Posted to users@tomcat.apache.org by Gautam <ad...@gmail.com> on 2012/04/14 23:46:18 UTC

Cannot connect to tomcat through apache (proxy)


We have a setup where we use apache web server to respond to secure (https)
web pages/services on server 1. For one particular service, we need to forward
the request to another server 2 on which we have tomcat running.
We have done this in order to maintain the URL scheme.  Also we want to resolve
the ssl on server 1 since all other services get resolved there and we don't want
to deal with ssl on the tomcat server for that one service.  So for that one
service we want to set up apache as a proxy to the tomcat server.

We took guidance from this blog in setting up our servers:
http://pwu-developer.blogspot.in/2011/04/securing-tomcat-with-apache-web-server.html

Here is our set up:


On server 1 with Apache:

The following directives have been enabled in the httpd.conf file.
 
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
 
Further, the following two lines were added in the httpd.conf file:

ProxyRequests Off
ProxyPreserveHost on

Next, have the following lines in ssl.conf
 
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/pki/tls/certs/your_company_certificate.pem
SSLCertificateKeyFile /etc/pki/tls/certs/your_company_private_key.pem
ServerName my_company_domain_name
ProxyPass /app http://tomcat_server_ip:8443/app
ProxyPassReverse /app http://tomcat_server_ip:8443/app
</VirtualHost>
 
Now in tomcat on server 2, we specified the following inside server.xml:
 
<Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="true"
           redirectPort="443" acceptCount="100" connectionTimeout="20000"
           disableUploadTimeout="true"/>

<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="true"
           acceptCount="100" connectionTimeout="20000"
           disableUploadTimeout="true"
           scheme="https"
           secure="false"
           SSLEnabled="true"
           proxyPort="443"
           proxyName="my_company_domain_name"
/>


All the pages/services on server 1 are working fine.  Only one service which is
supposed to run on server 2 is giving a 503 error.  We think the https handling
between the two servers could be an issue. We repeated the configuration with
unsecure (port 80 on apache and corresponding 8080 on tomcat) setup but that
did not work either.  Can someone throw a light on what we need to do on tomcat
in order for it to work seamlessly?

Thanks,

Gautam



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Cannot connect to tomcat through apache (proxy)

Posted by Hassan Schroeder <ha...@gmail.com>.
On Sat, Apr 14, 2012 at 2:46 PM, Gautam <ad...@gmail.com> wrote:

> All the pages/services on server 1 are working fine.  Only one service which is
> supposed to run on server 2 is giving a 503 error.  We think ...

? "think"? -- how about starting with:

Where is the 503 being generated, httpd or Tomcat?

What happens when you access the application on Tomcat directly?

What do the httpd and Tomcat logs show when this occurs?

-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
http://about.me/hassanschroeder
twitter: @hassan



Re: Cannot connect to tomcat through apache (proxy)

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/4/16 Gautam <ad...@gmail.com>:
>
>
>> Now in tomcat on server 2, we specified the following inside server.xml:
>
>>  <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
>> minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="true" acceptCount="100"
>>  connectionTimeout="20000"
>> disableUploadTimeout="true"
>>         scheme="https"
>>         secure="false"
>>         SSLEnabled="true"
>>         proxyPort="443"
>>         proxyName="my_company_domain_name"
>>      />
>
> Thanks for the thoughts to folks who commented.
>
> We have resolved this.
>
> The resolution was to remove the reference to https (sslEnabled = "true" and

The above is important

> scheme="https").

I'd leave it to be scheme="https"

Have you read the docs? Specifically: the "HTTP connectors" page in
the "Configuration Reference Guide". It should explain all attributes
there.

> The http service then worked as designed.  We also tested
> the above code by adding a certificate (self signed) in tomcat. In that instance
> it also worked.
>
> Bottom line is if you are going to reference https, then you
> should have the certificate credentials in the right place.  Otherwise remove
> the reference and let it default to http.
>

The important bit is that in the Apache HTTP Server configuration that
you cited above
all security for HTTPS is handled by Apache HTTP Server.

The traffic between Apache HTTP Server and Tomcat is plain HTTP,
without any TLS.

> I guess we were sidetracked by the write up as it seemed to be well
> researched.
>

Best regards,
Konstantin Kolinko



Re: Cannot connect to tomcat through apache (proxy)

Posted by Gautam <ad...@gmail.com>.

> Now in tomcat on server 2, we specified the following inside server.xml:
 
>  <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" 
> minSpareThreads="25" 
> maxSpareThreads="75" enableLookups="true" acceptCount="100"
>  connectionTimeout="20000" 
> disableUploadTimeout="true"        
>         scheme="https"
>         secure="false" 
>         SSLEnabled="true" 
>         proxyPort="443"
>         proxyName="my_company_domain_name"
>      />

Thanks for the thoughts to folks who commented.

We have resolved this.  

The resolution was to remove the reference to https (sslEnabled = "true" and
scheme="https").  The http service then worked as designed.  We also tested
the above code by adding a certificate (self signed) in tomcat. In that instance
it also worked.  Bottom line is if you are going to reference https, then you
should have the certificate credentials in the right place.  Otherwise remove
the reference and let it default to http.

I guess we were sidetracked by the write up as it seemed to be well
researched.

Thanks again,

Gautam







Re: Cannot connect to tomcat through apache (proxy)

Posted by Mark Thomas <ma...@apache.org>.

Pid * <pi...@pidster.com> wrote:

>On 14 Apr 2012, at 22:50, Gautam <ad...@gmail.com> wrote:


>> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
>> minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="true" acceptCount="100"
>> connectionTimeout="20000"
>> disableUploadTimeout="true"
>>        scheme="https"
>>        secure="false"
>>        SSLEnabled="true"
>>        proxyPort="443"
>>        proxyName="my_company_domain_name"
>>     />
>
>You want SSLEnabled="false", I think.

And secure="true"

Mark
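
Added example, not part of any post in this thread: a Python check that cross-references the scheme of the ProxyPass target in the httpd configuration with the matching Tomcat Connector, flagging the mismatch discussed above (SSLEnabled="true" on a port httpd reaches over plain http) and the scheme/secure values suggested in the replies. The second connector on port 8444 and all function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed inputs: the ProxyPass line and port-8443 Connector from the thread,
# plus a connector with the values the replies suggest (port 8444 is made up).
SSL_CONF = "ProxyPass /app http://tomcat_server_ip:8443/app"
SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="false" SSLEnabled="true"
             proxyPort="443" proxyName="my_company_domain_name"/>
  <Connector port="8444" scheme="https" secure="true" SSLEnabled="false"
             proxyPort="443" proxyName="my_company_domain_name"/>
</Service></Server>
"""

def proxy_backends(httpd_conf):
    """Return (scheme, port) for every ProxyPass target in an httpd config."""
    out = []
    for m in re.finditer(r"^\s*ProxyPass\s+\S+\s+(\S+)", httpd_conf, re.M):
        url = urlsplit(m.group(1))
        out.append((url.scheme, url.port or (443 if url.scheme == "https" else 80)))
    return out

def check_connector(attrs, backend_scheme):
    """List mismatches between one Connector and the scheme httpd uses to reach it."""
    findings = []
    tls_on = attrs.get("SSLEnabled", "false").lower() == "true"
    if tls_on and backend_scheme == "http":
        findings.append("SSLEnabled=true but httpd sends plain http")
    if not tls_on and backend_scheme == "https":
        findings.append("httpd sends https but SSLEnabled is not true")
    # proxyPort=443 marks a connector behind a TLS-terminating front end.
    if not tls_on and attrs.get("proxyPort") == "443":
        if attrs.get("scheme", "http") != "https":
            findings.append('scheme should be "https"')
        if attrs.get("secure", "false").lower() != "true":
            findings.append('secure should be "true"')
    return findings

def audit(httpd_conf, server_xml):
    """Map connector port -> findings for connectors that are ProxyPass targets."""
    connectors = {int(c.get("port")): c.attrib
                  for c in ET.fromstring(server_xml).iter("Connector")}
    return {port: check_connector(connectors[port], scheme)
            for scheme, port in proxy_backends(httpd_conf) if port in connectors}
```

Calling audit(SSL_CONF, SERVER_XML) reports the thread's original connector; pointing the ProxyPass line at port 8444 returns an empty findings list.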



Re: Cannot connect to tomcat through apache (proxy)

Posted by Pid * <pi...@pidster.com>.
On 14 Apr 2012, at 22:50, Gautam <ad...@gmail.com> wrote:

> We have a set up where we use apache web server to respond to secure (https)
> web pages/services on server 1. For one particular service, we need to forward
> the request to another server 2 on which we have tomcat running.
> We have done this in order to maintain the URL scheme.  Also we want to resolve
> the ssl on server 1 since all other services get resolved there and we don't want
> to deal with ssl on the
> tomcat server for that one service.  So for that one service we want to setup
> apache as a proxy to tomcat server.
>
> We took guidance from this blog in setting up our servers:
> http://pwu-developer.blogspot.in/2011/04/securing-tomcat-with-apache-web-server.html

It's not entirely accurate. Not sure why the author would refer to 5.5, either.


> Here is our set up:
>
> On server 1 with Apache:
>
> The following directives have been enabled in the httpd.conf file.
>
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_http_module modules/mod_proxy_http.so
> LoadModule proxy_connect_module modules/mod_proxy_connect.so

Why add proxy_connect?

> Further, the following two lines added in httpd conf file
>
> ProxyRequests Off
> ProxyPreserveHost on
>
> Next, have the following lines in ssl.conf
>
> Listen 443
> <VirtualHost _default_:443>
> SSLEngine on
> SSLProxyEngine on
> SSLCertificateFile /etc/pki/tls/certs/your_company_certificate.pem
> SSLCertificateKeyFile /etc/pki/tls/certs/your_company_private_key.pem
> ServerName my_company_domain_name
> ProxyPass /app http://tomcat_server_ip:8443/app
> ProxyPassReverse /app http://tomcat_server_ip:8443/app
> </VirtualHost>
>
> Now in tomcat on server 2, we specified the following inside server.xml:
>
> <Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150"
> minSpareThreads="25"
> maxSpareThreads="75" enableLookups="true" redirectPort="443" acceptCount="100"
> connectionTimeout="20000" disableUploadTimeout="true"/>
>
> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
> minSpareThreads="25"
> maxSpareThreads="75" enableLookups="true" acceptCount="100"
> connectionTimeout="20000"
> disableUploadTimeout="true"
>        scheme="https"
>        secure="false"
>        SSLEnabled="true"
>        proxyPort="443"
>        proxyName="my_company_domain_name"
>     />

You want SSLEnabled="false", I think.
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html


p

> All the pages/services on server 1 are working fine.  Only one service which is
> supposed to run on server 2 is giving a 503 error.  We think the https handling
> between the two server could be an issue. We repeated the configuration with
> unsecure (port 80 on apache and corresponding 8080 on tomcat) setup but that
> did not work either.  Can someone throw a light on what we need to do on tomcat
> in order for it work seamlessly?
>
> Thanks,
>
> Gautam