Posted to users@httpd.apache.org by Herb Burnswell <he...@gmail.com> on 2018/02/26 19:50:42 UTC
[users@httpd] mod_proxy - sticky sessions configuration help
All,
I am setting up a frontend HTTPD load balancer to a backend Tomcat
application using mod_proxy. I have not done so previously and am looking
for some guidance. Here is a diagram of what it will look like:
+---------------------+
| Firewall Public |
+---------------------+
+-------------------------------------------+
| +------+ +-------+ +-------+ |
| | httpd| | httpd | | httpd | |
| | 1 | | 2 | | 3 | |
| +------+ +-------+ +-------+ |
+-------------------------------------------+
+----------------------+
| Firewall Private |
+----------------------+
+---------------------------------------------+
| +--------+ +---------+ +--------+ |
| | tomcat | |tomcat | |tomcat| |
| | 1 | | 2 | | 3 | |
| +--------+ +---------+ +--------+ |
+---------------------------------------------+
The HTTPD 1-3 servers are in a DMZ subnet and will proxy back to internal
Tomcat application on a different subnet. I had this working without
sticky sessions (which are needed) but now when I try to set up the
configuration with sticky sessions I receive a 500 error in a browser.
Here is what I receive in the logs:
access_log:
10.37.11.14 - - [26/Feb/2018:09:48:34 -0800] "GET /favicon.ico HTTP/1.1"
500 527 "https://app.example.com/login.jsp" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186
Safari/537.36" "C1A3CF4AB2A4E8952C259E2F1B97A203.node1"
error_log:
[Mon Feb 26 09:48:34.714703 2018] [proxy:warn] [pid 37884] [client
10.37.11.14:53267] AH01144: No protocol handler was valid for the URL
/favicon.ico. If you are using a DSO version of mod_proxy, make sure the
proxy submodules are included in the configuration using LoadModule.,
referer: https://app.example.com/login.jsp
I believe the favicon.ico 'error' is benign, but if it is I'd like to
suppress it. But I do receive a standard 500 error in the browser.
The 'login.jsp' is a redirect from the backend application. If I go
directly to one of the application servers:
https://app1.example.com:9009
The page loads properly and gives the following URL in the browser:
https://app1.example.com:9009/login.jsp
Here is the complete httpd.conf file. I only want the proxy to listen on
port 443. This system will only function as a DMZ proxy to the backend
application. Ideally the configuration is as minimal as possible with no
extra/unnecessary directives:
Listen 443 https
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
AllowOverride none
Require all denied
</Directory>
ErrorLog "logs/error_log"
TransferLog "logs/access_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{JSESSIONID}C\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ServerName app.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/cert.crt
<Proxy balancer://mycluster>
BalancerMember https://app1.example.com:9009 route=node1
BalancerMember https://app2.example.com:9009 route=node2
ProxySet lbmethod=bybusyness
</Proxy>
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / balancer://mycluster stickysession=JSESSIONID
ProxyPassReverse / balancer://mycluster stickysession=JSESSIONID
</VirtualHost>
Any guidance is greatly appreciated. Thanks in advance..
HB
Re: [users@httpd] mod_proxy - sticky sessions configuration help
Posted by Herb Burnswell <he...@gmail.com>.
Eric - Thanks for the suggestion about logging %f in the access log. It
did in fact point to the issue.
It ended up that I needed an ending '/' on my ProxyPass and
ProxyPassReverse directives:
ProxyPass / balancer://mycluster/ stickysession=JSESSIONID
ProxyPassReverse / balancer://mycluster/ stickysession=JSESSIONID
This allowed things to work as expected.
Thanks again.
Does anyone have any suggestions/best practices on the rest of the
httpd.conf file?
HB
On Mon, Feb 26, 2018 at 12:13 PM, Herb Burnswell <
herbert.burnswell@gmail.com> wrote:
> Thanks Eric.
>
> Rewrite rules on the HTTPD side or the backend Tomcat application? There
> are no other rewrite rules that I am aware of.
>
> HB
>
> On Mon, Feb 26, 2018 at 11:54 AM, Eric Covener <co...@gmail.com> wrote:
>
>> Do you have a separate set of rewriterules somewhere that might also
>> be proxying? Logging %f in the access log LogFormat may also help.
>>
>
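The trailing-slash fix described in the message above, as an added example that is not part of the original posts: a small Python check that uses a simplified model of ProxyPass prefix mapping to show which URL a request maps to without the trailing slash, and that also flags the backend TLS checks the posted configuration switches off. The names map_url, lint and WEAK_TLS are hypothetical, the sample is constructed from the directives in the thread, and directives are assumed to sit at server or virtual-host level.

```python
# Constructed sample: the proxy directives from the first message in the thread.
SAMPLE_CONF = """\
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / balancer://mycluster stickysession=JSESSIONID
ProxyPassReverse / balancer://mycluster stickysession=JSESSIONID
"""

# Values that switch off a check on the backend (proxy-side) TLS connection.
WEAK_TLS = {
    "sslproxyverify": "none",
    "sslproxycheckpeercn": "off",
    "sslproxycheckpeername": "off",
    "sslproxycheckpeerexpire": "off",
}

def map_url(path, target, request_uri):
    """Simplified model of ProxyPass: the matched prefix is swapped for the target."""
    if not request_uri.startswith(path):
        return None
    return target + request_uri[len(path):]

def lint(conf):
    """Return (line number, directive, message) for each finding (hypothetical helper)."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), parts[1:]
        if name in ("proxypass", "proxypassreverse") and len(args) >= 2 and "://" in args[1]:
            path, target = args[0], args[1]
            # A path ending in "/" needs a target ending in "/", and vice versa.
            if path.endswith("/") != target.endswith("/"):
                probe = path.rstrip("/") + "/favicon.ico"
                msg = "trailing-slash mismatch: %s maps to %s" % (probe, map_url(path, target, probe))
                findings.append((lineno, parts[0], msg))
        elif name in WEAK_TLS and args and args[0].lower() == WEAK_TLS[name]:
            findings.append((lineno, parts[0], "backend TLS check disabled"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("line %d: %s: %s" % finding)
```

With the original directives, /favicon.ico maps to balancer://myclusterfavicon.ico, which names no configured balancer; with the trailing slash it maps to balancer://mycluster/favicon.ico.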
Re: [users@httpd] mod_proxy - sticky sessions configuration help
Posted by Herb Burnswell <he...@gmail.com>.
Thanks Eric.
Rewrite rules on the HTTPD side or the backend Tomcat application? There
are no other rewrite rules that I am aware of.
HB
On Mon, Feb 26, 2018 at 11:54 AM, Eric Covener <co...@gmail.com> wrote:
> Do you have a separate set of rewriterules somewhere that might also
> be proxying? Logging %f in the access log LogFormat may also help.
>
Re: [users@httpd] mod_proxy - sticky sessions configuration help
Posted by Eric Covener <co...@gmail.com>.
Do you have a separate set of rewriterules somewhere that might also
be proxying? Logging %f in the access log LogFormat may also help.