[users@httpd] Struggling with Reverse Proxy Configuration for Server with multiple subdomains

[Ryan Merrell <ry...@gmail.com>]

Our web application (an LMS) uses three subdomains to serve its content:

home.example.com
training.example.com
shared.example.com

These are all vhosts running off of 1 server. My end goal is to use
mod_proxy as a reverse proxy and to load balance between two servers.
Until we can make changes to the app to be more tolerant to HA
systems, the load balancer will most likely need to be Active/Passive
between two back end servers.

I'm new to mod_proxy, so I've started off with just trying to set up a
1:1 reverse proxy, meaning one proxy server sending all traffic to one
server only. But I can't seem to get that working. Every example I can
find for setting up a reverse proxy uses examples like
"example.com/$FUNCTION" as the public side and "$FUNCTION.example.com'
as the private. For example, www.example.com/shared on the proxy goes
to shared.example.com on the private side. www.example.com/training on
the proxy goes to training.example.com on the private side. I can't do
this without considerable changes to how our application works. What i
need is for home.example.com on the proxy to go to home.example.com on
the back end. Same for shared and training.

On the proxy I tried configuring 3 vhosts (home.example.com,
shared.example.com, and training.example.com). An example is like the
following:(proxy is 192.168.2.210 and host 1 is 192.168.2.211)

NameVirtualHost 192.168.2.210:80
<VirtualHost 192.168.2.210:80>
ServerName home.example.com
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPreserveHost On

ProxyPass / http://192.168.2.211/
ProxyPassReverse / http://192.168.2.211/

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

</IfModule>
</VirtualHost>

I have the same thing for training and shared as well. Then on the
backend server, I have a standard vhost configuration for the three
vhosts (meaning if I change my dns to resolve to 192.168.2.211, the
web page functions as expected).

With this set up, and my DNS resolving to the proxy for all three
subdomains, I can pull up the few items that loads from "home", but
anything being requested from shared (training isn't used on the login
screen) gets a 404. When I look at the backend server looks, the 404
is looking in home's document root instead of Shared. So it seems that
all requests being passed to the back end server are going to the
default vhost and not based off of the Host name.Everything I can find
regarding this type of error have lead to making sure the
NameVirtualHost and VirtualHost directives match, which they do and it
still seems to go to the first vhost listed.

So a couple questions I have are
1) Is what I'm planning to accomplish even doable? I figured if it was
I'd at least be able to find just one example out on the Internet, but
I haven't been able to, which has created doubt as to whether I'm
fully understanding how mod_proxy works.
2) If it is doable, what config changes do I need to make so it uses
the hostname instead of the default vhost?
3) If I can get this part to work, am I going to have any problems in
getting an Active/Passive load balancer set up?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Struggling with Reverse Proxy Configuration for Server with multiple subdomains

[Daniel Ruggeri <DR...@primary.net>]

On 3/15/2013 10:38 AM, Ryan Merrell wrote:
> 1. I found that once server 1 came back online, it started receiving
> all the requests again. Is there a way to keep that server in an error
> state until I'm ready to have it start serving again? Is this what the
> "retry" value is for? Do I just have to set it to a really high
> number?

I would suggest enabling the balancer manager and then taking the server
that you plan to do maintenance on out out of service. Consider it
"administratively down" until you say otherwise in the balancer manager
(a quick howto is in that presentation and the docs). Note that if you
are on 2.2 and you restart the reverse proxy at this time, the first
server will be put back into service. If you are on 2.4, there is shared
memory persistence as of 2.4.4 that will preserve these balancer manager
changes.

> 2. I also found that once a failover occurs, users are logged out
> because their session doesn't exist on the hot spare. Sessions are
> handled by a cookie with PHPSESSID. I saw that there is a
> "stickysession" option. Will this allow the session to be maintained
> across the two servers? If not, is there a way to do this? (Forgive my
> ignorance on this part, but I'm just a systems guy and
> cookies/sessions is a little beyond my knowledge area).
Not exactly. The sticky cookie to httpd is a cookie that tells it where
to send the request. If you haven't configured a sticky cookie in httpd,
I encourage you to do so (there is a "universal sticky cookie" example
in that presentation. You won't see much of a benefit until you add a
second, live server. The sticky cookie tells httpd which backend served
this users last request.

The reason the user has to log back in is because the session is not on
the second server. To get the session to fail over (prevent
reuathentication/etc) you have to have some sort of session replication
where session state is shared by the two backends. There are a few ways
to do this in PHP. A quick search on the 'tubes for "PHP session
replication" should get you started on the right path.


> 3. To make sure I'm understanding the BalancerMember config
> correctly... "route=1" means to always use this member first, right?
> And "redirect=2" means that if that member is unavailable, to always
> use the member with route=2? And status=+H means to keep this member
> inactive until all other members are in an error state, correct?

Think of the route parameter as an identifier. That identifier comes
into play with the sticky cookie. When a user presents a cookie (let's
say "Sticky=myApp.1") it is parsed to figure out where to send them. In
the example quoted, it means the user would go to the server named "1"
as the route. You are correct otherwise on your statements. If you would
like to have a few servers in grouping "A" and a few other servers in
grouping "B" but only use group B if all the members of A aren't
available, that would be a use case for the lbset parameter.

> 4. Now that I have it working with the above configuration, and
> considering I'm a mod_proxy newbie, are there any other settings I
> should be aware of? Any advice or suggestions you have?

Depending on the settings on your backend, you may want to play with the
min and max parameters for the BalancerMember. A persistent ready to use
connection (so long as the backend keeps it open and firewalls don't
drop it) is going to be a bit faster. If you want persistent connections
and have a firewall between the front and back, the keepalive parameter
will probably be helpful. Otherwise, the sky is the limit. You have app
traffic running through the Swiss Army Knife of the Internet - you can
do almost anything you'd like as it crosses the proxy. There are a few
examples in that presentation of some of the scenarios and use cases
that might be interesting. Deflate would be a good start - it's always
nice to save bandwidth.

--
Daniel Ruggeri


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Struggling with Reverse Proxy Configuration for Server with multiple subdomains

[Ryan Merrell <ry...@gmail.com>]

Thanks for the replies. Fortunately I was able to get everything
working to an acceptable level. But it seems I'm running a very
minimal configuration and there's definitely room to improve. First,
to answer some of you questions about the app itself, the users log in
at home.example.com, which pulls elements from home and shared. Once
they log in, they can select there training course to begin their
studies, which then takes them to training.example.com. So I have all
those vhosts set up on the proxy and the exact same vhosts set up on
the back end servers. So the proxy will send all requests exactly how
they are to server 1. If server 1 ever fails, it then starts sending
all requests to server 2. Here's what I did to get it working.


I added a Balancer with this configuration. I also made a second one for HTTPS.
NameVirtualHost 192.168.2.210:80
<Proxy balancer://balancer1>
BalancerMember http://192.168.2.211/ route=1 redirect=2
BalancerMember http://192.168.2.212/ route=2 status=+H
</Proxy>

### Then, I set up four different vhosts for home, training, and
shared. home has one for http and https. On the backend server, any
requests to home.example.com get redirected to HTTPS.
<VirtualHost 192.168.2.210:80>
ServerName home.example.com
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPreserveHost On

        ProxyPass / balancer://balancer1/
        ProxyPassReverse / balancer://balancer1/

<Proxy *>
        Order deny,allow
        Allow from all
</Proxy>
</IfModule>
</VirtualHost>

### The fix that solved most of my problems was the ProxyPass and
ProxyPassReverse directive. All the examples I had been looking at
were using domain names here (because they weren't really load
balancing) so this is where I was really struggling conceptually to
figure out how it's suppose to work. I then found out that you can put
your balancer, which I did, and everything started working.

So I configured it and tested it out and it seems to work rather well.
I can reboot server one and my requests instantly start going to
server 2. Even though it's working, I still have a few more questions
I'd like to ask, if that's alright.

1. I found that once server 1 came back online, it started receiving
all the requests again. Is there a way to keep that server in an error
state until I'm ready to have it start serving again? Is this what the
"retry" value is for? Do I just have to set it to a really high
number?

2. I also found that once a failover occurs, users are logged out
because their session doesn't exist on the hot spare. Sessions are
handled by a cookie with PHPSESSID. I saw that there is a
"stickysession" option. Will this allow the session to be maintained
across the two servers? If not, is there a way to do this? (Forgive my
ignorance on this part, but I'm just a systems guy and
cookies/sessions is a little beyond my knowledge area).

3. To make sure I'm understanding the BalancerMember config
correctly... "route=1" means to always use this member first, right?
And "redirect=2" means that if that member is unavailable, to always
use the member with route=2? And status=+H means to keep this member
inactive until all other members are in an error state, correct?

4. Now that I have it working with the above configuration, and
considering I'm a mod_proxy newbie, are there any other settings I
should be aware of? Any advice or suggestions you have?

Thanks.



On Fri, Mar 15, 2013 at 7:39 AM, Daniel Ruggeri <DR...@primary.net> wrote:
> On 3/14/2013 11:15 AM, Ryan Merrell wrote:
>> So a couple questions I have are
>> 1) Is what I'm planning to accomplish even doable? I figured if it was
>> I'd at least be able to find just one example out on the Internet, but
>> I haven't been able to, which has created doubt as to whether I'm
>> fully understanding how mod_proxy works.
> Yes, absolutely.
>
>> 2) If it is doable, what config changes do I need to make so it uses
>> the hostname instead of the default vhost?
> See question below - we can diagnose this with more info.
>
>> 3) If I can get this part to work, am I going to have any problems in
>> getting an Active/Passive load balancer set up?
> I'm just verifying but do you mean an active/passive backend? If so,
> that is trival to accomplish but you will need to use the balancer.
>
>
> Your configuration example looks good. The most important directive is
> the ProxyPreserveHost. Is there any way on the backend server to log the
> host header received? It sounds like the backend has a name-based vhost
> setup and my initial suspicion is that we're losing something on the way
> there. Another helpful module in httpd is mod_dumpio which will show the
> request as sent to the backend (but produces tons of logs).
>
> Feel free to review/steal examples from this presentation as we get
> closer to the balancer config:
> http://people.apache.org/~druggeri/notes/ApacheConNA%202010%20Presentation.odp
>
> --
> Daniel Ruggeri
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Struggling with Reverse Proxy Configuration for Server with multiple subdomains

[Daniel Ruggeri <DR...@primary.net>]

On 3/14/2013 11:15 AM, Ryan Merrell wrote:
> So a couple questions I have are
> 1) Is what I'm planning to accomplish even doable? I figured if it was
> I'd at least be able to find just one example out on the Internet, but
> I haven't been able to, which has created doubt as to whether I'm
> fully understanding how mod_proxy works.
Yes, absolutely.

> 2) If it is doable, what config changes do I need to make so it uses
> the hostname instead of the default vhost?
See question below - we can diagnose this with more info.

> 3) If I can get this part to work, am I going to have any problems in
> getting an Active/Passive load balancer set up?
I'm just verifying but do you mean an active/passive backend? If so,
that is trival to accomplish but you will need to use the balancer.


Your configuration example looks good. The most important directive is
the ProxyPreserveHost. Is there any way on the backend server to log the
host header received? It sounds like the backend has a name-based vhost
setup and my initial suspicion is that we're losing something on the way
there. Another helpful module in httpd is mod_dumpio which will show the
request as sent to the backend (but produces tons of logs).

Feel free to review/steal examples from this presentation as we get
closer to the balancer config:
http://people.apache.org/~druggeri/notes/ApacheConNA%202010%20Presentation.odp

--
Daniel Ruggeri


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Struggling with Reverse Proxy Configuration for Server with multiple subdomains

[Igor Cicimov <ic...@gmail.com>]

On Fri, Mar 15, 2013 at 3:15 AM, Ryan Merrell <ry...@gmail.com> wrote:

> Our web application (an LMS) uses three subdomains to serve its content:
>
> home.example.com
> training.example.com
> shared.example.com
>
> These are all vhosts running off of 1 server. My end goal is to use
> mod_proxy as a reverse proxy and to load balance between two servers.
> Until we can make changes to the app to be more tolerant to HA
> systems, the load balancer will most likely need to be Active/Passive
> between two back end servers.
>
> I'm new to mod_proxy, so I've started off with just trying to set up a
> 1:1 reverse proxy, meaning one proxy server sending all traffic to one
> server only. But I can't seem to get that working. Every example I can
> find for setting up a reverse proxy uses examples like
> "example.com/$FUNCTION" as the public side and "$FUNCTION.example.com'
> as the private.


Correct.


> For example, www.example.com/shared on the proxy goes
> to shared.example.com on the private side. www.example.com/training on
> the proxy goes to training.example.com on the private side. I can't do
> this without considerable changes to how our application works. What i
> need is for home.example.com on the proxy to go to home.example.com on
> the back end. Same for shared and training.
>
> On the proxy I tried configuring 3 vhosts (home.example.com,
> shared.example.com, and training.example.com). An example is like the
> following:(proxy is 192.168.2.210 and host 1 is 192.168.2.211)
>
> NameVirtualHost 192.168.2.210:80
> <VirtualHost 192.168.2.210:80>
> ServerName home.example.com
> <IfModule mod_proxy.c>
> ProxyRequests Off
> ProxyPreserveHost On
>
> ProxyPass / http://192.168.2.211/
> ProxyPassReverse / http://192.168.2.211/
>
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
>
> </IfModule>
> </VirtualHost>
>
> I have the same thing for training and shared as well. Then on the
> backend server, I have a standard vhost configuration for the three
> vhosts (meaning if I change my dns to resolve to 192.168.2.211, the
> web page functions as expected).
>

When you go to http://192.168.2.211/, how do you access each of the
applications? Meaning what is the direct url you will be using? In your
current set-up there isn't any right? So how are you going to distinguish
to which backend application you are going to send a specific request?


> With this set up, and my DNS resolving to the proxy for all three
> subdomains, I can pull up the few items that loads from "home", but
> anything being requested from shared (training isn't used on the login
> screen) gets a 404. When I look at the backend server looks, the 404
> is looking in home's document root instead of Shared. So it seems that
> all requests being passed to the back end server are going to the
> default vhost and not based off of the Host name.Everything I can find
> regarding this type of error have lead to making sure the
> NameVirtualHost and VirtualHost directives match, which they do and it
> still seems to go to the first vhost listed.
>
> So a couple questions I have are
> 1) Is what I'm planning to accomplish even doable? I figured if it was
> I'd at least be able to find just one example out on the Internet, but
> I haven't been able to, which has created doubt as to whether I'm
> fully understanding how mod_proxy works.
> 2) If it is doable, what config changes do I need to make so it uses
> the hostname instead of the default vhost?
> 3) If I can get this part to work, am I going to have any problems in
> getting an Active/Passive load balancer set up?
>

You need to host the domains on the frontend apache and forward the
requests to the backend application, but you can't host it on both frontend
and backend as you are doing. Example:

NameVirtualHost 192.168.2.210:80
<VirtualHost 192.168.2.210:80>
ServerName home.example.com
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPreserveHost On

ProxyPass / http://192.168.2.211/home/
ProxyPassReverse / http://192.168.2.211/home/

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

</IfModule>
</VirtualHost>

Then on the backend server you'll have:

NameVirtualHost 192.168.2.211:80 <http://192.168.2.210:80>
<VirtualHost 192.168.2.211:80 <http://192.168.2.210:80>>
    ServerName <call_it_whatever_you_want>
    DocumentRoot <your_document_root>/home/
</VirtualHost>
<VirtualHost 192.168.2.211:80 <http://192.168.2.210:80>>
    ServerName <call_it_whatever_you_want>
    DocumentRoot <your_document_root>/training/
</VirtualHost>
<VirtualHost 192.168.2.211:80 <http://192.168.2.210:80>>
    ServerName <call_it_whatever_you_want>
    DocumentRoot <your_document_root>/shared/
</VirtualHost>

and put the home application files under <your_document_root>/home/, where
<your_document_root> for most of the linux's would be /var/www.


> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>