tomcat-users mailing list archives

From Ted Spradley <ted.k.sprad...@gmail.com>
Subject Re: Proxy Apache https to Tomcat http
Date Thu, 27 Oct 2016 16:21:52 GMT
Chris,

On Wed, Oct 5, 2016 at 7:52 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Ted,
>
> On 10/5/16 6:47 PM, Ted Spradley wrote:
> > Chris,
> >
> > On Wed, Oct 5, 2016 at 5:14 PM, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Ted,
> >
> > On 10/5/16 6:10 PM, Ted Spradley wrote:
> >>>> Chris,
> >>>>
> >>>> Thanks for your response.
> >>>>
> >>>> On Wed, Oct 5, 2016 at 3:14 PM, Christopher Schultz <
> >>>> chris@christopherschultz.net> wrote:
> >>>>
> >>>> Ted,
> >>>>
> >>>> On 10/5/16 3:42 PM, TED SPRADLEY wrote:
> >>>>>>> Tomcat 7.0.68 Apache 2.4.6 CentOS  7.2.1511
> >>>>
> >>>> Thanks.
> >>>>
> >>>>>>> Problem: A Tomcat application at context "/mycontext"
> >>>>>>> on port 8081 running through Apache proxy renders as
> >>>>>>> expected when using http://example.com/mycontext but
> >>>>>>> https://example.com/mycontext call renders "The
> >>>>>>> requested URL /mycontext/ was not found on this
> >>>>>>> server."
> >>>>>>>
> >>>>>>> Question: Do I have a Tomcat Connector configuration
> >>>>>>> problem? Or an Apache proxy configuration problem? Or
> >>>>>>> an Apache ssl.conf problem?
> >>>>>>>
> >>>>>>> Note: the CA issued certificate appears to be properly
> >>>>>>> installed as evidence by the lock icon in the url bar
> >>>>>>> displaying "Verified by Š " when doing a mouseover.
> >>>>>>>
> >>>>>>> Files: Httpd.conf -
> >>>>>>> <VirtualHost *:80>
> >>>>>>>   ServerName www.example.com
> >>>>>>>   ServerAlias *.example.com
> >>>>>>>   ProxyRequests off
> >>>>>>>   ProxyPass /mycontext http://example.com:8081/mycontext
> >>>>>>>   ProxyPassReverse /mycontext http://example.com:8081/mycontext
> >>>>>>> </VirtualHost>
> >>>>>>> <VirtualHost *:443>
> >>>>>>>   ProxyRequests off
> >>>>>>>   ProxyPreserveHost on
> >>>>>>>   SSLEngine on
> >>>>>>>   SSLCertificateFile /path/to/certs/ca.crt
> >>>>>>>   SSLCertificateKeyFile /path/to/key/private/exampleDotCom.key
> >>>>>>>   ServerName www.example.com
> >>>>>>>   ServerAlias *.example.com
> >>>>>>>   ProxyPass /mycontext http://example.com:8081/mycontext
> >>>>>>>   ProxyPassReverse /mycontext http://example.com:8081/mycontext
> >>>>>>> </VirtualHost>
> >>>>
> >>>> On first inspection, that looks correct.
> >>>>
> >>>>>>> Tomcat's server.xml Connector
> >>>>>>> <Connector port="8081"
> >>>>>>>   protocol="HTTP/1.1"
> >>>>>>>   connectionTimeout="20000"
> >>>>>>>   proxyName="www.example.com"
> >>>>>>>   proxyPort="80"
> >>>>>>>   redirectPort="8443"
> >>>>>>>   xpoweredBy="false"
> >>>>>>>   server="Apache TomEE" />
> >>>>
> >>>> That also looks correct.
> >>>>
> >>>> How have you deployed your actual application?
> >>>>
> >>>>
> >>>>> Yes. It is deployed and responds as expected through the
> >>>>> proxy when using http.
> >
> > Great. But *HOW* have you deployed your actual application?
> >
> >
> >> Sorry, I missed the "How". I'm not sure what descriptors you are
> >> asking for when you ask how.
>
> Auto-deployed WAR file/directory? WAR/dir deployed via manager
> application? Explicit descriptor XML file placed in
> CATALINA_HOME/conf/[service]/[host]/[app].xml?
>
> WAR/dir deployed via manager application?
Yes
> Explicit descriptor XML file placed in
> CATALINA_HOME/conf/[service]/[host]/[app].xml?
Yes - with a caveat. The path is
CATALINA_HOME/conf/[service]/[host]/context.xml

The only contents being one empty <Context> element with the docBase
attribute defined

<Context docBase="CATALINA_HOME/exampledotcomapps">

</Context>
The CATALINA_HOME/exampledotcomapps directory contains three applications
deployed using the manager application.
1. "http:example.com/mycontext"
2. "http:example.com/anotherContext"
3. "http:example.com/stillAnontherContext"

All three applications are reached as expected through the proxy on port 80.

The path CATALINA_HOME/exampledotcomapps matches the
appBase attribute in the <Host> element for example.com in
CATALINA_HOME/conf/server.xml

I've since defined a separate Connector to listen for the redirect
from Apache on port 8082 because I thought there was a
possibility the proxyPort directive would need to be specifically
port 443 instead of port 80. So now I have a Connector to
receive the port 80 traffic and another for the port 443 traffic.
I've tried it with and without the redirectPort attribute. Still no
success.

The Connectors appear in this order in server.xml

    <Connector port="8081" protocol="HTTP/1.1"
        connectionTimeout="20000"
        proxyName="www.example.com"
        proxyPort="80"
        redirectPort="8443"
        xpoweredBy="false"
        server="Apache TomEE" />

    <Connector port="8082" protocol="HTTP/1.1"
        connectionTimeout="20000"
        proxyName="www.example.com"
        proxyPort="443"
        redirectPort="8443"
        xpoweredBy="false"
        server="Apache TomEE" />

Note: It is curious to me that when I enter https://example.com/
into a browser, Apache serves the page at /var/www/html/index.html
which is in the document root defined in /etc/httpd/conf/httpd.conf
with the directive DocumentRoot "/var/www/html".
My expectation is that the call to https://example.com/ would be
redirected with the pair
  ProxyPass / http://example.com:8082/
  ProxyPassReverse / https://example.com:8082/
in the virtual host element for port 443.

To refresh, the virtual host definitions are currently:

<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias *.example.com
  ProxyRequests off
  ProxyPreserveHost on
  ProxyPass / http://example.com:8081/
  ProxyPassReverse / http://example.com:8081/
  ProxyPass         /mycontext  http://example.com:8081/mycontext
  ProxyPassReverse  /mycontext  http://example.com:8081/mycontext
  ProxyPass         /anotherContext  http://example.com:8081/anotherContext
  ProxyPassReverse  /anotherContext  http://example.com:8081/anotherContext
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
  ServerAlias *.example.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
  ProxyRequests off
  ProxyPreserveHost on
  CustomLog "/etc/httpd/logs/examplessl.log" "%h %l %u %t \"%r\" %>s %b"
  ErrorLog "/etc/httpd/logs/examplessl_error.log"
  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile /etc/pki/tls/certs/certfile.crt
  SSLCertificateKeyFile /etc/pki/tls/private/example.key
  ProxyRequests off
  ProxyPreserveHost on
  ProxyPass / http://example.com:8082/
  ProxyPassReverse / https://example.com:8082/
  ProxyPass         /mycontext  http://example.com:8082/mycontext
  ProxyPassReverse  /mycontext  http://example.com:8082/mycontext
  ProxyPass         /anotherContext  http://example.com:8082/anotherContext
  ProxyPassReverse  /anotherContext  http://example.com:8082/anotherContext
</VirtualHost>

Any other thoughts as to what I may not be seeing here? I think I've read
the docs exhaustively. Your responses are much appreciated.

Thank you,
Ted S.

> -chris
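The following is an added example, not code from the thread or from the Apache or Tomcat projects: a small consistency check run over the proxy rules of the `*:443` virtual host and the port 8082 Connector quoted in the message. It flags ProxyPass rules listed after a broader one, ProxyPassReverse targets that differ from the ProxyPass target, and a Connector behind the HTTPS proxy that leaves `scheme` and `secure` at their defaults, so that `request.getScheme()` and `request.isSecure()` still report plain HTTP. The function names and the simplified prefix test in `covers` are assumptions made for illustration, and the sample input is constructed from the configuration above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: proxy rules from the *:443 vhost and the 8082 Connector above.
VHOST_443 = """\
ProxyPass / http://example.com:8082/
ProxyPassReverse / https://example.com:8082/
ProxyPass         /mycontext  http://example.com:8082/mycontext
ProxyPassReverse  /mycontext  http://example.com:8082/mycontext
"""
CONNECTOR_8082 = ('<Connector port="8082" protocol="HTTP/1.1" '
                  'proxyName="www.example.com" proxyPort="443" redirectPort="8443" />')

def covers(prefix, path):
    """Simplified prefix test: would a ProxyPass on `prefix` also match `path`?"""
    return prefix == "/" or path == prefix or path.startswith(prefix.rstrip("/") + "/")

def lint_vhost(text):
    """Check ProxyPass/ProxyPassReverse lines in file order; return findings."""
    findings, passes, reverses = [], [], {}
    for line in text.splitlines():
        m = re.match(r"\s*(ProxyPass(?:Reverse)?)\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        directive, path, url = m.groups()
        if directive == "ProxyPassReverse":
            reverses[path] = url
            continue
        # mod_proxy uses the first matching ProxyPass, so a broader earlier rule wins.
        shadow = next((p for p, _ in passes if covers(p, path)), None)
        if shadow:
            findings.append(f"shadowed: {path} (listed after {shadow})")
        passes.append((path, url))
    for path, url in passes:
        # ProxyPassReverse rewrites only headers that begin with the URL it names.
        if reverses.get(path, url) != url:
            findings.append(f"mismatch: {path} -> {url} vs reverse {reverses[path]}")
    return findings

def lint_connector(xml_text):
    """Flag a Connector fronted by an HTTPS proxy that still reports plain HTTP."""
    attrs = ET.fromstring(xml_text).attrib
    if attrs.get("proxyPort") != "443":
        return []
    wanted = (("scheme", "http", "https"), ("secure", "false", "true"))  # name, default, needed
    return [f'{n}="{w}" not set' for n, d, w in wanted if attrs.get(n, d) != w]

if __name__ == "__main__":
    print("\n".join(lint_vhost(VHOST_443) + lint_connector(CONNECTOR_8082)))
```
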