I have a situation where I need to route requests to Apache through an internal Proxy Server before redirecting to an external Site. The setup is something like this:
Browser Request --> Apache --> Internal Proxy Server --> External Site
Without the Proxy Server I accomplished the redirect using a rewrite handled as a Proxy( [P] )
RewriteRule ^/somepath/(.*) http://www.externalsite.com/$1 [P,QSA,L]
I found setting up apache behind a forward proxy which looked like it was what I wanted to setup, and suggested I try the following directives:
ProxyPass /somepath/ http://www.externalsite.com/
ProxyPassReverse /somepath/ http://www.externalsite.com/
ProxyRemote http://www.externalsite.com/ http://internal.proxy.ip.addy:8080
When I set this up I got a 503 and the following Apache log entries:
[Thu Apr 11 07:47:14 2013] [debug] mod_proxy_http.c(1973): proxy: HTTP: serving URL http://www.externalsite.com/somefile.html
[Thu Apr 11 07:47:14 2013] [debug] proxy_util.c(2011): proxy: HTTP: has acquired connection for (www.externalsite.com)
[Thu Apr 11 07:47:14 2013] [debug] proxy_util.c(2067): proxy: connecting http://www.externalsite.com/somefile.html to www.externalsite.com:80
[Thu Apr 11 07:47:14 2013] [debug] proxy_util.c(2193): proxy: connected http://www.externalsite.com/somefile.html to internal.proxy.ip.addy:8080
[Thu Apr 11 07:47:14 2013] [debug] proxy_util.c(2444): proxy: HTTP: fam 2 socket created to connect to www.externalsite.com
[Thu Apr 11 07:47:35 2013] [error] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : proxy: HTTP: attempt to connect to internal.proxy.ip.addy:8080 (www.externalsite.com) failed
Nothing was logged in the proxy server logs, and I know the proxy server works if I set it explicitly in the browser and load that externalsite.com
Any thoughts?
Ended up being a vmware IP address issue when connecting to the proxy... The above directives do seem to correctly proxy apache through to the proxy server.
Related
I have a simple deployment with some webservers connected to an AWS ELB. This ELB in-turn has some application servers behind it.
The webservers are unable to connect to the application server ELB. The httpd error log is full of:
[Thu Dec 22 15:28:05.897273 2016] [proxy:error] [pid 10188] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 54.254.179.37:80 (elblinkhere) failed
[Thu Dec 22 15:28:05.897348 2016] [proxy:error] [pid 10188] AH00959: ap_proxy_connect_backend disabling worker for (elblinkhere) for 60s
[Thu Dec 22 15:28:05.897361 2016] [proxy_http:error] [pid 10188] [client 10.0.0.54:13789] AH01114: HTTP: failed to make connection to backend: elblinkhere
I have tried to check if this is an SELinux issue but that does not seem so.
I have also read a large number of threads on the internet about this and not come across any solutions.
My question(s):
1. What other methods can I use to resolve this?
2. How do I resolve this?
Did you configure your ELB as external and also enabled necessary port for ELB's security group?
I have a jboss cluster with 2 nodes (a and b) + 1 apache working as mod_cluster (apache in a separate server)
If one of the nodeA goes down, mod cluster can't connect to another one.
So, if nodeA crashes, I can't access the JBoss application by http://apache_server/myapp, but I can by http://nodeb/myapp, and vice versa.
I dug through Google, and almost everything I have found says it is related to sessions, but I can't find what is wrong with my config. (mod_cluster was configured with this tool: Load Balancer Configuration Tool)
NodeA Log
15/05/2016 07:45:22,741 ERROR [org.jgroups.protocols.TCP] (http-/nodeA:8080-90) failed sending message to jbossnodeb:jbossnodeb/web (4148 bytes): java.net.SocketException: Socket closed, cause: null
15/05/2016 07:45:22,790 ERROR [org.jgroups.protocols.TCP] (OOB-6464,shared=tcp) failed sending message to jbossnodeb:jbossnodeb/web (4141 bytes): java.net.SocketException: Broken pipe, cause: null
NodeB Log
15/05/2016 07:45:23,126 ERROR [org.jgroups.protocols.TCP] (OOB-4949,shared=tcp) failed sending message to jbossnodea:jbossnodea/web (79 bytes): java.net.SocketException: Broken pipe, cause: null
15/05/2016 07:45:53,457 WARN [org.jgroups.protocols.TCP] (Timer-1,shared=tcp) null: no physical address for jbossnodea:jbossnodea/web, dropping message
Apache mod_cluster server log
[Sun May 15 07:45:04 2016] [error] (70007)The timeout specified has expired: proxy: read response failed from (null) (nodeA_IP)
[Sun May 15 07:45:34 2016] [error] (70007)The timeout specified has expired: ajp_cping_cpong: apr_socket_recv failed
[Sun May 15 07:45:38 2016] [error] ajp_handle_cping_cpong: ajp_ilink_receive failed
[Sun May 15 07:45:38 2016] [error] (70007)The timeout specified has expired: proxy: AJP: cping/cpong failed to (null) (nodeA_IP)
[Sun May 15 07:45:44 2016] [error] (70007)The timeout specified has expired: ajp_cping_cpong: apr_socket_recv failed
[Sun May 15 07:45:44 2016] [error] (70007)The timeout specified has expired: proxy: dialog to nodeA_IP:8009 (nodeA_IP) failed
[Sun May 15 07:45:44 2016] [error] ajp_read_header: ajp_ilink_receive failed
[Sun May 15 07:45:44 2016] [error] (70007)The timeout specified has expired: proxy: dialog to nodeA_IP:8009 (nodeA_IP) failed
[Sun May 15 07:45:44 2016] [error] (70007)The timeout specified has expired: proxy: dialog to nodeA_IP:8009 (nodeA_IP) failed
[Sun May 15 07:45:45 2016] [error] ajp_read_header: ajp_ilink_receive failed
[Sun May 15 07:45:45 2016] [error] (70007)The timeout specified has expired: proxy: dialog to (null) (nodeA_IP) failed
[Sun May 15 07:45:45 2016] [error] ajp_read_header: ajp_ilink_receive failed
[Sun May 15 07:45:45 2016] [error] (70007)The timeout specified has expired: proxy: dialog to (null) (nodeA_IP) failed
[Sun May 15 07:45:45 2016] [error] ajp_read_header: ajp_ilink_receive failed
[Sun May 15 07:45:45 2016] [error] proxy: CLUSTER: (balancer://clusterjboss). All workers are in error state
Config apache mod_cluster
AdvertiseGroup 225.0.1.107:23364
KeepAliveTimeout 60
ManagerBalancerName clusterjboss
ServerAdvertise On
AdvertiseFrequency 5
EnableMCPMReceive
CreateBalancers 0
AllowDisplay On
ProxyPass / balancer://clusterjboss/ stickysession=JSESSIONID|jsessionid nofailover=On
Visibility
JBoss worker instances must be able to contact your `EnableMCPMReceive` VirtualHost
Your JBoss worker instances report their IP address and AJP port to the Apache HTTP Server
Your Apache HTTP Server must be able to contact them back on those reported addresses
ProxyPass
JGroups, Infinispan, Domains, Clustering
mod_cluster, i.e. modcluster subsystem has nothing to do with the aforementioned whatsoever. The subsystem is completely oblivious to the fact that there is some cluster formed or that you have your instances in a domain -- which is also irrelevant to having your instances in a cluster in the first place. Don't bother with JGroups messages while investigating mod_cluster configuration.
Although, if your JGroups cluster is broken...
Infinispan - i.e. distributed or replicated cache of your web session data in this case, relies on JGroups for forming a cluster and for exchanging messages in this cluster. If your instances cannot form a cluster or fail to exchange messages, you might experience a loss of session data on failover.
For example: Apache HTTP Server mod_cluster balancer decides to send request with JSESSIONID yadayadaXXX.worker-1 to worker-2, because worker-1 is down. Due to a network configuration error, worker-1 and worker-2 have never correctly formed a cluster, so worker-2 does not have the session data of worker-1. The result is a web application with a new session created, i.e. your client lost his context, e.g. shopping cart (popular showcase).
ProxyPass
Don't use it unless you have something specific in mind. The whole point of mod_cluster is that it creates all proxy directives in memory, on the fly dynamically as your worker nodes and their web applications come and go. You start fiddling with additional ProxyPass directives if you want to:
react to special error codes from a special web application, e.g. to treat HTTP codes that are supposed to mean an error as valid and vice versa
to serve static content directly from the Apache HTTP Server and not from worker nodes - e.g. pictures...
to load balance some contexts to mod_cluster-aware JBoss worker nodes and some contexts to non-mod_cluster servers, e.g. another Apache HTTP Server running Drupal in PHP...
ManagerBalancerName
It is not clear to me why you would need to change it. If you change the default value, you have to also alter balancer="new_value" in your JBoss modcluster subsystem configuration. What it actually does is that it tells mod_cluster in the Apache HTTP Server to create more separate named ProxyPass Balancers internally. One then could use ProxyPass directives to tweak them separately. Do you need to tweak them? According to the rest of your config I am convinced it is not the case. For example, the session stickiness is configured in JBoss nodes in mod_cluster subsystems - worker nodes report this to the Apache HTTP Server balancer.
HTH, -K-
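The visibility points from the answer above, written out as a dedicated MCMP VirtualHost (an added example, not part of the original post or the poster's configuration). The addresses 10.0.0.10 (this Apache server) and 10.0.0.0/24 (JBoss worker subnet), port 6666 and the /mod_cluster-manager location are assumptions; the access-control syntax is Apache 2.2, matching the 2.2-style log lines in the question.

```apache
# Added example. Assumed addresses: 10.0.0.10 is this Apache server,
# 10.0.0.0/24 is the subnet the JBoss workers live in.
Listen 10.0.0.10:6666

<VirtualHost 10.0.0.10:6666>
    # Workers register through this VirtualHost, so it must be reachable
    # from every worker, and from nothing else: whoever can reach it can
    # register a backend with the balancer.
    <Directory />
        Order deny,allow
        Deny from all
        Allow from 10.0.0.
    </Directory>

    KeepAliveTimeout 60
    MaxKeepAliveRequests 0

    EnableMCPMReceive

    # Multicast advertisement, values as in the question.
    ServerAdvertise On
    AdvertiseGroup 225.0.1.107:23364
    AdvertiseFrequency 5

    # Status page, restricted to the balancer host itself.
    <Location /mod_cluster-manager>
        SetHandler mod_cluster-manager
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
</VirtualHost>

# Return path: Apache must be able to open connections to each worker on
# the address and AJP port the worker reports (nodeA_IP:8009 in the log).
# No ProxyPass and no ManagerBalancerName here: mod_cluster creates the
# balancer and its proxy entries itself as workers register.
```

On Apache 2.4 the `Order`/`Deny`/`Allow` lines need mod_access_compat or a `Require ip` equivalent.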
Possible changes that need to be done in domain.xml:
1. Under <domain-controller>, add <remote host="<ip-address-of-master-node>" port="<port>" security-realm="ManagementRealm"/>
2. Under <servers>, add <server name="slave-node" group="server-group" auto-start="true">
3. Under mod-cluster subsystem, add <mod-cluster-config advertise-socket="modcluster" proxy-list="<ip-address>:<port-in-mod-cluster-config>" connector="ajp">
In mod-cluster configuration:
1. Allow from all
2. ManagerBalancerName server-group (exact name as above)
Also, are you using any virtualization/containers? To deal with problems with session replication in such cases, you might need to try out "sticky session".
In Apache, the mod_jk module does not update the IP of a hostname when the IP changes in DNS.
Version of apache:
Server version: Apache/2.2.15 (Unix)
Server built: Aug 2 2013 08:02:15
Version mod_jk: 1.2.37
Example:
workers.properties
worker.portalconsultoras_prd.type=ajp13
worker.portalconsultoras_prd.host=hostexample.com.br
worker.portalconsultoras_prd.port=8009
This configuration works fine.
But when the IP of the hostname changes in DNS, the mod_jk module starts failing to connect. The mod_jk log follows:
[Wed Sep 18 12:00:33 2013] [5315:140659824723936] [info] jk_open_socket::jk_connect.c (627): connect to 107.xx.xx.220:8009 failed (errno=115)
[Wed Sep 18 12:00:33 2013] [5315:140659824723936] [info] ajp_connect_to_endpoint::jk_ajp_common.c (995): Failed opening socket to (107.xx.xxx.220:8009) (errno=115)
[Wed Sep 18 12:00:33 2013] [5315:140659824723936] [error] ajp_send_request::jk_ajp_common.c (1630): (portalconsultoras_prd) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=115)
I would like an Apache configuration that avoids this problem.
Looking for solutions on Google, I have turned on "HostnameLookups", but it is inefficient.
Thanks!
I am running an Apache on Ubuntu which works pretty fine. However, if I issue 'shutdown -r now' and wait until the server has been booted successfully, the website won't show up in the browser.
Then, if I issue: service apache2 start, it'll show:
[Thu Jun 14 11:08:38 2012] [error] (EAI 2)Name or service not known: Could not resolve host name *.443 -- ignoring!
[Thu Jun 14 11:08:38 2012] [warn] The ScriptAlias directive in /etc/apache2/sites-enabled/default2 at line 18 will probably never match because it overlaps an earlier ScriptAlias.
[Thu Jun 14 11:08:38 2012] [warn] The Alias directive in /etc/apache2/sites-enabled/default2 at line 34 will probably never match because it overlaps an earlier Alias.
[Thu Jun 14 11:08:38 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
(98)Address already in use: make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
Action 'start' failed.
The Apache error log may have more information.
* Starting web server apache2 FAIL
However, when I issue service apache2 stop, it'll show:
[Thu Jun 14 11:09:34 2012] [error] (EAI 2)Name or service not known: Could not resolve host name *.443 -- ignoring!
[Thu Jun 14 11:09:34 2012] [warn] The ScriptAlias directive in /etc/apache2/sites-enabled/default2 at line 18 will probably never match because it overlaps an earlier ScriptAlias.
[Thu Jun 14 11:09:34 2012] [warn] The Alias directive in /etc/apache2/sites-enabled/default2 at line 34 will probably never match because it overlaps an earlier Alias.
[Thu Jun 14 11:09:34 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
* Stopping web server apache2 OK
However, afterwards netstat -tulpn| grep :80 still shows:
tcp6 0 0 :::80 :::* LISTEN 23561/apache2
Anyways, when I just kill the process shown above, e.g., kill -9 23561, I can successfully startup apache2 with service apache2 start and see my website again in the browser. So, for me it looks like, there is another apache2 running that uses a completely different configuration. Btw, I already assured that I have only one apache2 installation.
Can you help me out with this? Many thanks in advance!!! :-)
I have configured Apache2 to use Client Certificate Authentication using:
SSLVerifyClient require
It works, I can access my site with a valid Client Certificate.
However, when users connect to it without having a ClientCertificate installed, they get a confusing error from the browser.
(Chrome says 'ERR_SSL_PROTOCOL_ERROR', Firefox says 'ssl_error_handshake_failure_alert', Internet Explorer only says 'Internet Explorer cannot display the Webpage'.)
I want to show the users a custom ErrorDocument when they try to access without a valid Client Certificate.
The problem is that the site doesn't return an HTTP error code, but aborts the request, so I can't use Apache's 'ErrorDocument'.
last part of ssl_error_log is this:
[Wed Aug 31 11:11:57 2011] [info] [client 192.168.2.156] SSL library error 1 in handshake (server url:443)
[Wed Aug 31 11:11:57 2011] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Wed Aug 31 11:11:57 2011] [info] [client 192.168.2.156] Connection closed to child 1 with abortive shutdown (server url:443)
How do I return a valid ErrorDocument for this?
SSLVerifyClient optional
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule ^/ http://localhost:8080/missing_cert.html [P,L]
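The approach in the answer above, placed in a complete VirtualHost (an added example, not part of the original post). It returns a 403 with a custom ErrorDocument instead of proxying to port 8080; the server name, file paths and the /errors/ location are assumptions.

```apache
# Added example. Names and paths are placeholders.
<VirtualHost *:443>
    ServerName secure.example.test
    DocumentRoot /var/www/secure

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key
    # CA that issued the client certificates
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt

    # "optional" lets the handshake finish without a certificate, so the
    # request reaches HTTP processing and an error page can be returned.
    # From here on nothing in TLS rejects anonymous clients: the rule
    # below is the only access control and has to cover every URL.
    SSLVerifyClient optional

    ErrorDocument 403 /errors/missing_cert.html

    RewriteEngine On
    # The error page itself must be readable without a certificate,
    # otherwise the 403 handler would be refused as well.
    RewriteCond %{REQUEST_URI} !^/errors/
    # SSL_CLIENT_VERIFY is NONE, SUCCESS, GENEROUS or FAILED:reason.
    # Only SUCCESS means a certificate was presented and verified.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    # Server/VirtualHost context: "^" matches every path. In a
    # <Directory> block or .htaccess the leading slash is stripped
    # before matching, so a pattern such as "^/" would never match
    # there and the content would be served without a certificate.
    RewriteRule ^ - [F]
</VirtualHost>
```

A quick check after deploying: a request without a client certificate to any path outside /errors/ should come back as 403 with the custom page, never as 200.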