Configuration of Apache and Tomcat for load balancing - apache

I'm trying to set up Apache as a load balancer for 2 Tomcat instances with session affinity.
The goal is to have the session stick to one server but to have the next session (when it's changed by the backend server) go to the next available server (let's say using a round-robin algorithm for easier implementation). When using the "jvmRoute" in Tomcat and an equivalent "route" in Apache, the actual value that does the routing is the route name, which does not change, and all requests are always routed to the same backend server for a single client.
I found out so far that there's a chicken/egg problem when using just the JSESSIONID cookie. Let's consider the following setup:
- 2 Tomcat servers listening on ports 8009 and 8010 (AJP13)
- 1 Apache server with the following configuration:

<Proxy balancer://hello-cluster>
    BalancerMember ajp://127.0.0.1:8009/hello
    BalancerMember ajp://127.0.0.1:8010/hello
</Proxy>
ProxyPass /hello balancer://hello-cluster stickysession=JSESSIONID

And here's the scenario:
1. The first request has no cookie, so Apache selects the next available server in the load balancer to handle the request.
2. The backend Tomcat server sets JSESSIONID but does not note the actual value being returned.
3. The next request comes in, Apache notes that there's no backend server noted for the given JSESSIONID, so it selects the next available, which in this case is a different one from the one that served the first request.
4. Tomcat notices that the value of JSESSIONID is invalid so it creates a new one.
5. Apache does not take a note that the JSESSIONID has changed to pin it down to that backend server.
6. Back to pt. 3
Is there a way to convince Apache to note the value returned by Tomcat?

Maybe if you try with Tomcat session replication. I found this interesting post:
http://www.bradchen.com/blog/2012/12/tomcat-auto-failover-using-apache-memcached
You could also try with Redis:
http://shivganesh.com/2013/08/15/setup-redis-session-store-apache-tomcat-7/
Let me know your experience please.
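
Added example (not part of the original question or answer): how route-based stickiness is wired for the two AJP members from the question. The route names tc1/tc2 and the ROUTEID cookie name are assumptions.

```apache
# Added example. Needs mod_proxy, mod_proxy_ajp, mod_proxy_balancer and
# mod_lbmethod_byrequests (plus mod_headers for variant 2).
# Route names tc1/tc2 and the cookie name ROUTEID are assumptions.
#
# mod_proxy_balancer keeps no table of session ids. It can only pin a client
# when the sticky cookie value itself carries the route after a dot.

<Proxy "balancer://hello-cluster">
    BalancerMember "ajp://127.0.0.1:8009/hello" route=tc1
    BalancerMember "ajp://127.0.0.1:8010/hello" route=tc2
    ProxySet lbmethod=byrequests
</Proxy>

# Variant 1: Tomcat appends the route. Set jvmRoute="tc1" (tc2 on the second
# instance) on the <Engine> element of each server.xml so the cookie becomes
# JSESSIONID=<id>.tc1, then keep the ProxyPass line from the question:
ProxyPass "/hello" "balancer://hello-cluster" stickysession=JSESSIONID|jsessionid

# Variant 2 (use instead of variant 1): Apache issues its own routing cookie
# whenever the balancer picked or changed the worker, so the format of
# Tomcat's session id no longer matters.
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/hello; HttpOnly" env=BALANCER_ROUTE_CHANGED
#ProxyPass "/hello" "balancer://hello-cluster" stickysession=ROUTEID
```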

Related

How to use Apache to redirect requests for Node-Red?

I'm running in AWS an Ubuntu with a Docker server (managed by Portainer) with these two running containers:
1 - NodeRed (Serving my APIs)
2 - Apache (Hosts the site that consumes the APIs from NodeRed above)
I've configured a domain to this server and set Apache to work with SSL. Apache is running OK with my site through HTTPS, but the problem is that NodeRed (which runs on port 1080) is not configured to run with SSL. This causes a malfunction in my website, since my API endpoints are running under HTTP and being blocked by the browser due to security reasons.
The question is: is there a way to create some kind of "mapping" in Apache that receives the request from HTTPS and redirects it to NodeRed in HTTP (the two are running on the same server)?
My idea is to create a subdomain like https://api.mysite.com that sends the request to Apache and then Apache redirects it to my NodeRed. Is that possible?

There is no need to expose the API to the outside world if you don't want to. Since your Apache is running correctly and both containers are running on the same host, just use a proxy to forward API requests to the API container.
You can achieve this by adding two lines to your Apache config, i.e.
ProxyPass /api/ http://127.0.0.1:1080/
ProxyPassReverse /api/ http://127.0.0.1:1080/
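
Added example (not from the original answer): the same proxy idea as a dedicated TLS virtual host for the api.mysite.com subdomain mentioned in the question. The container name nodered, a shared user-defined Docker network and the certificate paths are assumptions.

```apache
# Added example. Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
# "nodered" (container name), the shared Docker network and the certificate
# paths are assumptions; api.mysite.com and port 1080 are from the question.
<VirtualHost *:443>
    ServerName api.mysite.com

    SSLEngine on
    SSLCertificateFile    "/path/to/fullchain.pem"
    SSLCertificateKeyFile "/path/to/privkey.pem"

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # TLS ends at Apache; the plain-HTTP hop stays on the private Docker network.
    # Inside the Apache container 127.0.0.1 is that container itself, so the
    # backend is addressed by container name unless host networking is used.
    ProxyPass        "/" "http://nodered:1080/"
    ProxyPassReverse "/" "http://nodered:1080/"

    # Tell the backend that the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

With this in place port 1080 does not need to be published on the Docker host, so Node-RED is reachable only through Apache.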

Shibboleth Errors When Authenticating Through a Reverse Proxy on port 8000

Trying to get Shibboleth working on a Docker container, using Apache as a reverse proxy. Problems occur because I am using port 80 for the public Apache instance and port 8000 for the internal instance, which confuses Shibboleth:
2017-10-03 07:34:23 ERROR OpenSAML.MessageDecoder.SAML2POST [5]: POST targeted at (https://dashboard.hpc.unimelb.edu.au/Shibboleth.sso/SAML2/POST), but delivered to (https://dashboard.hpc.unimelb.edu.au:8000/Shibboleth.sso/SAML2/POST)
The first URL is the external URL which the end user sees. The second URL is what the docker container sees when it gets the proxied request (with the HTTP host name forwarded).
Note I used "ShibURLScheme https" on the internal apache instance to ensure it believes https is being used, as the reverse proxy ensures all requests are https.
Is there any way I can tell Shibboleth that this is OK, the URLs really are the same? Maybe by rewriting the URL Shibboleth sees or something?
Thanks

There are two things I would check:
1. Make sure the ServerName directive in your Apache conf file is set to https://dashboard.hpc.unimelb.edu.au:80. Notice the :80. Omitting the port number completely may work too. You want Apache and, vis-a-vis, shibd to see the ServerName that the client is using. You should also make sure you have a UseCanonicalName On directive as part of this.
2. This is likely less of a problem, but make sure your sp-metadata given to the IdP is correct. You should add entries for the FQDN(s) that the client sees. Please note that most of that documentation page isn't applicable to your scenario, but adding the correct metadata entries is vital.
It looks like your ServerName in Apache isn't correct, so I'd start there.

Which load balancer supports Master/Slave configuration?

I am looking for a load balancer for my web application that will support a master-slave kind of configuration or algorithm.
For now I am using Apache proxy but with the round robin LB method.
I am not sure if the Apache load balancer has master-slave support or any module?
Here is what I want exactly: forward all requests to one back end server, and once the master server is down the slave or other server will act as hot stub.
Please suggest any open source load balancer I can use w.r.t. my above requirement.

You can use nginx with its Upstream module.
Example configuration:
upstream myBackend {
    server main.example.com:8080;
    server back.example.com:8080 backup;
}
server {
    location / {
        proxy_pass http://myBackend;
    }
}
While the first server (main.example.com) is up, nginx will use it. When it comes down, it will use the second server. You can read in the linked manual page for various other tuning parameters (for example when to mark server as failed). Nginx supports HTTPS for both incoming connections and also for connections to the proxy backend.
EDIT: For Apache it seems to be possible in version 2.4 using the Proxy Balancer. I have not tested this config. For more details see manual for ProxyPass.
ProxyPass "/" "balancer://hotcluster/"
<Proxy "balancer://hotcluster">
    BalancerMember "http://1.2.3.4:8000"
    # The server below is on hot standby
    BalancerMember "http://1.2.3.6:8000" status=+H
</Proxy>

Multiple protocols for internal communication between apache and tomcat

Tomcat in our application is considered the back-end side, and additionally we have Apache fronting the Tomcat server as a reverse proxy, redirecting requests to the appropriate Tomcat instance.
Now we need to set up an HTTPS connection between the Apache proxy and Tomcat for specific URLs (login, etc.). The Tomcat documentation says that it's possible to achieve this with an additional <Connector> within the server.xml config.
In order to set up HTTPS for the login page, the existing configuration with the AJP protocol was replaced with the following:
ProxyPass /app/login/ https://127.0.0.1:6666/app/login/
All other URLs are specified like below:
ProxyPass /app/anyotherurl/ ajp://127.0.0.1:5555/app/anyotherurl/
With the configuration below we expect that secure data (login/password) for the login page will be encrypted and all other pages will remain unchanged.
After the login Apache should use the normal AJP protocol because there is no sensitive information to protect any more. But that's not what actually happens in our case, because for some reason Apache is redirecting us to the host specified in ProxyPass, namely to localhost.
This could happen due to the fact that our application, while executing login logic on Tomcat, has two consecutive redirects.
We've tried to set ProxyPreserveHost on within the virtual host to fix the situation mentioned above, but we are not sure whether it is a secure option and whether it won't break other pages, and we are not sure how it will work if Tomcat is located on another machine.
It would be good to know any other solution for how such a setup can be applied internally for specific pages.
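
Added example (not part of the original question): one way to keep the backend address out of redirects without ProxyPreserveHost, assuming the redirects are Location headers that Tomcat builds from the backend address. Ports and paths are the ones in the question; the CA file path is a placeholder.

```apache
# Added example. Needs mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_ajp.
# The CA bundle path is a placeholder.

# Required before Apache will open https:// connections to a backend.
SSLProxyEngine On

# Authenticate Tomcat instead of accepting any certificate it presents.
SSLProxyVerify require
SSLProxyCACertificateFile "/path/to/tomcat-ca.pem"
# Compare the certificate with the host name used in the backend URL.
SSLProxyCheckPeerName on

# Login goes to Tomcat's HTTPS connector, everything else stays on AJP.
ProxyPass "/app/login/"       "https://127.0.0.1:6666/app/login/"
ProxyPass "/app/anyotherurl/" "ajp://127.0.0.1:5555/app/anyotherurl/"

# Without ProxyPreserveHost the HTTPS connector sees "Host: 127.0.0.1:6666"
# and builds absolute redirects from it. ProxyPassReverse rewrites those
# Location headers back to the front-end URL before the client sees them.
# The prefix is /app/ rather than /app/login/ so that redirects to pages
# outside /app/login/ are covered too.
ProxyPassReverse "/app/" "https://127.0.0.1:6666/app/"
```

Because the rewrite happens at the proxy, the client-supplied Host header is never forwarded to Tomcat, and the same lines work when Tomcat moves to another machine once the backend host is changed.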

Redirecting http request to two different weblogic servers using the Weblogic proxy and Apache2

I've read previous posts like "Redirecting https requests to two different weblogic servers using the Weblogic proxy and Apache2". But I have a different situation and I don't think I'm understanding this too well.
I have an Apache 2 server (server1) that will receive HTTP requests for my application. Then I have two more servers (server2 and server3) with WebLogic 9.2 running on ports 7000 (server1) and 8000 (server2).
I want the users to enter appname.domain.com and be redirected between the two WebLogic servers, always keeping appname.domain.com (this is hiding servername:port from the URL).
How can I manage to do that?
Thanks in advance!
Jhon.

Use the Apache HTTP Server plug-in provided by BEA/Oracle to front and load balance requests to your application.
I'd use a virtual host here, something like this:
<VirtualHost xxx.xxx.xxx.xxx:80>
    DocumentRoot "C:/test/VirtualHost1"
    ServerName appname.domain.com
    <IfModule mod_weblogic.c>
        #... WLS parameter ...
        WebLogicCluster 192.168.1.100:7000,192.168.1.200:8000
        # Example: MatchExpression *.jsp <some additional parameter>
        MatchExpression *.jsp PathPrepend=/test
    </IfModule>
</VirtualHost>
This config should balance requests for http://appname.domain.com/ to http://192.168.1.100:7000/test and http://192.168.1.200:8000/test.
Refer to the official documentation for all the details:
- Installing and Configuring the Apache HTTP Server Plug-In
- Parameters for Web Server Plug-Ins
- and also Thread: Installing and Configuring the Apache HTTP Server Plug-In

Install a WebGate on the HTTP server in case of Oracle, which will do the reverse proxy and hide the server name.