Return-Path: 
 <users-return-215927-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 82180 invoked from network); 19 Aug 2010 19:56:57 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 19 Aug 2010 19:56:57 -0000
Received: (qmail 94244 invoked by uid 500); 19 Aug 2010 19:56:53 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 94139 invoked by uid 500); 19 Aug 2010 19:56:52 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 94130 invoked by uid 99); 19 Aug 2010 19:56:52 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 Aug 2010 19:56:52 +0000
X-ASF-Spam-Status: No, hits=-0.7 required=10.0
	tests=RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of linux@cgi-net.ch designates
 82.195.224.42 as permitted sender)
Received: from [82.195.224.42] (HELO mxo42.mail.genotec.ch) (82.195.224.42)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 Aug 2010 19:56:46 +0000
Received: from mxo42.mail.genotec.ch (localhost [127.0.0.1])
	by dkgate.mx.genotec.ch (Postfix) with ESMTP id C254D5A957B
	for <users@tomcat.apache.org>; Thu, 19 Aug 2010 21:56:25 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=genotec.ch; h=mime-version
	:date:from:to:subject:in-reply-to:references:message-id
	:content-transfer-encoding:content-type; s=dkim; bh=6evleT4Mo6Rv
	VYAAalirBtLiLh4=; b=qBAZvtyhANcSZtwdp9nXt2UJY6E65Km7HlhbBkASEJaT
	51PLULl6dIeWXDW8qzNPmxVTK9YykQOF8mH6OsRHlt/ih4Wz0fqSN3H8a6fQk+Uj
	IsocXHpfkMxZwlD2IS4WeU8yzPiZ2rE7hZo2IKw7KndBQHYdOAp7h6dj1yEAbgg=
Received: from mxo42.mail.genotec.ch (localhost [127.0.0.1])
	by avgate.mx.genotec.ch (Postfix) with ESMTP id 9B2A35A955C
	for <users@tomcat.apache.org>; Thu, 19 Aug 2010 21:56:25 +0200 (CEST)
Received: from webmail.genotec.ch (wmc-bsd-224-061.genotec.ch [82.195.224.61])
	by mxo42.mail.genotec.ch (Postfix) with ESMTP id 74C0D5A9557
	for <users@tomcat.apache.org>; Thu, 19 Aug 2010 21:56:25 +0200 (CEST)
MIME-Version: 1.0
Date: Thu, 19 Aug 2010 21:56:25 +0200
From: <linux@cgi-net.ch>
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Apache reverse proxy to tomcat application server
In-Reply-To: <bfb24dd2d2bfb33d5a4854ac0834f8e1@localhost>
References: <8fe79e68627e1dab3152678878a719f2@localhost>
 <4C6D7EB5.5010307@kippdata.de> <0de2e6bfba297c3600277f55ab605390@localhost>
 <4C6D85D9.6070904@kippdata.de> <bfb24dd2d2bfb33d5a4854ac0834f8e1@localhost>
Message-ID: <17e7134f6938f3a2948bf4499c8a6a40@localhost>
X-Sender: linux@cgi-net.ch
User-Agent: RoundCube Webmail/0.2.1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
X-GIC-MailScanner-Outbound: ClamAV using ClamSMTP
X-Virus-Checked: Checked by ClamAV on apache.org

On Thu, 19 Aug 2010 21:35:40 +0200, <linux@cgi-net.ch> wrote:
> On Thu, 19 Aug 2010 21:28:25 +0200, Rainer Jung
<rainer.jung@kippdata.de>
> wrote:
>> On 19.08.2010 21:17, linux@cgi-net.ch wrote:
>>> On Thu, 19 Aug 2010 20:57:57 +0200, Rainer
> Jung<rainer.jung@kippdata.de>
>>> wrote:
>>>> On 19.08.2010 20:27, linux@cgi-net.ch wrote:
>>>>> Hi List,
>>>>>
>>>>> I'm running mod_jk on a apache 2.2.14 connecting to a second host,
>>>>> running
>>>>> tomcat 5 server with a third party application.
>>>>> This application is configured to display some company internal
>>>>> information when accessing the page directly without any
> subdirectory:
>>>>> like: http://<servername>/
>>>>> A second application part is located under address
>>>>> http://<servername>/application ->   please note, this is not a
>>> directory,
>>>>> this is a servlet-mapping made by tomcat (and we can't change the
>>> tomcat
>>>>> setup as we would loose support for it)
>>>>>
>>>>> My problem is now, that I only what to grant access to
>>>>> http://<servername>/application for external customers through the
>>> apache
>>>>> mod_jk setup.
>>>>> But of some reason do I have trouble implementing this.
>>>>
>>>> How did you try to achive that?
>>>>
>>>> JkMount /application|/* worker1
>>> I tried it with JkMount /application worker1 and with JkMount
>>> /application* worker1
>>>
>>> Quick question, you've written JkMOunt /application|/, what does the |
>>> stand for?
>> 
>> JkMount /application|/* worker1
>> 
>> is a short syntax for the two rules
>> 
>> JkMount /application worker1
>> JkMount /application/* worker1
> Thanks for that hint, might be useful for further work
> 
>> 
>>>> Is the application deployed on Tomcat using the same context name
>>>> "/application"?
>>> Yes
>> 
>> Good.
>> 
>>>> What was the exact result, when you tried that?
>>> Well it displays the login page, but the formatting of the does not
> work,
>>> and when I hit the submit button, nothing is happening.
>>> Do you think that it is possible that /application does require / to
be
>>> access able as well (both application coming from the same vendor and
> are
>>> related to each other)
>> 
>> Aaaah!
>> 
>> Yes it is quote possible that the page contains links to other content 
>> that does not reside under /application. Those could be CSS (style 
>> sheets) responsible for correct rendering and JS (JavaScript files) 
>> responsible for actions when pressing buttons. You can look at the 
>> source code of the login page or use some browser plugin that shows you

>> all links referenced in the page. Some browsers might show you the info

>> out of the box.
> OK, I'll need to check that - please note that this will require some
> time.
You were right, there were *.js files, which the application is/was
sharing between / and /application
With JkMount /*.js worker1 everything is working now - except some
pictures, but this is fine (can do the same for them too)

> 
>> 
>>>>> The stuff only works if I configure mod_jk to JkMount /* - but with
>>> that,
>>>>> also the page ttp://<servername>/ is access-able.
>>>>> I've also tried it with Rewrite rules (to make sure everything else
>>> than
>>>>> http://<servername/application is redirected to this address), etc.
> but
>>>>> nothing was/is working.
>>>>
>>>> Rewriting will not be necessary as long as the context name on Tomcat
> is
>>>
>>>> "/application".
>>>>
>>>>> Please find below some information about my setup:
>>>>>
>>>>> ###
>>>>> ### setup information
>>>>> ###
>>>>> mod_jk version: 1.2.30
>>>>> mod_jk httpd configuration (that's how it is working but it will
> allow
>>>>> access to any application, served by the tomcat server):
>>>>> # Some URL Redirecting is required
>>>>> RewriteEngine On
>>>>> RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
>>>>> RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
>>>>> RewriteCond %{REQUEST_URI} !=/application
>>>>> RewriteRule .* /application
>>>>
>>>> Let's remove the rewriting as long as we are debugging your original
>>>> problem.
>>> OK, I've anyway disabled them already since they were not working
>>>
>>>>
>>>>> # Load Module
>>>>> LoadModule      jk_module       modules/mod_jk.so
>>>>> # Worker File
>>>>> JkWorkersFile   /<path to worker file>/workers.properties
>>>>> # Where to put the log
>>>>> JkLogFile       /<path to log file>/mod_jk.log
>>>>> # Log level
>>>>> JkLogLevel      debug
>>>>> # Select the timestamp log format
>>>>> JkLogStampFormat        "[%a %b %d %H:%M:%S %Y] "
>>>>> JkMount         /* worker1
>>>>>
>>>>> mod_jk worker configuration:
>>>>> # Define 1 real worker using ajp13
>>>>> worker.list=worker1
>>>>> # Set properties for worker1 (ajp13)
>>>>> worker.worker1.type=ajp13
>>>>> worker.worker1.host=chnovmn3.lcsys.ch
>>>>> worker.worker1.port=8009
>>>>> worker.worker1.connection_pool_timeout=60
>>>>> worker.worker1.socket_keepalive=1
>>>>
>>>> The log snippert you provided was parts of the log produced by
>>>> successful requests, i.e. requests that were forwarded to tomcat and
>>>> replied stuff. Please do provide the log contents for a request that
>>>> does not work, i.e. which does show the problem.
>>> I can send you more log files, but I think the problem is more related
>>> with the application it self.
>> 
>> Right.
>> 
>>> The error I receive from apache is 404 which means he can not find the
>>> document (which indicates that I've made some configuration mistake)
>> 
>> You can look at the Apache access log to check, what other resources
the
> 
>> browser tries to access. Maybe they are contained in a few other
folders
> 
>> or have a few file content suffixes you can add with a couple of 
>> additional JkMounts.
> As soon as I've checked the source code of the page, I'll try to go with
> this solution.
> Hope it works
As written above, that was the problem ... I've applied the change and
everything is working now.
The only thing I have to-do is to redirect 404 return code to
http://<server name>/application - but that should not be a problem

> 
>> 
>>> General question, is it possible to allow access to /* to make the
> stuff
>>> working but restrict access for customers to /application
>>> (like you can do it with<directory>  stanza in apache)
>> 
>> In principle it is possible. The details depend on what "customers" are

>> (defined by IP or what?) and which URLs precisely need to be public vs.

>> private.
> Hmmm, customers can come from everywhere ... so I think this will be
> difficult.
> Basically the only URL which needs to be public access able is
> http://<servername>/application
> everything else should remain private
I'll see how I can implement this, maybe Apache <Location> stanza will
work

Thanks and all the best,
Simon

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org