Request Header (Host attribute) lost/Reset from WebSeal to Apache web server - apache

URL (https://xyz.abc.com/cc): when the load balancer sees /cc, it will forward the request to WebSeal (reverse proxy server).
WebSeal adds/sets the header (Host: xyz.abc.com) and forwards the request to Apache2 (web server). In WebSeal we have a standard junction (/cc) which will process the request from the LB.
When the request comes to Apache2, it loses the Host header value (xyz.abc.com) and resets it to the Apache2 server name (xyzapacheweb1).
Finally, the request passes from Apache2 to Liferay Portal (6.2), and it shows the URL (xyzapacheweb1) instead of (xyz.abc.com).
Liferay needs the host name when a web server is fronting it, so we have to hard-code the URL (in a property file or in Apache2).
We want to remove the hard-coded value and pass a dynamic host name so we can use multiple URLs for individual applications.
Note: When we don't have WebSeal in the picture, it preserves the host name, i.e. Apache2 shows the actual domain name (xyz.abc.com).
Can you please help me to resolve this problem?
Let me know if you need more info.

If you're using mod_proxy to forward from apache to tomcat you're missing the option
ProxyPreserveHost On
This is because of forwarding through http. If you're using ajp this is automatically taken care of for you by the protocol.
I'm not sure of the equivalent option for webseal though, maybe the apache one helps you to find it

I came up with two solutions.
Temporary:
Set a custom header attribute in the request from WebSeal, i.e. domain-host-name. From LB -> WebSeal, set the host value to this variable.
The Apache web server is able to retrieve this value because it's not a default request header. Based on the domain-host-name value, set the Host header value from the Apache web server for Liferay.
Remove the web.server.host.name property in Liferay; it will automatically get the Host value (which was set by Apache).
# Set xyz.abc.com if domain-host-name is set to xyz.abc.com
SetEnvIf domain-host xyz.abc.com HAVE_MyRequestHeader
RequestHeader set Host xyz.abc.com env=HAVE_MyRequestHeader
# Set abc.xyz.com if domain-host-name is set to abc.xyz.com
SetEnvIf domain-host abc.xyz.com HAVE_MyRequestHeader_1
RequestHeader set Host abc.xyz.com env=HAVE_MyRequestHeader_1
This is a temporary solution because here we have to hardcode the host name check in Apache. So if there is a new URL, you have to configure it in Apache.
Permanent:
WebSeal has a Virtual Junction concept, where WebSeal can be configured to play a virtual hosting role.
Please refer to: http://www-01.ibm.com/support/knowledgecenter/SSPREK_6.1.1/com.ibm.itame.doc_6.1.1/am611_webseal_admin642.htm%23vhost-scenario1?lang=en
Let me know if you are facing a similar issue; I can help to resolve it.
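
An added example (not code from the post): instead of hand-writing one SetEnvIf/RequestHeader pair per host as in the temporary solution above, this Python helper generates the pairs from an allowlist, anchoring each pattern and escaping its dots so only the exact name matches. The function name, the FWD_HOST_n variable names and the use of domain-host-name (the header name from the post's prose) are assumptions.

```python
import re

# One DNS label: letters, digits and hyphens, not starting or ending with "-".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# At least two labels, so bare names such as "localhost" are rejected.
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")
_HEADER_NAME = re.compile(r"[A-Za-z0-9-]+")


def host_mapping_directives(hosts, header="domain-host-name"):
    """Return Apache directives that map an allowlisted header value to Host.

    `header` is the custom header WebSEAL is assumed to send (an assumption,
    taken from the post's prose). Every entry is validated with fullmatch so a
    malformed name (spaces, newlines, regex syntax) can never inject extra
    directives into the generated configuration.
    """
    if not _HEADER_NAME.fullmatch(header):
        raise ValueError(f"not a valid header name: {header!r}")
    lines = []
    for index, host in enumerate(sorted({h.lower() for h in hosts})):
        if len(host) > 253 or not _HOSTNAME.fullmatch(host):
            raise ValueError(f"not a valid host name: {host!r}")
        env = f"FWD_HOST_{index}"
        # After validation only dots need escaping; ^ and $ anchor the match.
        pattern = "^" + host.replace(".", r"\.") + "$"
        lines.append(f"SetEnvIf {header} {pattern} {env}")
        lines.append(f"RequestHeader set Host {host} env={env}")
    return lines


if __name__ == "__main__":
    # Constructed allowlist using the two host names from the post.
    print("\n".join(host_mapping_directives(["xyz.abc.com", "abc.xyz.com"])))
```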

Related

httpd proxy any domain

Is it possible to configure a vhost on httpd that accepts any domain received and proxies to the actual website? Like subdomain wildcard but for the domain.
I'm assuming that tools like Squid Proxy can do this just fine, I'm just curious if it can be done with apache.
Sure that is possible, but you don't even need a proxy for that. The apache http server offers the concept of a "default virtual host". Which is exactly what you want: that host is responsible to respond to incoming requests to http hosts that do not have a specific configuration.
The default typically simply is the first of all hosts defined inside an apache http server.
An alternative I personally use is to set up the virtual hosts with just a basic configuration (name, admin and the like), but to include the actual content configuration (DocumentRoot and rewriting stuff) from a separate file. That way you can easily share the same setup between many virtual hosts but still have individual configuration options per domain, subdomain, http host, however you want to call that (there is no difference for the http server anyway, it is all http hosts).

WebSphere reverse proxy plugin - skipping domains

Hoping someone can give me some advice if possible.
We have a Linux box in our DMZ with the WebSphere plugin. This points to a Windows box running WebSphere Application Server.
httpd config only contains the default virtualhost with no ServerAlias specified. There is a redirect set up in the virtualhost in httpd.conf to forward any requests to service.domain.com to service.domain.com/wascontext1. Plugin-cfg.xml is set up with two uri groups, wascontext1 and wascontext2, but only 1 is actively used.
I want to use the Linux box as a reverse proxy for another application totally separate to WAS. It would have a different domain (i.e. dimsim.domain.com) but point to the same IP.
I was going to add another virtualhost for this but am unsure exactly how the WebSphere plugin will behave with it. From what I understand if I set this up and went to dimsim.domain.com/wascontext1 it would serve the WebSphere content as httpd forwards all requests to the plugin.
Is there a way to tell httpd to not send requests to the WebSphere plugin based on domain name or virtualhost? Or would doing a rewrite on any requests to dimsim.domain.com/wascontext be considered ok?
thanks
jc
EDIT: Thanks for the responses! I'll test changing the virtualhost name in plugin-cfg.xml on our second unused context and let you know how it goes.
A solution that doesn't require plugin-cfg.xml changes: If you use an Apache-based HTTP server, you can conditionally set the per-request variable "skipwas" to short-circuit the WAS Plugin processing.
e.g.
SetEnvIf Host ^dimsim\.domain\.com$ skipwas=1
If you look at the plugin-cfg.xml file, in the first part of the file you will find virtualhostgroup section similar to this:
<VirtualHostGroup Name="default_host">
<VirtualHost Name="*:9080"/>
<VirtualHost Name="*:9443"/>
<VirtualHost Name="*:443"/>
<VirtualHost Name="*:80"/>
</VirtualHostGroup>
Just change the Name from * to the required domain name, e.g. service.domain.com, and then the plugin will forward only requests for the service.domain.com hostname.
So something like:
<VirtualHost Name="service.domain.com:80"/>
should work for you.
When a request comes into the web server, it is passed to the WebSphere plugin, and the plugin then examines the request based on its configuration to determine if it should forward to WebSphere or pass back to the web server for further processing.
The "route" clauses in the plugin-cfg.xml are key to determining what will be forwarded and what will not. A request must match all the values in the route to be forwarded. A route contains virtual hosts, URIs and clusters. The request must match a virtual host from the VirtualHostGroup in the route, a URI from the UriGroup in the route, and there must be an available server in the ServerCluster value of the route for the request to be sent to WebSphere.
Note: If you manipulate your plugin-cfg.xml for your setup, be aware that the plugin is very sensitive about the format of this configuration, and incorrect or invalid entries could cause a crash of the web server. Be sure to back up the file and test before using in production. Also, if you modify your WebSphere configuration, it could overwrite this file and wipe out your changes.
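
The route matching described above, as an added example that is not part of the original answer or IBM's code: this Python function reads a plugin-cfg.xml and reports which cluster a given host, port and URI would be routed to, which makes a leftover wildcard virtual host easy to spot. The sample file is constructed, and glob-style matching and "cluster has at least one Server element" are simplifying assumptions standing in for the plugin's own matching and availability checks.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the plugin-cfg.xml fragments quoted above.
SAMPLE_CFG = """<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="service.domain.com:80"/>
    <VirtualHost Name="*:9443"/>
  </VirtualHostGroup>
  <ServerCluster Name="cluster1">
    <Server Name="was1"/>
  </ServerCluster>
  <UriGroup Name="cluster1_URIs">
    <Uri Name="/wascontext1/*"/>
    <Uri Name="/wascontext2/*"/>
  </UriGroup>
  <Route ServerCluster="cluster1" UriGroup="cluster1_URIs"
         VirtualHostGroup="default_host"/>
</Config>"""


def _group(root, tag, child):
    """Map each <tag Name=...> to the Name attributes of its <child> elements."""
    return {g.get("Name"): [c.get("Name") for c in g.findall(child)]
            for g in root.findall(tag)}


def matching_cluster(cfg_xml, host, port, uri):
    """Return the ServerCluster a request would be routed to, or None."""
    root = ET.fromstring(cfg_xml)
    vhosts = _group(root, "VirtualHostGroup", "VirtualHost")
    uris = _group(root, "UriGroup", "Uri")
    servers = _group(root, "ServerCluster", "Server")
    target = f"{host.lower()}:{port}"
    for route in root.findall("Route"):
        vh = vhosts.get(route.get("VirtualHostGroup"), [])
        ug = uris.get(route.get("UriGroup"), [])
        cluster = route.get("ServerCluster")
        # All three parts of the route must match for the request to go to WAS.
        if (any(fnmatch.fnmatchcase(target, v.lower()) for v in vh)
                and any(fnmatch.fnmatchcase(uri, u) for u in ug)
                and servers.get(cluster)):
            return cluster
    return None
```

With the sample file, dimsim.domain.com on port 80 is no longer routed to WebSphere, but the same host on port 9443 still is, because that VirtualHost entry kept its wildcard.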
Sorry for the late response.
covener's answer of setting the following does what I need.
SetEnvIf Host ^dimsim\.domain\.com$ skipwas=1

Apache Server add client IP in a custom header before forwarding request

Scenario is such that the Apache Http Server will act as a reverse proxy and sit in front of the main application server. In the application server the client IP address needs to be logged.
My requirement is to capture the client IP address and then add this IP address as a custom request header (e.g. TRUEIP=123.123.123.123) and forward it to the application server.
Please note I have read articles about logging the original client IP to the Apache logs. But my requirement is to access the IP address and add it to a header.
Also I did try to access the environment variables using "%{h}i" or "%{h}e" but in this case the header value was displayed as "i=18" (without the quotes). In fact the header value was printed the same "i=18" for User-Agent, Referer also.
Please help me out with a solution.
I use Apache 2.4.28 (from Apache Lounge) on Windows 7. The application server used is Oracle OC4J (but I need to do configurations at the Apache end only, as the application can be different in different environments).
Something along the lines of:
RequestHeader set TRUEIP "%{REMOTE_ADDR}s"
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

Multiple protocols for internal communication between apache and tomcat

Tomcat in our application is considered the back-end side, and additionally we have Apache fronting the Tomcat server as a reverse proxy and redirecting requests to the appropriate Tomcat instance.
Now we need to set up an HTTPS connection between the Apache proxy and Tomcat for specific URLs (login, etc.). The Tomcat documentation says that it's possible to achieve this with an additional <Connector> within the server.xml config.
In order to set up HTTPS for the login page, the existing configuration with the AJP protocol was replaced with the following:
ProxyPass /app/login/ https://127.0.0.1:6666/app/login/
All other URLs are specified like below:
ProxyPass /app/anyotherurl/ ajp://127.0.0.1:5555/app/anyotherurl/
With configuration below we expect that secure data (login/password) for the login page will be encrypted and all other pages will remain unchanged.
After the login, Apache should use the normal AJP protocol because there is no sensitive information any more to protect. But that's not what actually happens in our case, because for some reason Apache is redirecting us to the host specified in ProxyPass, namely to localhost.
This could happen due to the fact that our application, while executing login logic on Tomcat, has two consecutive redirects.
We've tried to set ProxyPreserveHost on within the virtual host to fix the situation mentioned above, but we are not sure whether it is a secure option and won't break other pages, and we are also not sure how it will work if Tomcat is located on another machine.
It would be good to know any other solution for how such a setup can be applied internally for specific pages.

How to enable HTTP-based authentication requests only through the external ip?

I have an Apache server on Ubuntu 12.04 with virtual hosts, and the router forwards port 80 to one of them. The directory is configured with HTTP authentication. I need to require authentication only when a request comes from the "outside", that is, only when the request comes through the external IP; if I call from inside the network (or from the server at localhost), no authentication should be required.
Thanks in advance for your help. Sorry for bad English.
You can use the allow from directive in conjunction with your HTTP authentication directives in your httpd.conf file (or .htaccess file) to specify a range of IP addresses for which HTTP authentication will not be required. See .htaccess / .htpasswd bypass if at a certain IP address for more info. Just specify your range of inside IP addresses in the allow from directive.