Posted to users@httpd.apache.org by Melanie Pfefer <me...@yahoo.co.uk> on 2008/04/11 09:48:39 UTC

[users@httpd] url proxying

Hi everybody,

I want to enable proxying from apache to a tomcat application running on ssl.

Redirection is working:
RewriteRule /abc/  https://remoteserver:8443/abc/ [R=301,L]


But proxying is not:
RewriteRule /abc/  https://remoteserver:8443/abc/ [P,L]

In redirection:
http://myapache/abc/ goes to https://remoteserver:8443/abc/ but this is shown in the url which is not my intention.

Any idea how to fix the proxying?
thanks




      ___________________________________________________________ 
Yahoo! For Good helps you make a difference  

http://uk.promotions.yahoo.com/forgood/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] apache does not preserve user session of tomcat

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
hi Krist,
indeed enabling ssl on front-end solved the problem. thx


--- On Mon, 21/4/08, Krist van Besien <kr...@gmail.com> wrote:

> From: Krist van Besien <kr...@gmail.com>
> Subject: Re: [users@httpd] apache does not preserve user session of tomcat
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Monday, 21 April, 2008, 8:57 PM
> On Mon, Apr 21, 2008 at 6:26 PM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> > or should I install ssl on apache? this way, the secure cookie will go to ssl channel also. Will it solve the problem?
>
> Of course you can configure your apache server to use ssl. This will
> probably solve your problem. But I thought that you needed to convert
> http to https for some reason.
>
> Normally one would run the tomcat server in http only, and leave https
> entirely to the apache server. This is a lot easier to configure.
> 
> Krist
> 
> 


Re: [users@httpd] apache does not preserve user session of tomcat

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Apr 21, 2008 at 6:26 PM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:
> or should I install ssl on apache? this way, the secure cookie will go to ssl channel also. Will it solve the problem?

Of course you can configure your apache server to use ssl. This will
probably solve your problem. But I thought that you needed to convert
http to https for some reason.

Normally one would run the tomcat server in http only, and leave https
entirely to the apache server. This is a lot easier to configure.

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] apache does not preserve user session of tomcat

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
or should I install ssl on apache? this way, the secure cookie will go to ssl channel also. Will it solve the problem?
thx


--- On Mon, 21/4/08, Krist van Besien <kr...@gmail.com> wrote:

> From: Krist van Besien <kr...@gmail.com>
> Subject: Re: [users@httpd] apache does not preserve user session of tomcat
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Monday, 21 April, 2008, 6:55 PM
> On Mon, Apr 21, 2008 at 4:16 PM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> > hi Krist,
> >
> >
> >  In LiveHTTPHeaders:
> >
> >  Set-Cookie: JSESSIONID=2637CA3EADF9422597DF276AE1846E55; Path=/abc; Secure
> >
> >  So I guess this means that the session is "secure". and from what you have said, the browser cannot send this cookie over http.
>
> The browser will indeed not send this cookie back to the server, and
> thus the session is lost. I do not know of any solution other than
> configuring your webapp not to send "secure" cookies... But maybe
> someone else has an idea.
> 
> Krist
> 
> 
> 


Re: [users@httpd] apache does not preserve user session of tomcat

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Apr 21, 2008 at 4:16 PM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:
> hi Krist,
>
>
>  In LiveHTTPHeaders:
>
>  Set-Cookie: JSESSIONID=2637CA3EADF9422597DF276AE1846E55; Path=/abc; Secure
>
>  So I guess this means that the session is "secure". and from what you have said, the browser cannot send this cookie over http.

The browser will indeed not send this cookie back to the server, and
thus the session is lost. I do not know of any solution other than
configuring your webapp not to send "secure" cookies... But maybe
someone else has an idea.

Krist



-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] apache does not preserve user session of tomcat

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
hi Krist,


In LiveHTTPHeaders:

Set-Cookie: JSESSIONID=2637CA3EADF9422597DF276AE1846E55; Path=/abc; Secure

So I guess this means that the session is "secure". and from what you have said, the browser cannot send this cookie over http.

If the above reasoning is true, what are the alternatives?
thanks in advance



--- On Mon, 21/4/08, Krist van Besien <kr...@gmail.com> wrote:

> From: Krist van Besien <kr...@gmail.com>
> Subject: Re: [users@httpd] apache does not preserve user session of tomcat
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Monday, 21 April, 2008, 4:09 PM
> On Mon, Apr 21, 2008 at 2:21 PM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> 
> >  Before editing httpd.conf, on the tomcat side: how to set the correct cookiedomain in the webapp?
>
> How to set this in the webapp I can't know, as I'm not a webapp
> specialist. But I have to deal with similar problems you have all the
> time.
> What I'd suggest is look at what exactly the server sends, and what
> the browser does with it. You can use firefox, and an extension like
> LiveHTTPHeaders to see exactly what gets sent by the server and by the
> browser. This will allow to see what the cookie looks like that gets
> sent.
> There is another thing I remembered. You are proxying http to https.
> Now it is possible that the cookie that your tomcat generates (and
> passes to the browser) is a "secure" cookie. Some java webapps do this
> by default if accessed over https. A browser will never send such a
> cookie over a non-secure connection. So if you access your webapp via
> your apache server the browser gets its cookie, but never sends it
> back, on subsequent requests, so the session info gets lost. You can
> verify this using LiveHTTPHeaders.
> 
> Krist
> 


Re: [users@httpd] apache does not preserve user session of tomcat

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Apr 21, 2008 at 2:21 PM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:

>  Before editing httpd.conf, on the tomcat side: how to set the correct cookiedomain in the webapp?

How to set this in the webapp I can't know, as I'm not a webapp
specialist. But I have to deal with similar problems you have all the
time.
What I'd suggest is look at what exactly the server sends, and what
the browser does with it. You can use firefox, and an extension like
LiveHTTPHeaders to see exactly what gets sent by the server and by the
browser. This will allow to see what the cookie looks like that gets
sent.
There is another thing I remembered. You are proxying http to https.
Now it is possible that the cookie that your tomcat generates (and
passes to the browser) is a "secure" cookie. Some java webapps do this
by default if accessed over https. A browser will never send such a
cookie over a non-secure connection. So if you access your webapp via
your apache server the browser gets its cookie, but never sends it
back, on subsequent requests, so the session info gets lost. You can
verify this using LiveHTTPHeaders.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] apache does not preserve user session of tomcat

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
Hi Krist,

Tomcat sends session ids in cookies to the user. The developers haven’t set any domain values. They are just using tomcat as is. 

Everything works as expected when using the webapp directly on the tomcat server.

Before editing httpd.conf, on the tomcat side: how to set the correct cookiedomain in the webapp?

Thanks.



--- On Mon, 21/4/08, Krist van Besien <kr...@gmail.com> wrote:

> From: Krist van Besien <kr...@gmail.com>
> Subject: Re: [users@httpd] apache does not preserve user session of tomcat
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Monday, 21 April, 2008, 2:32 PM
> On Mon, Apr 21, 2008 at 8:57 AM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> > hi again,
> >
> >  I am using apache as a reverse proxy to a tomcat server running ssl. In httpd.conf:
> >
> >  SSLProxyEngine On
> >  SSLProxyCACertificatePath /usr/local/apache2/conf/ssl
> >  RewriteRule ^/(abc.*) https://backend:8443/$1 [P,L]
> >
> >  and url proxying is working.
> >  however I noticed that the tomcat user session is not preserved. How to preserve the user session?
>
> That depends. What does tomcat use to preserve the user session? Does
> everything work as expected when using the  webapp directly on the
> tomcat server?
>
> What it might be is that your webapp sends a cookie, but not with the
> right cookiedomain set. In this case the client's browser will not
> send the cookie back, and your webapp won't know who the request comes
> from.
>
> Possible solutions:
> - Ask the developers to set the correct cookiedomain in the webapp.
> - You may need to set the ProxyPassReverseCookieDomain and
> ProxyPassReverseCookiePath directives. See:
> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassreversecookiedomain
> 
> Krist
> 
> 


Re: [users@httpd] apache does not preserve user session of tomcat

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Apr 21, 2008 at 8:57 AM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:
> hi again,
>
>  I am using apache as a reverse proxy to a tomcat server running ssl. In httpd.conf:
>
>  SSLProxyEngine On
>  SSLProxyCACertificatePath /usr/local/apache2/conf/ssl
>  RewriteRule ^/(abc.*) https://backend:8443/$1 [P,L]
>
>  and url proxying is working.
>  however I noticed that the tomcat user session is not preserved. How to preserve the user session?

That depends. What does tomcat use to preserve the user session? Does
everything work as expected when using the  webapp directly on the
tomcat server?

What it might be is that your webapp sends a cookie, but not with the
right cookiedomain set. In this case the client's browser will not
send the cookie back, and your webapp won't know who the request comes
from.

Possible solutions:
- Ask the developers to set the correct cookiedomain in the webapp.
- You may need to set the ProxyPassReverseCookieDomain and
ProxyPassReverseCookiePath directives. See:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassreversecookiedomain

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
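
The cookie checks discussed in this thread (the Secure flag, the cookie domain and the cookie path), as an added example that is not part of the original posts: a simplified Python model of a browser's decision to send a cookie back, run against the Set-Cookie header quoted in the thread. The page name index.jsp, the Domain=backend header, the reason codes and all function names are constructed for illustration; the matching rules are reduced from RFC 6265, and the path rewrite models ProxyPassReverseCookiePath for the exact-match case only.

```python
from urllib.parse import urlsplit

# Header quoted in the thread (seen with LiveHTTPHeaders).
THREAD_COOKIE = "JSESSIONID=2637CA3EADF9422597DF276AE1846E55; Path=/abc; Secure"
# Constructed header: a webapp that sets its own backend host name as Domain.
DOMAIN_COOKIE = "JSESSIONID=CONSTRUCTED; Domain=backend; Path=/abc"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs); flags map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def default_path(url_path):
    """Cookie path assumed when no Path attribute is sent (RFC 6265, 5.1.4)."""
    if not url_path.startswith("/") or url_path.count("/") == 1:
        return "/"
    return url_path[: url_path.rfind("/")]


def path_matches(request_path, cookie_path):
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def domain_matches(host, cookie_domain):
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def why_not_returned(set_cookie, set_url, next_url):
    """Reasons the browser withholds the cookie on next_url ([] means it is sent)."""
    _, _, attrs = parse_set_cookie(set_cookie)
    origin, nxt = urlsplit(set_url), urlsplit(next_url)
    reasons = []

    domain = attrs.get("domain")
    if isinstance(domain, str):
        if not domain_matches(origin.hostname, domain):
            reasons.append("domain-rejected")   # the browser never stores it
        elif not domain_matches(nxt.hostname, domain):
            reasons.append("domain-mismatch")
    elif nxt.hostname != origin.hostname:
        reasons.append("host-only-mismatch")

    path = attrs.get("path")
    if not isinstance(path, str) or not path.startswith("/"):
        path = default_path(origin.path)
    if not path_matches(nxt.path or "/", path):
        reasons.append("path-mismatch")

    if attrs.get("secure") and nxt.scheme != "https":
        reasons.append("secure-over-http")
    return reasons


def rewrite_cookie_path(set_cookie, internal, public):
    """Model of 'ProxyPassReverseCookiePath internal public' (exact match only)."""
    out = []
    for part in set_cookie.split(";"):
        key, _, val = part.strip().partition("=")
        hit = key.lower() == "path" and val == internal
        out.append(" Path=" + public if hit else part)
    return ";".join(out)


if __name__ == "__main__":
    cases = [
        ("http front end, /abc/", THREAD_COOKIE, "http://myapache/abc/"),
        ("https front end, /abc/", THREAD_COOKIE, "https://myapache/abc/"),
        ("https front end, /psc-web/", THREAD_COOKIE, "https://myapache/psc-web/"),
        ("https, /psc-web/, path rewritten",
         rewrite_cookie_path(THREAD_COOKIE, "/abc", "/psc-web"),
         "https://myapache/psc-web/"),
        ("https, Domain=backend", DOMAIN_COOKIE, "https://myapache/abc/"),
    ]
    for label, cookie, base in cases:
        print(label, "->", why_not_returned(cookie, base, base + "index.jsp") or "sent")
```
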



[users@httpd] apache does not preserve user session of tomcat

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
hi again,

I am using apache as a reverse proxy to a tomcat server running ssl. In httpd.conf:

SSLProxyEngine On
SSLProxyCACertificatePath /usr/local/apache2/conf/ssl
RewriteRule ^/(abc.*) https://backend:8443/$1 [P,L]

and url proxying is working.
however I noticed that the tomcat user session is not preserved. How to preserve the user session?

thanks!




Re: [users@httpd] url proxying

Posted by Krist van Besien <kr...@gmail.com>.
On Wed, Apr 16, 2008 at 10:23 AM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:
> Hi Krist,all
>  indeed the cause was related to redirects on the backend application. The developers fixed this issue and the url proxying is working now.
>
>
>  I appreciate your help and support. thank you.

You're welcome. Glad your problem is solved.

Krist





-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] url proxying

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
Hi Krist,all
indeed the cause was related to redirects on the backend application. The developers fixed this issue and the url proxying is working now.


I appreciate your help and support. thank you.



--- On Tue, 15/4/08, Krist van Besien <kr...@gmail.com> wrote:

> From: Krist van Besien <kr...@gmail.com>
> Subject: Re: [users@httpd] url proxying
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Tuesday, 15 April, 2008, 10:48 PM
> On Tue, Apr 15, 2008 at 9:03 PM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> >
> >  SSLProxyEngine On
> >
> > SSLProxyCACertificatePath /usr/local/apache2/conf/ssl
> >  ProxyPass /abc/ https://backend:8443/abc/
> >  #ProxyPassReverse /abc/ https://abc:8443/abc/
> >
> >  The redirects works. But proxying not.
> 
> ProxyPass does a proxy, not a redirect. Do you have a "redirect"
> directive somewhere in your config?
>
>
> >  If I commented out the last line (ProxyPassReverse), firefox gives:
> >
> >  'Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
> >  This problem can sometimes be caused by disabling or refusing to accept cookies'
>
> Well, basically something is doing a redirect. Something, probably
> your backend server. You need to find out how to either stop your
> backend server from issuing redirects, or either make your backend
> server do redirects to the correct url.
>
> Basically when you run a web application behind a reverse proxy you
> must configure it as if it was on the reverse proxy itself. How to do
> this I don't know, as you haven't shown us what is really on your
> backend.
> 
> Krist
> 


Re: [users@httpd] url proxying

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
Hi Krist,

my apache configuration does not have redirect directive. However, I noticed that the web application is doing a redirect:
https://backend:8443/abc/xxx/xxx becomes
https://backend:8443/abc/xxx:/yyy/zzz/login.jsp

The backend is a tomcat server. I am not the developer of that web application. Could it be the cause why apache can't do this proxying?

thx and appreciate your support.

--- On Tue, 15/4/08, Krist van Besien <kr...@gmail.com> wrote:

> From: Krist van Besien <kr...@gmail.com>
> Subject: Re: [users@httpd] url proxying
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Tuesday, 15 April, 2008, 10:48 PM
> On Tue, Apr 15, 2008 at 9:03 PM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> >
> >  SSLProxyEngine On
> >
> > SSLProxyCACertificatePath /usr/local/apache2/conf/ssl
> >  ProxyPass /abc/ https://backend:8443/abc/
> >  #ProxyPassReverse /abc/ https://abc:8443/abc/
> >
> >  The redirects works. But proxying not.
> 
> ProxyPass does a proxy, not a redirect. Do you have a "redirect"
> directive somewhere in your config?
>
>
> >  If I commented out the last line (ProxyPassReverse), firefox gives:
> >
> >  'Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
> >  This problem can sometimes be caused by disabling or refusing to accept cookies'
>
> Well, basically something is doing a redirect. Something, probably
> your backend server. You need to find out how to either stop your
> backend server from issuing redirects, or either make your backend
> server do redirects to the correct url.
>
> Basically when you run a web application behind a reverse proxy you
> must configure it as if it was on the reverse proxy itself. How to do
> this I don't know, as you haven't shown us what is really on your
> backend.
> 
> Krist
> 


Re: [users@httpd] url proxying

Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Apr 15, 2008 at 9:03 PM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:
>
>  SSLProxyEngine On
>
> SSLProxyCACertificatePath /usr/local/apache2/conf/ssl
>  ProxyPass /abc/ https://backend:8443/abc/
>  #ProxyPassReverse /abc/ https://abc:8443/abc/
>
>  The redirects works. But proxying not.

ProxyPass does a proxy, not a redirect. Do you have a "redirect"
directive somewhere in your config?


>  If I commented out the last line (ProxyPassReverse), firefox gives:
>
>  'Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
>  This problem can sometimes be caused by disabling or refusing to accept cookies'

Well, basically something is doing a redirect. Something, probably
your backend server. You need to find out how to either stop your
backend server from issuing redirects, or either make your backend
server do redirects to the correct url.

Basically when you run a web application behind a reverse proxy you
must configure it as if it was on the reverse proxy itself. How to do
this I don't know, as you haven't shown us what is really on your
backend.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] url proxying

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
SSLProxyEngine On
SSLProxyCACertificatePath /usr/local/apache2/conf/ssl
ProxyPass /abc/ https://backend:8443/abc/
#ProxyPassReverse /abc/ https://abc:8443/abc/

The redirects works. But proxying not.

If I commented out the last line (ProxyPassReverse), firefox gives:

'Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies'

any idea is really appreciated.
thx




--- On Tue, 15/4/08, Krist van Besien <kr...@gmail.com> wrote:

> From: Krist van Besien <kr...@gmail.com>
> Subject: Re: [users@httpd] url proxying
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Tuesday, 15 April, 2008, 11:19 AM
> On Mon, Apr 14, 2008 at 10:48 PM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> > hi
> >
> >  Whenever I use ProxyPassReverse, the page could not be displayed.
> >  ProxyPassReverse /psc-web/ https://remoteserver:8443/abc/
>
> You need both. ProxyPass and ProxyPassReverse. What might be happening
> in your case (test this using something like LiveHTTPHeaders) is that
> your webapp sends a redirect to itself as the response to the first
> request. This you can change using ProxyPassReverse.
> 
> Krist
> 
> 
> 


Re: [users@httpd] url proxying

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Apr 14, 2008 at 10:48 PM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:
> hi
>
>  Whenever I use ProxyPassReverse, the page could not be displayed.
>  ProxyPassReverse /psc-web/ https://remoteserver:8443/abc/

You need both. ProxyPass and ProxyPassReverse. What might be happening
in your case (test this using something like LiveHTTPHeaders) is that
your webapp sends a redirect to itself as the response to the first
request. This you can change using ProxyPassReverse.

Krist



-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
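
What ProxyPassReverse changes, as an added example that is not part of the original posts and not Apache's own code: a simplified Python model of its prefix match on the Location header of a backend redirect, run against the configuration lines quoted in the thread. The redirect target https://backend:8443/abc/login.jsp, the front-end base http://myapache and all function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

DIRECTIVE = re.compile(r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)", re.I)

# Configuration as posted in the thread: ProxyPassReverse is commented out.
THREAD_CONF = """\
SSLProxyEngine On
SSLProxyCACertificatePath /usr/local/apache2/conf/ssl
ProxyPass /abc/ https://backend:8443/abc/
#ProxyPassReverse /abc/ https://abc:8443/abc/
"""
# Same lines with the directive enabled as written: host "abc" is not "backend".
MISMATCHED_CONF = THREAD_CONF.replace("#ProxyPassReverse", "ProxyPassReverse")
# Constructed variant in which both directives name the same backend URL.
PAIRED_CONF = MISMATCHED_CONF.replace("https://abc:8443", "https://backend:8443")


def parse_mappings(conf_text):
    """Collect (front_path, backend_url) pairs per directive; '#' lines are skipped."""
    found = {"proxypass": [], "proxypassreverse": []}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()].append((m.group(2), m.group(3)))
    return found


def unpaired_proxypass(conf_text):
    """ProxyPass mappings that have no ProxyPassReverse with the same arguments."""
    maps = parse_mappings(conf_text)
    return [m for m in maps["proxypass"] if m not in maps["proxypassreverse"]]


def rewrite_location(location, front_base, reverse_mappings):
    """Replace a matching backend URL prefix with the front-end path, else pass through."""
    for front_path, backend_url in reverse_mappings:
        if location.startswith(backend_url):
            return front_base.rstrip("/") + front_path + location[len(backend_url):]
    return location


def exposes_backend(location, front_base):
    """True when an absolute Location sends the browser somewhere other than the proxy."""
    loc, front = urlsplit(location), urlsplit(front_base)
    return bool(loc.netloc) and (loc.scheme, loc.netloc) != (front.scheme, front.netloc)


def check(conf_text, backend_location, front_base):
    """Return (Location the browser receives, whether it points past the proxy)."""
    reverse = parse_mappings(conf_text)["proxypassreverse"]
    seen = rewrite_location(backend_location, front_base, reverse)
    return seen, exposes_backend(seen, front_base)


if __name__ == "__main__":
    redirect = "https://backend:8443/abc/login.jsp"   # constructed backend redirect
    for name, conf in [("thread", THREAD_CONF), ("mismatched", MISMATCHED_CONF),
                       ("paired", PAIRED_CONF)]:
        print(name, check(conf, redirect, "http://myapache"), unpaired_proxypass(conf))
```

A Location that still names the backend is what makes the browser's address bar change to the backend server; only the paired configuration keeps the redirect on the proxy.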



Re: [users@httpd] url proxying

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
hi

Whenever I use ProxyPassReverse, the page could not be displayed.
ProxyPassReverse /psc-web/ https://remoteserver:8443/abc/

this directive never worked...

thanks.

--- On Mon, 14/4/08, Eric Covener <co...@gmail.com> wrote:

> From: Eric Covener <co...@gmail.com>
> Subject: Re: [users@httpd] url proxying
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Monday, 14 April, 2008, 11:28 PM
> On Mon, Apr 14, 2008 at 3:44 PM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> > Hi Krist, all,
> >
> >  The url proxying is still not working: The url changes to point to the backend server.
> >
> >  ProxyRequests off
> >  RewriteEngine On
> >  SSLProxyEngine On
> >  ProxyPass /psc-web/ https://remoteserver:8443/abc/
> >  SSLProxyCACertificatePath /usr/local/apache2/conf/ssl
> 
> ProxyPassReverse?
> 
> -- 
> Eric Covener
> covener@gmail.com
> 


Re: [users@httpd] url proxying

Posted by Eric Covener <co...@gmail.com>.
On Mon, Apr 14, 2008 at 3:44 PM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:
> Hi Krist, all,
>
>  The url proxying is still not working: The url changes to point to the backend server.
>
>  ProxyRequests off
>  RewriteEngine On
>  SSLProxyEngine On
>  ProxyPass /psc-web/ https://remoteserver:8443/abc/
>  SSLProxyCACertificatePath /usr/local/apache2/conf/ssl

ProxyPassReverse?

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] url proxying

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
Hi Krist, all,

The url proxying is still not working: The url changes to point to the backend server.

ProxyRequests off
RewriteEngine On
SSLProxyEngine On
ProxyPass /psc-web/ https://remoteserver:8443/abc/
SSLProxyCACertificatePath /usr/local/apache2/conf/ssl

As stated before, the certificate has CN=remoteserver. The certificate was generated using keytool. I then issued c_rehash on ssl/ directory.

Do you have any idea on how to enable proxying?
thanks.


--- On Mon, 14/4/08, Krist van Besien <kr...@gmail.com> wrote:

> From: Krist van Besien <kr...@gmail.com>
> Subject: Re: [users@httpd] url proxying
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Monday, 14 April, 2008, 4:50 PM
> On Mon, Apr 14, 2008 at 3:43 PM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> 
> >  But when I GET the page, nothing is returned.
> 
> That "GET" isn't really that important. Probably your tomcat server
> that refuses to answer when no "host" header is present. The important
> thing you test here is that an ssl connection is possible, and that
> the certificate verifies OK using the CACerts directory you just made.
> 
> Go ahead, and configure and test your apache server.
> 
> Krist
> 
> -- 
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email
> discussions?
> 


Re: [users@httpd] url proxying

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Apr 14, 2008 at 3:43 PM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:

>  But when I GET the page, nothing is returned.

That "GET" isn't really that important. Probably your tomcat server
that refuses to answer when no "host" header is present. The important
thing you test here is that an ssl connection is possible, and that
the certificate verifies OK using the CACerts directory you just made.

Go ahead, and configure and test your apache server.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] url proxying

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
Hi Krist,
thanks for your assistance.
I exported the keystore file on remoteserver:

keytool -export -alias tomcat -rfc >  tomcat.pem
I then ftp'ed tomcat.pem to proxy server (apache) to run c_rehash as root on the ssl/ directory.

A link was created:
cc5d41ae.0 -> tomcat.pem

When doing
openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443

The CN displays the remoteserver

CONNECTED(00000004)
…
---
Certificate chain
…
---
Server certificate
-----BEGIN CERTIFICATE-----
..
---
No client certificate CA names sent
---
SSL handshake has read 1136 bytes and written 282 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 480357285859DB7A420754C6062AE334E398F8C90064E0B8E39F6C7F21753DB4
    Session-ID-ctx:
    Master-Key: BDD6FAE6136A55CE4AA4F5050ED22E318131264E2857E37D917CEF28C51094280768177BE7EC9C1044109670B44CCE61
    Key-Arg   : None
    Start Time: 1208178472
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
 
But when I GET the page, nothing is returned.

Any idea?
thanks


--- On Mon, 14/4/08, Krist van Besien <kr...@gmail.com> wrote:

> From: Krist van Besien <kr...@gmail.com>
> Subject: Re: [users@httpd] url proxying
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Monday, 14 April, 2008, 1:47 PM
> On Sun, Apr 13, 2008 at 11:32 PM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> > hi Krist, all,
> >
> >  To use c_rehash, I must have .pem and .crt files. Correct me if I am wrong please. The remote server has a self-signed certificate that was generated using keytool (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) so the file generated is .keytool. Should I generate .pem and .crt files to run c_rehash? If so, how?
> 
> You can export your certificate using keytool, like this:
> 
> keytool -export -alias tomcat -rfc >   tomcat.pem
> 
> The "-rfc" option is important, as this exports a PEM certificate.
> If your keystore is in a different location you need to add the
> -keystore <keystorefile> option. If your tomcat server uses a
> certificate with a different alias modify the -alias parameter.
> 
> For proxying via apache to work it is important that the certificate
> passes all the tests. Normally when you connect your browser to a https
> server with a self signed certificate, or when something else is wrong
> a dialog will pop up telling you what is wrong and giving you the
> option to go ahead and connect anyway. You must understand that since
> apache will connect to the https server in a non-interactive way
> there is no-one to confirm to apache that it is OK to proceed. Therefore the
> certificate must pass all the tests.
> 1) The common name of the certificate must be identical to the name
> used in the URL.
> 2) The certificate must still be valid.
> 3) The signature must verify as OK.
> 
> 1) and 2) you take care of when you generate the certificate. 3) you take
> care of on the apache side, by putting the self signed cert in the
> cacerts dir.
> 
> >  On another front, I understand from you that I can have apache as a proxy server that talks SSL with the backend and non-ssl with the end user (in URL, the user puts http not https even if the backend server is accessed via https). Correct me if I am wrong please.
> 
> You can indeed do this. I have one server who does exactly
> this.
> 
> Krist
> 
> 
> -- 
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email
> discussions?
> 


Re: [users@httpd] url proxying

Posted by Krist van Besien <kr...@gmail.com>.
On Sun, Apr 13, 2008 at 11:32 PM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:
> hi Krist, all,
>
>  To use c_rehash, I must have .pem and .crt files. Correct me if I am wrong please. The remote server has a self-signed certificate that was generated using keytool (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) so the file generated is .keytool. Should I generate .pem and .crt files to run c_rehash? If so, how?

You can export your certificate using keytool, like this:

keytool -export -alias tomcat -rfc >   tomcat.pem

The "-rfc" option is important, as this exports a PEM certificate.
If your keystore is in a different location you need to add the
-keystore <keystorefile> option. If your tomcat server uses a
certificate with a different alias modify the -alias parameter.

For proxying via apache to work it is important that the certificate
passes all the tests. Normally when you connect your browser to a https
server with a self signed certificate, or when something else is wrong
a dialog will pop up telling you what is wrong and giving you the
option to go ahead and connect anyway. You must understand that since
apache will connect to the https server in a non-interactive way
there is no-one to confirm to apache that it is OK to proceed. Therefore the
certificate must pass all the tests.
1) The common name of the certificate must be identical to the name
used in the URL.
2) The certificate must still be valid.
3) The signature must verify as OK.

1) and 2) you take care of when you generate the certificate. 3) you take
care of on the apache side, by putting the self signed cert in the
cacerts dir.

>  On another front, I understand from you that I can have apache as a proxy server that talks SSL with the backend and non-ssl with the end user (in URL, the user puts http not https even if the backend server is accessed via https). Correct me if I am wrong please.

You can indeed do this. I have one server who does exactly this.

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] url proxying

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
hi Krist, all,

To use c_rehash, I must have .pem and .crt files. Correct me if I am wrong please. The remote server has a self-signed certificate that was generated using keytool (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) so the file generated is .keytool. Should I generate .pem and .crt files to run c_rehash? If so, how?


On another front, I understand from you that I can have apache as a proxy server that talks SSL with the backend and non-ssl with the end user (in URL, the user puts http not https even if the backend server is accessed via https). Correct me if I am wrong please.

thanks.


--- On Fri, 11/4/08, Krist van Besien <kr...@gmail.com> wrote:

> From: Krist van Besien <kr...@gmail.com>
> Subject: Re: [users@httpd] url proxying
> To: users@httpd.apache.org, melanie_pfefer@yahoo.co.uk
> Date: Friday, 11 April, 2008, 4:28 PM
> On Fri, Apr 11, 2008 at 9:48 AM, Melanie Pfefer
> <me...@yahoo.co.uk> wrote:
> > Hi everybody,
> >
> >  I want to enable proxying from apache to a tomcat application running on ssl.
> >
> >  Redirection is working:
> >  RewriteRule /abc/  https://remoteserver:8443/abc/ [R=301,L]
> >
> >
> >  But proxying is not:
> >  RewriteRule /abc/  https://remoteserver:8443/abc/ [P,L]
> >
> >  In redirection:
> >  http://myapache/abc/ goes to https://remoteserver:8443/abc/ but this is shown in the url which is not my intention.
> >
> >  Any idea how to fix the proxying?
> >  thanks
> 
> Apache can't proxy to https urls out of the box. You need to do some work.
> 
> You need to add the following to your config.
> 
> # turn on SSL proxying.
> SSLProxyEngine On
> 
> # to tell Apache where to find CA certificates to check remote server
> # certificates with:
> # (You can choose yourself where you put these certificates)
> SSLProxyCACertificatePath /path/to/ca/certificates
> 
> Then in this path you need to put the CA certificate(s) used to sign
> the certificate(s) used by the server(s) you communicate with. If you
> want to talk to a server that uses a "self signed" certificate you
> will need to put it in this dir too.
> 
> Once you've done that you need to run c_rehash in that directory.
> c_rehash is part of a standard openssl distribution. c_rehash creates
> hashed aliases in this dir. Apache needs these.
> 
> In order to test if everything is there you can do the following:
> 
> openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443
> 
> if the connection succeeds just try to do a
> GET /abc/
> 
> and see if you get something. If all goes well it should work for apache also.
> 
> Krist
> 
> 
> 
> 
> 
> 
> 
> 
> 
> -- 
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email
> discussions?
> 


Re: [users@httpd] url proxying

Posted by Krist van Besien <kr...@gmail.com>.
On Fri, Apr 11, 2008 at 9:48 AM, Melanie Pfefer
<me...@yahoo.co.uk> wrote:
> Hi everybody,
>
>  I want to enable proxying from apache to a tomcat application running on ssl.
>
>  Redirection is working:
>  RewriteRule /abc/  https://remoteserver:8443/abc/ [R=301,L]
>
>
>  But proxying is not:
>  RewriteRule /abc/  https://remoteserver:8443/abc/ [P,L]
>
>  In redirection:
>  http://myapache/abc/ goes to https://remoteserver:8443/abc/ but this is shown in the url which is not my intention.
>
>  Any idea how to fix the proxying?
>  thanks

Apache can't proxy to https urls out of the box. You need to do some work.

You need to add the following to your config.

# turn on SSL proxying.
SSLProxyEngine On

# to tell Apache where to find CA certificates to check remote server
# certificates with:
# (You can choose yourself where you put these certificates)
SSLProxyCACertificatePath /path/to/ca/certificates

Then in this path you need to put the CA certificate(s) used to sign
the certificate(s) used by the server(s) you communicate with. If you
want to talk to a server that uses a "self signed" certificate you
will need to put it in this dir too.

Once you've done that you need to run c_rehash in that directory.
c_rehash is part of a standard openssl distribution. c_rehash creates
hashed aliases in this dir. Apache needs these.

In order to test if everything is there you can do the following:

openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443

if the connection succeeds just try to do a
GET /abc/

and see if you get something. If all goes well it should work for apache also.

Krist









-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
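
The hash-link and verification steps from this message, together with the three certificate checks Krist lists in his later reply, as an added shell example that is not part of the original thread. It uses a throwaway self-signed certificate in place of the keytool export and creates the hash link by hand instead of calling c_rehash; the function names, file names and work directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. The certificate, file names and work
# directory are constructed; "remoteserver" is the backend name used above.

# Throwaway self-signed certificate standing in for the keytool export.
make_test_cert() {  # $1 = common name, $2 = output PEM file
    cfg=$(mktemp) || return 1
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=%s\n' "$1" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$cfg" \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" >/dev/null 2>&1
    status=$?
    rm -f "$cfg"
    return $status
}

# What c_rehash does for one file: copy it into the CA directory and link
# <subject-hash>.N to it, so OpenSSL can find it by hash at verify time.
install_ca_cert() {  # $1 = CA directory, $2 = PEM certificate
    hash=$(openssl x509 -hash -noout -in "$2") || return 1
    n=0
    while [ -e "$1/$hash.$n" ]; do n=$((n + 1)); done
    cp "$2" "$1/" && ln -s "$(basename "$2")" "$1/$hash.$n" && echo "$hash.$n"
}

# The three checks: CN equals the host in the proxy URL, the certificate has
# not expired, and the signature verifies against the CA directory.
check_backend_cert() {  # $1 = CA directory, $2 = PEM certificate, $3 = host
    dir=$1; cert=$2; host=$3; fail=0
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" |
         sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$host" ]; then
        echo "ok: CN=$cn matches the URL host"
    else
        echo "FAIL: CN=$cn does not match URL host $host"; fail=1
    fi
    if openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
        echo "ok: certificate has not expired"
    else
        echo "FAIL: certificate has expired"; fail=1
    fi
    if openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1; then
        echo "ok: signature verifies against $dir"
    else
        echo "FAIL: signature does not verify against $dir"; fail=1
    fi
    return $fail
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/ca"
    if ! make_test_cert remoteserver "$work/tomcat.pem"; then
        rm -rf "$work"; return 1
    fi
    echo "--- CA directory still empty"
    check_backend_cert "$work/ca" "$work/tomcat.pem" remoteserver || true
    echo "--- linked $(install_ca_cert "$work/ca" "$work/tomcat.pem") -> tomcat.pem"
    rc=0
    check_backend_cert "$work/ca" "$work/tomcat.pem" remoteserver || rc=1
    rm -rf "$work"
    return $rc
}

demo || echo "demo failed (is openssl installed?)"
```

With a real export, skip make_test_cert and pass the exported tomcat.pem, the directory named in SSLProxyCACertificatePath, and the host name from the ProxyPass URL.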



Re: [users@httpd] url proxying

Posted by Vincent Bray <no...@gmail.com>.
On 11/04/2008, Melanie Pfefer <me...@yahoo.co.uk> wrote:
> thanks.
>  SSLProxyEngine On
>  ProxyPass /abc/ https://remoteserver:8443/abc/
>
>  If I try the URL http://myapache/abc/....
>  the redirection works but the url changes so proxying is not working as expected.

Remember to use:
ProxyPassReverse /abc/ https://remoteserver:8443/abc/

.. so that any redirects sent by the origin server are rewritten to
use the frontend address.

You might also want to check the logs for the backend (origin) server
to see if it received the request and if it sent a redirect.

-- 
noodl
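
The redirect behaviour that Vincent and Krist describe (the backend answers with a Location header naming itself), as an added shell example that is not part of the original thread. It scans captured response headers for the three headers ProxyPassReverse rewrites and prints the frontend address each should carry; the sample response and the function name are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The captured response is constructed;
# host names and paths are the ones used in the thread.

# Read raw response headers on stdin and report every Location,
# Content-Location or URI header that still starts with the backend prefix,
# together with the value it would have after ProxyPassReverse.
# Returns 0 when nothing points at the backend, 1 otherwise.
find_backend_leaks() {  # $1 = backend URL prefix, $2 = frontend URL prefix
    backend=$1; frontend=$2; leaks=0
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                  # tolerate CRLF line endings
        name=${line%%:*}
        [ "$name" = "$line" ] && continue   # status line or blank line
        value=${line#*:}
        value=${value#"${value%%[! ]*}"}    # strip leading spaces
        case $(printf '%s' "$name" | tr 'A-Z' 'a-z') in
            location|content-location|uri) ;;
            *) continue ;;
        esac
        case $value in
            "$backend"*)
                echo "LEAK $name: $value -> $frontend${value#"$backend"}"
                leaks=1 ;;
        esac
    done
    return $leaks
}

demo() {
    # Constructed capture of what the backend returns for a proxied request.
    find_backend_leaks "https://remoteserver:8443/abc/" "http://myapache/abc/" <<'EOF'
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: https://remoteserver:8443/abc/login.jsp
Content-Length: 0
EOF
}

demo || echo "backend URL exposed: a matching ProxyPassReverse is missing"
```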



Re: [users@httpd] url proxying

Posted by Nils Jeppe <ni...@pandemonium.de>.
Not sure what you mean? There's a redirect after the initial access  
via the proxy? Don't do that, or proxy the second path too :-)


Best wishes
Nils


On 11.04.2008, at 15:22, Melanie Pfefer wrote:
> thanks.
> SSLProxyEngine On
> ProxyPass /abc/ https://remoteserver:8443/abc/
>
> If I try the URL http://myapache/abc/....
> the redirection works but the url changes so proxying is not working  
> as expected.
>
> Any idea?
> thx
>
> --- On Fri, 11/4/08, Nils Jeppe <ni...@pandemonium.de> wrote:
>
>> From: Nils Jeppe <ni...@pandemonium.de>
>> Subject: Re: [users@httpd] url proxying
>> To: users@httpd.apache.org
>> Date: Friday, 11 April, 2008, 12:04 PM
>> Hello Melanie,
>>
>> I am not sure if the RewriteRule behaviour is identical to ProxyPass
>> of mod_proxy.
>>
>> In mod_proxy, I believe you have to enable ssl connections to the
>> backend with SSLProxyEngine on (or something similar, if my memory
>> fails me), so this might be the issue here as well. Mod_proxy does log
>> this to the error_log, though, if it is needed.
>>
>>
>>
>> Best wishes
>> Nils
>>
>>
>> On 11.04.2008, at 09:48, Melanie Pfefer wrote:
>>> Hi everybody,
>>>
>>> I want to enable proxying from apache to a tomcat application
>>> running on ssl.
>>>
>>> Redirection is working:
>>> RewriteRule /abc/  https://remoteserver:8443/abc/ [R=301,L]
>>>
>>>
>>> But proxying is not:
>>> RewriteRule /abc/  https://remoteserver:8443/abc/ [P,L]
>>>
>>> In redirection:
>>> http://myapache/abc/ goes to https://remoteserver:8443/abc/ but this
>>> is shown in the url which is not my intention.
>>>
>>> Any idea how to fix the proxying?
>>> thanks
>>>


Re: [users@httpd] url proxying

Posted by Melanie Pfefer <me...@yahoo.co.uk>.
thanks.
SSLProxyEngine On
ProxyPass /abc/ https://remoteserver:8443/abc/

If I try the URL http://myapache/abc/....
the redirection works but the url changes so proxying is not working as expected.

Any idea?
thx

--- On Fri, 11/4/08, Nils Jeppe <ni...@pandemonium.de> wrote:

> From: Nils Jeppe <ni...@pandemonium.de>
> Subject: Re: [users@httpd] url proxying
> To: users@httpd.apache.org
> Date: Friday, 11 April, 2008, 12:04 PM
> Hello Melanie,
> 
> I am not sure if the RewriteRule behaviour is identical to ProxyPass
> of mod_proxy.
> 
> In mod_proxy, I believe you have to enable ssl connections to the
> backend with SSLProxyEngine on (or something similar, if my memory
> fails me), so this might be the issue here as well. Mod_proxy does log
> this to the error_log, though, if it is needed.
> 
> 
> 
> Best wishes
> Nils
> 
> 
> On 11.04.2008, at 09:48, Melanie Pfefer wrote:
> > Hi everybody,
> >
> > I want to enable proxying from apache to a tomcat application
> > running on ssl.
> >
> > Redirection is working:
> > RewriteRule /abc/  https://remoteserver:8443/abc/ [R=301,L]
> >
> >
> > But proxying is not:
> > RewriteRule /abc/  https://remoteserver:8443/abc/ [P,L]
> >
> > In redirection:
> > http://myapache/abc/ goes to https://remoteserver:8443/abc/ but this
> > is shown in the url which is not my intention.
> >
> > Any idea how to fix the proxying?
> > thanks
> >


Re: [users@httpd] url proxying

Posted by Nils Jeppe <ni...@pandemonium.de>.
Hello Melanie,

I am not sure if the RewriteRule behaviour is identical to ProxyPass
of mod_proxy.

In mod_proxy, I believe you have to enable ssl connections to the  
backend with SSLProxyEngine on (or something similar, if my memory  
fails me), so this might be the issue here as well. Mod_proxy does log  
this to the error_log, though, if it is needed.



Best wishes
Nils


On 11.04.2008, at 09:48, Melanie Pfefer wrote:
> Hi everybody,
>
> I want to enable proxying from apache to a tomcat application  
> running on ssl.
>
> Redirection is working:
> RewriteRule /abc/  https://remoteserver:8443/abc/ [R=301,L]
>
>
> But proxying is not:
> RewriteRule /abc/  https://remoteserver:8443/abc/ [P,L]
>
> In redirection:
> http://myapache/abc/ goes to https://remoteserver:8443/abc/ but this  
> is shown in the url which is not my intention.
>
> Any idea how to fix the proxying?
> thanks