Status: tomcat8, redirect from apache2 via ajp
Apache2 VirtualHost directive contains:
ProxyPass / ajp://localhost:8009/SecureMain/
ProxyPassReverse / ajp://localhost:8009/SecureMain/
Tomcat8 server.xml contains:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
When servlet runs, header contains JSESSIONID, but getAttribute returns null.
When running the same servlet directly via tomcat8 port 8080, session content is available.
Any help would be appreciated.
I would say the use of StickySession attribute on ProxyPass should do. This question on ServerFault gives an idea about how to configure ajp.
stickysession=JSESSIONID|jsessionid
Related
I have installed Pentaho (9.x) on Tomcat 8.5 and OpenJDK 1.8 as required.
In front of it there is Apache 2.4 with mod_proxy_http.
My website is served with HTTPS and I have these Proxy rules:
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost on
ProxyPass "/pentaho" "http://tomcat_host_ip:8080/pentaho"
ProxyPassReverse "/pentaho" "http://tomcat_host_ip:8080/pentaho"
ProxyPass "/pentaho/" "http://tomcat_host_ip:8080/pentaho/"
ProxyPassReverse "/pentaho/" "http://tomcat_host_ip:8080/pentaho/"
ProxyPass "/pentaho/Login" "http://tomcat_host_ip:8080/pentaho/Login"
ProxyPassReverse "/pentaho/Login" "http://tomcat_host_ip:8080/pentaho/Login"
When I try to log in I get an error during the POST:
https://pentaho.mywebsite.org/pentaho/j_spring_security_check
The application tries to respond with the HTTP protocol instead of HTTPS.
In the request header I have the correct Referer and Origin:
Origin: https://pentaho.mywebsite.org
Referer: https://pentaho.mywebsite.org/pentaho/Login
But the response header replies with HTTP and NOT https:
Location http://pentaho.mywebsite.org/pentaho/
I solved the problem just adding proxyPort="443" and scheme="https" to my http connector in Tomcat.
The rule
RequestHeader set X-Forwarded-Proto "https"
on Apache was useless. This is my correct Apache configuration
ProxyPreserveHost on
ProxyPass "/pentaho" "http://tomcat_host_ip:8080/pentaho"
ProxyPassReverse "/pentaho" "http://tomcat_host_ip:8080/pentaho"
ProxyPass "/pentaho/" "http://tomcat_host_ip:8080/pentaho/"
ProxyPassReverse "/pentaho/" "http://tomcat_host_ip:8080/pentaho/"
And this is my Tomcat HTTP connector
<Connector URIEncoding="UTF-8"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
proxyPort="443"
scheme="https"
redirectPort="8443"
relaxedPathChars="[]|"
relaxedQueryChars="^{}[]|&amp;"
maxHttpHeaderSize="65536"
/>
Servlet applications use the scheme, serverName and serverPort properties of a ServletRequest to generate hyperlinks. Usually Tomcat gets the latter two from the Host request header, while scheme depends on the connector.
If you use a reverse proxy, the above logic may not be enough. You have two solutions:
Setting scheme statically
In your case the proxy uses HTTPS, while Tomcat uses HTTP, so you must override the scheme and secure properties:
<Connector
port="8080"
scheme="https"
secure="true"
...
while the Apache HTTP Server configuration can be shortened to:
ProxyPreserveHost on
ProxyPass "/pentaho" "http://tomcat_host_ip:8080/pentaho"
ProxyPassReverse "/pentaho" "http://tomcat_host_ip:8080/pentaho"
Remark that in your answer you didn't set the secure attribute: this attribute decides whether the transport is confidential. If you don't set it to true, Tomcat will automatically redirect the browser to redirectPort whenever the application asks for a confidential transport (cf. Securing Web Applications).
This solution only works correctly, if your proxy forwards only HTTPS requests to Tomcat.
Setting scheme dynamically
If you forward both HTTP and HTTPS requests to Tomcat, the server needs a way to distinguish between them. Therefore you need to add a RemoteIpValve to your Tomcat configuration:
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
<Connector
port="8080"
redirectPort="443"
...
and ask Apache HTTP Server to add an X-Forwarded-Proto header:
RequestHeader set X-Forwarded-Proto "expr=%{REQUEST_SCHEME}"
ProxyPreserveHost on
ProxyPass "/pentaho" "http://tomcat_host_ip:8080/pentaho"
ProxyPassReverse "/pentaho" "http://tomcat_host_ip:8080/pentaho"
This solution also has the advantage of setting the client's remoteHost and remoteAddr instead of those of the proxy.
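An added example (not part of either answer above, and not Tomcat or Pentaho code): a small Python audit of a server.xml for the two options just described. It flags a plain-HTTP connector that sets scheme="https" without secure="true", and one that has neither a static scheme nor a RemoteIpValve; the sample server.xml and the finding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml: the HTTP connector from the self-answer above
# (scheme and proxyPort set, no secure attribute) plus the stock AJP connector.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" proxyPort="443"
               scheme="https" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"


def audit_proxy_settings(server_xml):
    """Return (connector_port, finding) tuples for plain-HTTP connectors
    that sit behind a TLS-terminating reverse proxy."""
    root = ET.fromstring(server_xml)
    # The valve may be declared under Engine, Host or Context; search all levels.
    has_valve = any(v.get("className") == REMOTE_IP_VALVE
                    for v in root.iter("Valve"))
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue  # only HTTP connectors are checked here
        if conn.get("SSLEnabled", "false") == "true":
            continue  # this connector terminates TLS itself
        port = conn.get("port")
        scheme = conn.get("scheme", "http")  # connector default is http
        secure = conn.get("secure", "false") == "true"
        if scheme == "https" and not secure:
            # Static option, half applied: links are https, but the transport
            # is still reported as non-confidential to the application.
            findings.append((port, "scheme-https-without-secure"))
        elif scheme == "http" and not has_valve:
            # Neither option applied: generated links will use http.
            findings.append((port, "no-static-scheme-and-no-RemoteIpValve"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_proxy_settings(SAMPLE_SERVER_XML):
        print(f"connector {port}: {finding}")
```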
I have a Docker container with wordpress:latest in a host which has Apache 2.4 installed.
I added the lines below to my Apache configuration file, inside the vhost group:
ProxyPass http://localhost:8010
ProxyPassReverse http://localhost:8010
When I try to access my URL I can reach wordpress homepage, however all static files point to localhost so my layout doesn't work.
What am I missing? Some setup at Apache? Wordpress itself?
Apache modules are already enabled.
Edit 1:
Forgot to mention: this piece of configuration is inside a Location directive, which is inside a vhost directive.
<VirtualHost *:80>
...
<Location /usa>
RequestHeader set X-Is-Reverse=Proxy true
RequestHeader set X-Original-Host mysite.com.br
ProxyPass http://localhost:8010
ProxyPreserveHost On
ProxyPassReverse http://localhost:8010
</Location>
...
</VirtualHost>
Check that the Site URL setting in wordpress matches the URL your clients are calling.
This is the documentation on how to change the site URL in wordpress: https://codex.wordpress.org/Changing_The_Site_URL
If you proxy pass to your backend like that, requests coming into your container will be sent with the Host header set to localhost. Apparently, the WordPress container takes care of the host that has been set in order to generate static assets links. Try setting the following proxy option:
ProxyPreserveHost On
Just after the ProxyPass configuration line.
This option forwards the Host HTTP header coming from the client over to the proxy connection. This way the backend will understand which public URL it's been called from and asset links should be correct.
Edit.
If you can't use the ProxyPreserveHost Directive you could try and directly set the Host header using:
RequestHeader set Host "your.host.name"
When I access my application using https://application.domain.net/ui, the request is getting redirected in a weird fashion.
Log:
GET 302 Redirect (cached) https://application.domain.net/ui
GET 301 Redirect to: http://application.domain.net/ui/login.do
GET 200 text/html https://application.domain.net/ui/login.do
Application Server: TomEE 1.7.4 with SSL connector enabled.
Application: ear application
The application later brings up the login page. But why would the redirection happen from https to http and then to https?
My TomEE conf/server.xml content with connector details:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" xpoweredBy="false" server="Apache TomEE" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" xpoweredBy="false" server="Apache TomEE" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Please advise.
can be programmatic or configured in web.xml, you can enforce https by setting transport-guarantee to CONFIDENTIAL in web.xml.
We have 3 Jenkins instances for DEV/STG/PRD in a single CI Server.
They use TCP ports 3001, 3002 and 3003 respectively. For example, if I want to access STG Jenkins, I can access the server with the URL "192.168.0.3:3002".
But now we have to move the Jenkins instances behind an Nginx server for remote users; the users can only access Jenkins through Nginx and port 443. Only TCP port 443 of their firewall is open for outbound traffic. For this reason (a single Nginx instance on TCP 443), the only way to distinguish between DEV/STG/PRD is to use different URIs.
For example:
"192.168.0.3:3001" --> "192.168.0.3:443/dev"
"192.168.0.3:3002" --> "192.168.0.3:443/stg"
and so on.
Below is a sample Nginx configuration for the port forwarding I expect.
server {
    listen 443;
    server_name localhost;
    location /dev {
        proxy_pass http://localhost:3001;
    }
    location /stg {
        proxy_pass http://localhost:3002;
    }
    location /prd {
        proxy_pass http://localhost:3003;
    }
}
Is it possible? Does Nginx support multiple ports forward with a single instance?
Yes, Nginx supports multiple upstream, the only change you need to make is to customise Jira server XML config path:
See full config below: https://gist.github.com/mikhailov/8562320
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
<Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
<Manager pathname=""/>
</Context>
</Host>
....
</Engine>
I've followed all the instructions provided on the website below.
rApache.net.
mod_R.so is installed and I've configured below things in the sites-enabled folder.
#rApacheInfo
<Location /RApacheInfo>
SetHandler r-info
</Location>
#brew function
<Directory /var/www/brew>
SetHandler r-script
RHandler sys.source
</Directory>
<Directory /var/www/brew>
SetHandler r-script
RHandler brew::brew
DefaultType html
</Directory>
But if I go to localhost:8080/RApacheInfo I get the error HTTP Status 404 - /RApacheInfo.
localhost:8080 gives me the Apache Tomcat welcome page.
I checked the difference between Apache and Tomcat from this post. Now I have a doubt whether we'll be able to install it or not.
Please help.
Errr no. Apache tomcat is a server which acts as a container for Java-based 'servlets'. Apache http server is a general server for http requests. What you have listening on port 8080 must be tomcat since you get the tomcat error page.
rApache is specifically a handler for the apache http server. Normally apache http server just sends back a file when a request for /foo.html comes in, but it can be configured to run a program via a handler, which is what rApache is.
You can run apache http server AND tomcat on the same machine, they just have to be listening on different ports. If you try and run them on the same port the second one won't start.
By default apache http server listens on port 80, so if you are running it as root then going to http://localhost/ will get a response if it is running.