httpd-users mailing list archives

From Arunkumar Janarthanan <arunkumar.webad...@gmail.com>
Subject Re: [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects
Date Wed, 28 Apr 2010 11:16:26 GMT
Hi,

Did you try the "sslProxyEngine On"? However, I have got the specific error
in my Apache log stating have to check this one.

Hope this helps.

Best Regards,
Arun Janarthanan

On Wed, Apr 28, 2010 at 5:44 AM, Mauri <lain80@gmail.com> wrote:

> Hi Timo.
>
> I don't know the AJP protocol, but I have a similar configuration.
> This is my configuration that works fine with Apache, mod_proxy as frontend
> and a Tomcat 6 with SSL (8443) as backend.
> You don't set the end point (spike/ <http://127.0.0.1:8009/spike/>) but only
> the ProxyPass. I'm using other modules, also.
> Please check my configuration. I hope it can help you.
> Read this tutorial, it's very useful:
> http://www.apachetutor.org/admin/reverseproxies
>
> Cheers,
> Mauri
>
> LoadModule ssl_module modules/mod_ssl.so
> LoadFile   /usr/lib/libxml2.so
> LoadModule proxy_html_module modules/mod_proxy_html.so
> LoadModule xml2enc_module modules/mod_xml2enc.so
> LoadModule headers_module    modules/mod_headers.so
>
> AddType application/x-httpd-php .amf
> AddType video/x-ms-asf asf asx
> AddType audio/x-ms-wma .wma
> AddType  application/octet-stream  .doc .xls .pdf
> AddType application/x-shockwave-flash  swf
>
> Listen 443
> Listen 80
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> SSLPassPhraseDialog  builtin
> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout  300
> SSLMutex default
> SSLRandomSeed startup file:/dev/urandom  256
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> NameVirtualHost mydomain.com:443
> <VirtualHost mydomain.com:443>
> ServerName mydomain.com
> ProxyRequests off
> ProxyPass / https://10.173.90.167:8443/
> ProxyHTMLURLMap https://10.173.90.167:8443 /
> <Location />
>         ProxyPassReverse https://10.173.90.167:8443/
>         ProxyHTMLEnable On
>         ProxyHTMLURLMap  /      /
>         RequestHeader    unset  Accept-Encoding
> </Location>
> SSLEngine on
> SSLProxyEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /etc/httpd/cert/certificate.cer
> SSLCertificateKeyFile /etc/httpd/cert/certificate.key
> SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
>
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
> <Directory "/var/www/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
>
>
>
>
> 2010/4/28 Timo Meinen <timomeinen@googlemail.com>
>
>> Hi,
>>
>> I have a problem with our reverse proxy. I asked this question to the
>> tomcat-users mailing list, too, but no one could help me and I am
>> absolutely stuck with this problem. So, I hope some of the httpd
>> experts here may have an idea:
>>
>> Our configuration is an Apache 2.2 web server, acting as a reverse
>> proxy for Tomcat 6. This is the configuration:
>>
>> ServerName it.localhost.de
>> ProxyPass               /       ajp://127.0.0.1:8009/spike/
>> ProxyPassReverse        /       ajp://127.0.0.1:8009/spike/
>> ProxyPassReverseCookiePath      /spike  /
>>
>> (This is the configuration in the VirtualHost entry for port 80. There
>> is a second VHost for SSL with SSLProxyEngine On and SSLEngine On).
>>
>> As you can see, the webapp is hosted under ContextPath /spike but
>> available through the proxy via /. Everything works fine, until the
>> webapp sends a redirect to HTTPS. This is done via SpringSecurity.
>> The problem is, that the ProxyPassReverse directive doesn't catch the
>> ContextPath and converts it, if it includes the complete address.
>> These are the logs from the web browser:
>>
>> GET http://it.localhost.de/users/65 => 302 =>
>> https://it.localhost.de/spike/users/65
>>
>> 1) Why doesn't the ProxyPassReverse convert the /spike back to /
>> in https://it.localhost.de/spike/users/65? Is it because the Header
>> isn't relative? The protocol is still AJP and so the Proxy should know
>> how to convert it, right?
>> 1a) If so, how could the webapp switch from http to https and vice
>> versa, when not able to send the absolute address with a new protocol?
>>
>> After this, I tried to set additional ProxyPassReverse directives:
>>
>> ProxyPassReverse    /    https://it.localhost.de/spike/
>> ProxyPassReverse    /    http://it.localhost.de/spike/
>>
>> This time, the /spike/ is converted to /, but the two directives lead
>> to an infinite loop of redirects to
>> http://it.localhost.de/<REQUEST-URI>.
>>
>> 2) How can I stop this loop? or better
>> 3) How can I configure the ProxyPassReverse correctly?
>>
>> Thank you very much for any help
>> Timo
>>
>> Here are the debug information from httpd:
>>
>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(239): proxy:
>> APR_BUCKET_IS_EOS
>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(244): proxy: data
>> to read (max 8186 at 4)
>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(259): proxy: got 0
>> bytes of data
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header:
>> ajp_ilink_received 04
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got
>> 04
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(491):
>> ajp_unmarshal_response: status = 302
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(502):
>> ajp_unmarshal_response: Number of headers is = 2
>> [Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(1071): ppr: real:
>> ajp://127.0.0.1:9091/spike/
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564):
>> ajp_unmarshal_response: Header[0] [Location] =
>> [https://it.localhost.de/spike/users/3]
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564):
>> ajp_unmarshal_response: Header[1] [Content-Length] = [0]
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header:
>> ajp_ilink_received 05
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got
>> 05
>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(498): proxy: got
>> response from 127.0.0.1:9091 (127.0.0.1)
>> [Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(2062): proxy: AJP: has
>> released connection for (127.0.0.1)
>> [Tue Apr 27 16:54:39 2010] [info] Initial (No.1) HTTPS request
>> received for child 9 (server it.localhost.de:80 <http://it.localhost.de/>
>> )
>> [Tue Apr 27 16:54:44 2010] [debug] mod_proxy_ajp.c(45): proxy: AJP:
>> canonicalising URL //127.0.0.1:9091/spike/spike/users/3
>> [Tue Apr 27 16:54:44 2010] [debug] proxy_util.c(1488): [client
>> 85.183.135.210] proxy: ajp: found worker ajp://127.0.0.1:9091/spike/
>> for ajp://127.0.0.1:9091/spike/spike/users/3, referer:
>> http://it.localhost.de/
>>
>>
>> Problem is that the "ajp_unmarshal_response: Header[0] [Location] =
>> [https://it.localhost.de/spike/users/3]" doesn't remove the /spike in
>> the response, so that the next request will lead to the
>> doubled-context-path: ajp://127.0.0.1:9091/spike/spike/users/3.
>>
>
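
The two behaviours reported in the quoted question (the untouched `Location` header that ends in a doubled context path, and the redirect loop after adding the extra `ProxyPassReverse` lines), reproduced with a simplified model. This is an added example, not code from the thread or from httpd; the function names are hypothetical, and it assumes that a matched `Location` is rebuilt with the scheme and host of the virtual host serving the request.

```python
# Simplified model of how Apache 2.2 mod_proxy handles the thread's config.
# It is a constructed illustration, not httpd source code.

def proxy_pass(path, fake, real):
    """ProxyPass: replace the matching front-end prefix with the backend URL."""
    return real + path[len(fake):] if path.startswith(fake) else None

def proxy_pass_reverse(location, rules, scheme, host):
    """ProxyPassReverse: rewrite Location only when it starts with a rule's
    'real' URL; the result is rebuilt with the scheme and host of the
    request being served, not with those of the original Location."""
    for fake, real in rules:
        if location.lower().startswith(real.lower()):
            return f"{scheme}://{host}{fake}{location[len(real):]}"
    return location  # no prefix matched: header passes through untouched

HOST = "it.localhost.de"
AJP = "ajp://127.0.0.1:8009/spike/"
REDIRECT = f"https://{HOST}/spike/users/65"   # Location sent by the webapp

def original_config():
    """Only 'ProxyPassReverse / ajp://...': the https Location never matches."""
    seen = proxy_pass_reverse(REDIRECT, [("/", AJP)], "http", HOST)
    # The browser follows it, and ProxyPass prepends the context path again.
    path = seen.split(HOST, 1)[1]
    return seen, proxy_pass(path, "/", AJP)

def with_extra_rules():
    """Adding 'ProxyPassReverse / https://host/spike/' on the port 80 vhost."""
    rules = [("/", AJP), ("/", f"https://{HOST}/spike/"),
             ("/", f"http://{HOST}/spike/")]
    return proxy_pass_reverse(REDIRECT, rules, "http", HOST)

def redirect_hops(limit=5):
    """Count redirects when the app always answers plain HTTP with REDIRECT."""
    url, hops = f"http://{HOST}/users/65", 0
    while url.startswith("http://") and hops < limit:
        url, hops = with_extra_rules(), hops + 1
    return hops

if __name__ == "__main__":
    print(original_config())
    print(with_extra_rules())
    print(redirect_hops())
```

In the second case the HTTPS redirect is handed back to the browser as plain HTTP, so the application keeps issuing the same redirect and the client never reaches the TLS virtual host.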
