httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Timo Meinen <timomei...@googlemail.com>
Subject [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects
Date Wed, 28 Apr 2010 09:22:00 GMT
Hi,

I have a problem with our reverse proxy. I asked this question to the
tomcat-users mailinglist, too, but no one could help me and I am
absolutely stuck with this problem. So, I hope some of the httpd
experts here, may have an idea:

Our configuration is a Apache 2.2 web server, acting as a reverse
proxy for Tomcat 6. This is the configuration:

ServerName it.localhost.de
ProxyPass               /       ajp://127.0.0.1:8009/spike/
ProxyPassReverse        /       ajp://127.0.0.1:8009/spike/
ProxyPassReverseCookiePath      /spike  /

(This is the configuration in the VirtualHost entry for port 80. There
is a second VHost for SSL with SSLProxyEngine On and SSLEngine On).

As you can see, the webapp is hosted under ContextPath /spike but
available through the proxy via /. Everything works fine, until the
webapp sends an redirect to HTTPS. This is done via SpringSecurity.
The problem is, that the ProxyPassReverse directive doesn't catch the
ContextPath and converts it, if it includes the complete address.
These are the logs from the web browser:

GET http://it.localhost.de/users/65 => 302 =>
https://it.localhost.de/spike/users/65

1) Why does the ProxyPassReverse doesn't convert the /spike back to /
in https://it.localhost.de/spike/users/65? Is it because the Header
isn't relative? The protocol is still AJP and so the Proxy should know
how to convert it, right?
1a) If so, how could the webapp switch from http to https and vice
versa, when not able to send the absolute address with a new protocol?

After this, I tried to set additional ProxyPassReverse directives:

ProxyPassReverse    /    https://it.localhost.de/spike/
ProxyPassReverse    /    http://it.localhost.de/spike/

This time, the /spike/ is converted to /, but the two directives leads
to an infintive loop of redirects to
http://it.localhost.de/<REQUEST-URI>.

2) How can I stop this loop? or better
3) How can I configure the ProxyPassReverse correctly?

Thank you very much for any help
Timo

Here are the debug information from httpd:

[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(239): proxy:
APR_BUCKET_IS_EOS
[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(244): proxy: data
to read (max 8186 at 4)
[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(259): proxy: got 0
bytes of data
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header:
ajp_ilink_received 04
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got 04
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(491):
ajp_unmarshal_response: status = 302
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(502):
ajp_unmarshal_response: Number of headers is = 2
[Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(1071): ppr: real:
ajp://127.0.0.1:9091/spike/
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564):
ajp_unmarshal_response: Header[0] [Location] =
[https://it.localhost.de/spike/users/3]
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564):
ajp_unmarshal_response: Header[1] [Content-Length] = [0]
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header:
ajp_ilink_received 05
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got 05
[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(498): proxy: got
response from 127.0.0.1:9091 (127.0.0.1)
[Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(2062): proxy: AJP: has
released connection for (127.0.0.1)
[Tue Apr 27 16:54:39 2010] [info] Initial (No.1) HTTPS request
received for child 9 (server it.localhost.de:80)
[Tue Apr 27 16:54:44 2010] [debug] mod_proxy_ajp.c(45): proxy: AJP:
canonicalising URL //127.0.0.1:9091/spike/spike/users/3
[Tue Apr 27 16:54:44 2010] [debug] proxy_util.c(1488): [client
85.183.135.210] proxy: ajp: found worker ajp://127.0.0.1:9091/spike/
for ajp://127.0.0.1:9091/spike/spike/users/3, referer:
http://it.localhost.de/


Problem is that the "ajp_unmarshal_response: Header[0] [Location] =
[https://it.localhost.de/spike/users/3]" doesn't remove the /spike in
the response, so that the next request will lead to the
doubled-context-path: ajp://127.0.0.1:9091/spike/spike/users/3.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message