ws_tunnel Apache->Websocket server not working - apache

I have a local web socket server running on WSS:// port 9000. In the same server I have apache running as well.
When I try and connect from my remote client directly to port 9000 via WSS like this:
wss://myserver:9000
it works fine. However, I blocked port 9000 on my router and am trying to access it via apache (which is running on SSL).
When I try and access
wss://myserver/
I can see the logs in Apache that it issued a GET but my web socket server does not receive the connection.
I've read through various SO threads and I think I have my ordering correct.
Details:
Apache Version:
Server version: Apache/2.4.7 (Ubuntu)
sudo apache2ctl -M shows proxy_* modules running
proxy_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
Apache configuration: (relevant lines inside VirtualHost)
ProxyPass / wss://localhost:9000/
ProxyPassReverse / wss://localhost:9000/
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
Note that both my local web socket server and Apache are configured to use the same certificates
(I'm not sure if I need the Proxy * part, but I saw it in one SO thread)
And here are debug logs:
http://pastebin.com/gqVp3Pz5
Thanks

It seems by default Apache wstunnel does not work when the need is to tunnel SSL end to end. What works is if Apache terminates WSS and then does a WS with the local server.
I found this thread, "tunneling secure websocket connections with apache", that describes how to recompile Apache to allow for end to end WSS tunneling.
I've currently decided to not do apache tunneling and open a firewall port for my event server directly as I don't expect my users to have the inclination to recompile Apache for this.

Related

Splitting up Apache2 and Tomcat

Currently we have Apache2 and Tomcat8 running on the same server, with MySQL backend. We want to go from 2 tier to 3 tier, that is putting an Apache server in front of Tomcat. Right now we don't need a load-balancer nor reverse proxy. Nor is there a firewall between Apache2 server and Tomcat8 server. Nor is Apache2 serving any static content.
Simply need to log onto the Apache2 server and in the browser type localhost and have it pull up the webapp running on the backend Tomcat8. I have done telnet tests and confirmed that port 8009 is up and running. I've tried to update the workers.properties file, but getting a 503 error.
Let's say our set up is:
Apache2 server is 111.111.11.132
Tomcat8 server is 111.111.11.122
I have probe up and running at:
http://111.111.11.122/probe
In the Apache2 httpd.conf file I have added:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyPass /probe http://111.111.11.122:8080/probe
ProxyPassReverse /probe http://111.111.11.122:8080/probe
I then go to internet explorer on the apache2 server and put in:
http://localhost/probe/*
It challenges me for the probe userid and password and then I get the following error:
The webpage cannot be found

How to set up an IBM HTTP reverse proxy in front of a couple of other IBM HTTP Servers that have been configured to a WebSphere cluster

I have a couple of IBM HTTP Servers v8.5, IHS1 and IHS2, configured to two managed nodes on a WebSphere cluster that is running DefaultApplication.
I had set up SSL (on default port 443) on these two IHS1 and IHS2 servers and configured plug-in xml to access the applications like snoop. So now, I can access snoop application via the URLs
https://ihs1/snoop and
https://ihs2/snoop
I now want to set up another IBM HTTP server on another machine, that would have a single URL, say https://loadbalancer , sitting in front of the above two machines, to act as a loadbalancer and distribute the client's requests to the above two URLs. All my application clients must only be able to access the snoop app via https://loadbalancer/snoop
I have started in this direction, through a reverse proxy configuration on this loadbalancer, but no luck.
In httpd.conf, I have uncommented the three lines
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
and the VirtualHost block looks as below:
Listen 0.0.0.0:443
<VirtualHost loadbalancer:443>
SSLEnable
SSLProtocolDisable SSLv2
SSLClientAuth 0
ProxyPass / https://ihs1/
ProxyPass / https://ihs2/
ProxyPreserveHost on
SSLProxyEngine on
</VirtualHost>
KeyFile C:/IBM/HTTPServer/ihsserverkey.kdb
SSLDisable
Any definitive httpd.conf configuration suggestions on the loadbalancer? Or is this path completely different?
This is not really an IBM topology. IHS 7.0 through 8.5.5 contains mod_proxy_balancer (in the WebSphereCE/ subdirectory) that would allow you to load-balance two backends this way with mod_proxy, but it would not be supported by IBM.
If both tiers are really necessary, use something in the very front that is either an IP sprayer (layer 3/4) or a standalone HTTP proxy server.
It is also possible to rig a plugin-cfg.xml statically to use IHS+WAS Plugin at the front tier, but it's not so straightforward.

SSL issue with Apache httpd reverse proxy scheme

Apologies, this question is a mix of Chef and Apache-httpd, but ultimately I believe it's an Apache-httpd configuration issue.
I have a Chef client/node happily hitting a Chef Server w/ SSL.
Chef client/node - /etc/chef/client.rb
chef_server_url 'https://chefserverhostname/organizations/myOrg'
ssl_verify_mode :verify_peer
I'm trying to put a proxy in front of the Chef Server so I can re-point down the road if needed. Apache-httpd is installed fine (on the same box as Chef Server), all firewall and iptables are consistent with my below configuration.
Chef Server - /etc/httpd/conf/httpd.conf
Listen 8443
<VirtualHost *:8443>
ServerAdmin me#email
ServerName chefserverhostname
ServerAlias CDS-PROXY
ProxyPass / https://chefserverhostname:443/
ProxyPassReverse / https://chefserverhostname:443/
RewriteEngine On
</VirtualHost>
I reconfigure the Chef client/node's client.rb to point to https://chefserverhostname:8443/organizations/myOrg, and hope to have the request pass through the proxy. ChefServer/nginx is listening on 443 and I'm assuming that it's taking care of the SSL decrypt, and 8443 is just the 'pass-through'. But when I fire up my Chef client/node I'm getting an SSL error message:
ERROR: SSL Validation failure connecting to host: chefserverhostname - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
You are using HTTPS but your vhost does not have any configuration to enable mod_ssl or another TLS option. As such, you should be using http://hostname:8443 but this is very much not recommended.
Chef Server is an appliance at heart and this kind of extra proxy layer is possible but not how things are intended to operate. You should just use the default setup which already includes a fronting nginx proxy for Erchef and friends.
You can check this recipe, https://github.com/chef-cookbooks/httpd, and properly configure Apache SSL and additional modules.
To me it is also not OK to drop the SSL connection on the Chef server, based on your current setup.
Since you have nginx on your machine you can extend the configuration there to support reverse proxy. Later on if you remove chefserver/nginx from this machine and you want only to leave proxy, install new nginx and apply the same conf for proxy configuration.
I would rather drop Apache from your setup.
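As an added example (not code from any of the posts above), a small Python check for three patterns visible in the configurations quoted in the WebSocket, IHS and Chef questions: a vhost with no TLS listener, a `https://` or `wss://` backend without `SSLProxyEngine on`, and a second `ProxyPass` for a path that an earlier rule already matches. The function name, the finding labels and the sample config are assumptions made for this example; the check only reads directives inside each `<VirtualHost>` block, so settings inherited from server scope are not seen.

```python
import re

# Constructed sample modelled on the three vhost snippets quoted on this page.
SAMPLE = """
<VirtualHost *:443>
SSLEngine on
ProxyPass / wss://localhost:9000/
ProxyPassReverse / wss://localhost:9000/
</VirtualHost>
<VirtualHost loadbalancer:443>
SSLEnable
ProxyPass / https://ihs1/
ProxyPass / https://ihs2/
SSLProxyEngine on
</VirtualHost>
<VirtualHost *:8443>
ProxyPass / https://chefserverhostname:443/
ProxyPassReverse / https://chefserverhostname:443/
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
# "SSLEnable" is the IHS spelling used in the load balancer question.
TLS_ON = re.compile(r"^\s*(SSLEngine\s+on|SSLEnable)\s*$", re.I | re.M)
PROXY_TLS_ON = re.compile(r"^\s*SSLProxyEngine\s+on\s*$", re.I | re.M)
# Requires whitespace right after "ProxyPass", so ProxyPassReverse is skipped.
PROXY_PASS = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.I | re.M)


def audit_vhosts(conf):
    """Return {vhost address: [findings]} for every <VirtualHost> block."""
    report = {}
    for addr, body in VHOST.findall(conf):
        findings, seen_paths = [], set()
        if not TLS_ON.search(body):
            # Clients that connect with https:// get plain HTTP back.
            findings.append("no-tls-listener")
        for path, backend in PROXY_PASS.findall(body):
            scheme = backend.split(":", 1)[0].lower()
            if scheme in ("https", "wss") and not PROXY_TLS_ON.search(body):
                findings.append("tls-backend-without-sslproxyengine:" + backend)
            if path in seen_paths:
                # ProxyPass rules are checked in order; the first match wins.
                findings.append("shadowed-proxypass:" + backend)
            seen_paths.add(path)
        report[addr.strip()] = findings
    return report


if __name__ == "__main__":
    for addr, findings in audit_vhosts(SAMPLE).items():
        print(addr, findings or "ok")
```
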

Apache Module mod_proxy_balancer

We are using Apache version 2.2.23 in our environment. We have configured Apache in such a way that it should load balance between two application servers for the same home page.
BalancerMember abc:8101
BalancerMember abc:8102 status=+H
We need to know how the Apache web server is detecting that the server 8101 is down.
Is it a ping or Telnet or something other than this?
Apache HTTPd does not have an out-of-band healthcheck for BalancerMember. It will detect that a given server is down when a proxied request to this server fails.
The documentation can be found here: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

port forwarding from Apache httpd 443 to JBoss 8443

I have a need to run Apache httpd in front of my JBoss so I can leave the JBoss ports in place (8080/8443) but have Apache/80 forward to Jboss/8080 and Apache/443 forward to Jboss/8443.
I have the HTTP forwarding working but I can't get HTTPS forwarding to work.
To get HTTP forwarding to work I simply loaded the correct proxy modules:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
Then added these new directives:
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
If all I want to do is forward port 443 to 8443, do I have to enable SSL? I don't need Apache to load and process a certificate.
You're confusing two things.
If you want port forwarding from port 443 to 8443, don't go via Apache Httpd, just forward the port (for example, via iptables). In this case your JBoss container must be configured to handle the SSL/TLS connection (all the certificate settings).
If you want a reverse proxy from Apache Httpd (listening on port 443) to your JBoss container, you don't need to enable SSL/TLS on your JBoss container (especially on localhost), just proxy the request to Apache Httpd in plain HTTP (or via AJP). For this, you'll need to configure Apache Httpd to handle the SSL/TLS connection.