Apache ProxyPass all requests - apache

I have Proxy Pass somewhat working. I am using it like so
ProxyPass /chorus/ http://localhost:7070/
ProxyPassReverse /chorus/ http://localhost:7070/
This chorus folder does not exist and I am accessing through apache port 80 in the browser. Then it redirects to my application running on port 7070 which provides its webpage. The functionality within the webpage does not work though because the javascript starts requesting images and other info as /images/image1.jpg for example or /jsonrpc on apache and isn't going through the proxy. But on port 80 there is no /images because it's part of the :7070 application. If I do like below it will work too, but there are too many folders, I need a way to set everything returned from 7070 to be processed by apache as http:// localhost:7070/image/...
ProxyPass /jsonrpc http://localhost:7070/jsonrpc
ProxyPass /image http://localhost:7070/image
Basically the page for the app loads but the content does not, the app is requesting /jsonrpc which looks something like this (proxied version)
Remote Address:192.168.1.150:80
Request URL:http://192.168.1.150/jsonrpc?tm=1419196786193
Request Method:POST
Status Code:404 Not Found
When in the app directly without proxy it looks like this
Remote Address:192.168.1.150:7070
Request URL:http://192.168.1.150:7070/jsonrpc?tm=1419196894248
Request Method:POST
Status Code:200 OK

it's not really something you can fix within the Proxy module, other than by spelling out all possible paths, which you want to avoid; your alternatives are:
a. change the application and make it proxy aware so that
a1. it produces paths by prefixing it with a configured path
a2. interprets something like a X-Forwarded-Path header
a3. uses the HTML base tag: http://www.w3schools.com/tags/tag_base.asp
b. change the proxy so that your app lives on it's own vhost e.g. chorus.example.org

Related

Shibboleth Errors When Authenticating Through a Reverse Proxy on port 8000

Trying to get shibboleth working on a Docker container, using Apache as a reverse proxy. Problems occur because I am using port 80 for the public Apache instance and port 8000 for the internal instance, which confuses shibboleth:
2017-10-03 07:34:23 ERROR OpenSAML.MessageDecoder.SAML2POST [5]: POST targeted at (https://dashboard.hpc.unimelb.edu.au/Shibboleth.sso/SAML2/POST), but delivered to (https://dashboard.hpc.unimelb.edu.au:8000/Shibboleth.sso/SAML2/POST)
The first URL is the external URL which the end user sees. The second URL is what the docker container sees when it gets the proxied request (with the HTTP host name forwarded).
Note I used "ShibURLScheme https" on the internal apache instance to ensure it believes https is being used, as the reverse proxy ensures all requests are https.
Is there anyway I call tell Shibboleth that this is OK, the URLs really are the same? Maybe by rewriting the URL shibboleth sees or something?
Thanks
There are two things I would check:
Make sure the ServerName directive in your Apache conf file is set to
https://dashboard.hpc.unimelb.edu.au:80. Notice the :80. Omitting
the port number completely may work too. You want Apache and vis-a-vis, shibd to see the ServerName that the client is using. You should also make sure you have a UseCanonicalName On directive as part of this.
This is likely less of a problem, but make sure your sp-metadata given to the IdP is correct. You should add entries for the FQDN(s) that the client sees. Please note that most of that documentation page isn't applicable to your scenario, but adding the correct metadata entries is vital.
It looks like your ServerName in Apache isn't correct, so I'd start there.

How to get original request URI in EL spring-boot page behind httpd proxypass

I have a spring-boot web application with embedded tomcat, running on port 28081, and httpd configured for proxying like this:
ProxyPass / http://localhost:28081/
ProxyPassReverse / http://localhost:28081/
Then in a jsp page I need to pass the full request URL to a silverlight widget;but
${pageContext.request.serverName}:${pageContext.request.serverPort}
will resolve to http://localhost:28081.
So I thought to rely on X-Forwarded-Host, but there are cases when it does contain more than one proxy address, separated by comma. I am not sure it is safe to trust the order of the addresses will be preserved.
Is there a better way to do this, be that in the jsp, in the httpd configuration or in the controller code?
In the controller you can use ServletUriComponentsBuilder: initialize it from the request and it picks out the proxy headers and builds the URI for the origin for you, e.g. String uri = ServletUriComponentsBuilder.fromCurrentRequest().build().toString().
You can use ProxyPreserveHost in your httpd config to keep the original Host header, i.e. your outward domain name, but I can't think of a good way to pass the port.

Apache WebSphere Plugin home page

We currently have Apache/ WAS setup and I want the Apache to handle the static content and it is working as expected.
My question:
We have always used www.xxx.com before and WAS used to handle the page, now we want to WEB server to handle the page and route www.xxx.com to www.xxx.com/index.jsp without the user knowing about it.
We want to user to type in www.xxx.xom in the url and get to the WAS through Apache.
If I get you correctly, you want a reverse proxy for dynamic content of your website. Apache has the mod_proxy that allows you to do that for selective URLs. The ProxyPass directive allows you to specify what URLs are mapped to which HTTP servers. HTTP headers are modified accordingly that the external information can reach the WAS that is hidden behind your Apache. IIRC, WAS can be configured to be aware of the reverse proxy.
Reverse proxy based on a prefix:
ProxyPass /mirror/foo/ http://backend.example.com/
Reverse proxy based on a regex:
ProxyPassMatch ^(/.*\.gif)$ http://backend.example.com$1

Retain original request URL on mod_proxy redirect

I am running a WebApplication on a Servlet Container (port 8080) in an environment that can be accessed from the internet (external) and from company inside (intenal), e.g.
http://external.foo.bar/MyApplication
http://internal.foo.bar/MyApplication
The incomming (external/internal) requests are redirected to the servlet container using an apache http server with mod_proxy. The configuration looks like this:
ProxyPass /MyApplication http://localhost:8080/MyApplication retry=1 acquire=3000 timeout=600 Keepalive=On
ProxyPassReverse /MyApplication http://localhost:8080/MyApplication
I am now facing the problem that some MyApplication responses depend on the original request URL. Concrete: a WSDL document will be provided with a element that has a schemaLocation="<RequestUrl>?xsd=MyApplication.xsd" element.
With my current configuration it always looks like
<xs:import namespace="..." schemaLocation="http://localhost:8080/MyApplication?xsd=MyApplication.xsd"/>
but it should be
External Request: <xs:import namespace="..." schemaLocation="http://external.foo.bar/MyApplication?xsd=MyApplication.xsd"/>
Internal Request: <xs:import namespace="..." schemaLocation="http://internal.foo.bar/MyApplication?xsd=MyApplication.xsd"/>
I suppose this is a common requirement. But as I am no expert in configuration of the apache http server and its modules I would be glad if someone could give some (detailed) help.
Thanks in advance!
If you're running Apache >= 2.0.31 then you might try to set the ProxyPreserveHost directive as described here.
This should pass the original Host header trough mod_proxy into your application, and normally the request URL will be rebuild there (in your Servlet container) using the Host header, so the schema location should be build using the host and path infos from "before" the proxy.
(Posted here too for the sake of completeness)
Here is another alternative if you would like to retain both the original host name and the proxied host name.
If you are using mod_proxy disable ProxyPreserveHost in the Apache configuration. For most proxy servers, including mod_proxy, read the X-Forwarded-Host header in your application. This identifies the original Host header provided by the HTTP request.
You can read about the headers mod_proxy (and possible other standard proxy servers) set here:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
You should be able to do a mod_rewrite in apache to encode the full URL as a query parameter, or perhaps part of the fragment. How easy this might be depends on whether you might use one or the other as part of your incoming queries.
For example, http://external.foo.bar/MyApplication might get rewritten to http://external.foo.bar/MyApplication#rewritemagic=http://external.foo.bar/MyApplication which then gets passed into the ProxyPass and then stripped out.
A bit of a hack, yes, and perhaps a little tricky to get rewrite and proxy to work in the right order and not interfere with each other, but it seems like it should work.

Tomcat serving URLs wrong with mod_proxy and apache

I've set up a host with apache to serve static pages and to use Tomcat to serve my web application (See this question). The static pages are server from
"http://myhost.com"
and the dynamic (tomcat) pages are server from
"http://myhost.com/myapp"
The mod_proxy makes sure the "http://myhost.com/myapp" are forwarded to tomcat server running on "http://myhost.com:8080".
The problem is that now you get the standard Tomcat introduction page on "http://myhost.com/myapp" but if you click on a local link (e.g. 'Status') on the left, it generates an URL
"http://myhost.com/manager/status" while it should generate: "http://myhost.com/myapp/manager/status"
(The same is true for webapps installed under tomcat)
What should be changed in my configuration (apache, tomcat?) to redirect my tomcat links to the right place?
Have you set the ProxyPassReverse setting in your httpd.conf. This will overwrite the HTTP Header an you'll get to the correct request on the side of tomcat.
Your URLs are mapped from:
http://myhost.com/myapp -> http://myhost.com:8080
This means that accessing the above URL will be mapped to the ROOT application in Tomcat. The ROOT application will generate pages that contain links from Tomcat's root context.
In other words, if you go to:
http://myhost.com:8080
you will get a page that contains links to
http://myhost.com:8080/manager/status
This link will work. However when that page is given back to a browser that requested it via Apache, the full URL then looks like: http://myhost.com/manager/status
I assume that you intend to deploy an application called 'myapp' to Tomcat? If that is the case the Tomcat URL for this app will be
http://myhost.com:8080/myapp
Which will also work be mapped correctly when accessed via Apache.
If you absolutely must access Tomcats root application in this way you'll have to rewrite the URLs it outputs in the pages it returns.
I've had the most success with mod_proxy_ajp. It requires mod_proxy, but works over ajp. Using it instead, your conf file looks similar
ProxyPass / ajp://localhost:8009/
See my similar question and also the answer to this question. The only fault in mod_proxy_ajp that I've found is that if I need to restart tomcat I have to force an apache restart too.