You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Leon Kolchinsky <lk...@gmail.com> on 2010/08/02 06:31:41 UTC
Rewrite URLs inside HTML pages?
Hello,
I've configured Tomcat (apache-tomcat-5.5.26) to run behind Apache Http
(v.2.2.3 ) using mod_jk.
We have 2 of those Tomcat servers running on different machines.
We also configured load balancer (CISCO CSM) which we want to use for SSL
offloading and LB.
Load balancer serves https requests and forwards them to http (on the above
servers).
The problem is that links given by apache - the generated html pages (by
Sakai app.) appeared to include http://....
And this is a major problem since we can't even serve forms from https URL's
(the URL of the page is https://..... but links inside the HTML page itself
are from http://.... format)
I've been thinking to try to resolve this with ProxyHTMLURLMAp
(mod_proxy_html) but I have no experience with this module.
Can someone give me a sample syntax that I can try to include in my vhost
configuration?
Below is my virt. host configuration:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName servername.com
ServerAdmin Leon.K@servername.com
ServerAlias sakai-server
# if not specified, the global error log is used
ErrorLog /var/log/httpd/servername.com-error_log
CustomLog /var/log/httpd/servername.com-access_log combined
HostnameLookups Off
UseCanonicalName Off
# Add index.jsp to DirectoryIndex files
DirectoryIndex index.php index.html index.htm index.shtml index.php4
index.php3 index.phtml index.cgi index.jsp
JkMount /* worker1
Best Regards,
--
Leon Kolchinsky
Re: Rewrite URLs inside HTML pages?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Leon,
On 8/4/2010 9:30 PM, Leon Kolchinsky wrote:
> Of course I'd like to make it work with "simple configuration" or/and with
> JkHTTPSIndicator.
>
> I'm just not clear on how to make this "simple configuration".
Rainer laid it out in his other message. I'll repeat it for emphasis.
This is all you need in httpd.conf:
JkHTTPSIndicator FakeHTTPS
SetEnv FakeHTTPS On
Remove all that output filtering crap you added and you should be good
to go.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkxa3KcACgkQ9CaO5/Lv0PDeMwCgqYWzD6dL65T+rDz8o+rDXnZ2
UUUAn24qOZeHbnZZxiIWdiLXzukENKIU
=9/Fn
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
Posted by Rainer Jung <ra...@kippdata.de>.
On 09.08.2010 03:28, Leon Kolchinsky wrote:
> On Thu, Aug 5, 2010 at 18:26, Rainer Jung<ra...@kippdata.de> wrote:
>> On 05.08.2010 03:30, Leon Kolchinsky wrote:
>> # JkRequestLogFormat set the request format
>>> JkRequestLogFormat "%w %V %T"
>>>
>>
>> Unrelated: Don't like the JkRequestFormat. Instead would use so called
>> "notes" to add the info directly to the access log.
>>
>> Are you talking about "mod_log_config" (
> http://tomcat.apache.org/connectors-doc/reference/apache.html)?
Yes, exactly. mod_jk sets so called notes, which you can add to your
standard AccessLog using them in a CustomLog format.
>> # Globally deny access to the WEB-INF directory
>>> <LocationMatch '.*WEB-INF.*'>
>>> AllowOverride None
>>> deny from all
>>> </LocationMatch>
>>>
>>
>> Unrelated: The application directory usually should not be reachable at all
>> by Apache.
>>
>> So, Is it safe to remove those<LocationMatch
> '.*WEB-INF.*'>.....</LocationMatch> lines?
It depends :)
If Apache can't see those directories, then "yes". If you have them in
directories visble by Apache and allowed to be served, then "no" and
instead the question would be: why is Apache allowed to see (and serve)
them.
See and serve would mean: under htdocs or some other directory that is
not secured. Usually "Directory /" has "deny from all" (secured) so
Apache doesn't serve arbitrary content, and htdocs and some individually
configured dirs like for the manual and icons are "allow from all".
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
Posted by Leon Kolchinsky <lk...@gmail.com>.
Wow ;)
Thanks Rainer,
I'll comment inline.
On Thu, Aug 5, 2010 at 18:26, Rainer Jung <ra...@kippdata.de> wrote:
> Comments inline
>
>
> On 05.08.2010 03:30, Leon Kolchinsky wrote:
>
>> Hi,
>>
>> Hmm.
>> Interesting.
>> Of course I'd like to make it work with "simple configuration" or/and with
>> JkHTTPSIndicator.
>>
>> I'm just not clear on how to make this "simple configuration".
>>
>> As I've said there is no SSL handling on the server side. All SSL request
>> handled on the load balance level which in turn talks to Apache
>> (configured
>> to talk to Tomcat via mod_jk) via http.
>>
>> myserv.mydomain.com - Tomcat server's Domain name
>> sakai-stg.mydomain.com - Load balancer's Domain name
>>
>> Clients coming to Load Balancer's URL https://sakai-stg.mydomain.com need
>> to
>> use internal links (submit forms etc.) which appear as http://
>> sakai-stg.mydomain.com/..... on the served pages.
>> Submitting forms is not working in that scenario since the links should
>> look
>> like this inside the pages - https://sakai-stg.mydomain.com/.....
>>
>>
>> Please see my mod_jk.conf, workers.properties, 01myserv.mydomain.com.conf
>> files below.
>>
>> Can you come up with a solution without using mod_substitute as I do now?
>>
>> [root@myserv mod_sed]# cat /etc/httpd/conf/mod_jk.conf
>> LoadModule jk_module modules/mod_jk.so
>>
>> # mod_jk config
>> # Where to find workers.properties
>> # Update this path to match your conf directory location (put
>> workers.properties next to httpd.conf)
>> JkWorkersFile /etc/httpd/conf/workers.properties
>> # Where to put jk shared memory
>> # Update this path to match your local state directory or logs directory
>> JkShmFile /var/log/httpd/mod_jk.shm
>> # Where to put jk logs
>> # Update this path to match your logs directory location (put mod_jk.log
>> next to access_log)
>> JkLogFile /var/log/httpd/mod_jk.log
>>
>
> Unrelated: you could use rotatelogs here, as in "CustomLog" or "ErrorLog"
> to automatically rotate the files.
>
> My logs rotated by logrotate (I'm not familiar with rotatelogs option, will
need to read about it later)
>
> # Set the jk log level [debug/error/info]
>> JkLogLevel info
>> # Select the timestamp log format
>> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
>>
>
> Unrelated: I would remove JkLogStampFormat. Since a few years mod_jk will
> log sub second timestamps by default, but this format disables that.
>
> Done: removed JkLogStampFormat
>
> #JkOptions indicate to send SSL KEY SIZE,
>> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
>>
>
> Unrelated: You should remove "+ForwardURICompat" unless you understand what
> it does and that you will definitely need it.
>
> Done: removed "+ForwardURICompat"
>
> # JkRequestLogFormat set the request format
>> JkRequestLogFormat "%w %V %T"
>>
>
> Unrelated: Don't like the JkRequestFormat. Instead would use so called
> "notes" to add the info directly to the access log.
>
> Are you talking about "mod_log_config" (
http://tomcat.apache.org/connectors-doc/reference/apache.html)?
>
> # Globally deny access to the WEB-INF directory
>> <LocationMatch '.*WEB-INF.*'>
>> AllowOverride None
>> deny from all
>> </LocationMatch>
>>
>
> Unrelated: The application directory usually should not be reachable at all
> by Apache.
>
> So, Is it safe to remove those <LocationMatch
'.*WEB-INF.*'>.....</LocationMatch> lines?
>
> [root@myserv mod_sed]#
>> [root@myserv mod_sed]# cat /etc/httpd/conf/workers.properties
>> #
>> # This file provides minimal jk configuration properties needed to
>> # connect to Tomcat.
>> #
>> # We define a workers named worker1 and worker2
>> workers.tomcat_home=/srv/tomcat/
>> workers.java_home=/srv/jdk
>> ps=/
>>
>
> Unrelated: The above three are useless.
>
> Done: removed
>
> worker.list=worker1
>> worker.worker1.type=ajp13
>> worker.worker1.host=localhost
>> worker.worker1.port=8009
>> worker.worker1.lbfactor=1
>>
>
> Unrelated: That's very minimal.
>
>
> # Load-balancing behaviour (add when you have more than 1 worker and
>> change
>> worker.workerX.host and worker.list accordingly)
>> # worker.loadbalancer.type=lb
>>
>
> Unrelated: You are not actually using mod_jk load balancing here.
>
> Sure, I don't need load balancing here. It's done on the external LB.
>
> # Status worker for managing load balancer (add when you have more than 1
>> worker)
>> worker.status.type=status
>>
>
> Suggestion: grab the default workers.properties from the mod_jk 1.2.30
> source download. It contains important hints about production ready
> configuration.
>
> Thanks, very usefull suggestion.
>
> [root@myserv mod_sed]#
>> [root@myserv mod_sed]# cat
>> /etc/httpd/conf/vhosts.d/01myserv.mydomain.com.conf
>> LoadModule substitute_module modules/mod_substitute.so
>>
>> NameVirtualHost *:80
>>
>> <VirtualHost *:80>
>> ServerName myserv.mydomain.com
>> ServerAdmin Leon.Kolchinsky@mydomain.com
>> ServerAlias sakai-stg
>>
>> # Just in case
>> DocumentRoot /srv/sakai
>>
>> # if not specified, the global error log is used
>> ErrorLog /var/log/httpd/myserv.mydomain.com-error_log
>> CustomLog /var/log/httpd/myserv.mydomain.com-access_log combined
>> # don't loose time with IP address lookups
>> HostnameLookups Off
>> # needed for named virtual hosts
>> UseCanonicalName Off
>>
>> # Add index.jsp to DirectoryIndex files
>> DirectoryIndex index.php index.html index.htm index.shtml index.php4
>> index.php3 index.phtml index.cgi index.jsp
>>
>> JkMount /* worker1
>>
>
> Assuming that you always want Tomcat to assume https when a request came in
> via this VirtualHost:
>
> JkHTTPSIndicator FakeHTTPS
> SetEnv FakeHTTPS On
>
> (the module mod_env needs to be loaded).
>
> Done: Working fine :)
Thanks for such a detailed explanation!!!
>
> AddOutputFilterByType SUBSTITUTE text/html
>> Substitute "s|http://myserv|https://sakai-stg|i"
>> Substitute "s|http://sakai-stg|https://sakai-stg|i"
>>
>
> Those three should then no longer be needed (if sakai behaves well).
>
> Done: removed
> </VirtualHost>
>>
>
> Regards,
>
> Rainer
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Cheers,
--
Leon Kolchinsky
Re: Rewrite URLs inside HTML pages?
Posted by Rainer Jung <ra...@kippdata.de>.
Comments inline
On 05.08.2010 03:30, Leon Kolchinsky wrote:
> Hi,
>
> Hmm.
> Interesting.
> Of course I'd like to make it work with "simple configuration" or/and with
> JkHTTPSIndicator.
>
> I'm just not clear on how to make this "simple configuration".
>
> As I've said there is no SSL handling on the server side. All SSL request
> handled on the load balance level which in turn talks to Apache (configured
> to talk to Tomcat via mod_jk) via http.
>
> myserv.mydomain.com - Tomcat server's Domain name
> sakai-stg.mydomain.com - Load balancer's Domain name
>
> Clients coming to Load Balancer's URL https://sakai-stg.mydomain.com need to
> use internal links (submit forms etc.) which appear as http://
> sakai-stg.mydomain.com/..... on the served pages.
> Submitting forms is not working in that scenario since the links should look
> like this inside the pages - https://sakai-stg.mydomain.com/.....
>
>
> Please see my mod_jk.conf, workers.properties, 01myserv.mydomain.com.conf
> files below.
>
> Can you come up with a solution without using mod_substitute as I do now?
>
> [root@myserv mod_sed]# cat /etc/httpd/conf/mod_jk.conf
> LoadModule jk_module modules/mod_jk.so
>
> # mod_jk config
> # Where to find workers.properties
> # Update this path to match your conf directory location (put
> workers.properties next to httpd.conf)
> JkWorkersFile /etc/httpd/conf/workers.properties
> # Where to put jk shared memory
> # Update this path to match your local state directory or logs directory
> JkShmFile /var/log/httpd/mod_jk.shm
> # Where to put jk logs
> # Update this path to match your logs directory location (put mod_jk.log
> next to access_log)
> JkLogFile /var/log/httpd/mod_jk.log
Unrelated: you could use rotatelogs here, as in "CustomLog" or
"ErrorLog" to automatically rotate the files.
> # Set the jk log level [debug/error/info]
> JkLogLevel info
> # Select the timestamp log format
> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
Unrelated: I would remove JkLogStampFormat. Since a few years mod_jk
will log sub second timestamps by default, but this format disables that.
> #JkOptions indicate to send SSL KEY SIZE,
> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
Unrelated: You should remove "+ForwardURICompat" unless you understand
what it does and that you will definitely need it.
> # JkRequestLogFormat set the request format
> JkRequestLogFormat "%w %V %T"
Unrelated: Don't like the JkRequestFormat. Instead would use so called
"notes" to add the info directly to the access log.
> # Globally deny access to the WEB-INF directory
> <LocationMatch '.*WEB-INF.*'>
> AllowOverride None
> deny from all
> </LocationMatch>
Unrelated: The application directory usually should not be reachable at
all by Apache.
> [root@myserv mod_sed]#
> [root@myserv mod_sed]# cat /etc/httpd/conf/workers.properties
> #
> # This file provides minimal jk configuration properties needed to
> # connect to Tomcat.
> #
> # We define a workers named worker1 and worker2
> workers.tomcat_home=/srv/tomcat/
> workers.java_home=/srv/jdk
> ps=/
Unrelated: The above three are useless.
> worker.list=worker1
> worker.worker1.type=ajp13
> worker.worker1.host=localhost
> worker.worker1.port=8009
> worker.worker1.lbfactor=1
Unrelated: That's very minimal.
> # Load-balancing behaviour (add when you have more than 1 worker and change
> worker.workerX.host and worker.list accordingly)
> # worker.loadbalancer.type=lb
Unrelated: You are not actually using mod_jk load balancing here.
> # Status worker for managing load balancer (add when you have more than 1
> worker)
> worker.status.type=status
Suggestion: grab the default workers.properties from the mod_jk 1.2.30
source download. It contains important hints about production ready
configuration.
> [root@myserv mod_sed]#
> [root@myserv mod_sed]# cat
> /etc/httpd/conf/vhosts.d/01myserv.mydomain.com.conf
> LoadModule substitute_module modules/mod_substitute.so
>
> NameVirtualHost *:80
>
> <VirtualHost *:80>
> ServerName myserv.mydomain.com
> ServerAdmin Leon.Kolchinsky@mydomain.com
> ServerAlias sakai-stg
>
> # Just in case
> DocumentRoot /srv/sakai
>
> # if not specified, the global error log is used
> ErrorLog /var/log/httpd/myserv.mydomain.com-error_log
> CustomLog /var/log/httpd/myserv.mydomain.com-access_log combined
> # don't loose time with IP address lookups
> HostnameLookups Off
> # needed for named virtual hosts
> UseCanonicalName Off
>
> # Add index.jsp to DirectoryIndex files
> DirectoryIndex index.php index.html index.htm index.shtml index.php4
> index.php3 index.phtml index.cgi index.jsp
>
> JkMount /* worker1
Assuming that you always want Tomcat to assume https when a request came
in via this VirtualHost:
JkHTTPSIndicator FakeHTTPS
SetEnv FakeHTTPS On
(the module mod_env needs to be loaded).
> AddOutputFilterByType SUBSTITUTE text/html
> Substitute "s|http://myserv|https://sakai-stg|i"
> Substitute "s|http://sakai-stg|https://sakai-stg|i"
Those three should then no longer be needed (if sakai behaves well).
> </VirtualHost>
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
Posted by Leon Kolchinsky <lk...@gmail.com>.
Hi,
Hmm.
Interesting.
Of course I'd like to make it work with "simple configuration" or/and with
JkHTTPSIndicator.
I'm just not clear on how to make this "simple configuration".
As I've said there is no SSL handling on the server side. All SSL request
handled on the load balance level which in turn talks to Apache (configured
to talk to Tomcat via mod_jk) via http.
myserv.mydomain.com - Tomcat server's Domain name
sakai-stg.mydomain.com - Load balancer's Domain name
Clients coming to Load Balancer's URL https://sakai-stg.mydomain.com need to
use internal links (submit forms etc.) which appear as http://
sakai-stg.mydomain.com/..... on the served pages.
Submitting forms is not working in that scenario since the links should look
like this inside the pages - https://sakai-stg.mydomain.com/.....
Please see my mod_jk.conf, workers.properties, 01myserv.mydomain.com.conf
files below.
Can you come up with a solution without using mod_substitute as I do now?
[root@myserv mod_sed]# cat /etc/httpd/conf/mod_jk.conf
LoadModule jk_module modules/mod_jk.so
# mod_jk config
# Where to find workers.properties
# Update this path to match your conf directory location (put
workers.properties next to httpd.conf)
JkWorkersFile /etc/httpd/conf/workers.properties
# Where to put jk shared memory
# Update this path to match your local state directory or logs directory
JkShmFile /var/log/httpd/mod_jk.shm
# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log
next to access_log)
JkLogFile /var/log/httpd/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
#JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
# Globally deny access to the WEB-INF directory
<LocationMatch '.*WEB-INF.*'>
AllowOverride None
deny from all
</LocationMatch>
[root@myserv mod_sed]#
[root@myserv mod_sed]# cat /etc/httpd/conf/workers.properties
#
# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
#
# We define a workers named worker1 and worker2
workers.tomcat_home=/srv/tomcat/
workers.java_home=/srv/jdk
ps=/
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=1
# Load-balancing behaviour (add when you have more than 1 worker and change
worker.workerX.host and worker.list accordingly)
# worker.loadbalancer.type=lb
# Status worker for managing load balancer (add when you have more than 1
worker)
worker.status.type=status
[root@myserv mod_sed]#
[root@myserv mod_sed]# cat
/etc/httpd/conf/vhosts.d/01myserv.mydomain.com.conf
LoadModule substitute_module modules/mod_substitute.so
NameVirtualHost *:80
<VirtualHost *:80>
ServerName myserv.mydomain.com
ServerAdmin Leon.Kolchinsky@mydomain.com
ServerAlias sakai-stg
# Just in case
DocumentRoot /srv/sakai
# if not specified, the global error log is used
ErrorLog /var/log/httpd/myserv.mydomain.com-error_log
CustomLog /var/log/httpd/myserv.mydomain.com-access_log combined
# don't loose time with IP address lookups
HostnameLookups Off
# needed for named virtual hosts
UseCanonicalName Off
# Add index.jsp to DirectoryIndex files
DirectoryIndex index.php index.html index.htm index.shtml index.php4
index.php3 index.phtml index.cgi index.jsp
JkMount /* worker1
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|http://myserv|https://sakai-stg|i"
Substitute "s|http://sakai-stg|https://sakai-stg|i"
</VirtualHost>
Best Regards,
Leon
On Wed, Aug 4, 2010 at 23:58, Christopher Schultz <
chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Leon,
>
> On 8/3/2010 2:45 AM, Leon Kolchinsky wrote:
> > Thanks for your help Rainer/Felix,
> >
> > I've tested several options including mod_substitute and mod_sed and it
> > seems that mod_substitute is a way to go.
>
> Yuk: why go through the kludge of re-writing the pages when simple
> configuration can make it so the pages are correct in the first place?
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkxZciMACgkQ9CaO5/Lv0PBqtQCgqVkecwM/GcfFnpZY4CeQ5M+g
> weIAnjBkSVjFNpyHaRJ6b58XRXjwIu41
> =x21u
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
--
Leon Kolchinsky
Senior Software Specialist (Collaborative Applications)
ITS Research Support Services
Monash e-Research Centre (MeRC)
Monash University
tel: +61 3 99059560
Re: Rewrite URLs inside HTML pages?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Leon,
On 8/3/2010 2:45 AM, Leon Kolchinsky wrote:
> Thanks for your help Rainer/Felix,
>
> I've tested several options including mod_substitute and mod_sed and it
> seems that mod_substitute is a way to go.
Yuk: why go through the kludge of re-writing the pages when simple
configuration can make it so the pages are correct in the first place?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkxZciMACgkQ9CaO5/Lv0PBqtQCgqVkecwM/GcfFnpZY4CeQ5M+g
weIAnjBkSVjFNpyHaRJ6b58XRXjwIu41
=x21u
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
Posted by Rainer Jung <ra...@kippdata.de>.
Did you notice, that our expectation is you won't need any page
rewriting when using JkHTTPSIndicator?
Regards,
Rainer
On 03.08.2010 08:45, Leon Kolchinsky wrote:
> Thanks for your help Rainer/Felix,
>
> I've tested several options including mod_substitute and mod_sed and it
> seems that mod_substitute is a way to go.
>
> This is my working configuration now:
>
> LoadModule substitute_module modules/mod_substitute.so
> .......................
> AddOutputFilterByType SUBSTITUTE text/html
> Substitute "s|http://myserver|https://load-balancer|i"
> Substitute "s|http://load-balancer|https://load-balancer|i"
>
> Don't ask me why there is a last line, I see no logic here, but without it I
> still get several http instead https links via load-balancer backend (May be
> Sakai or CISCO CSM side fault).
>
>
> Best Regards,
> Leon Kolchinsky
>
> On Mon, Aug 2, 2010 at 20:14, Rainer Jung<ra...@kippdata.de> wrote:
>
>> Hi Felix,
>>
>> hope you are doing well!
>>
>>
>> On 02.08.2010 11:46, Felix Schumacher wrote:
>>
>>> Hi Rainer,
>>> On Mon, 02 Aug 2010 10:00:57 +0200, Rainer Jung<ra...@kippdata.de>
>>> wrote:
>>>
>>>> On 02.08.2010 06:31, Leon Kolchinsky wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I've configured Tomcat (apache-tomcat-5.5.26) to run behind Apache Http
>>>>> (v.2.2.3 ) using mod_jk.
>>>>>
>>>>> We have 2 of those Tomcat servers running on different machines.
>>>>> We also configured load balancer (CISCO CSM) which we want to use for
>>>>>
>>>> SSL
>>>
>>>> offloading and LB.
>>>>>
>>>>> Load balancer serves https requests and forwards them to http (on the
>>>>> above
>>>>> servers).
>>>>>
>>>>> The problem is that links given by apache - the generated html pages
>>>>>
>>>> (by
>>>
>>>> Sakai app.) appeared to include http://....
>>>>> And this is a major problem since we can't even serve forms from https
>>>>> URL's
>>>>> (the URL of the page is https://..... but links inside the HTML page
>>>>> itself
>>>>> are from http://.... format)
>>>>>
>>>>> I've been thinking to try to resolve this with ProxyHTMLURLMAp
>>>>> (mod_proxy_html) but I have no experience with this module.
>>>>>
>>>>> Can someone give me a sample syntax that I can try to include in my
>>>>>
>>>> vhost
>>>
>>>> configuration?
>>>>>
>>>>> Below is my virt. host configuration:
>>>>> NameVirtualHost *:80
>>>>>
>>>>> <VirtualHost *:80>
>>>>> ServerName servername.com
>>>>> ServerAdmin Leon.K@servername.com
>>>>> ServerAlias sakai-server
>>>>>
>>>>> # if not specified, the global error log is used
>>>>> ErrorLog /var/log/httpd/servername.com-error_log
>>>>> CustomLog /var/log/httpd/servername.com-access_log combined
>>>>> HostnameLookups Off
>>>>> UseCanonicalName Off
>>>>>
>>>>> # Add index.jsp to DirectoryIndex files
>>>>> DirectoryIndex index.php index.html index.htm index.shtml index.php4
>>>>> index.php3 index.phtml index.cgi index.jsp
>>>>>
>>>>> JkMount /* worker1
>>>>>
>>>>
>>>> It might be worthwhile finding out, why sakai produces wrong links. E.g.
>>>>
>>>
>>> if you are using mod_jk to connect Apache to Tomcat, and you are talking
>>>>
>>>
>>> HTTPS to Apache, then the calls the isSecure(), getScheme(),
>>>> getProtocol() will return the information as seen by Apache, so the
>>>> webapp is able to find out that https is used and it seems to be a bug
>>>> in sakai.
>>>>
>>> as I understood the issue, the problems arise from using a loadbalancer in
>>>
>>> front of the apache httpd servers, which are using mod_jk to communicate
>>> with the tomcats. The loadbalancers are terminating the ssl connection and
>>> presumably
>>> changing hostnames too.
>>>
>>
>> Ah OK, missed that.
>>
>>
>> But given the documentation link you gave below, it should be easy to
>>> configure
>>> the vhost in apache httpd (or two - one for ssl, one for non-ssl traffic)
>>> by
>>> setting JkEnvVar for scheme, hostname and port if necessary.
>>>
>>> If I read http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
>>> correctly, one could
>>> use proxyPort, proxyName and scheme in the ajp-connector.
>>>
>>
>> If using mod_jk, you can tell mod_jk, that it should derive the
>> information, whether SSL is used or not from some Apache environment
>> variable. You can the set the variable as you like e.g. depending on the
>> client IP is the connection coming from the loadbalancer) or some other
>> params.
>>
>> So you would use
>>
>> JkHTTPSIndicator MyHTTPSIndicator
>>
>> to let mod_jk check the variable "MyHTTPSIndicator" instead of the Apache
>> builtin "HTTPS" variable, whether HTTPS is used.
>>
>> Then you have to set the env var to "On" for each request you know, that it
>> is actually using https from the client point of view, e.g.
>>
>> SetEnvIf Remote_Addr "10\.0\.0\.27" MyHTTPSIndicator=On
>>
>> where e.g. 10.0.27 is the address of the load balancer (if the requests
>> arrive actually with this IP, see the acess log).
>>
>> Or you use a separate port and vhost in Apache where you connect the LB to
>> and you know everything on this port was originally HTTPS, then you could
>> simply set MyHTTPSIndicator always to On in this vhost.
>>
>> Regards,
>>
>> Rainer
>>
>>
>> See for instance:
>>>>
>>>> http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
>>>>
>>>> If you are using http between Apache and Tomcat (not AJP13), then there
>>>> are connector settings for Tomcat to let the webapp know, that you are
>>>> actually using HTTPS on the proxy.
>>>>
>>>> If you can't fix it like this but instead really have to parse response
>>>> pages and replace links in them, three Apache module choices are
>>>> mod_proxy_html (which you already mentioned), mod_substitute and
>>>>
>>> mod_sed.
>>>
>>>>
>>>> Regards,
>>>>
>>>> Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
Posted by Leon Kolchinsky <lk...@gmail.com>.
Thanks for your help Rainer/Felix,
I've tested several options including mod_substitute and mod_sed and it
seems that mod_substitute is a way to go.
This is my working configuration now:
LoadModule substitute_module modules/mod_substitute.so
.......................
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|http://myserver|https://load-balancer|i"
Substitute "s|http://load-balancer|https://load-balancer|i"
Don't ask me why there is a last line, I see no logic here, but without it I
still get several http instead https links via load-balancer backend (May be
Sakai or CISCO CSM side fault).
Best Regards,
Leon Kolchinsky
On Mon, Aug 2, 2010 at 20:14, Rainer Jung <ra...@kippdata.de> wrote:
> Hi Felix,
>
> hope you are doing well!
>
>
> On 02.08.2010 11:46, Felix Schumacher wrote:
>
>> Hi Rainer,
>> On Mon, 02 Aug 2010 10:00:57 +0200, Rainer Jung<ra...@kippdata.de>
>> wrote:
>>
>>> On 02.08.2010 06:31, Leon Kolchinsky wrote:
>>>
>>>> Hello,
>>>>
>>>> I've configured Tomcat (apache-tomcat-5.5.26) to run behind Apache Http
>>>> (v.2.2.3 ) using mod_jk.
>>>>
>>>> We have 2 of those Tomcat servers running on different machines.
>>>> We also configured load balancer (CISCO CSM) which we want to use for
>>>>
>>> SSL
>>
>>> offloading and LB.
>>>>
>>>> Load balancer serves https requests and forwards them to http (on the
>>>> above
>>>> servers).
>>>>
>>>> The problem is that links given by apache - the generated html pages
>>>>
>>> (by
>>
>>> Sakai app.) appeared to include http://....
>>>> And this is a major problem since we can't even serve forms from https
>>>> URL's
>>>> (the URL of the page is https://..... but links inside the HTML page
>>>> itself
>>>> are from http://.... format)
>>>>
>>>> I've been thinking to try to resolve this with ProxyHTMLURLMAp
>>>> (mod_proxy_html) but I have no experience with this module.
>>>>
>>>> Can someone give me a sample syntax that I can try to include in my
>>>>
>>> vhost
>>
>>> configuration?
>>>>
>>>> Below is my virt. host configuration:
>>>> NameVirtualHost *:80
>>>>
>>>> <VirtualHost *:80>
>>>> ServerName servername.com
>>>> ServerAdmin Leon.K@servername.com
>>>> ServerAlias sakai-server
>>>>
>>>> # if not specified, the global error log is used
>>>> ErrorLog /var/log/httpd/servername.com-error_log
>>>> CustomLog /var/log/httpd/servername.com-access_log combined
>>>> HostnameLookups Off
>>>> UseCanonicalName Off
>>>>
>>>> # Add index.jsp to DirectoryIndex files
>>>> DirectoryIndex index.php index.html index.htm index.shtml index.php4
>>>> index.php3 index.phtml index.cgi index.jsp
>>>>
>>>> JkMount /* worker1
>>>>
>>>
>>> It might be worthwhile finding out, why sakai produces wrong links. E.g.
>>>
>>
>> if you are using mod_jk to connect Apache to Tomcat, and you are talking
>>>
>>
>> HTTPS to Apache, then the calls the isSecure(), getScheme(),
>>> getProtocol() will return the information as seen by Apache, so the
>>> webapp is able to find out that https is used and it seems to be a bug
>>> in sakai.
>>>
>> as I understood the issue, the problems arise from using a loadbalancer in
>>
>> front of the apache httpd servers, which are using mod_jk to communicate
>> with the tomcats. The loadbalancers are terminating the ssl connection and
>> presumably
>> changing hostnames too.
>>
>
> Ah OK, missed that.
>
>
> But given the documentation link you gave below, it should be easy to
>> configure
>> the vhost in apache httpd (or two - one for ssl, one for non-ssl traffic)
>> by
>> setting JkEnvVar for scheme, hostname and port if necessary.
>>
>> If I read http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
>> correctly, one could
>> use proxyPort, proxyName and scheme in the ajp-connector.
>>
>
> If using mod_jk, you can tell mod_jk, that it should derive the
> information, whether SSL is used or not from some Apache environment
> variable. You can the set the variable as you like e.g. depending on the
> client IP is the connection coming from the loadbalancer) or some other
> params.
>
> So you would use
>
> JkHTTPSIndicator MyHTTPSIndicator
>
> to let mod_jk check the variable "MyHTTPSIndicator" instead of the Apache
> builtin "HTTPS" variable, whether HTTPS is used.
>
> Then you have to set the env var to "On" for each request you know, that it
> is actually using https from the client point of view, e.g.
>
> SetEnvIf Remote_Addr "10\.0\.0\.27" MyHTTPSIndicator=On
>
> where e.g. 10.0.27 is the address of the load balancer (if the requests
> arrive actually with this IP, see the acess log).
>
> Or you use a separate port and vhost in Apache where you connect the LB to
> and you know everything on this port was originally HTTPS, then you could
> simply set MyHTTPSIndicator always to On in this vhost.
>
> Regards,
>
> Rainer
>
>
> See for instance:
>>>
>>> http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
>>>
>>> If you are using http between Apache and Tomcat (not AJP13), then there
>>> are connector settings for Tomcat to let the webapp know, that you are
>>> actually using HTTPS on the proxy.
>>>
>>> If you can't fix it like this but instead really have to parse response
>>> pages and replace links in them, three Apache module choices are
>>> mod_proxy_html (which you already mentioned), mod_substitute and
>>>
>> mod_sed.
>>
>>>
>>> Regards,
>>>
>>> Rainer
>>>
>>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
--
Leon Kolchinsky
Senior Software Specialist (Collaborative Applications)
ITS Research Support Services
Monash e-Research Centre (MeRC)
Monash University
tel: +61 3 99059560
Re: Rewrite URLs inside HTML pages?
Posted by Rainer Jung <ra...@kippdata.de>.
Hi Felix,
hope you are doing well!
On 02.08.2010 11:46, Felix Schumacher wrote:
> Hi Rainer,
> On Mon, 02 Aug 2010 10:00:57 +0200, Rainer Jung<ra...@kippdata.de>
> wrote:
>> On 02.08.2010 06:31, Leon Kolchinsky wrote:
>>> Hello,
>>>
>>> I've configured Tomcat (apache-tomcat-5.5.26) to run behind Apache Http
>>> (v.2.2.3 ) using mod_jk.
>>>
>>> We have 2 of those Tomcat servers running on different machines.
>>> We also configured load balancer (CISCO CSM) which we want to use for
> SSL
>>> offloading and LB.
>>>
>>> Load balancer serves https requests and forwards them to http (on the
>>> above
>>> servers).
>>>
>>> The problem is that links given by apache - the generated html pages
> (by
>>> Sakai app.) appeared to include http://....
>>> And this is a major problem since we can't even serve forms from https
>>> URL's
>>> (the URL of the page is https://..... but links inside the HTML page
>>> itself
>>> are from http://.... format)
>>>
>>> I've been thinking to try to resolve this with ProxyHTMLURLMAp
>>> (mod_proxy_html) but I have no experience with this module.
>>>
>>> Can someone give me a sample syntax that I can try to include in my
> vhost
>>> configuration?
>>>
>>> Below is my virt. host configuration:
>>> NameVirtualHost *:80
>>>
>>> <VirtualHost *:80>
>>> ServerName servername.com
>>> ServerAdmin Leon.K@servername.com
>>> ServerAlias sakai-server
>>>
>>> # if not specified, the global error log is used
>>> ErrorLog /var/log/httpd/servername.com-error_log
>>> CustomLog /var/log/httpd/servername.com-access_log combined
>>> HostnameLookups Off
>>> UseCanonicalName Off
>>>
>>> # Add index.jsp to DirectoryIndex files
>>> DirectoryIndex index.php index.html index.htm index.shtml index.php4
>>> index.php3 index.phtml index.cgi index.jsp
>>>
>>> JkMount /* worker1
>>
>> It might be worthwhile finding out, why sakai produces wrong links. E.g.
>
>> if you are using mod_jk to connect Apache to Tomcat, and you are talking
>
>> HTTPS to Apache, then the calls the isSecure(), getScheme(),
>> getProtocol() will return the information as seen by Apache, so the
>> webapp is able to find out that https is used and it seems to be a bug
>> in sakai.
> as I understood the issue, the problems arise from using a loadbalancer in
>
> front of the apache httpd servers, which are using mod_jk to communicate
> with the tomcats. The loadbalancers are terminating the ssl connection and
> presumably
> changing hostnames too.
Ah OK, missed that.
> But given the documentation link you gave below, it should be easy to
> configure
> the vhost in apache httpd (or two - one for ssl, one for non-ssl traffic)
> by
> setting JkEnvVar for scheme, hostname and port if necessary.
>
> If I read http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
> correctly, one could
> use proxyPort, proxyName and scheme in the ajp-connector.
If using mod_jk, you can tell mod_jk, that it should derive the
information, whether SSL is used or not from some Apache environment
variable. You can the set the variable as you like e.g. depending on the
client IP is the connection coming from the loadbalancer) or some other
params.
So you would use
JkHTTPSIndicator MyHTTPSIndicator
to let mod_jk check the variable "MyHTTPSIndicator" instead of the
Apache builtin "HTTPS" variable, whether HTTPS is used.
Then you have to set the env var to "On" for each request you know, that
it is actually using https from the client point of view, e.g.
SetEnvIf Remote_Addr "10\.0\.0\.27" MyHTTPSIndicator=On
where e.g. 10.0.27 is the address of the load balancer (if the requests
arrive actually with this IP, see the acess log).
Or you use a separate port and vhost in Apache where you connect the LB
to and you know everything on this port was originally HTTPS, then you
could simply set MyHTTPSIndicator always to On in this vhost.
Regards,
Rainer
>> See for instance:
>>
>> http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
>>
>> If you are using http between Apache and Tomcat (not AJP13), then there
>> are connector settings for Tomcat to let the webapp know, that you are
>> actually using HTTPS on the proxy.
>>
>> If you can't fix it like this but instead really have to parse response
>> pages and replace links in them, three Apache module choices are
>> mod_proxy_html (which you already mentioned), mod_substitute and
> mod_sed.
>>
>> Regards,
>>
>> Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
Posted by Felix Schumacher <fe...@internetallee.de>.
Hi Rainer,
On Mon, 02 Aug 2010 10:00:57 +0200, Rainer Jung <ra...@kippdata.de>
wrote:
> On 02.08.2010 06:31, Leon Kolchinsky wrote:
>> Hello,
>>
>> I've configured Tomcat (apache-tomcat-5.5.26) to run behind Apache Http
>> (v.2.2.3 ) using mod_jk.
>>
>> We have 2 of those Tomcat servers running on different machines.
>> We also configured load balancer (CISCO CSM) which we want to use for
SSL
>> offloading and LB.
>>
>> Load balancer serves https requests and forwards them to http (on the
>> above
>> servers).
>>
>> The problem is that links given by apache - the generated html pages
(by
>> Sakai app.) appeared to include http://....
>> And this is a major problem since we can't even serve forms from https
>> URL's
>> (the URL of the page is https://..... but links inside the HTML page
>> itself
>> are from http://.... format)
>>
>> I've been thinking to try to resolve this with ProxyHTMLURLMAp
>> (mod_proxy_html) but I have no experience with this module.
>>
>> Can someone give me a sample syntax that I can try to include in my
vhost
>> configuration?
>>
>> Below is my virt. host configuration:
>> NameVirtualHost *:80
>>
>> <VirtualHost *:80>
>> ServerName servername.com
>> ServerAdmin Leon.K@servername.com
>> ServerAlias sakai-server
>>
>> # if not specified, the global error log is used
>> ErrorLog /var/log/httpd/servername.com-error_log
>> CustomLog /var/log/httpd/servername.com-access_log combined
>> HostnameLookups Off
>> UseCanonicalName Off
>>
>> # Add index.jsp to DirectoryIndex files
>> DirectoryIndex index.php index.html index.htm index.shtml index.php4
>> index.php3 index.phtml index.cgi index.jsp
>>
>> JkMount /* worker1
>
> It might be worthwhile finding out, why sakai produces wrong links. E.g.
> if you are using mod_jk to connect Apache to Tomcat, and you are talking
> HTTPS to Apache, then the calls the isSecure(), getScheme(),
> getProtocol() will return the information as seen by Apache, so the
> webapp is able to find out that https is used and it seems to be a bug
> in sakai.
as I understood the issue, the problems arise from using a loadbalancer in
front of the apache httpd servers, which are using mod_jk to communicate
with the tomcats. The loadbalancers are terminating the ssl connection and
presumably
changing hostnames too.
But given the documentation link you gave below, it should be easy to
configure
the vhost in apache httpd (or two - one for ssl, one for non-ssl traffic)
by
setting JkEnvVar for scheme, hostname and port if necessary.
If I read http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
correctly, one could
use proxyPort, proxyName and scheme in the ajp-connector.
Bye
Felix
>
> See for instance:
>
> http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
>
> If you are using http between Apache and Tomcat (not AJP13), then there
> are connector settings for Tomcat to let the webapp know, that you are
> actually using HTTPS on the proxy.
>
> If you can't fix it like this but instead really have to parse response
> pages and replace links in them, three Apache module choices are
> mod_proxy_html (which you already mentioned), mod_substitute and
mod_sed.
>
> Regards,
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
Posted by Rainer Jung <ra...@kippdata.de>.
On 02.08.2010 06:31, Leon Kolchinsky wrote:
> Hello,
>
> I've configured Tomcat (apache-tomcat-5.5.26) to run behind Apache Http
> (v.2.2.3 ) using mod_jk.
>
> We have 2 of those Tomcat servers running on different machines.
> We also configured load balancer (CISCO CSM) which we want to use for SSL
> offloading and LB.
>
> Load balancer serves https requests and forwards them to http (on the above
> servers).
>
> The problem is that links given by apache - the generated html pages (by
> Sakai app.) appeared to include http://....
> And this is a major problem since we can't even serve forms from https URL's
> (the URL of the page is https://..... but links inside the HTML page itself
> are from http://.... format)
>
> I've been thinking to try to resolve this with ProxyHTMLURLMAp
> (mod_proxy_html) but I have no experience with this module.
>
> Can someone give me a sample syntax that I can try to include in my vhost
> configuration?
>
> Below is my virt. host configuration:
> NameVirtualHost *:80
>
> <VirtualHost *:80>
> ServerName servername.com
> ServerAdmin Leon.K@servername.com
> ServerAlias sakai-server
>
> # if not specified, the global error log is used
> ErrorLog /var/log/httpd/servername.com-error_log
> CustomLog /var/log/httpd/servername.com-access_log combined
> HostnameLookups Off
> UseCanonicalName Off
>
> # Add index.jsp to DirectoryIndex files
> DirectoryIndex index.php index.html index.htm index.shtml index.php4
> index.php3 index.phtml index.cgi index.jsp
>
> JkMount /* worker1
It might be worthwhile finding out, why sakai produces wrong links. E.g.
if you are using mod_jk to connect Apache to Tomcat, and you are talking
HTTPS to Apache, then the calls the isSecure(), getScheme(),
getProtocol() will return the information as seen by Apache, so the
webapp is able to find out that https is used and it seems to be a bug
in sakai.
See for instance:
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
If you are using http between Apache and Tomcat (not AJP13), then there
are connector settings for Tomcat to let the webapp know, that you are
actually using HTTPS on the proxy.
If you can't fix it like this but instead really have to parse response
pages and replace links in them, three Apache module choices are
mod_proxy_html (which you already mentioned), mod_substitute and mod_sed.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org