Single-Sign-On (JSESSIONIDSSO Cookie) in Wildfly 9 not working behind Apache - apache

I'm using Wildfly 9.0.1.Final with single-sign-on to secure my backend and frontend with the following configuration:
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <single-sign-on path="/"/>
        </host>
    </server>
    ...
In my development environment, everything is working fine. But if I use FORM login in production environment, where the wildfly is behind an apache server, clients only get JSESSIONID but no JSESSIONIDSSO.
The corresponding apache config is:
ProxyPass /user http://localhost:10080/user
ProxyPassReverse /user http://localhost:10080/user
ProxyPass /backend http://localhost:10080/backend
ProxyPassReverse /backend http://localhost:10080/backend
What could be the problem?

This could be happening for a couple of reasons:
The domain name on the cookie reflects the WildFly domain, which is different from the actual domain being used by the client.
and/or
The path set on the cookie is different from the path from which the reverse proxy call is being made.
In either of the above cases the Set-Cookie header will be received by the browser; it's just that the browser will silently discard it.
You can add the following extra configuration in Apache to solve the issue:
ProxyPassReverseCookiePath /example.com /
ProxyPassReverseCookieDomain localhost example.com
Please refer to the Apache documentation for more details, and check the error logs for warnings regarding cookies.
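
The domain and path checks described in the answer above can be reproduced offline. This is an added example, not code from the original posts: it applies the RFC 6265 domain-match and path-match rules to a Set-Cookie value, and the cookie values, the public host example.com and the j_security_check login URL are constructed assumptions.

```python
from urllib.parse import urlsplit

def domain_match(host, domain):
    # RFC 6265 section 5.1.3 (IP-literal hosts are not handled here)
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_match(request_path, cookie_path):
    # RFC 6265 section 5.1.4
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def default_path(request_path):
    # Used when Set-Cookie carries no usable Path attribute
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def browser_verdict(set_cookie, response_url, later_url):
    """Return (cookie name, 'rejected' | 'not-sent' | 'sent')."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    name = first.partition("=")[0]
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest)}
    resp, later = urlsplit(response_url), urlsplit(later_url)
    domain = attrs.get("domain", "")
    if domain and not domain_match(resp.hostname, domain):
        return name, "rejected"      # silently dropped by the browser
    path = attrs.get("path", "")
    if not path.startswith("/"):
        path = default_path(resp.path)
    host_ok = (domain_match(later.hostname, domain) if domain
               else later.hostname == resp.hostname)   # host-only cookie
    if host_ok and path_match(later.path or "/", path):
        return name, "sent"
    return name, "not-sent"

# Constructed sample values: what the client sees at the public proxy address
LOGIN = "https://example.com/user/j_security_check"
NEXT = "https://example.com/backend/"
SAMPLES = ["JSESSIONIDSSO=abc123; Domain=localhost; Path=/; HttpOnly",
           "JSESSIONIDSSO=abc123; Domain=example.com; Path=/; HttpOnly",
           "JSESSIONID=def456; Path=/user; HttpOnly"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(browser_verdict(sample, LOGIN, NEXT), "<-", sample)
```

Running the same check against the Set-Cookie headers captured at the proxy's public address shows which of the two causes applies before any Apache directive is changed.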

Related

IIS URL Re-Direct to local host and port

I'm in the process of breaking apart and migrating an apache internal webserver to an IIS web server.
I believe what the snippet of apache web config does below when testing is re-direct any requests coming in from "bobby" to http://localhost:8181/
bobby is a DNS entry on our domain which resolves to 192.168.8.50.
In short, if you place bobby/ into a web browser on our domain without the port specified the below will forward to local host with the correct port.
How can I replicate this in IIS?
<VirtualHost 192.168.8.50:80>
ServerName bobby
ProxyRequests Off
ProxyVia Off
<Proxy *>
Require all granted
</Proxy>
ProxyPass / http://localhost:8181/
ProxyPassReverse / http://localhost:8181/
</VirtualHost>
Do you mean you want to redirect all the requests from "bobby" to "http://localhost:8181/"?
If this is your requirement, I suggest you try using the IIS URL Rewrite module as an IIS reverse proxy to achieve it.
You could install it from this url.
Then you could add below config settings in the bobby web.config file in system.webServer tag.
<rewrite>
    <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
            <match url="(.*)" />
            <action type="Rewrite" url="http://localhost:8181/{R:1}" />
        </rule>
    </rules>
</rewrite>

Apache to tomcat proxy is not working

I have got apache 2.4, and 1 tomcat (connector port - 8081 and AJP - 8009) server (both on same linux box) on which I have an application folder named 'MyApp' in webapps directory.
Tomcat direct URL is - http://localhost:8081/MyApp/MyApp --> This link loads fine and displays the images; jquery and js work fine.
I am proxying all the requests to tomcat from apache using mod_proxy as mentioned below -
ProxyPass /MyApp ajp://localhost:8009/MyApp/MyApp
ProxyPassReverse /MyApp ajp://localhost:8009/MyApp/MyApp
Now, when I try to access it through the web server URL, the URL loads but the images, css and jquery, which are inside the /u01/tomcat/webapps/MyApp directory, don't work.
If I try to load the direct URL of the image, for example - http://localhost/MyApp/images/logo.jpg - it doesn't work.
In the body of the image, I see -
HTTP Status 404 - /MyApp/MyApp/images/incidentReport.jpg
See the above line: it is adding one more 'MyApp' to fetch the image.
On the other hand, the tomcat URL [ localhost:8081/MyApp/images/logo.jpg ], loads fine.
What could be the issue? The developer of the application has designed it in such a way that it should work with a double 'MyApp' i.e. localhost:8081/MyApp/MyApp
What else do I need to do either on webserver/tomcat in order to make this work?
You need to follow these steps:
Step 1: Before configuring Apache, you should enable the necessary modules.
a2enmod proxy
a2enmod proxy_http
Step 2: Next, you are going to modify the default configuration file 000-default.conf inside /etc/apache2/sites-enabled to set up "proxying" functionality.
<VirtualHost *:*>
ProxyPreserveHost On
ProxyPass / http://0.0.0.0:8081/
ProxyPassReverse / http://0.0.0.0:8081/
ServerName localhost
</VirtualHost>
Step 3: Next, you are going to modify the server.xml file.
<Host name="www.drew-jocham.com" appBase="webapps"
unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" prefix="resumesite_log." suffix=".txt"
pattern="common"/>
<Context path="" docBase="/MyApp/MyApp" debug="0" reloadable="true"/>
</Host>
Once you are done with your configuration, you will need to restart the cloud server for the changes to go into effect. Execute the following command to restart Apache: service apache2 restart
And that’s it!
Read more: https://medium.com/#ldclakmal/deploy-a-java-web-application-in-digitalocean-882226dcdbd5

WildFly multiple domains and SSL certificates

I have two different domains
example1.com
example2.com
Each domain has its own SSL certificate.
What I am trying to do now, is using both domains for the same WildFly instance, supporting SSL.
The WildFly documentation states, that I can only reference a single certificate in a keystore. Thus, I can't just define a single <security-realm> with one keystore containing both certificates.
Thus, I defined two different <security-realm>. One for each domain.
<security-realm name="RealmExample1">
<server-identities>
<ssl>
<keystore path="example1.jks" keystore-password="secret" />
</ssl>
</server-identities>
...
</security-realm>
<security-realm name="RealmExample2">
<server-identities>
<ssl>
<keystore path="example2.jks" keystore-password="secret2" />
</ssl>
</server-identities>
...
</security-realm>
However, I cannot add two security domains to a single host.
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https-ext"/>
<https-listener name="default-ssl" security-realm="UndertowRealm" socket-binding="https"/>
<host name="default-host" alias="localhost">
<filter-ref name="central-basic-auth"/>
</host>
</server>
Now, if I define a server for each domain, I cannot reference the same http/https listener binding, since the ports are blocked.
The only solution I have found so far is having two public IP addresses and defining two interfaces and an http/https socket binding for each interface. Then I am able to define two servers with a different alias and different socket bindings.
As of now, WildFly unfortunately does not support SNI.
Is there any other possible solution?
While it would complicate your deployment a bit, have you considered putting Apache httpd in front of your Wildfly server? It would not be difficult to do and it does support SNI. You would have to change your certificates for Apache but then, with Apache virtual hosting you could have something like:
<VirtualHost _default_:443>
ServerName www.firstdomain.com
ProxyPreserveHost on
ProxyPass / http://localhost:8080/
ProxyTimeout 360
</VirtualHost>
in the first virtual host file and:
<VirtualHost _default_:443>
ServerName www.seconddomain.com
ProxyPreserveHost on
# if it is a different instance:
ProxyPass / http://localhost:9080/
# or, if it is the same instance, different webapp:
# ProxyPass / http://localhost:8080/app2
ProxyTimeout 360
</VirtualHost>
Again, the issues are that you have another process to maintain and you'll need to setup SSL for Apache. But you can then use Apache to do SSL and, if you'd like, things like:
Header set Content-Security-Policy ...
Header set X-XSS-Protection "1; mode=block"
This setup has worked well for me with either Tomcat or Wildfly behind Apache.
Sorry for necroposting, but there is a simpler option - just add several domains to one certificate.
The obvious way is with a wildcard certificate.
But Let's Encrypt also allows you to specify several domains for one certificate. It works fine, with no need to wait for free wildcard certificates:
sh /root/.acme.sh/acme.sh --issue -d yourdomain.com -d www.yourdomain.com -d more.yourdomain.com -w /opt/wildfly-10.1.0.Final/welcome-content

TeamCity WebServer with Apache Proxy get "Method GET not implemented (try POST)"

I am trying to set up the TeamCity web server on a server running Apache Proxy.
I added this to my Apache conf file
ProxyPass /TeamCity http://localhost/TeamCity
ProxyPassReverse /TeamCity http://localhost/TeamCity
And
added the Context to my TeamCity conf server.xml file in the Host section
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
docBase="C:\TeamCity\webapps\ROOT"
debug="1"
reloadable="true" > </Context>
Does anyone know why I still get "Method GET not implemented (try POST)"?
What does that actually mean?
I'm not sure how this is going to work.. It looks like you're trying to proxy http://your-server/TeamCity to http://localhost/TeamCity, unless your apache is on a different port..?
I've just implemented a ProxyPass for my TeamCity install. My <Context> looks like:
<Host ...>
<Context path="/build" docBase="../webapps/ROOT"></Context>
</Host>
...giving TeamCity the root URL of http://localhost:8111/build - See here for the apache doco on the tag. Without this, TC's Tomcat would redirect you to http://your-server/login.html instead of /build/login.html (results in a 404).
My httpd.conf contains (in the mod-proxy section):
ProxyPass /build http://localhost:8111/build
ProxyPassReverse /build http://localhost:8111/build
Which will proxy the requests and responses through /build to the new TeamCity URL. Works for me!

Configuration to get the images from the apache

I have multiple Tomcat servers. In each tomcat I am loading all images. I want to move the images from Tomcat to Apache and access the images from there.
My question is: is there any configuration to get the images in a Java web application from Apache instead of Tomcat?
I don't think so - images are shown by resolving their URL, and in most cases it is relative to the current page.
But you can use mod_proxy (or mod_jk) to use all your tomcats through Apache.
Hide your tomcat servers behind an apache server and then you can do something like this:
<VirtualHost www.example.com:80>
ServerName www.example.com
DocumentRoot /var/www/html
ProxyPass /img !
ProxyPass / ajp://localhost:1234/
</VirtualHost>
Apache will serve /img from /var/www/html/img and other requests will be sent to tomcat. This configuration needs mod_proxy_ajp apache module to be active. Tomcat must listen to AJP requests on the given port, use:
<Connector port="1234" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" URIEncoding="UTF-8" />
And configure tomcat to serve www.example.com or the default virtual host.
<Host
name="www.example.com"
appBase="/path/to/tomcat/apps/www.example.com"
unpackWARs="true"
autoDeploy="true"
xmlValidation="false"
xmlNamespaceAware="false"
/>
or
<Host
name="localhost"
appBase="/path/to/tomcat/apps/www.example.com"
unpackWARs="true"
autoDeploy="true"
xmlValidation="false"
xmlNamespaceAware="false"
/>
Deploy your webapp to /path/to/tomcat/apps/www.example.com/ as ROOT.war, this should be enough to have the whole setup up and running.
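
How ProxyPass prefixes map request paths explains both the `/img !` exclusion above and the doubled /MyApp/MyApp path in the earlier Tomcat question. This is an added example, not code from the original posts: a simplified model of first-match prefix mapping, where the function names and the reversed rule list are constructed for illustration.

```python
def prefix_matches(prefix, url_path):
    # Simplified model of the ProxyPass prefix test:
    # a prefix only matches on a path-segment boundary.
    if not url_path.startswith(prefix):
        return False
    rest = url_path[len(prefix):]
    return prefix.endswith("/") or rest == "" or rest.startswith("/")

def proxy_target(rules, url_path):
    """rules: (prefix, target) pairs in config-file order; first match wins.
    Returns the backend URL, or None when Apache handles the request itself."""
    for prefix, target in rules:
        if prefix_matches(prefix, url_path):
            # "!" means "do not proxy"; otherwise the remainder of the
            # path after the prefix is appended to the target URL.
            return None if target == "!" else target + url_path[len(prefix):]
    return None

# Rules copied from the two configurations on this page
MYAPP = [("/MyApp", "ajp://localhost:8009/MyApp/MyApp")]
IMG_FIRST = [("/img", "!"), ("/", "ajp://localhost:1234/")]
# Constructed: the same two rules in the wrong order
IMG_LAST = list(reversed(IMG_FIRST))

if __name__ == "__main__":
    cases = [
        (MYAPP, "/MyApp/images/logo.jpg"),   # picks up the second /MyApp
        (IMG_FIRST, "/img/logo.png"),        # served by Apache from DocumentRoot
        (IMG_FIRST, "/shop/cart"),           # forwarded to Tomcat
        (IMG_LAST, "/img/logo.png"),         # exclusion never reached
    ]
    for rules, path in cases:
        print(path, "->", proxy_target(rules, path))
```

With the exclusion listed after the catch-all rule, /img requests reach Tomcat as well, so the `!` line has to stay above `ProxyPass /`.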