I realize this question has probably been asked numerous times, but I have not been able to find a good, up-to-date answer. The only guide I have been able to find was from 2005 and was on tomcat 5. It seems a lot of the OS paths have changed.
Our situation is this:
We want to run multiple instances of tomcat 7 on a single server. Each tomcat serves up a different address. For instance, www.oursite.com should be served from a separate tomcat than test.oursite.com. So, for example the base tomcat installtion will sit in /opt/tomcat/ and the instance specific directories (this is what I could make out from that old tutorial) will be in /home/user1/some/path/ and /home/user2/some/path so that everything is seperated nicely.
Can anyone point to a good tutorial, or maybe explain here the steps to set this up? I'm a bit new to apache setups.
Are there any advantages / drawbacks to doing it this way? Would a single tomcat instance be better? We need to be able to bring down sites one at a time without influencing each other. Also, our DNS provider prevents us from setting up stealth redirects, so we have to go through apache to have nice URLs rather than redirecting straight to the tomcats.
Thanks
I believe you have 2 questions here:
How to run multiple tomcat instances in the same server and should
you?
How to configure apache httpd to do virtual host and front
tomcat?
For 1. The following is a very good tutorial on how to run multiple tomcat instances in the same server: http://java.dzone.com/articles/running-multiple-tomcat, but should you? the answer is "it depends". If you have a super powerful box and it is under utilized, you should. It also depends on what type of application you runs for each individual sites. It will definitely help you "bring down sites one at a time without influencing each other". With apache httpd configuration which I will explain in the next section, you can also run the each site on separate machines (physical or vm).
For 2. In you case, you just need to configure apache httpd to do virtual host and use ajp to connect to tomcat.
<VirtualHost *:80>
ServerName www.oursite.com
ProxyPass / ajp://tomcat.oursite.com:8009/www retry=5
ProxyPassReverse / ajp://tomcat.oursite.com:8009/www
</VirtualHost>
<VirtualHost *:80>
ServerName test.oursite.com
ProxyPass / ajp://tomcat.oursite.com:8010/test retry=5
ProxyPassReverse / ajp://tomcat.oursite:8010/test
</VirtualHost>
In the above configuration, you need to configure DNS entries of both www.yoursite.com and test.yoursite.com to point to the same host. It also assume you run both your www and test webapps on different tomcat instances on the same host tomcat.oursite.com, one on ajp port 8009 and the other one on ajp port 8010. You can also change it to a different server of its own. It's very flexible. FYI, following is how to configure ajp in tomcat: http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
I found a problem with the apache mod_proxy_ajp connector in such a configuration, it absolutely won't allow you to use any other port when setting up multiple virtual hosts each with its own tomcat instance.
Having spent some time ruling out port conflicts, tomcat configuration issues, firewall issues I have concluded that ProxyPass and ProxyPassReverse will not work when using any port other than 8009 by default.
The solution is likely to be to switch to mod_jk, which also solves problems seen in mod_proxy_ajp with basic configurations not loading or rewriting urls embedded within tomcat hosted pages without extensive configuration changes if the tomcat instance is rooted to a subdirectory. This doesn't seem to happen with Mod_Jk
Related
I am able to reach the GeoServer log-in form on a new server instance using a URL like this: https://sub.domain.tld/geoserver.
However, entering the correct username and password causes Cannot POST /geoserver/j_spring_security_check to be displayed in plain text in the browser window and "http://localhost:8080/geoserver/j_spring_security_check" to appear on the address line (Chrome and Firefox). Logging-in works just fine from http://sub.domain.tld:8080/geoserver and, while logged in that way, the SSL URL will skip the log-in form entirely and open the full GUI -- but none of the example layer previews will work (Cannot GET /geoserver/tiger/wms ...or whatever layer).
I have 3 similar servers set up with earlier software versions that all work perfectly:
CentOS Linux release 7.5.1804 (Core)
Apache 2.4.6
Tomcat 9.0.4.0
JVM 1.8.0_171-b10 (Oracle)
GeoServer 2.15.1 (also 2.14.1)
This latest server is:
CentOS Linux release 7.9.2009 (Core)
Apache 2.4.6
Tomcat 9.0.48.0
JVM 1.8.0_292-b10 (Red Hat)
GeoServer 2.19.1
I closely followed the GeoServer install procedure found here. Apache was already installed and working with a virtual host configuration using certbot and a Let's Encrypt certificate. I added the following to the <VirtualHost *:443> section of the /etc/httpd/sites-available/sub.domain.tld.conf file:
ProxyRequests Off
ProxyPass /geoserver http://localhost:8080/geoserver
ProxyPassReverse /geoserver http://localhost:8080/geoserver
<Location "/geoserver">
Order allow,deny
Allow from all
Header set Access-Control-Allow-Origin "*"
</Location>
I also set "https://sub.domain.tld/geoserver/" as the Proxy Base URL in GeoServer. This is exactly how my working instances are set up.
The newest /opt/tomcat/webapps/geoserver/WEB-INF/web.xml file is slightly different in that it has separate CORS sections to be uncommented for Jetty vs. Tomcat. The Tomcat section and the cross-origin filter-mapping are uncommented. Unlike before, I had to enable the SELinux httpd_can_network_connect process in order to get to the GeoServer log-in form via SSL. Disabling SELinux enforcement, however, does not solve the j_spring_security_check problem.
Sensitive WMS and WFS content must be served via SSL. I am now spinning my wheels on research so any help in resolving this would be greatly appreciated!
I was running into a similar problem trying to reverse proxy a Geoserver docker container using Apache.
After bashing my head for a few days, I found I needed a couple of changes on both ends of the setup.
Apache:
<Location "/geoserver">
ProxyPreserveHost On
ProxyPass http://localhost:8080/geoserver
ProxyPassReverse http://localhost:8080/geoserver
</Location>
The ProxyPreserveHost directive should ensure that sub.domain.tld is what's used rather than localhost.
However, at this point I hit another problem, no matter what I did the login & logout URLs were using http:// and not https://
This required adjusting the server config of Tomcat, specifically the scheme used by the connector.
Tomcat:
<Connector
port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
scheme="https"
/>
Note the value of scheme is https, normally it's http because it's the http connector. This connector doesn't SSL/TLS encrypt the traffic so it would, under normal circumstances (appropriately), set the protocol to http.
Since we're using a proxy for SSL/TLS encryption we don't need Tomcat to do that work but we still need to tell Tomcat to describe the server name using https instead of the usual http.
Alternatively, you could also look at using the AJP connector which is an entirely different protocol but gets around some of these issues rather neatly and can be more performant.
The issue with this approach is that it requires more Apache mods to be enabled to work as well as some security concerns given how much more powerful AJP can be VS the http connector.
Also, there are some other proxy settings that can be used in Tomcat to possibly remove the need for ProxyPreserveHost in Apache, but this should get you where you're going.
Additional reading:
Tomcat HTTP Connector docs: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
Tomcat AJP docs: https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
I'm starting from the bitnami jenkins stack. Everything is working perfectly with jenkins.
http://sample:8080/jenkins (works fine)
I'm trying to add additional directories to apache to proxy to nginx:
http://sample:8080/other_tool
I can get to the other_tool homepage, but references to that other tool break down because they are looking for http://sample:8080/relative_url rather than http://sample:8080/other_tool/relative_url
I can pull config settings from the necessary files as needed, but it is on an air-gapped network so wholesale posting would be a challenge
The apache conf looks like:
<Directory /other_tool>
ProxyPass http://localhost:9999
ProxyPassReverse http://localhost:9999
</Directory>
The nginx configuration is a standard "/" with root directory. I'm not as familiar with nginx so I can't recall the exact information off the top of my head. If needed I will provide it.
I could try to switch the jenkins hosting over to nginx, but I'm not sure that simplifies anything.
I can't open more ports on the machine. I can't use a subdomain as that would require additional DNS entries that I do not control.
Ideas or suggestions?
I have already installed an Apache HTTP server in my RedHat system, now I need to install a Bitnami application package which contains another Apache. So I am wondering how to make them not disturbing each other?
I guess I need to configure different ports for the two HTTP server. But what if one has 8080 and another has 9090, will we visit http://[ServerName]:8080/something.html and http://[ServerName]:9090/something.html? I think this way is quite inconvenient. Am I wrong or any better idea?
My advice would be to do something like this.
Have one Apache instance listen in port 80 and the other one in port 8080 for example. The Apache instance that listens in port 80 can act as a proxy to the other Apache (port 8080) using the ProxyPass and ProxyPassReverse directives.
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
You would need to define prefixes or virtual hosts and inside them add ProxyPass directives.
I don't know to what kind of user those applications are targeted to but the usual end-user is not used to enter ports when browsing the web.
If you like to use the ports, go for it, but I would recommend using Name-based Virtual Host
so you could use different domains or subdomains to each application.
In addition to the example provided by the docs (in where they just point to different folders) in this digitalocean page they document how to make redirects to different urls.
I completely agree with EndermanAPM that usual end-user is not used to enter ports when browsing the web. Therefore, I would only allow port 80 to be accessed by the end-users.
Additional to the current solutions I see another one:
avoid messing up the settings of the Apache servers in order to not end-up with some malfunctions of your websites
leave the Apache servers listen on their designated ports (8080 respectively 9090)
install a dedicated proxy in front of the Apache servers. The proxy would listen on port 80 and would define redirect rules that would parse the request and would redirect it to the proper Apache server. (see the attached picture)
I recommend you HA Proxy. It is a very fast and reliable http and tcp proxy. I've been using it in production for years, in front of application servers, web servers and even database servers. Once you get used with its syntax, it is pretty easy to use.
I am aware that introducing a new component into the equation might add another source of potential issues. But I think that the architecture is cleaner. Besides, the two Apache servers will not be disturbing each other as you requested. You can shut down any one of the two and the other one would properly work further.
I found one documentation here to run multiple node application on single port using proxypass, I understood the concept, it just forward the request to node application port unsing ProxyPass. In that example, they used httpd, and I am using tomcat.
My question is, how can I do same configuration in tomcat?
simply I am expecting tomcat configuration for this httpd configuration.
ProxyPass /node http://host.xyz.com:3000
You really should consider using Apache httpd (or any other frontend) for this purpose. This is the software that handles the requirement best - and tomcat best serves application data.
Also, Apache httpd knows how to handle port 80 or 443, something that needs some extra work with tomcat (if you don't want to run it as root. And you actually don't want to run it as root)
It doesn't require so many extra resources, use the appropriate tool for the job. And, when you use mod_proxy, look up all the related options and understand what they're there for. You probably also want ProxyPreserveHost On, but I'll stop here.
I hope the document will be helpful.
In a server hosting a website address.com (managed with drupal) with an apache2 server (running on port 8080) I would like to install a webservice (tomcat7 / axis2) which runs on the same port 8080. Is there a way do it? There're also svn, trac running on that port. Unfortunately, due to security restrictions, that's the only port accessible externally.
Thank you
You can absolutely expose multiple services on the same port, as long as they all live in distinct URL namespaces. For example, you're already running Trac and svn on port 8080, so obviously you are already doing exactly what you're asking about.
To add Tomcat to the mix, you would typically:
Run Tomcat locally on another port, and then
Use ProxyPass and ProxyPassReverse to expose the Tomcat service via your webserver on port 8080.
For example, if you wanted to make your Tomcat instance visible at http://myserver:8080/tomcat, you might add something like this to your Apache configuration:
ProxyPass /tomcat/ http://localhost:8888/
ProxyPassReverse /tomcat/ http://localhost:8888/
You can read more about these directives here. Note that you may need to perform additional configuration of your Tomcat application to reflect the fact that it is externally visible at /tomcat/.
You can also potentially take advantage of virtual hosting, assuming that you control DNS for this system; in that case, you can have:
http://myserver-trac:8080/
Lead to a different VirtualHost configuration than:
http://myserver-tomcat:8080/
You can read more about name-based virtual hosting here.
When you install the webservice listening on another port (at localhost), you can use Apache as a proxy (using mod_proxy) to access that service.
Maybe usefull: How to rewrite / proxy an Apache URI to an application listening on a specific port / server?