You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Herb Burnswell <he...@gmail.com> on 2018/02/26 19:50:42 UTC

[users@httpd] mod_proxy - sticky sessions configuration help

All,

I am setting up a frontend HTTPD load balancer to a backend Tomcat
application using mod_proxy.  I have not done so previously and am looking
for some guidance.  Here is a diagram of what it will look like:

+---------------------+
|   Firewall Public   |
+---------------------+
+-------------------------------------------+
|      +------+   +-------+  +-------+      |
|      | httpd|   | httpd |  | httpd   |      |
|      |    1 |       |   2   |  |   3       |      |
|      +------+   +-------+  +-------+      |
+-------------------------------------------+
+----------------------+
|   Firewall Private   |
+----------------------+
+---------------------------------------------+
|    +--------+  +---------+  +--------+      |
|    | tomcat |  |tomcat   |  |tomcat|      |
|    |   1       |  |    2      |  |   3        |      |
|    +--------+  +---------+  +--------+      |
+---------------------------------------------+

The HTTPD 1-3 servers are in a DMZ subnet and will proxy back to internal
Tomcat application on a different subnet.  I had this working without
sticky sessions (which are needed) but now when I try to set up the
configuration with sticky sessions I receive a 500 error in a browser.


Here is what I receive in the logs:

access_log:

10.37.11.14 - - [26/Feb/2018:09:48:34 -0800] "GET /favicon.ico HTTP/1.1"
500 527 "https://app.example.com/login.jsp" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186
Safari/537.36" "C1A3CF4AB2A4E8952C259E2F1B97A203.node1"

error_log:

[Mon Feb 26 09:48:34.714703 2018] [proxy:warn] [pid 37884] [client
10.37.11.14:53267] AH01144: No protocol handler was valid for the URL
/favicon.ico. If you are using a DSO version of mod_proxy, make sure the
proxy submodules are included in the configuration using LoadModule.,
referer: https://app.example.com/login.jsp


I believe the favicon.ico 'error' is benign, but if it is I'd like to
supress it.  But I do receive a standard 500 error in the browser.

The 'login.jsp' is a redirect from the backend application.  If I go
directly to one of the application servers:

https://app1.example.com:9009

The page loads properly and gives the following URL in the browser:

https://app1.example.com:9009/login.jsp


Here is the complete httpd.conf file.  I only want the proxy to listen on
port 443.  This system will only function as a DMZ proxy to the backend
application.  Ideally the configuration is as minimal as possible with no
extra/unnecessary directives:



Listen 443 https

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

ErrorLog        "logs/error_log"
TransferLog     "logs/access_log"
LogLevel        warn

<IfModule log_config_module>

        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\" \"%{JSESSIONID}C\"" combined
        LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>

        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\" %I %O" combinedio

    </IfModule>

        CustomLog "logs/access_log" combined

</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>

    MIMEMagicFile conf/magic

</IfModule>

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

<VirtualHost _default_:443>

        ServerName app.example.com

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

        SSLCertificateFile /etc/pki/tls/certs/cert.crt

<Proxy balancer://mycluster>

        BalancerMember https://app1.example.com:9009 route=node1
        BalancerMember https://app2.example.com:9009 route=node2
        ProxySet lbmethod=bybusyness

</Proxy>

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

ProxyPass / balancer://mycluster stickysession=JSESSIONID
ProxyPassReverse / balancer://mycluster stickysession=JSESSIONID

</VirtualHost>

Any guidance is greatly appreciated.  Thanks in advance..

HB

Re: [users@httpd] mod_proxy - sticky sessions configuration help

Posted by Herb Burnswell <he...@gmail.com>.

Eric - Thanks for the suggestion about logging %f in the access log.  It
did in fact point to the issue.

It ended up that I needed an ending '/' on my ProxyPass and
ProxyPassReverse directives:

ProxyPass / balancer://mycluster/ stickysession=JSESSIONID
ProxyPassReverse / balancer://mycluster/ stickysession=JSESSIONID

This allowed things to work as expected.

Thanks again.

Does anyone have any suggestions/best practices on the rest of the
httpd.conf file?

HB


On Mon, Feb 26, 2018 at 12:13 PM, Herb Burnswell <
herbert.burnswell@gmail.com> wrote:

> Thanks Eric.
>
> Rewrite rules on the HTTPD side or the backend Tomcat application?  There
> are no other rewrite rules that I am aware of.
>
> HB
>
> On Mon, Feb 26, 2018 at 11:54 AM, Eric Covener <co...@gmail.com> wrote:
>
>> Do you have a separate set of rewriterules somewhere that might also
>> be proxying?  Logging %f in the access log LogFormat may also help.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>

Re: [users@httpd] mod_proxy - sticky sessions configuration help

Posted by Herb Burnswell <he...@gmail.com>.

Thanks Eric.

Rewrite rules on the HTTPD side or the backend Tomcat application?  There
are no other rewrite rules that I am aware of.

HB

On Mon, Feb 26, 2018 at 11:54 AM, Eric Covener <co...@gmail.com> wrote:

> Do you have a separate set of rewriterules somewhere that might also
> be proxying?  Logging %f in the access log LogFormat may also help.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd] mod_proxy - sticky sessions configuration help

Posted by Eric Covener <co...@gmail.com>.

Do you have a separate set of rewriterules somewhere that might also
be proxying?  Logging %f in the access log LogFormat may also help.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org