Posted to users@httpd.apache.org by Timo Meinen <ti...@googlemail.com> on 2010/04/28 11:22:00 UTC

[users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects

Hi,

I have a problem with our reverse proxy. I asked this question on the
tomcat-users mailing list, too, but no one could help me and I am
absolutely stuck with this problem. So, I hope some of the httpd
experts here may have an idea:

Our configuration is an Apache 2.2 web server, acting as a reverse
proxy for Tomcat 6. This is the configuration:

ServerName it.localhost.de
ProxyPass               /       ajp://127.0.0.1:8009/spike/
ProxyPassReverse        /       ajp://127.0.0.1:8009/spike/
ProxyPassReverseCookiePath      /spike  /

(This is the configuration in the VirtualHost entry for port 80. There
is a second VHost for SSL with SSLProxyEngine On and SSLEngine On).

As you can see, the webapp is hosted under ContextPath /spike but
available through the proxy via /. Everything works fine until the
webapp sends a redirect to HTTPS. This is done via SpringSecurity.
The problem is that the ProxyPassReverse directive doesn't catch the
ContextPath and convert it, if it includes the complete address.
These are the logs from the web browser:

GET http://it.localhost.de/users/65 => 302 =>
https://it.localhost.de/spike/users/65

1) Why doesn't ProxyPassReverse convert the /spike back to /
in https://it.localhost.de/spike/users/65? Is it because the header
isn't relative? The protocol is still AJP and so the proxy should know
how to convert it, right?
1a) If so, how could the webapp switch from http to https and vice
versa, when it is not able to send the absolute address with a new protocol?

After this, I tried to set additional ProxyPassReverse directives:

ProxyPassReverse    /    https://it.localhost.de/spike/
ProxyPassReverse    /    http://it.localhost.de/spike/

This time, the /spike/ is converted to /, but the two directives lead
to an infinite loop of redirects to
http://it.localhost.de/<REQUEST-URI>.

2) How can I stop this loop? or better
3) How can I configure the ProxyPassReverse correctly?

Thank you very much for any help
Timo

Here is the debug information from httpd:

[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(239): proxy: APR_BUCKET_IS_EOS
[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(244): proxy: data to read (max 8186 at 4)
[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(259): proxy: got 0 bytes of data
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header: ajp_ilink_received 04
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got 04
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(491): ajp_unmarshal_response: status = 302
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(502): ajp_unmarshal_response: Number of headers is = 2
[Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(1071): ppr: real: ajp://127.0.0.1:9091/spike/
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564): ajp_unmarshal_response: Header[0] [Location] = [https://it.localhost.de/spike/users/3]
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564): ajp_unmarshal_response: Header[1] [Content-Length] = [0]
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header: ajp_ilink_received 05
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got 05
[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(498): proxy: got response from 127.0.0.1:9091 (127.0.0.1)
[Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(2062): proxy: AJP: has released connection for (127.0.0.1)
[Tue Apr 27 16:54:39 2010] [info] Initial (No.1) HTTPS request received for child 9 (server it.localhost.de:80)
[Tue Apr 27 16:54:44 2010] [debug] mod_proxy_ajp.c(45): proxy: AJP: canonicalising URL //127.0.0.1:9091/spike/spike/users/3
[Tue Apr 27 16:54:44 2010] [debug] proxy_util.c(1488): [client 85.183.135.210] proxy: ajp: found worker ajp://127.0.0.1:9091/spike/ for ajp://127.0.0.1:9091/spike/spike/users/3, referer: http://it.localhost.de/


Problem is that the "ajp_unmarshal_response: Header[0] [Location] =
[https://it.localhost.de/spike/users/3]" doesn't remove the /spike in
the response, so that the next request will lead to the
doubled-context-path: ajp://127.0.0.1:9091/spike/spike/users/3.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects

Posted by Timo Meinen <ti...@googlemail.com>.
Yes, you're right. But why did the

ProxyPassReverse / https://it.localhost.de/spike

lead to a circularity?



2010/4/29 Nick Kew <ni...@webthing.com>:
>
> On 29 Apr 2010, at 13:26, Timo Meinen wrote:
>
>> Anyhow, why doesn't mod_proxy recognize the Location header? I
>> think it should treat ('convert') this header like any other. Is it a
>> bug?
>
> IIRC your ProxyPassReverse didn't match the Location
> (one being ajp:, the other http or https).
>
> --
> Nick Kew


Re: [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects

Posted by Nick Kew <ni...@webthing.com>.
On 29 Apr 2010, at 13:26, Timo Meinen wrote:

> Anyhow, why doesn't mod_proxy recognize the Location header? I
> think it should treat ('convert') this header like any other. Is it a
> bug?

IIRC your ProxyPassReverse didn't match the Location
(one being ajp:, the other http or https).

-- 
Nick Kew



Re: [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects

Posted by Timo Meinen <ti...@googlemail.com>.
Hi Nick,

thank you so much! This brought me to the solution to my problem. And
mod_headers was the last piece of the puzzle.

To rewrite the Location header to another context-path all I had to do
was this directive:

Header edit Location ^([^/]*//[^/]*)?/spike/(.*)$ $1/$2


Anyhow, why doesn't mod_proxy recognize the Location header? I
think it should treat ('convert') this header like any other. Is it a
bug?

Best regards,
Timo
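
An added example, not code from this thread or from httpd: a simplified Python model of the two rewrites discussed here. It shows why the ajp:// ProxyPassReverse mapping leaves the absolute https:// Location alone, why the extra http/https mappings on the port 80 VirtualHost loop, and what the posted Header edit pattern does. The prefix-match model of ProxyPassReverse, the stand-in webapp, the host-pinned PINNED pattern and the other.example value are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

HOST = "it.localhost.de"   # front-end host name from the thread
CONTEXT = "/spike"         # Tomcat context path from the thread

# (fake path, real prefix) pairs, as in the ProxyPassReverse lines quoted above
AJP_ONLY = [("/", "ajp://127.0.0.1:8009/spike/")]
WITH_HTTP_AND_HTTPS = AJP_ONLY + [
    ("/", "https://it.localhost.de/spike/"),
    ("/", "http://it.localhost.de/spike/"),
]

def proxy_pass_reverse(location, mappings, req_scheme, req_host=HOST):
    """Simplified model (assumption): prefix-match Location against each real
    prefix; on a match rebuild the URL from the CURRENT request's scheme and
    host, as httpd does via ap_construct_url()."""
    for fake, real in mappings:
        if location.lower().startswith(real.lower()):
            return f"{req_scheme}://{req_host}{fake}{location[len(real):]}"
    return location  # nothing matched: the header passes through untouched

# Pattern from the thread's "Header edit Location ... $1/$2" directive
POSTED = re.compile(r"^([^/]*//[^/]*)?/spike/(.*)$")
# Hypothetical stricter variant that only touches this proxy's own host
PINNED = re.compile(r"^(https?://it\.localhost\.de(?::\d+)?)?/spike/(.*)$")

def header_edit(location, pattern=POSTED):
    """Model of 'Header edit Location <pattern> $1/$2' (first match only)."""
    return pattern.sub(lambda m: (m.group(1) or "") + "/" + m.group(2),
                       location, count=1)

def backend_redirect(scheme, backend_path):
    """Constructed stand-in for the webapp: plain-HTTP requests get an
    absolute https:// Location that still contains the context path."""
    return f"https://{HOST}{backend_path}" if scheme == "http" else None

def browse(url, rewrite, max_hops=5):
    """Follow redirects through the modelled proxy.
    Returns (outcome, list of paths the backend was asked for)."""
    seen, backend_paths = set(), []
    for _ in range(max_hops):
        if url in seen:
            return "redirect loop", backend_paths
        seen.add(url)
        parts = urlsplit(url)
        backend_path = CONTEXT + parts.path          # ProxyPass / -> .../spike/
        backend_paths.append(backend_path)
        location = backend_redirect(parts.scheme, backend_path)
        if location is None:                         # served over HTTPS
            doubled = backend_path.startswith(CONTEXT + CONTEXT + "/")
            return ("doubled context path" if doubled else "ok"), backend_paths
        url = rewrite(location, parts.scheme)
    return "too many hops", backend_paths

START = "http://it.localhost.de/users/65"

def scenarios():
    """Outcome of the three configurations discussed in the thread."""
    return {
        "ajp mapping only": browse(
            START, lambda loc, s: proxy_pass_reverse(loc, AJP_ONLY, s)),
        "extra http/https mappings": browse(
            START, lambda loc, s: proxy_pass_reverse(loc, WITH_HTTP_AND_HTTPS, s)),
        "ajp mapping + Header edit": browse(
            START, lambda loc, s: header_edit(proxy_pass_reverse(loc, AJP_ONLY, s))),
    }

if __name__ == "__main__":
    for name, (outcome, paths) in scenarios().items():
        print(f"{name:28} {outcome:22} {paths}")
    for loc in ("/spike/users/3", "https://other.example/spike/x"):  # constructed
        print(loc, "->", header_edit(loc), "|", header_edit(loc, PINNED))
```

The posted pattern also strips /spike/ from a Location that points at a different host; the pinned variant leaves such a redirect unchanged.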




Re: [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects

Posted by Timo Meinen <ti...@googlemail.com>.
Hi Nick,

thank you for your mail. Both VHosts have the same proxy config,
except for the 'SSLProxyEngine ON' directive. I will try the
mod_headers fix.

Btw: Is the SSLProxyEngine directive necessary, when routing all the
traffic via AJP? Is it correct, that the AJP connection is always
unencrypted here?

Thanks
Timo

2010/4/29 Nick Kew <ni...@webthing.com>:
> On Wed, 28 Apr 2010 11:22:00 +0200
> Timo Meinen <ti...@googlemail.com> wrote:
>
>> ServerName it.localhost.de
>> ProxyPass               /       ajp://127.0.0.1:8009/spike/
>> ProxyPassReverse        /       ajp://127.0.0.1:8009/spike/
>> ProxyPassReverseCookiePath      /spike  /
>>
>> (This is the configuration in the VirtualHost entry for port 80. There
>> is a second VHost for SSL with SSLProxyEngine On and SSLEngine On).
>
> Do both virtualhosts have the same proxy config?
>
> You may be experiencing a variant on the problem described in
> http://svn.haxx.se/users/archive-2006-03/0549.shtml
> If so, the fix is "Header edit" from mod_headers.
>
> --
> Nick Kew


Re: [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects

Posted by Nick Kew <ni...@webthing.com>.
On Wed, 28 Apr 2010 11:22:00 +0200
Timo Meinen <ti...@googlemail.com> wrote:

> ServerName it.localhost.de
> ProxyPass               /       ajp://127.0.0.1:8009/spike/
> ProxyPassReverse        /       ajp://127.0.0.1:8009/spike/
> ProxyPassReverseCookiePath      /spike  /
> 
> (This is the configuration in the VirtualHost entry for port 80. There
> is a second VHost for SSL with SSLProxyEngine On and SSLEngine On).

Do both virtualhosts have the same proxy config?

You may be experiencing a variant on the problem described in
http://svn.haxx.se/users/archive-2006-03/0549.shtml
If so, the fix is "Header edit" from mod_headers.

-- 
Nick Kew



Re: [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects

Posted by Timo Meinen <ti...@googlemail.com>.
Hi,

Yes, SSLProxyEngine On is activated in the SSL VirtualHost. But this
doesn't help.

Timo

2010/4/28 Arunkumar Janarthanan <ar...@gmail.com>:
> Hi,
>
> Did you try the "sslProxyEngine On"? However, I have got the specific error
> in my Apache log stating have to check this one.
>
> Hope this helps.
>
> Best Regards,
> Arun Janarthanan



-- 
Glück Auf
Timo



Re: [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects

Posted by Arunkumar Janarthanan <ar...@gmail.com>.
Hi,

Did you try the "sslProxyEngine On"? However, I have got the specific error
in my Apache log stating have to check this one.

Hope this helps.

Best Regards,
Arun Janarthanan


Re: [users@httpd] ReverseProxy for Tomcat (AJP) not working for SSL redirects

Posted by Mauri <la...@gmail.com>.
Hi Timo.

I don't know the AJP protocol, but I have a similar configuration.
This is my configuration that works fine with Apache, mod_proxy as frontend
and a Tomcat 6 with SSL (8443) as backend.
You don't set the end point (spike/) but only
the ProxyPass. I'm using other modules, also.
Please check my configuration. I hope it can help you.
Read this tutorial, it's very useful:
http://www.apachetutor.org/admin/reverseproxies

Cheers,
Mauri

LoadModule ssl_module modules/mod_ssl.so
LoadFile   /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
LoadModule headers_module    modules/mod_headers.so

AddType application/x-httpd-php .amf
AddType video/x-ms-asf asf asx
AddType audio/x-ms-wma .wma
AddType  application/octet-stream  .doc .xls .pdf
AddType application/x-shockwave-flash  swf

Listen 443
Listen 80
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost mydomain.com:443
<VirtualHost mydomain.com:443>
ServerName mydomain.com
ProxyRequests off
ProxyPass / https://10.173.90.167:8443/
ProxyHTMLURLMap https://10.173.90.167:8443 /
<Location />
        ProxyPassReverse https://10.173.90.167:8443/
        ProxyHTMLEnable On
        ProxyHTMLURLMap  /      /
        RequestHeader    unset  Accept-Encoding
</Location>
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/cert/certificate.cer
SSLCertificateKeyFile /etc/httpd/cert/certificate.key
SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>



