tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Roubekas <p...@orthogroup.holdings>
Subject Re: No binary distribution for mod_jk?
Date Mon, 25 Jul 2016 14:34:30 GMT
On 7/24/2016 11:33 PM, Mark Eggers wrote:
> On 7/24/2016 5:10 PM, Paul Roubekas wrote:
>> On 7/24/2016 5:20 PM, Mark Eggers wrote:
>>> On 7/24/2016 1:13 PM, Paul Roubekas wrote:
>>>> On 7/23/2016 3:44 PM, Paul Roubekas wrote:
>>>>> On 7/23/2016 3:15 PM, Paul Roubekas wrote:
>>>>>> On 7/23/2016 2:57 PM, Christopher Schultz wrote:
>>>>>>> Paul,
>>>>>>>
>>>>>>> On 7/23/16 8:39 AM, Paul Roubekas wrote:
>>>>>>>> http://www.myDomain.com gets me to Tomcat where my ROOT webapp
is
>>>>>>>> deployed.  Thank you very much!!!
>>>>>>>> A few things that still need correction...
>>>>>>>> Not all my webpages/servlets are https, just one is https.
>>>>>>> No problem. You'll need an HTTPS and HTTP listener in httpd,
which it
>>>>>>> seems you already have working.
>>>>>>>
>>>>>>>> I can navigate to any page on the site, except the https
page, and
>>>>>>>> the prefix stays at http://.
>>>>>>> Good.
>>>>>>>
>>>>>>>> But once I hit the https page/servlet two things happen:
1) The
>>>>>>>> prefix stays at https:// for any other page in the site,
even
>>>>>>>> though the other pages were severed up as http:// in the
past.
>>>>>>> That's generally because your pages are using relative links,
which
>>>>>>> preserve the protocol. Is this a problem? Or do you just want
to
>>>>>>> understand why it's not reverting back to HTTP when HTTPS is
not needed?
>>>>>> I would like to fix it.
>>>> What do I need to do to stop this behavior?
>>>>>>>> 2) The port number 8443 now shows in the address bar and
does not
>>>>>>>> go away. What still needs to be done to fix the above two
issues.?
>>>>>>> If the port number shows 8443 then the proxying isn't quite set
up
>>>>>>> correctly. Since you are using httpd, you are probably using
port 443
>>>>>>> for HTTPS traffic. I'm not quite sure how TomEE does configuration,
>>>>>>> but I suspect it's quite similar to Tomcat. For Tomcat, you'd
have a
>>>>>>> configuration containing a <Connector> which has all kinds
of
>>>>>>> attributes on it. Specifically, there will be one called
>>>>>>> "redirectPort". By default, that value is set to "8443" because
>>>>>>> Tomcat's default HTTPS port is 8443. Since you are using httpd,
you'll
>>>>>>> want to change redirectPort to "443". That should stick you to
httpd
>>>>>>> instead of having TomEE serve the requests over port 8443.
>>>>>> These are the three <Connector> XML configuration elements
in my
>>>>>> server.xml for Tomee
>>>>>>     <Connector port="8080" protocol="HTTP/1.1"
>>>>>>                connectionTimeout="20000"
>>>>>>                 redirectPort="8443" xpoweredBy="false" server="Apache
>>>>>> TomEE" proxyName="www.myDomain.com" proxyPort="80" />
>>>>>>
>>>>>>     <Connector port="8443" maxHttpHeaderSize="8192"
>>>>>> protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>>                maxThreads="150" minSpareThreads="25"
>>>>>> maxSpareThreads="75" enableLookups="false"
>>>>>>                disableUploadTimeout="true" acceptCount="100"
>>>>>> SSLEnabled="true" scheme="https" secure="true"
>>>>>>                keyAlias="server" keystoreFile="[redacted]"
>>>>>> keystorePass="[redacted]"
>>>>>>                clientAuth="false" sslProtocol="TLS" xpoweredBy="false"
>>>>>> server="Apache TomEE" proxyName="www.myDomain.com" proxyPort="80"/>
>>>>>>
>>>>>>    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>>>>>> proxyName="www.myDomain.com" proxyPort="80"/>
>>>>> Changing the redirectPort= on both <Connector> XML elements to
443
>>>>> causes the https page to have a "Unable to connect" error.
>>>> What should I try next?
>>>>>>> BTW if you aren't using TomEE for HTTPS directly, you can remove
that
>>>>>>> <Connector> entirely. If you are using AJP to proxy from
httpd ->
>>>>>>> TomEE, then you need no other connectors besides the AJP one.
It will
>>>>>>> make your TomEE configuration simpler, use fewer resources, and
cause
>>>>>>> less confusion (like what was happening above, because TomEE
was
>>>>>>> handling the requests, not httpd).
>>>> I tested just having the AJP <Connector>.  That did not work for the
>>>> https page.  All pages but the https page worked.  On the https page I
>>>> got the "Unable to connect" error page.
>>>>>>>> Later, after the above is fixed, I will be adding Bugzilla
and
>>>>>>>> phpBB to the Fedora 23 server.  I am assuming phpBB and Bugzilla
>>>>>>>> don't support ajp, and/or I don't need the ajp protocol.
 Is that
>>>>>>>> correct?  AJP is just for Tomcat?
>>>>>>> AJP actually stands for Apache JServ Protocol, which was invented
>>>>>>> solely for the purposes of proxying to Java-based application
servers.
>>>>>>> It's mostly outlived its usefulness, but there are some of us
die-hard
>>>>>>> fans out there that simply can't live without mod_jk and all
the great
>>>>>>> things is provides. mod_proxy has been playing catch-up with
mod_jk
>>>>>>> for a very long time, and they are closing-in on feature parity.
But
>>>>>>> not quite yet :)
>>>>>>>
>>>>>>>> Since the below questions are off topic I will not be hurt
if they
>>>>>>>> are not answered.  I will go on to another internet search.
The
>>>>>>>> https configurations for phpBB and Bugzilla will just be...
>>>>>>>> For phpBB: ProxyPass /bb http://localhost:80/bb ProxyPassReverse
>>>>>>>> /bb http://localhost:80/bb
>>>>>>> Are you running a separate server for phpBB? Typically, you'll
just
>>>>>>> use an Alias to point a particular URL space to your disk, and
use
>>>>>>> mod_php to run the scripts directly:
>>>>>>>
>>>>>>> Alias /bb /path/to/phpBB
>>>>>> Let give that a try and get back with you.
>>>> That does not work.  Based on testing it seems the AJP <Connector>
takes
>>>> complete control of all http/https traffic.  I have placed the Alias
>>>> before the AJP directive.  I have testing putting the Alias directive
>>>> after the AJP <Connector>.  In both cases when I try MyDomain.com/bb
or
>>>> MyDomain.com/tt return the Tomcat "HTTP Status 404" error page.  I even
>>>> tried...
>>>>
>>>> #  <Location /bb>
>>>>
>>>> #     ProxyPass http://localhost/bb
>>>>
>>>> #  </Location>
>>>>
>>> #
>>> # Add this before your first ProxyPass
>>> # However, after your aliases
>>> #
>>>
>>> ProxyPass "/bb" !
>>> ProxyPass "/tt" !
>> This works now.  Thanks
>>> #
>>> # Also this would be a good idea to prevent TomEE manager access
>>> #
>>> ProxyPass "/manager" !
>> I protect this page via IP address.
>> <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
>> allow="[redacted]" />
>>> #
>>> # Finally, to protect your one servlet
>>> #
>>> ProxyPass "/path-to-servlet" !
>> I have done something wrong here. It is not working.  See more details
>> below.
> Well this should block access to the servlet that you don't want to be
> visible via HTTP (only HTTPS).
>
>>> #
>>> # Now add the proxypass
>>> #
>>> ProxyPass "/" "ajp://TomEE-host:8009/"
>> ok
>>> In your ssl.conf, you'll need to proxy the HTTPS-protected servlet
>>>
>>> #
>>> # Protected servlet
>>> #
>>> ProxyPass "/path-to-servlet" "ajp://TomEE-host:8009/path-to-servlet"
>> I did a find on my whole Fedora 23 server looking for ssl.conf.  The
>> file did not exist.  I created one(ssl.conf) and put it in the same
>> directory as httpd.conf.  Now the https servlet returns a "Not Found The
>> requested URL /DonateServlet was not found on this server." 
>> 1) Did I put the ssl.conf in the correct directory?
>> 2) What else can I check?
> If you want Apache HTTPD to serve HTTPS content (in addition to HTTP
> content), you'll need to install the mod_ssl RPM.
>
> 2.4.23-3.fc23.x86_64.rpm
>
> is the latest release I believe. I'm not sure - my laptop died and with
> it my Fedora install (time to get a new laptop).
>
> In that rpm, you'll find:
>
> /etc/httpd/conf.d/ssl.conf
> /etc/httpd/conf.modules.d/00-ssl.conf
> /usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
> /usr/lib64/httpd/modules/mod_ssl.so
> /usr/libexec/httpd-ssl-pass-dialog
> /var/cache/httpd/ssl
>
> If Fedora and systemd haven't hacked things up too badly, you'll put
> proxypass statements (again, I use mod_jk, so I put in JkMount
> statements) in /etc/httpd/conf.d/ssl.conf.
>
> You'll be terminating SSL on Apache HTTPD, and sending AJP (not
> encrypted) traffic between Apache HTTPD and TomEE.
>
> Prevent the proxypass to your protected servlet (whatever the URL is) by
> using the exclamation point in httpd.conf. Add the required proxypass in
> ssl.conf, which is what Apache HTTPD uses in order to configure SSL.
Not working.  I am getting

Not Found

The requested URL /DonateServlet was not found on this server.

==== ssl.conf =====

#
# Protected servlet
#
ProxyPass "/DonateServlet" "ajp://localhost:8009/DonateServlet"
ErrorLog "/var/log/myDomain.com-error_log"
TransferLog "/var/log/myDomain.com-access_log"


>
>>>
>>> Personally, I don't alias Bugzilla or PHPBB. It just seems like another
>>> level of indirection.
>> What do you do?  I am an newbie that is willing to learn.
>>> There are other things that you can do to clean up the configuration,
>>> but hopefully that will get you up and running.
>> What "other things"?
>>>> But that did not work either.
>>>>>>>> For Bugzilla: ProxyPass /tt http://localhost:80/tt ProxyPassReverse
>>>>>>>> /tt http://localhost:80/tt
>>>>>>> Same here:
>>>>>>>
>>>>>>> Alias /tt /path/to/bugzilla
>>>>>>>
>>>>>>> For Bugzilla specifically, you'll need to enable cgi-bin capabilities
>>>>>>> on that directory. Read the Bugzilla configuration reference
for how
>>>>>>> to enable it. You'll end up with something like this:
>>>>>>>
>>>>>>> Alias /tt /path/to/bugzilla
>>>>>>> RedirectMatch ^/tt$ /tt/index.cgi
>>>>>>> <Directory "/path/to/bugzilla">
>>>>>>>     Order allow,deny
>>>>>>>     Allow from all
>>>>>>>
>>>>>>>     Options +ExecCGI
>>>>>>>     AllowOverride None
>>>>>>>
>>>>>>>     AddHandler cgi-script .cgi
>>>>>>>
>>>>>>>     DirectoryIndex index.cgi
>>>>>>>
>>>>>>>     .. probably some authentication configuration, here, too
..
>>>>>>>     .. maybe IP- or LDAP-based restrictions, etc. ..
>>>>>>> </Directory>
>>>> I have not tested this yet.  There does not seem to be a point when the
>>>> other configuration don't work yet.
>>>>>> Thanks for answering this.
>>>>>>> Hope that helps,
>>>>>>> -chris
>>>>>> Hope to return the favor some day :-)
>>>>>>
>>>>>>
>>>>> -- 
>>>>> The people that bring you Usque <http://Usque.software/>
>>> . . . just my two cents
>>> /mde/
> . . . just my two cents
> /mde/
>
>


-- 
The people that bring you Usque <http://Usque.software/>.

Mime
View raw message