2 Play framework applications with a single httpd - Apache

I have two different applications developed in Play framework. I am trying to launch both applications on an EC2 instance with an Apache, ProxyPass and ProxyPassReverse setup.
I have to use two different URLs and SSL for each application. I could bring up one of the applications successfully. The other one is creating the problem. I have installed an ELB with SSL in case we need to load balance the traffic by creating two replicated EC2 instances.
Kindly suggest a good way to do it. I have to use this for my Production Setup.

ProxyPass can be used for one application, meaning ELB to HTTPD and then to Play; this is for one application. For the second, you should redirect the port in the ELB, like port 4444 to port 5555.

Related

Best practices for setting up a MERN application on AWS

I know this is subjective and opinionated, but I just need something to start off from knowing what the best practices may be.
I've got a MERN application running on localhost with the React script currently running on port 3000 and an Express.js application running on port 3001.
Now I'm about to set it up live on AWS and am wondering if I should create it like:
website.com for the frontend React stuff with nginx routing anything from port 80 to 3000 while it makes calls to api.website.com running on 3001 on the same instance, with website.com and api.website.com having the same IP address.
or
one separate instance for website.com on a different IP address and another instance for api.website.com on a different IP address for API calls? Both are being accessed without having to specify a port.
I'm curious because most of the time I've used APIs, they don't have a separate port, just a subdomain on what I assume was a different IP address and a different instance.
What would be the best way to set this up keeping in mind I want to use SSL?
Serving static applications via SSL is not necessary, but on the other hand, your server application has to be secured. Part of the stack which interacts directly with the database is very crucial and has to be secured against all sorts of vulnerabilities. Only SSL won't do any good unless you follow best practices to secure your node application.
You can use the subdomain for the node application and root domain for the actual site. Also, you can use the 80 port for the website and 443 for your node application by defining different server sections inside your nginx configuration file.
Below are some links where you can find the best practices to follow while deploying node applications on production.
https://www.moveoapps.com/blog/set-node-js-application-production-nginx-reverse-proxy/
https://blog.risingstack.com/node-hero-node-js-security-tutorial/
I would say Nginx exposed to the world, with an SSL certificate and all traffic redirected to port 443.
Everything else bound to 127.0.0.1 and proxied through Nginx. It's simple to set up Nginx to accept requests to api.website.com on port 443 and then proxy them over to 127.0.0.1:3000 or 3001 or whatever.
Then firewall all the other random ports and route absolutely all incoming traffic through Nginx.

How do I force users to access my Play application through SSL?

I have a Play application that I've deployed by running stage within SBT, and then running it from the command line using target/start. I've placed Nginx in front of it and, based on a sub-domain, I have two server blocks--one for port 80, and the other for port 443. The port 80 block just redirects to the https scheme on port 443. This all works great.
To recap:
http://play.mydomain.com/ redirects to
https://play.mydomain.com/ which is a proxy for http://localhost:9000
However, if I just go to http://mydomain.com:9000/, I get access to my Play application directly. There's no SSL, and there's no way I can figure out to keep anyone from accessing it.
What should I do? Should I use Nginx to redirect any access on port 9000 to the URL for the SSL version? Should I firewall port 9000 and only allow local requests on that port? (If so, how would I do that?) Is there some other way of dealing with this that I'm not thinking of?
And how long until the Servlet 3.1 spec is released and I can just deploy the whole thing as a WAR? :-)
You could make your Play application listen only on the local interface (127.0.0.1, for example). That way, nginx can still proxy requests to it but nobody from the outside can access your application directly. No additional firewall setup is necessary.
Looks like you can pass an additional argument to start:
$ start -Dhttp.port=9000 -Dhttp.address=127.0.0.1
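
The loopback-binding advice in the answers above (Nginx exposed with everything else on 127.0.0.1, and `-Dhttp.address=127.0.0.1` for Play) can be checked on the host itself. The following is an added example, not part of the original posts: a shell function that reads `ss -H -ltn` output and reports backend ports listening on anything other than loopback. The sample listener lines and the port list (9000, 9001, 3001) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag proxied backends that listen on a non-loopback address,
# i.e. backends that can be reached without going through the TLS proxy.

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 100 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 100 *:9001 *:*
LISTEN 0 511 [::]:3001 [::]:*
EOF
}

# Reads `ss -H -ltn` lines on stdin.
# $1: space-separated backend ports that must only be reachable via the proxy.
# Prints "<port> <bind address>" for every backend bound outside loopback.
exposed_backends() {
    awk -v ports="$1" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 == "LISTEN" {
            local_addr = $4
            # The port is whatever follows the last colon ("[::]:3001" -> 3001).
            port = local_addr
            sub(/.*:/, "", port)
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (!(port in want)) next
            # Loopback forms: 127.x.x.x (ss may append %lo), [::1],
            # and the IPv4-mapped form a JVM can report.
            if (host ~ /^127\./) next
            if (host == "[::1]") next
            if (host ~ /^\[::ffff:127\./) next
            print port " " host
        }'
}

# Demo on the constructed sample: 9000 is loopback-only, 9001 and 3001 are not.
sample_ss_output | exposed_backends "9000 9001 3001"
```

On a live host, pipe `ss -H -ltn` into `exposed_backends` with your own backend ports; empty output means each listed backend is bound to loopback only.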

Can you have two separate Apache servers running on the same system?

Can you have two separate apache servers running on the same system in parallel, as long as they make use of different ports?
I have a system I need to install JIRA on, but the system is already in-use and running an Apache server for a separate project. The JIRA installer comes with a pre-configured apache tomcat server. If I just installed JIRA, would I run into a problem from the pre-existing apache server?
If you’re asking about running two Apache Tomcat instances, then this is not a problem. Moreover, you can share the same CATALINA_HOME between many separate instances of Tomcat, each with its own CATALINA_BASE. I often run a separate Tomcat instance per application on production servers. See this init script for a hint about parameters.
But if you’re asking about running Apache HTTP Server and Apache Tomcat on the same server, then it’s a little bit trickier. A commonly used approach is to use a web server (Apache HTTP, nginx, …) as a reverse proxy in front of Tomcat. Then many applications can run under the same port and IP address. In the case of Apache HTTP Server, see mod_proxy_ajp.
Apache HTTPD and Tomcat are 2 different servers. Also, JIRA doesn't run on port 80 so in this case there will not be a conflict for port numbers. If you want to expose your JIRA on port 80, you can use mod_proxy for the Apache HTTPD to relay the requests to the actual port JIRA is running on, so that it is transparent to the user.
So basically: Yes, you can run both Apache HTTPD and Apache Tomcat on the same machine if not using the same port.

How to bind an ip AND ports to subdomains using JBoss (Or Apache Tomcat)

This is my problem:
I have a JBoss server (running an existing app) and an Apache Tomcat server (running an app created by me) running on the same server with different ports.
I have two subdomain names which I have routed to the IP of the server.
What I need to do is to bind the subdomain names to the IP, but with different ports.
I saw an easy way to do it with XAMPP and Apache, editing the httpd.conf, but I can't find any similar way to do it with Apache Tomcat or JBoss.
Does anyone have any ideas about this?
I'd rather have a solution to the question above, but the question below can be accepted as a backup solution:
Since I could not figure that out, I had to at least have a solution to one of the applications (the one running on JBoss).
So I configured JBoss to port 80 instead of 8080.
What happens now if I go to the subdomains is that I get the JBoss welcome window.
How can I change the default JBoss "app" to my app?
Thanks in advance
There's no way to get this:
sub1.domain.com(192.168.0.1) on port 80 --> jboss app
sub2.domain.com(192.168.0.1) on port 80 --> tomcat app
without either adding to or subtracting from your software stack.
Your options are:
use jboss to run your tomcat app
add a reverse-proxy
use an HTTP-aware layer 7 firewall
The first is probably easiest; jboss deploys web applications using tomcat (or, in more recent versions, a fork of tomcat called jbossweb), so you can probably just drop your .war into the deploy directory.
If that's not possible for some reason, I'd use a reverse-proxy. Apache HTTPD with mod_proxy or mod_jk is fairly common. If you go the mod_jk route and you have non-trivial load, I'd review this.
The last I'm not familiar with. I imagine that the spendy Cisco firewalls can do this, and I'm sure it's possible to hack iptables to do it too, but my google-fu failed to find specifics.

How do I configure Apache to forward some URLs to two resin containers?

I have two resin servers - r-server-a and r-server-b. I created two because both have web applications that need to be in the root context path '/' (and using same port '80').
However, both web applications need to see each other (i.e. access the other application's resources & pages). Which is why I thought I'd use an apache server to handle the two.
How do I do that?
What you need is mod_proxy in Apache, in the apache config (like the virtual host config) put:
ProxyPass / http://localhost:8080/<web-app context root>/
ProxyPassReverse / http://localhost:8080/<web-app context root>/
Both using the same port means not the same IP. That might be the same machine with two instances, each bound to one NIC, or two separate machines. This is not that clear from the question; however, it does not matter that much.
For several reasons I would pick NGINX as a reverse proxy (instead of Apache) and configure it accordingly.
See Tornado's documentation for how they do that for Tornado (in that case, 4 instances on each server) and copy the concept to your setup. Good luck.