tomcat-users mailing list archives

From Aaron Gray <>
Subject Re: Strange URL rewrite when reverse proxy with Apache HTTP Server
Date Tue, 21 Feb 2017 23:55:56 GMT
Honestly, thank you for your replies and helping me step through this.  I
was at my wits' end with no known place to go.  I appreciate it, truly.

I have to leave now to be somewhere in like 15 minutes, so I can't really
get in to all this now, but I read it, and I will dedicate time to it
tomorrow at work.
A works
B works
C does not work

I am waiting on the vendor BMC Software to get back to me on this.

I should add also that I have another application which is not Tomcat, but
I do the same F5 -> Apache HTTP Server (2.2.31) -> App Server, with HTTPS
termination on Apache HTTP Server, and it works perfectly.  I asked the
Network Folks to compare the configs and they say the config is good.  I
will also escalate here at my company and perhaps when I have even more
ammo (logs per your request and such) to get F5 support involved.

I suspect they'll probably try to point the finger elsewhere, which will
make this an even bigger hassle.

On Tue, Feb 21, 2017 at 3:39 PM, André Warnier (tomcat) <>

> On 21.02.2017 23:28, Aaron Gray wrote:
>> Antonio:  The Tomcat server has no knowledge of the F5, or that it is
>> being
>> fronted by an Apache HTTP Server.  I do SSL termination in Apache HTTP
>> Server, and clear-text from HTTP to Tomcat.
>> My redirect port for the normal HTTP listen in Tomcat is commented out.
>>      <Connector port="18080" protocol="HTTP/1.1"
>>                 connectionTimeout="20000" />
>>      <!-- A "Connector" using the shared thread pool-->
>>      <!--
>>      <Connector executor="tomcatThreadPool"
>>                 port="8080" protocol="HTTP/1.1"
>>                 connectionTimeout="20000"
>>                 redirectPort="8443" />
>>      -->
>> Andre:
>> The URL I am using is
>> It is listening on port 80 and 443, if you hit 80, internally it redirects
>> you to 443.  No SSL cert on the F5 load balancer.  It simply sends the
>> traffic to one of the two HTTP servers (round-robin, also tried
>> persistence, no difference).  The HTTP server is listening only for HTTPS
>> on 23270/tcp.
>> Hitting
>> I see my "Hello world!" which is all that is in index.html.  This is the
>> DocumentRoot of HTTP, and *not* proxied over at this time.
> So in this case, there is no delay, and you get the Apache httpd-hosted
> "index.html" containing "Hello World". Right?
>   Only
>> /SelfService and /static are proxied
>> /static just being my test of static content, but still served up by
>> Tomcat..
>> It's exactly 30 seconds before the page cannot be loaded when trying
>> anything proxied to Tomcat, but also accessed via the F5 load balancer.
>> Not sure where the 30 seconds comes from; perhaps a load balancer time
>> out,
>> as I don't see a "30" in my httpd configurations or my tomcat server.xml
> You can certainly look at the Apache httpd logs, and the tomcat logs, to
> see if you get a request or not.
> In Apache httpd, you can set the loglevel individually for mod_proxy (if
> you are running v 2.4), and it should show something if it gets this
> request and forwards it to tomcat.
> In tomcat, you can either enable an access log (which will show if it
> receives this request), or you could temporarily remove/rename the /static
> webapp. This way, it should trigger an error "not found" which you would
> also see in the error log.
> There should be nothing between them to hinder it.  We have many load
>> balancers and this one specifically you don't need to open any firewall
>> requests for the specific networks the HTTP servers are on.  I did have to
>> get the firewall opened up to allow me to hit
>> because the VIP for "
>> is in the DMZ, and my Desktop & VPN networks cannot hit it on 80/443
>> without opening holes.  But beyond that, any connection from the F5 to the
>> HTTP Server should be 100% open bi-directional, since same subnet.
> But something isn't working, otherwise you would not be asking.
> So,
> a) hitting the tomcat webapps through httpd seems to be working fine
>   (browser -> httpd:23270 -> tomcat:18080 -> webapp or static)
> b) hitting a non-proxied-to-tomcat resource of httpd seems to work fine
> too, even through the F5
>   (browser -> F5:443 -> httpd:23270 -> html page)
> c) it is only when you do :
>   (browser -> F5:443 -> httpd:23270 -> tomcat:18080 -> webapp or static)
>   that you see this issue
> It would really help if you looked in the logs of both httpd and tomcat,
> and checked for differences between cases a, b and c above.
> I believe that the F5 message with the port 23270 is a minor issue, of
> information disclosure by the F5, that it should not disclose.
> But the reason why it returns this error is obviously that in that case,
> it does not get a response from his request to httpd.
> The reason for this response not coming back to the F5 (in case c only),
> can be due to either httpd or tomcat. But F5 doesn't know about tomcat. So
> for the F5, it is httpd which is not responding. Thus,
> - either httpd is never getting the request from the F5 (unlikely, because
> in b above it gets it and responds)
> - or httpd is getting the request from the F5, but not forwarding it to
> tomcat, but also not returning an immediate error response to F5 (which
> seems also unlikely, because of a and b)
> - or httpd is getting the request, forwarding it to tomcat, but not
> getting a response from tomcat. So
>   - either tomcat is never getting the request from httpd (but in a, it
> gets it)
>   - or tomcat is getting the request from httpd, but not responding (but
> in a, it does)
>   - or tomcat is getting the request and responding, but the response
> never gets back to httpd (but in a, it does)
> So if a and b and c are all accurate, there is something apparently
> illogical happening.
> This would lead to the conclusion that a and b and c cannot all be
> accurate.
> The logs.. ?
>> On Tue, Feb 21, 2017 at 2:05 PM, Antonio S. Cofino <>
>> wrote:
>>> Aaron, on tomcat instances change the redirectPort attribute on the http
>>> connector to the load balancer's port 443
>>> My guess is that your webapp has a restriction rule requesting an SSL
>>> confidential channel. Therefore the non-confidential requests to the 18080
>>> port from the
>>> balancer are redirected to the 23270 port, but it should be 443.
>>> Antonio
>>> On 21/2/2017 19:46, "Aaron Gray" <> wrote:
>>> I have an application server from a vendor that comes bundled with an
>>> additional Apache Tomcat server.  The webapp SelfService.war is vendor
>>> supplied too.
>>> Here's my problem (IPs replaced to protect the innocent):
>>> networks:
>>> DMZ=172.x.x.x
>>> INTERNAL=10.x.x.x
>>> server1 https listen =
>>> server2 https listen =
>>> F5 load balancer hostname =
>>> backend tomcat server =
>>> mod_proxy configuration:
>>> ProxyPass /SelfService
>>> ProxyPassReverse /SelfService
>>> When I access these DMZ webservers which mod_proxy back to Apache Tomcat
>>> as:
>>> and
>>> <
>>> >
>>> They load properly. Perfectly, every time!
>>> When I access these DMZ webservers via the F5 load balancer (to which I
>>> don't have access, but the network folks configure for me), it hangs.
>>> Eventually returns:
>>> can't load.
>>> No idea why the URL is being re-written with the ":23270".
>>> I added static content to the server.xml on (Tomcat) to test:
>>> <Context docBase="/path/to/tomcat/static" path="/static" />
>>> Then put a simple index.html in there.  Accessing via the Apache Web
>>> Servers works fine, but if you hit it with the Load Balancer it once
>>> again
>>> adds the
>>> Do you have any thoughts?  Thanks so much, I have been working with this
>>> for weeks now with no success
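Added example, not code from anyone in this thread: a small script that does the log comparison André asks for, matching each httpd access-log line to a Tomcat access-log line, labelling it as case a, b or c, and flagging a request that httpd saw but Tomcat never logged, or a redirect whose Location carries httpd's port 23270. It assumes a custom httpd LogFormat of "%h %t \"%r\" %>s \"%{Location}o\"", Tomcat's default "common" AccessLogValve pattern, a constructed F5 source address (172.16.0.9) and a constructed hostname (lb.example.test); the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Assumed: the F5 reaches httpd
# from 172.16.0.9, and only /SelfService and /static are proxied to Tomcat.
F5_ADDRS = {"172.16.0.9"}
PROXIED = ("/SelfService", "/static")
HTTPD_LOG = """\
10.0.0.7 [21/Feb/2017:15:01:02 -0500] "GET /SelfService/ HTTP/1.1" 200 "-"
172.16.0.9 [21/Feb/2017:15:01:10 -0500] "GET /index.html HTTP/1.1" 200 "-"
172.16.0.9 [21/Feb/2017:15:01:20 -0500] "GET /static/ HTTP/1.1" 302 "https://lb.example.test:23270/static/"
"""
TOMCAT_LOG = """\
10.0.0.7 - - [21/Feb/2017:15:01:03 -0500] "GET /SelfService/ HTTP/1.1" 200 1234
172.16.0.9 - - [21/Feb/2017:15:01:20 -0500] "GET /static/ HTTP/1.1" 302 -
"""
# httpd: %h %t "%r" %>s "%{Location}o"   Tomcat common: %h %l %u %t "%r" %s %b
HTTPD_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
TOMCAT_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def _ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def correlate(httpd_log=HTTPD_LOG, tomcat_log=TOMCAT_LOG, skew=timedelta(seconds=5)):
    """One record per httpd request: which case it is, whether Tomcat logged it, and findings."""
    tomcat = [TOMCAT_RE.match(l).groups() for l in tomcat_log.splitlines() if l.strip()]
    used, report = set(), []
    for line in httpd_log.splitlines():
        m = HTTPD_RE.match(line)
        if not m:
            continue
        client, when, method, path, status, location = m.groups()
        via_f5, proxied = client in F5_ADDRS, path.startswith(PROXIED)
        case = "c" if via_f5 and proxied else "b" if via_f5 else "a" if proxied else "local"
        # Pair with the first unused Tomcat line for the same method+path within the clock skew.
        hit = next((i for i, t in enumerate(tomcat) if i not in used
                    and t[2:4] == (method, path) and abs(_ts(t[1]) - _ts(when)) <= skew), None)
        findings = []
        if proxied and hit is None:
            findings.append("httpd logged the request but Tomcat did not: check forwarding/reply")
        if ":23270" in location:
            findings.append("Location carries httpd's port 23270 instead of the F5's 443: "
                            "Tomcat built the redirect from the port it was given (see redirectPort)")
        if hit is not None:
            used.add(hit)
        report.append({"case": case, "client": client, "path": path, "httpd_status": int(status),
                       "tomcat_status": int(tomcat[hit][4]) if hit is not None else None,
                       "location": location, "findings": findings})
    return report
```

Run it against real logs by reading the two files into `correlate(httpd_text, tomcat_text)`; case "b" rows are expected to have no Tomcat line, so only proxied paths are flagged.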
