I develop a jsp website using tomcat as backend and apache as frontend redirecting with mod_proxy.
First my configs.
apache:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine on
ProxyPass / https://realdomain.tld:8443/proj1/
ProxyPassReverse / https://realdomain.tld:8443/proj1/
<Location />
Order allow,deny
Allow from all
</Location>
When I reload my jsp webpage, every time i get a new session id. When developing on localhost without apache and mod_proxy everything works and I keep the same session id.
For my webapp it is important to keep the same session during the time.
Any Idea how i can tell apache to keep my session. I guess apache has to redirect the cookie to tomcat right? but how...
Any time you change the context path in the proxy (/ -> proj1) you create a whole heap of problems to solve. Your immediate cookie problem can be solved with the ProxyPassReverseCookiePath directive. I then suspect you'll find the next problem to solve. You'd be better off redeploying your application as the ROOT web application so that your ProxyPass directive is ProxyPass / https://realdomain.tld:8443/
As an aside, it looks like you are proxying to Tomcat's https connector. If you aren't careful you will create security problems for yourself if httpd receives requests over http, proxies them to Tomcat over https and Tomcat treats those requests as being received over a secure channel.
Related
below is my httpd.conf configuration. I have tomcat server as backend server and I am using apache webserver as proxy to my tomcat server.
Below configuration is working fine for all the web pages where session is not required.
When investigated further, I had observed JSESSIONID is changing on every web request meaning, that ID is not getting persisted when request and response are going via Apache http server.
Please note that, when I tried to expose tomcat server directly to web JSESSIONID is persistent and is working as expected. However as security requirement, we need to use tomcat server as backend internal server only.
So I am not sure why apache http server is not liking to handle JSESSIONID properly. Request your help on the same and guide me what I am missing in my configuration.
Note: We don't need any load balancer setup so I am not considering mod_proxy_balancer module at this moment.
<VirtualHost *:443>
ServerName www.external.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
AddOutputFilterByType SUBSTITUTE text/html
ProxyPreserveHost off
ProxyPass / http://localhost:8080/internal/
ProxyPassReverse / http://localhost:8080/internal/
Substitute "s|http://localhost:8080/internal|https://www.external.com|i"
SSLProtocol all
SSLEngine on
SSLCertificateFile C:/keys/site/external_cert.cer
SSLCertificateKeyFile C:/keys/site/www_internal_private.p12.pri.pem
SSLCertificateChainFile C:/keys/site/Intermediate_CA.cer
</VirtualHost>
Apache web server is Apache 2.4 and tomcat engine is Tomcat 8.5
Follow serverfault answer by adding Set-Cookie Header:
In the end I just had to add the following line to my VirtualHost configuration, which changes all cookie paths from /WEBAPP_NAME to / (root):
Header edit Set-Cookie "^(.*; Path=)/WEBAPP_NAME/?(.*)" $1/$2
It is enough to set a hard path to cookies in web.xml:
<session-config>
<cookie-config>
<path>/</path>
</cookie-config>
</session-config>
My configuration is as follows - 1 unix server with two http servers running at the same time:
apache server on ports 80 and 443
Nginx server on port 8200 (www.myserver.com:8200)
The problem is that when I log in to Nginx site I need to authorize there. Doing this over internet with no SSL is not wise... I would like to connect to my apache server with SSL, be transparently redirected to another site and authorize still having encrpyted connection.
Nginx works via http so no ssl there... I would like to have url
https://www.myserver.com/duplicati to be proxied to http://www.myserver.com:8200
Effectively I want to have:
encrypted connection from the web client to www.myserver.com
proxy connection from https://www.myserver.com/duplicati to http://www.myserver.com:8200 (unencrypted), but limited to 1 physical machine which I don't care much about encryption (or actually lack of it)
What I did was the following
What I did was the following Apache config:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /duplicati/ http://127.0.0.1:8200/ngax/
ProxyPassReverse /duplicati/ http://127.0.0.1:8200/ngax/
<Location /duplicati/>
ProxyPassReverse /
Order deny,allow
Allow from all
</Location>
Header edit Location ^http://127.0.0.1:8200/ngax/ https://127.0.0.1:8200/ngax/
still no luck with that config....
It looks like a simple thing to do but after 5h of struggle I need to send my very first post to Stackoverflow community ;-)
Could you kindly help me with it?
I have an app running on localhost:3000. I also have another app that is configured to run on virtualhost local.testserver.com
I want to create an apache reverse proxy that will route all request from local.testserver.com/finance to my app that runs at localhost:3000.
At the same time, I want to be able to access my app when I go to localhost:3000.
Below is the configuration I am using currently. This works for routing request from local.testserver.com/finance to my localhost:3000 app. But whenever I visit localhost:3000 directly it redirects me back to local.testserver.com
<Location /finance >
ProxyPass http://localhost:3000
ProxyPassReverse http://localhost:3000
</Location>
You will need to add the path on the ProxyPassReverse setting to "/finance" so it knows where to reverse requests back.
You may not need the <Location /finance>...</Location> part
ProxyPass "/finance" http://localhost:3000
ProxyPassReverse "/finance" "http://localhost:3000"
Please refer to the documentation to better understand how
ProxyPassReverse works here:
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse
I'm running Railo 3 in Tomcat 6.0.32. The tomcat server is fronted by Apache 2.2.20. Tomcat and Apache are pre built binaries from openCSW. Railo is just the latest build war deployed in tomcat's autodeploy dir webapps.
Everything is working fine when I try to access railo and content on the tomcat server.
It fails however, when railo on tomcat redirects me to itself. Mostly, when a cfm script uses the CGI.script_name, it will be returned wrong.
On the Apache side, the content is available on www.hostname.com. Apache redirects the user to tomcat through AJP on www.hostname.com:8009/railo/content.
A script on tomcat (taken from open OAuth example) is available at:
/opt/csw/share/tomcat6/webapps/railo/content/oauth_test/examples/admin_consumers.cfm
When I access it and try to perform some action, it calls itself with a few parameters, but at that point, railo dumps out an error, complaining that the file can not be found:
Page /content/railo/content/oauth_test/examples/admin_consumers.cfm [/opt/csw/share/tomcat6/webapps/railo/content/railo/content/oauth_test/examples/admin_consumers.cfm] not found
As you can see railo added twice the relative path from tomcat: /railo/content/railo/content
This is my configuration for the virtual host in Apache:
<VirtualHost *:443>
ServerName www.hostname.com
DocumentRoot "/opt/www/hostname/htdocs/"
ProxyRequests Off
<proxy *="">
Order deny,allow
Allow from all
</proxy>
ProxyPass / ajp://www.hostname.com:8009/railo/content/
ProxyPassReverse / http://www.hostname.com:8888/railo/content/
</VirtualHost>
I tried several variant for the ProxyPassReverse directive, but with no luck so far. Based on extensive searches on the web (The Mystery of ProxyPassReverse), I tried this for the proxypassreverse:
ProxyPassReverse / ajp://www.hostname.com:8009/railo/content/
ProxyPassReverse / http://www.hostname.com:8888/railo/content/
ProxyPassReverse / http://localhost:8888/railo/content/
ProxyPassReverse / https://www.hostname.com
The tomcat server also has a virtual host defined like this:
<Host name="www.hostname.com">
<Context path="" docBase="/opt/csw/share/tomcat6/webapps/railo/content" />
</Host>
But everytime, I always get the error from Railo.
Has anyone ever seen this problem with Railo, or CGI, and has an idea how to fix it?
You are specifying "/railo/content" twice. Once in your "docBase" attribute and again in your Proxy attributes. So, requests being proxied through Apache are going to have "railo/content/" twice in their request paths because you have it listed twice: once in Apache, another time in Tomcat.
Try leaving off the /railo/content/ in your ProxyPassReverse attribute:
ProxyPassReverse / http://www.hostname.com:8888/
This will let the Tomcat config add the /railo/content/ bit all by itself.
I am trying to setup a server with multiple web applications which will all be served through apache VirtualHost (apache running on the same server). My main constrain is that each web application must use SSL encryption. After googling for a while and looking other questions on stackoverflow, I wrote the following configuration for the VirtualHost:
<VirtualHost 1.2.3.4:443>
ServerName host.domain.org
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://localhost:8443/
ProxyPassReverse / https://localhost:8443/
</VirtualHost>
Even though https://host.domain.org:8443 is accessible, https://host.domain.org is not, which defeats the purpose of my virtual host configuration. Firefox complains that even though it successfully connected to the server, the connection was interrupted. Chrome return an error 107: net::ERR_SSL_PROTOCOL_ERROR.
Finally I should also mention that the virtual host works perfectly fine when I do not use SSL.
How can I make this work ?
Thanks
You don't need to configure SSL in both Apache and Tomcat.
The easiest way to accomplish that is configure SSL just on Apache and proxy to tomcat using http.