installing and Configuring the Apache HTTP Server Plug-In
Parameters for Web Server Plug-Ins
and also Thread: Installing and Configuring the Apache HTTP Server Plug-In
Install a WebGate on the HTTP server in the case of Oracle, which will do the reverse proxy and hide the server name.