Posted to users@httpd.apache.org by Jake Vang <va...@googlemail.com> on 2009/02/01 06:57:48 UTC

[users@httpd] connecting two apache http servers

I want to connect two Apache HTTP servers in the same way that I would
connect Apache to Tomcat with mod_jk.

Right now I have two Apache servers, apache1 and apache2, accessed at
http://apache1 and http://apache2, correspondingly. Apache1 and Apache2 each
has a website, accessed by http://apache1/website1 and
http://apache2/website2, respectively. My problem is that I want to use
apache1 as a front end for both servers (since it is the only server that is
accessible to the outside world). How do I set up apache1 so that if users
access http://apache1/website2, the request will be sent to
http://apache2/website2, but still, the URL will be http://apache1/website2?


This set up is similar to the possibility with Apache + Tomcat via mod_jk.
In this situation, if Tomcat is running on port 8080 with AJP, then I can
access Tomcat with http://tomcat:8080/tomcat-site. I can set up Apache as a
frontend (to the outside world) so that when users type in
http://apache/tomcat-site, mod_jk will connect to Tomcat. Is there a similar
connector for Apache-to-Apache?

Thanks,

Jake.

Re: [users@httpd] connecting two apache http servers

Posted by Jake Vang <va...@googlemail.com>.
Thank you. Those points you raised helped me to get it working. The key was
to turn on SSL proxy (i.e. SSLProxyEngine On). I did not have to do anything
with CA certificates or c_rehash.

Again, I appreciate your help and thank you.

On Tue, Feb 3, 2009 at 2:42 AM, Krist van Besien
<kr...@gmail.com> wrote:

> On Tue, Feb 3, 2009 at 5:42 AM, Jake Vang <va...@googlemail.com> wrote:
> > Thanks for the link. I tried to implement it according to that site.
> > However, I keep getting a permission denied error.
>
> What do you have in the error log?
>
> >
> > Could this permission error be related to the fact that server1 and server2
> > are both running on SSL? I am running Ubuntu 8.10, and I've already enabled
> > mod_proxy (a2enmod proxy). Is there any other module I need to enable?
>
> You might have to explicitly allow access to <Location /site2>, also
> proxying to ssl is not something that usually works out of the box. You
> have two options here.
> - Enable http on your site2 (in a way that only access from the other
> apache is permitted),
> or
> -  setup SSLProxying.
>
> Apache can't proxy to https urls out of the box. You need to do some work.
>
> you need to add the following to your config.
> --- begin config ---
> # turn on SSL proxying.
> SSLProxyEngine On
>
> # to tell Apache where to find CA certificates to check remote server
> # certificates with:
> # (You can choose yourself where you put these certificates)
> SSLProxyCACertificatePath /path/to/ca/certificates
> --- end config ---
>
> Then in this path you need to put the CA certificate(s) used to sign
> the certificate(s) used by the server(s) you communicate with. If you
> want to talk to a server that uses a "self signed" certificate you
> will need to put it in this dir too. (Remember that Apache is acting
> as a HTTPS client here)
>
> Once you've done that you need to run c_rehash in that directory.
> c_rehash is part of a standard openssl distribution. c_rehash creates
> hashed aliases in this dir. Apache needs these.
>
> In order to test if everything is there you can do the following:
>
> openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443
>
> if the connection succeeds just try to do a
> GET /something/
>
>
> HTH,
>
> Krist
>
> --
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd] connecting two apache http servers

Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Feb 3, 2009 at 5:42 AM, Jake Vang <va...@googlemail.com> wrote:
> Thanks for the link. I tried to implement it according to that site.
> However, I keep getting a permission denied error.

What do you have in the error log?

>
> Could this permission error be related to the fact that server1 and server2
> are both running on SSL? I am running Ubuntu 8.10, and I've already enabled
> mod_proxy (a2enmod proxy). Is there any other module I need to enable?

You might have to explicitly allow access to <Location /site2>, also
proxying to ssl is not something that usually works out of the box. You
have two options here.
- Enable http on your site2 (in a way that only access from the other
apache is permitted),
or
-  setup SSLProxying.

Apache can't proxy to https urls out of the box. You need to do some work.

you need to add the following to your config.
--- begin config ---
# turn on SSL proxying.
SSLProxyEngine On

# to tell Apache where to find CA certificates to check remote server
# certificates with:
# (You can choose yourself where you put these certificates)
SSLProxyCACertificatePath /path/to/ca/certificates
--- end config ---

Then in this path you need to put the CA certificate(s) used to sign
the certificate(s) used by the server(s) you communicate with. If you
want to talk to a server that uses a "self signed" certificate you
will need to put it in this dir too. (Remember that Apache is acting
as a HTTPS client here)

Once you've done that you need to run c_rehash in that directory.
c_rehash is part of a standard openssl distribution. c_rehash creates
hashed aliases in this dir. Apache needs these.

In order to test if everything is there you can do the following:

openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443

if the connection succeeds just try to do a
GET /something/


HTH,

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
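
The front-end setup discussed in this thread, as an added example that is not part of the original messages. It contrasts enabling only SSLProxyEngine with also verifying the backend certificate; the virtual host layout, the server1/server2 names and the httpd 2.4 access syntax are assumptions.

```apache
# Added example, not from the thread. server1 is the public front end,
# server2 the HTTPS-only backend; paths are placeholders.
# Modules (Debian/Ubuntu): a2enmod ssl proxy proxy_http

<VirtualHost *:443>
    ServerName server1
    SSLEngine on
    # server1's own SSLCertificateFile / SSLCertificateKeyFile go here.

    # Reverse proxy only; do not act as a forward proxy.
    ProxyRequests Off

    # Variant A: SSLProxyEngine alone.
    #   SSLProxyEngine On
    # The hop to server2 is encrypted, but SSLProxyVerify defaults to
    # "none", so the backend certificate is not checked against any CA.

    # Variant B: encrypted and authenticated backend connection.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    # Directory with the CA (or self-signed) certificate used by server2,
    # plus the hash links created by c_rehash.
    SSLProxyCACertificatePath /path/to/ca/certificates
    # Match the backend hostname against its certificate (httpd 2.4.5 and
    # later; SSLProxyCheckPeerCN is the older, CN-only directive).
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Keep trailing slashes consistent on both sides so paths map 1:1.
    ProxyPass        /site2/ https://server2/site2/
    ProxyPassReverse /site2/ https://server2/site2/

    <Location /site2/>
        # httpd 2.4 syntax; on 2.2 use "Order allow,deny" and "Allow from all".
        Require all granted
    </Location>
</VirtualHost>
```

With Variant B, the `openssl s_client -CApath ...` test from the message above should report a successful verification before the proxy is expected to work.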



Re: [users@httpd] connecting two apache http servers

Posted by Jake Vang <va...@googlemail.com>.
Thanks for the link. I tried to implement it according to that site.
However, I keep getting a permission denied error.

My configuration is:

ProxyPass /site2/ https://server2/site2/
ProxyHTMLURLMap https://server2 /site2
<Location /site2/>
 ProxyPassReverse /
 SetOutputFilter proxy-html
 ProxyHTMLURLMap / site2/
 ProxyHTMLURLMap /site2 /site2
</Location>

Please note that server1 and server2 are both on SSL (port 443, and access
through other ports, including port 80, is not allowed).

I also tried simply adding the following without success:
ProxyPass /site2/ https://server2/site2
ProxyPassReverse /site2/ https://server2/site2

As well as:
ProxyPass /site2/ https://server2/
ProxyPassReverse /site2/ https://server2/

Could this permission error be related to the fact that server1 and server2
are both running on SSL? I am running Ubuntu 8.10, and I've already enabled
mod_proxy (a2enmod proxy). Is there any other module I need to enable?

On Sun, Feb 1, 2009 at 5:40 AM, Krist van Besien
<kr...@gmail.com> wrote:

> On Sun, Feb 1, 2009 at 6:57 AM, Jake Vang <va...@googlemail.com> wrote:
> > I want to connect two Apache HTTP servers in the same way that I would
> > connect Apache to Tomcat with mod_jk.
> >
> > Right now I have two Apache servers, apache1 and apache2, accessed at
> > http://apache1 and http://apache2, correspondingly. Apache1 and Apache2 each
> > has a website, accessed by http://apache1/website1 and
> > http://apache2/website2, respectively. My problem is that I want to use
> > apache1 as a front end for both servers (since it is the only server that is
> > accessible to the outside world). How do I set up apache1 so that if users
> > access http://apache1/website2, the request will be sent to
> > http://apache2/website2, but still, the URL will be http://apache1/website2?
> >
> > This set up is similar to the possibility with Apache + Tomcat via mod_jk.
> > In this situation, if Tomcat is running on port 8080 with AJP, then I can
> > access Tomcat with http://tomcat:8080/tomcat-site. I can set up Apache as a
> > frontend (to the outside world) so that when users type in
> > http://apache/tomcat-site, mod_jk will connect to Tomcat. Is there a similar
> > connector for Apache-to-Apache?
>
> Sure. It's called mod_proxy, and you can read all about it here:
>
> http://www.apachetutor.org/admin/reverseproxies
>
> Just read this, and if you have trouble implementing it you can always ask
> here.
>
> Krist
>
>
>
> --
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>

Re: [users@httpd] connecting two apache http servers

Posted by Krist van Besien <kr...@gmail.com>.
On Sun, Feb 1, 2009 at 6:57 AM, Jake Vang <va...@googlemail.com> wrote:
> I want to connect two Apache HTTP servers in the same way that I would
> connect Apache to Tomcat with mod_jk.
>
> Right now I have two Apache servers, apache1 and apache2, accessed at
> http://apache1 and http://apache2, correspondingly. Apache1 and Apache2 each
> has a website, accessed by http://apache1/website1 and
> http://apache2/website2, respectively. My problem is that I want to use
> apache1 as a front end for both servers (since it is the only server that is
> accessible to the outside world). How do I set up apache1 so that if users
> access http://apache1/website2, the request will be sent to
> http://apache2/website2, but still, the URL will be http://apache1/website2?
>
> This set up is similar to the possibility with Apache + Tomcat via mod_jk.
> In this situation, if Tomcat is running on port 8080 with AJP, then I can
> access Tomcat with http://tomcat:8080/tomcat-site. I can set up Apache as a
> frontend (to the outside world) so that when users type in
> http://apache/tomcat-site, mod_jk will connect to Tomcat. Is there a similar
> connector for Apache-to-Apache?

Sure. It's called mod_proxy, and you can read all about it here:

http://www.apachetutor.org/admin/reverseproxies

Just read this, and if you have trouble implementing it you can always ask here.

Krist



-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
