httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mauri <lai...@gmail.com>
Subject Re: [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects
Date Wed, 28 Apr 2010 09:44:43 GMT
Hi Timo.

i don't know ajp protocol, but I have a similar configuration.
this is my configuration that work fine with apache, mod_proxy as frontend
and a tomcat 6 with SSL (8443) as backend.
u don't set the end point (spike/ <http://127.0.0.1:8009/spike/>) but only
the ProxyPass. I'm using another modules, also.
Please check my configuration. I hope it can help you.
Read this tutorial, it's very usefull:
http://www.apachetutor.org/admin/reverseproxies

Cheers,
Mauri

LoadModule ssl_module modules/mod_ssl.so
LoadFile   /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
LoadModule headers_module    modules/mod_headers.so

AddType application/x-httpd-php .amf
AddType video/x-ms-asf asf asx
AddType audio/x-ms-wma .wma
AddType  application/octet-stream  .doc .xls .pdf
AddType application/x-shockwave-flash  swf

Listen 443
Listen 80
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost mydomain.com:443
<VirtualHost mydomain.com:443>
ServerName mydomain.com
ProxyRequests off
ProxyPass / https://10.173.90.167:8443/
ProxyHTMLURLMap https://10.173.90.167:8443 /
<Location />
        ProxyPassReverse https://10.173.90.167:8443/
        ProxyHTMLEnable On
        ProxyHTMLURLMap  /      /
        RequestHeader    unset  Accept-Encoding
</Location>
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/cert/certificate.cer
SSLCertificateKeyFile /etc/httpd/cert/certificate.key
SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>




2010/4/28 Timo Meinen <timomeinen@googlemail.com>

> Hi,
>
> I have a problem with our reverse proxy. I asked this question to the
> tomcat-users mailinglist, too, but no one could help me and I am
> absolutely stuck with this problem. So, I hope some of the httpd
> experts here, may have an idea:
>
> Our configuration is a Apache 2.2 web server, acting as a reverse
> proxy for Tomcat 6. This is the configuration:
>
> ServerName it.localhost.de
> ProxyPass               /       ajp://127.0.0.1:8009/spike/
> ProxyPassReverse        /       ajp://127.0.0.1:8009/spike/
> ProxyPassReverseCookiePath      /spike  /
>
> (This is the configuration in the VirtualHost entry for port 80. There
> is a second VHost for SSL with SSLProxyEngine On and SSLEngine On).
>
> As you can see, the webapp is hosted under ContextPath /spike but
> available through the proxy via /. Everything works fine, until the
> webapp sends an redirect to HTTPS. This is done via SpringSecurity.
> The problem is, that the ProxyPassReverse directive doesn't catch the
> ContextPath and converts it, if it includes the complete address.
> These are the logs from the web browser:
>
> GET http://it.localhost.de/users/65 => 302 =>
> https://it.localhost.de/spike/users/65
>
> 1) Why does the ProxyPassReverse doesn't convert the /spike back to /
> in https://it.localhost.de/spike/users/65? Is it because the Header
> isn't relative? The protocol is still AJP and so the Proxy should know
> how to convert it, right?
> 1a) If so, how could the webapp switch from http to https and vice
> versa, when not able to send the absolute address with a new protocol?
>
> After this, I tried to set additional ProxyPassReverse directives:
>
> ProxyPassReverse    /    https://it.localhost.de/spike/
> ProxyPassReverse    /    http://it.localhost.de/spike/
>
> This time, the /spike/ is converted to /, but the two directives leads
> to an infintive loop of redirects to
> http://it.localhost.de/<REQUEST-URI>.
>
> 2) How can I stop this loop? or better
> 3) How can I configure the ProxyPassReverse correctly?
>
> Thank you very much for any help
> Timo
>
> Here are the debug information from httpd:
>
> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(239): proxy:
> APR_BUCKET_IS_EOS
> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(244): proxy: data
> to read (max 8186 at 4)
> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(259): proxy: got 0
> bytes of data
> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header:
> ajp_ilink_received 04
> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got
> 04
> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(491):
> ajp_unmarshal_response: status = 302
> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(502):
> ajp_unmarshal_response: Number of headers is = 2
> [Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(1071): ppr: real:
> ajp://127.0.0.1:9091/spike/
> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564):
> ajp_unmarshal_response: Header[0] [Location] =
> [https://it.localhost.de/spike/users/3]
> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564):
> ajp_unmarshal_response: Header[1] [Content-Length] = [0]
> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header:
> ajp_ilink_received 05
> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got
> 05
> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(498): proxy: got
> response from 127.0.0.1:9091 (127.0.0.1)
> [Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(2062): proxy: AJP: has
> released connection for (127.0.0.1)
> [Tue Apr 27 16:54:39 2010] [info] Initial (No.1) HTTPS request
> received for child 9 (server it.localhost.de:80)
> [Tue Apr 27 16:54:44 2010] [debug] mod_proxy_ajp.c(45): proxy: AJP:
> canonicalising URL //127.0.0.1:9091/spike/spike/users/3
> [Tue Apr 27 16:54:44 2010] [debug] proxy_util.c(1488): [client
> 85.183.135.210] proxy: ajp: found worker ajp://127.0.0.1:9091/spike/
> for ajp://127.0.0.1:9091/spike/spike/users/3, referer:
> http://it.localhost.de/
>
>
> Problem is that the "ajp_unmarshal_response: Header[0] [Location] =
> [https://it.localhost.de/spike/users/3]" doesn't remove the /spike in
> the response, so that the next request will lead to the
> doubled-context-path: ajp://127.0.0.1:9091/spike/spike/users/3.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Mime
View raw message