Posted to users@tomcat.apache.org by "rugman66 ." <jb...@gmail.com> on 2020/06/30 23:41:52 UTC

Re: Fwd: Reverse proxy and SSL redirect

On Wed, Apr 22, 2020 at 9:21 AM Mark Thomas <ma...@apache.org> wrote:
>
> On 22/04/2020 00:11, rugman66 . wrote:
>
> <snip/>
>
> >        Tomcat log  (I'm trying to get more debug level logging)
> >             2020-04-21 13:39:33 INFO  app.CompletionRestController
> > Unsupported Media Type in Header
> >
> >       Postman
> >            415 Unsupported Media Type
> >
> >       GET URL
> >             http://server.com/app/api/completions.json?username=foo
> >
> > Both Tomcat and Apache are running SSL because all internal endpoints
> > are required to be secure.
>
> Looks like the app is generating the error. That moves us forwards.
>
> Try enabling the RequestDumperFilter. That should dump the full set of
> request headers received which will hopefully help explain what is going on.
>
> Mark

Hi Mark,

Was on unplanned leave for the past few months, but back.

I did try to enable RequestDumperFilter, however the file was created
but no log entries created. I did find something interesting. When I
test in Postman with HTTP it does redirect to HTTPD but throws the
error. However when I change the URL in Postman using HTTPD I get the
expected reply and see the proxy is indeed working. It's only throwing
the error when the redirect occurs. Seems to me the issue lies there,
but I still can't find a resolution. Any suggestions would be
appreciated.

Regards
-John

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Fwd: Reverse proxy and SSL redirect

Posted by "rugman66 ." <jb...@gmail.com>.
On Wed, Jul 1, 2020 at 3:26 AM Mark Thomas <ma...@apache.org> wrote:
>
> On 01/07/2020 00:41, rugman66 . wrote:
> > On Wed, Apr 22, 2020 at 9:21 AM Mark Thomas <ma...@apache.org> wrote:
> >>
> >> On 22/04/2020 00:11, rugman66 . wrote:
> >>
> >> <snip/>
> >>
> >>>        Tomcat log  (I'm trying to get more debug level logging)
> >>>             2020-04-21 13:39:33 INFO  app.CompletionRestController
> >>> Unsupported Media Type in Header
> >>>
> >>>       Postman
> >>>            415 Unsupported Media Type
> >>>
> >>>       GET URL
> >>>             http://server.com/app/api/completions.json?username=foo
> >>>
> >>> Both Tomcat and Apache are running SSL because all internal endpoints
> >>> are required to be secure.
> >>
> >> Looks like the app is generating the error. That moves us forwards.
> >>
> >> Try enabling the RequestDumperFilter. That should dump the full set of
> >> request headers received which will hopefully help explain what is going on.
> >>
> >> Mark
> >
> > Hi Mark,
> >
> > Was on unplanned leave for the past few months, but back.
> >
> > I did try to enable RequestDumperFilter, however the file was created
> > but no log entries created. I did find something interesting. When I
> > test in Postman with
> > HTTP it does redirect to HTTPD but throws the error. However when I
> > change the URL in Postman using HTTPD I get the expected reply and see
> > the
> > proxy is indeed working. It's only throwing the error when the
> > redirect occurs. Seems to me the issue lies there, but I still can't
> > find a resolution. Any
> > suggestions would be appreciated.
>
> You need to find a way to see the full traffic for both client<->httpd
> and httpd<->Tomcat.
>
> Wireshark is one option. You'll need to configure it to decrypt the TLS.
>
> The access logs will also confirm whether requests are passed to Tomcat
> or handled by httpd.
>
> Mark

Unfortunately I cannot use wireshark as this is in one of our data centers,
and information security would flag packet sniffing as malicious. However I
did record the Apache access log entry for one attempt
and Apache error log entries from three separate attempts. Interestingly
enough all three differ in length. Also included the catalina.out log
entry. Below are the log snippets.

Appreciate your time
-John


*Tomcat*
catalina.out:
2020-07-01 13:18:59 INFO  app.CompletionRestController Unsupported Media
Type in Header

*Apache*
access log:
10.24.36.111 - - [01/Jul/2020:13:18:59 -0700] "GET
/app/api/completions.json?username=me HTTP/1.1" 415 46 "-" "Mozilla/5.0
(Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0"

error log:
[Wed Jul 01 10:42:24.994833 2020] [ssl:info] [pid 4874] [client
10.24.36.111:54100] AH01964: Connection to child 2 established (server
englearn-app3.foo.com:443)
[Wed Jul 01 10:42:25.011695 2020] [proxy:debug] [pid 72913]
proxy_util.c(1843): AH00925: initializing worker proxy:reverse shared
[Wed Jul 01 10:42:25.011740 2020] [proxy:debug] [pid 72913]
proxy_util.c(1885): AH00927: initializing worker proxy:reverse local
[Wed Jul 01 10:42:25.011903 2020] [proxy:debug] [pid 72913]
proxy_util.c(1936): AH00931: initialized single connection worker in child
72913 for (*)
[Wed Jul 01 10:42:25.011912 2020] [proxy:debug] [pid 72913]
proxy_util.c(1843): AH00925: initializing worker
https://englearn-app3.foo.com:8443/app shared
[Wed Jul 01 10:42:25.011917 2020] [proxy:debug] [pid 72913]
proxy_util.c(1885): AH00927: initializing worker
https://englearn-app3.foo.com:8443/app local
[Wed Jul 01 10:42:25.011934 2020] [proxy:debug] [pid 72913]
proxy_util.c(1936): AH00931: initialized single connection worker in child
72913 for (englearn-app3.foo.com)
[Wed Jul 01 10:42:25.041766 2020] [proxy:trace2] [pid 4874]
proxy_util.c(1985): [client 10.24.36.111:54100] https: found worker
https://englearn-app3.foo.com:8443/app for
https://englearn-app3.foo.com:8443/app/api/completions.json?username=me,
referer: http://englearn-app3.foo.com/app/api/completions.json?username=me
[Wed Jul 01 10:42:25.041787 2020] [proxy:debug] [pid 4874]
mod_proxy.c(1123): [client 10.24.36.111:54100] AH01143: Running scheme
https handler (attempt 0), referer:
http://englearn-app3.foo.com/app/api/completions.json?username=me
[Wed Jul 01 10:42:25.041804 2020] [proxy:debug] [pid 4874]
proxy_util.c(2203): AH00942: HTTPS: has acquired connection for (
englearn-app3.foo.com)
[Wed Jul 01 10:42:25.041826 2020] [proxy:debug] [pid 4874]
proxy_util.c(2256): [client 10.24.36.111:54100] AH00944: connecting
https://englearn-app3.foo.com:8443/app/api/completions.json?username=me to
englearn-app3.foo.com:8443, referer:
http://englearn-app3.foo.com/app/api/completions.json?username=me
[Wed Jul 01 10:42:25.042535 2020] [proxy:debug] [pid 4874]
proxy_util.c(2426): [client 10.24.36.111:54100] AH00947: connected
/app/api/completions.json?username=me to englearn-app3.foo.com:8443,
referer: http://englearn-app3.foo.com/app/api/completions.json?username=me
[Wed Jul 01 10:42:25.042561 2020] [proxy:trace2] [pid 4874]
proxy_util.c(2768): HTTPS: fam 2 socket created to connect to
englearn-app3.foo.com
[Wed Jul 01 10:42:25.042680 2020] [proxy:debug] [pid 4874]
proxy_util.c(2802): AH02824: HTTPS: connection established with
171.71.174.236:8443 (englearn-app3.foo.com)
[Wed Jul 01 10:42:25.042706 2020] [proxy:debug] [pid 4874]
proxy_util.c(2942): AH00962: HTTPS: connection complete to
171.71.174.236:8443 (englearn-app3.foo.com)
[Wed Jul 01 10:42:25.042714 2020] [ssl:info] [pid 4874] [remote
171.71.174.236:8443] AH01964: Connection to child 0 established (server
englearn-app3.foo.com:443)
[Wed Jul 01 10:42:25.052202 2020] [proxy:debug] [pid 4874]
proxy_util.c(2218): AH00943: https: has released connection for (
englearn-app3.foo.com)
[Wed Jul 01 10:42:26.006881 2020] [proxy:debug] [pid 72915]
proxy_util.c(1843): AH00925: initializing worker proxy:reverse shared
[Wed Jul 01 10:42:26.006924 2020] [proxy:debug] [pid 72915]
proxy_util.c(1885): AH00927: initializing worker proxy:reverse local
[Wed Jul 01 10:42:26.006965 2020] [proxy:debug] [pid 72915]
proxy_util.c(1936): AH00931: initialized single connection worker in child
72915 for (*)
[Wed Jul 01 10:42:26.006977 2020] [proxy:debug] [pid 72915]
proxy_util.c(1843): AH00925: initializing worker
https://englearn-app3.foo.com:8443/app shared
[Wed Jul 01 10:42:26.006983 2020] [proxy:debug] [pid 72915]
proxy_util.c(1885): AH00927: initializing worker
https://englearn-app3.foo.com:8443/app local
[Wed Jul 01 10:42:26.007000 2020] [proxy:debug] [pid 72915]
proxy_util.c(1936): AH00931: initialized single connection worker in child
72915 for (englearn-app3.foo.com)
[Wed Jul 01 10:42:30.053800 2020] [ssl:info] [pid 4874] (70007)The timeout
specified has expired: [client 10.24.36.111:54100] AH01991: SSL input
filter read failed.


[Wed Jul 01 13:14:38.484133 2020] [ssl:info] [pid 92711] [client
10.24.36.111:63197] AH01964: Connection to child 2 established (server
englearn-app3.foo.com:443)
[Wed Jul 01 13:14:38.508915 2020] [proxy:trace2] [pid 92711]
proxy_util.c(1985): [client 10.24.36.111:63197] https: found worker
https://englearn-app3.foo.com:8443/app for
https://englearn-app3.foo.com:8443/app/api/completions.json?username=me
[Wed Jul 01 13:14:38.508959 2020] [proxy:debug] [pid 92711]
mod_proxy.c(1123): [client 10.24.36.111:63197] AH01143: Running scheme
https handler (attempt 0)
[Wed Jul 01 13:14:38.508976 2020] [proxy:debug] [pid 92711]
proxy_util.c(2203): AH00942: HTTPS: has acquired connection for (
englearn-app3.foo.com)
[Wed Jul 01 13:14:38.508991 2020] [proxy:debug] [pid 92711]
proxy_util.c(2256): [client 10.24.36.111:63197] AH00944: connecting
https://englearn-app3.foo.com:8443/app/api/completions.json?username=me to
englearn-app3.foo.com:8443
[Wed Jul 01 13:14:38.509095 2020] [proxy:debug] [pid 92711]
proxy_util.c(2426): [client 10.24.36.111:63197] AH00947: connected
/app/api/completions.json?username=me to englearn-app3.foo.com:8443
[Wed Jul 01 13:14:38.509179 2020] [proxy:trace2] [pid 92711]
proxy_util.c(2768): HTTPS: fam 2 socket created to connect to
englearn-app3.foo.com
[Wed Jul 01 13:14:38.509233 2020] [proxy:debug] [pid 92711]
proxy_util.c(2802): AH02824: HTTPS: connection established with
171.71.174.236:8443 (englearn-app3.foo.com)
[Wed Jul 01 13:14:38.509255 2020] [proxy:debug] [pid 92711]
proxy_util.c(2942): AH00962: HTTPS: connection complete to
171.71.174.236:8443 (englearn-app3.foo.com)
[Wed Jul 01 13:14:38.509264 2020] [ssl:info] [pid 92711] [remote
171.71.174.236:8443] AH01964: Connection to child 0 established (server
englearn-app3.foo.com:443)
[Wed Jul 01 13:14:38.517001 2020] [proxy:debug] [pid 92711]
proxy_util.c(2218): AH00943: https: has released connection for (
englearn-app3.foo.com)
[Wed Jul 01 13:14:39.256467 2020] [proxy:debug] [pid 92718]
proxy_util.c(1843): AH00925: initializing worker proxy:reverse shared
[Wed Jul 01 13:14:39.256526 2020] [proxy:debug] [pid 92718]
proxy_util.c(1885): AH00927: initializing worker proxy:reverse local
[Wed Jul 01 13:14:39.256572 2020] [proxy:debug] [pid 92718]
proxy_util.c(1936): AH00931: initialized single connection worker in child
92718 for (*)
[Wed Jul 01 13:14:39.256586 2020] [proxy:debug] [pid 92718]
proxy_util.c(1843): AH00925: initializing worker
https://englearn-app3.foo.com:8443/app shared
[Wed Jul 01 13:14:39.256604 2020] [proxy:debug] [pid 92718]
proxy_util.c(1885): AH00927: initializing worker
https://englearn-app3.foo.com:8443/app local
[Wed Jul 01 13:14:39.256628 2020] [proxy:debug] [pid 92718]
proxy_util.c(1936): AH00931: initialized single connection worker in child
92718 for (englearn-app3.foo.com)
[Wed Jul 01 13:14:43.518364 2020] [ssl:info] [pid 92711] (70007)The timeout
specified has expired: [client 10.24.36.111:63197] AH01991: SSL input
filter read failed.


[Wed Jul 01 13:18:59.532770 2020] [ssl:info] [pid 92709] [client
10.24.36.111:63288] AH01964: Connection to child 0 established (server
englearn-app3.foo.com:443)
[Wed Jul 01 13:18:59.548285 2020] [proxy:trace2] [pid 92709]
proxy_util.c(1985): [client 10.24.36.111:63288] https: found worker
https://englearn-app3.foo.com:8443/app for
https://englearn-app3.foo.com:8443/app/api/completions.json?username=me
[Wed Jul 01 13:18:59.548318 2020] [proxy:debug] [pid 92709]
mod_proxy.c(1123): [client 10.24.36.111:63288] AH01143: Running scheme
https handler (attempt 0)
[Wed Jul 01 13:18:59.548339 2020] [proxy:debug] [pid 92709]
proxy_util.c(2203): AH00942: HTTPS: has acquired connection for (
englearn-app3.foo.com)
[Wed Jul 01 13:18:59.548359 2020] [proxy:debug] [pid 92709]
proxy_util.c(2256): [client 10.24.36.111:63288] AH00944: connecting
https://englearn-app3.foo.com:8443/app/api/completions.json?username=me to
englearn-app3.foo.com:8443
[Wed Jul 01 13:18:59.548412 2020] [proxy:debug] [pid 92709]
proxy_util.c(2426): [client 10.24.36.111:63288] AH00947: connected
/owe/api/completions.json?username=me to englearn-app3.foo.com:8443
[Wed Jul 01 13:18:59.548484 2020] [proxy:trace2] [pid 92709]
proxy_util.c(2768): HTTPS: fam 2 socket created to connect to
englearn-app3.foo.com
[Wed Jul 01 13:18:59.548609 2020] [proxy:debug] [pid 92709]
proxy_util.c(2802): AH02824: HTTPS: connection established with
171.71.174.236:8443 (englearn-app3.foo.com)
[Wed Jul 01 13:18:59.548622 2020] [proxy:debug] [pid 92709]
proxy_util.c(2942): AH00962: HTTPS: connection complete to
171.71.174.236:8443 (englearn-app3.foo.com)
[Wed Jul 01 13:18:59.548627 2020] [ssl:info] [pid 92709] [remote
171.71.174.236:8443] AH01964: Connection to child 0 established (server
englearn-app3.foo.com:443)
[Wed Jul 01 13:18:59.556770 2020] [proxy:debug] [pid 92709]
proxy_util.c(2218): AH00943: https: has released connection for (
englearn-app3.foo.com)
[Wed Jul 01 13:19:04.558528 2020] [ssl:info] [pid 92709] (70007)The timeout
specified has expired: [client 10.24.36.111:63288] AH01991: SSL input
filter read failed.
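
Added example, not part of the original thread: one way to read from the debug-level httpd error log alone whether each client connection was handed to Tomcat, and with which Referer, when packet capture is not available. The function names are hypothetical, and the sample is constructed from the entries quoted above with the e-mail line wrapping left in so the unwrapping step is exercised.

```python
import re

# Constructed sample in the shape of the error log above, e-mail wrapping kept.
SAMPLE = """\
[Wed Jul 01 10:42:25.041826 2020] [proxy:debug] [pid 4874]
proxy_util.c(2256): [client 10.24.36.111:54100] AH00944: connecting
https://englearn-app3.foo.com:8443/app/api/completions.json?username=me to
englearn-app3.foo.com:8443, referer:
http://englearn-app3.foo.com/app/api/completions.json?username=me
[Wed Jul 01 10:42:30.053800 2020] [ssl:info] [pid 4874] (70007)The timeout
specified has expired: [client 10.24.36.111:54100] AH01991: SSL input
filter read failed.
[Wed Jul 01 13:14:38.508991 2020] [proxy:debug] [pid 92711]
proxy_util.c(2256): [client 10.24.36.111:63197] AH00944: connecting
https://englearn-app3.foo.com:8443/app/api/completions.json?username=me to
englearn-app3.foo.com:8443
"""

ENTRY_START = re.compile(r"^\[\w{3} \w{3} \d{2} [\d:.]+ \d{4}\] ")
CLIENT = re.compile(r"\[client ([\d.]+:\d+)\]")
CONNECTING = re.compile(r"AH00944: connecting (\S+) to ([^\s,]+)")
REFERER = re.compile(r"referer: (\S+)")

def unwrap(text):
    """Rejoin hard-wrapped entries; a new entry begins with a [timestamp]."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Per client ip:port: proxied URL, backend, Referer, AH01991 seen."""
    conns = {}
    for entry in unwrap(text):
        client = CLIENT.search(entry)
        if not client:
            continue  # worker-initialisation lines carry no client field
        info = conns.setdefault(client.group(1), {
            "url": None, "backend": None, "referer": None, "ah01991": False})
        hit = CONNECTING.search(entry)
        if hit:
            info["url"], info["backend"] = hit.groups()
            ref = REFERER.search(entry)
            info["referer"] = ref.group(1) if ref else None
        info["ah01991"] = info["ah01991"] or "AH01991:" in entry
    return conns
```

Calling `summarize()` on the full error log gives one record per client connection, which makes it easy to compare the attempt that carries an `http://` Referer with the ones that do not.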

Re: Fwd: Reverse proxy and SSL redirect

Posted by Mark Thomas <ma...@apache.org>.
On 01/07/2020 00:41, rugman66 . wrote:
> On Wed, Apr 22, 2020 at 9:21 AM Mark Thomas <ma...@apache.org> wrote:
>>
>> On 22/04/2020 00:11, rugman66 . wrote:
>>
>> <snip/>
>>
>>>        Tomcat log  (I'm trying to get more debug level logging)
>>>             2020-04-21 13:39:33 INFO  app.CompletionRestController
>>> Unsupported Media Type in Header
>>>
>>>       Postman
>>>            415 Unsupported Media Type
>>>
>>>       GET URL
>>>             http://server.com/app/api/completions.json?username=foo
>>>
>>> Both Tomcat and Apache are running SSL because all internal endpoints
>>> are required to be secure.
>>
>> Looks like the app is generating the error. That moves us forwards.
>>
>> Try enabling the RequestDumperFilter. That should dump the full set of
>> request headers received which will hopefully help explain what is going on.
>>
>> Mark
> 
> Hi Mark,
> 
> Was on unplanned leave for the past few months, but back.
> 
> I did try to enable RequestDumperFilter, however the file was created
> but no log entries created. I did find something interesting. When I
> test in Postman with
> HTTP it does redirect to HTTPD but throws the error. However when I
> change the URL in Postman using HTTPD I get the expected reply and see
> the
> proxy is indeed working. It's only throwing the error when the
> redirect occurs. Seems to me the issue lies there, but I still can't
> find a resolution. Any
> suggestions would be appreciated.

You need to find a way to see the full traffic for both client<->httpd
and httpd<->Tomcat.

Wireshark is one option. You'll need to configure it to decrypt the TLS.

The access logs will also confirm whether requests are passed to Tomcat
or handled by httpd.

Mark
