tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Roubekas <p...@orthogroup.holdings>
Subject Re: No binary distribution for mod_jk?
Date Mon, 25 Jul 2016 00:10:29 GMT
On 7/24/2016 5:20 PM, Mark Eggers wrote:
> On 7/24/2016 1:13 PM, Paul Roubekas wrote:
>> On 7/23/2016 3:44 PM, Paul Roubekas wrote:
>>> On 7/23/2016 3:15 PM, Paul Roubekas wrote:
>>>> On 7/23/2016 2:57 PM, Christopher Schultz wrote:
>>>>> Paul,
>>>>>
>>>>> On 7/23/16 8:39 AM, Paul Roubekas wrote:
>>>>>> http://www.myDomain.com gets me to Tomcat where my ROOT webapp is
>>>>>> deployed.  Thank you very much!!!
>>>>>> A few things that still need correction...
>>>>>> Not all my webpages/servlets are https, just one is https.
>>>>> No problem. You'll need an HTTPS and HTTP listener in httpd, which it
>>>>> seems you already have working.
>>>>>
>>>>>> I can navigate to any page on the site, except the https page, and
>>>>>> the prefix stays at http://.
>>>>> Good.
>>>>>
>>>>>> But once I hit the https page/servlet two things happen: 1) The
>>>>>> prefix stays at https:// for any other page in the site, even
>>>>>> though the other pages were severed up as http:// in the past.
>>>>> That's generally because your pages are using relative links, which
>>>>> preserve the protocol. Is this a problem? Or do you just want to
>>>>> understand why it's not reverting back to HTTP when HTTPS is not needed?
>>>> I would like to fix it.
>> What do I need to do to stop this behavior?
>>>>>> 2) The port number 8443 now shows in the address bar and does not
>>>>>> go away. What still needs to be done to fix the above two issues.?
>>>>> If the port number shows 8443 then the proxying isn't quite set up
>>>>> correctly. Since you are using httpd, you are probably using port 443
>>>>> for HTTPS traffic. I'm not quite sure how TomEE does configuration,
>>>>> but I suspect it's quite similar to Tomcat. For Tomcat, you'd have a
>>>>> configuration containing a <Connector> which has all kinds of
>>>>> attributes on it. Specifically, there will be one called
>>>>> "redirectPort". By default, that value is set to "8443" because
>>>>> Tomcat's default HTTPS port is 8443. Since you are using httpd, you'll
>>>>> want to change redirectPort to "443". That should stick you to httpd
>>>>> instead of having TomEE serve the requests over port 8443.
>>>> These are the three <Connector> XML configuration elements in my
>>>> server.xml for Tomee
>>>>     <Connector port="8080" protocol="HTTP/1.1"
>>>>                connectionTimeout="20000"
>>>>                 redirectPort="8443" xpoweredBy="false" server="Apache
>>>> TomEE" proxyName="www.myDomain.com" proxyPort="80" />
>>>>
>>>>     <Connector port="8443" maxHttpHeaderSize="8192"
>>>> protocol="org.apache.coyote.http11.Http11Protocol"
>>>>                maxThreads="150" minSpareThreads="25"
>>>> maxSpareThreads="75" enableLookups="false"
>>>>                disableUploadTimeout="true" acceptCount="100"
>>>> SSLEnabled="true" scheme="https" secure="true"
>>>>                keyAlias="server" keystoreFile="[redacted]"
>>>> keystorePass="[redacted]"
>>>>                clientAuth="false" sslProtocol="TLS" xpoweredBy="false"
>>>> server="Apache TomEE" proxyName="www.myDomain.com" proxyPort="80"/>
>>>>
>>>>    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>>>> proxyName="www.myDomain.com" proxyPort="80"/>
>>> Changing the redirectPort= on both <Connector> XML elements to 443
>>> causes the https page to have a "Unable to connect" error.
>> What should I try next?
>>>>> BTW if you aren't using TomEE for HTTPS directly, you can remove that
>>>>> <Connector> entirely. If you are using AJP to proxy from httpd
->
>>>>> TomEE, then you need no other connectors besides the AJP one. It will
>>>>> make your TomEE configuration simpler, use fewer resources, and cause
>>>>> less confusion (like what was happening above, because TomEE was
>>>>> handling the requests, not httpd).
>> I tested just having the AJP <Connector>.  That did not work for the
>> https page.  All pages but the https page worked.  On the https page I
>> got the "Unable to connect" error page.
>>>>>> Later, after the above is fixed, I will be adding Bugzilla and
>>>>>> phpBB to the Fedora 23 server.  I am assuming phpBB and Bugzilla
>>>>>> don't support ajp, and/or I don't need the ajp protocol.  Is that
>>>>>> correct?  AJP is just for Tomcat?
>>>>> AJP actually stands for Apache JServ Protocol, which was invented
>>>>> solely for the purposes of proxying to Java-based application servers.
>>>>> It's mostly outlived its usefulness, but there are some of us die-hard
>>>>> fans out there that simply can't live without mod_jk and all the great
>>>>> things is provides. mod_proxy has been playing catch-up with mod_jk
>>>>> for a very long time, and they are closing-in on feature parity. But
>>>>> not quite yet :)
>>>>>
>>>>>> Since the below questions are off topic I will not be hurt if they
>>>>>> are not answered.  I will go on to another internet search. The
>>>>>> https configurations for phpBB and Bugzilla will just be...
>>>>>> For phpBB: ProxyPass /bb http://localhost:80/bb ProxyPassReverse
>>>>>> /bb http://localhost:80/bb
>>>>> Are you running a separate server for phpBB? Typically, you'll just
>>>>> use an Alias to point a particular URL space to your disk, and use
>>>>> mod_php to run the scripts directly:
>>>>>
>>>>> Alias /bb /path/to/phpBB
>>>> Let give that a try and get back with you.
>> That does not work.  Based on testing it seems the AJP <Connector> takes
>> complete control of all http/https traffic.  I have placed the Alias
>> before the AJP directive.  I have testing putting the Alias directive
>> after the AJP <Connector>.  In both cases when I try MyDomain.com/bb or
>> MyDomain.com/tt return the Tomcat "HTTP Status 404" error page.  I even
>> tried...
>>
>> #  <Location /bb>
>>
>> #     ProxyPass http://localhost/bb
>>
>> #  </Location>
>>
> #
> # Add this before your first ProxyPass
> # However, after your aliases
> #
>
> ProxyPass "/bb" !
> ProxyPass "/tt" !
This works now.  Thanks
>
> #
> # Also this would be a good idea to prevent TomEE manager access
> #
> ProxyPass "/manager" !
I protect this page via IP address.
<Valve className="org.apache.catalina.valves.RemoteAddrValve" 
allow="[redacted]" />
> #
> # Finally, to protect your one servlet
> #
> ProxyPass "/path-to-servlet" !
I have done something wrong here. It is not working.  See more details
below.
>
> #
> # Now add the proxypass
> #
> ProxyPass "/" "ajp://TomEE-host:8009/"
ok
>
> In your ssl.conf, you'll need to proxy the HTTPS-protected servlet
>
> #
> # Protected servlet
> #
> ProxyPass "/path-to-servlet" "ajp://TomEE-host:8009/path-to-servlet"
I did a find on my whole Fedora 23 server looking for ssl.conf.  The
file did not exist.  I created one(ssl.conf) and put it in the same
directory as httpd.conf.  Now the https servlet returns a "Not Found The
requested URL /DonateServlet was not found on this server." 
1) Did I put the ssl.conf in the correct directory?
2) What else can I check?
>
>
> Personally, I don't alias Bugzilla or PHPBB. It just seems like another
> level of indirection.
What do you do?  I am an newbie that is willing to learn.
>
> There are other things that you can do to clean up the configuration,
> but hopefully that will get you up and running.
What "other things"?
>
>> But that did not work either.
>>>>>> For Bugzilla: ProxyPass /tt http://localhost:80/tt ProxyPassReverse
>>>>>> /tt http://localhost:80/tt
>>>>> Same here:
>>>>>
>>>>> Alias /tt /path/to/bugzilla
>>>>>
>>>>> For Bugzilla specifically, you'll need to enable cgi-bin capabilities
>>>>> on that directory. Read the Bugzilla configuration reference for how
>>>>> to enable it. You'll end up with something like this:
>>>>>
>>>>> Alias /tt /path/to/bugzilla
>>>>> RedirectMatch ^/tt$ /tt/index.cgi
>>>>> <Directory "/path/to/bugzilla">
>>>>>     Order allow,deny
>>>>>     Allow from all
>>>>>
>>>>>     Options +ExecCGI
>>>>>     AllowOverride None
>>>>>
>>>>>     AddHandler cgi-script .cgi
>>>>>
>>>>>     DirectoryIndex index.cgi
>>>>>
>>>>>     .. probably some authentication configuration, here, too ..
>>>>>     .. maybe IP- or LDAP-based restrictions, etc. ..
>>>>> </Directory>
>> I have not tested this yet.  There does not seem to be a point when the
>> other configuration don't work yet.
>>>> Thanks for answering this.
>>>>> Hope that helps,
>>>>> -chris
>>>> Hope to return the favor some day :-)
>>>>
>>>>
>>>
>>> -- 
>>> The people that bring you Usque <http://Usque.software/>
> . . . just my two cents
> /mde/
>
>


-- 
The people that bring you Usque <http://Usque.software/>.

Mime
View raw message