HTTPS access through Apache proxy: no valid certification path - java

I'm trying to configure SSL access using a frontend Apache (version 2.4.6) server as a ReverseProxy to serve multiple Java applications deployed on a backend server with glassfish (version 3.1.2.2).
Using virtualHost and ServerName, everything works fine with HTTP protocol:
<VirtualHost *:80>
ServerName ppd-cas.capeb.fr
# redirect "/" "https://ppd-cas.capeb.fr/cas"
ProxyPreserveHost On
RedirectMatch "/$" "/cas"
ProxyPass "/cas" "http://10.1.93.10:34674/cas" retry=0 timeout=300 Keepalive=On
ProxyPassReverse "/cas" "http://10.1.93.10:34674/cas"
</VirtualHost>
I configured the HTTPS (in ssl.conf) as follows:
<VirtualHost *:443>
ServerName ppd-cas.capeb.fr
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
# SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/ssl/private/server.cert
SSLCertificateKeyFile /etc/ssl/private/server.key
ProxyRequests Off
ProxyPreserveHost on
RedirectMatch "/$" "/cas"
ProxyPass "/cas" "https://10.1.93.10:56912/cas" retry=0 timeout=300 Keepalive=On
ProxyPassReverse "/cas" "https://10.1.93.10:56912/cas"
</VirtualHost>
The certificate is self-signed, generated and deployed on the frontend server. I thought I could go with HTTPS between browser and frontend then ignore certificate between frontend and backend thus the above options with "none" or "off" parameters.
The example provided (ppd-cas.capeb.fr) works fine using https, BUT, another application described below, with identical parameters, does not:
<VirtualHost *:443>
ServerName ppd-isabat.capeb.fr
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
# SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/ssl/private/server.cert
SSLCertificateKeyFile /etc/ssl/private/server.key
ProxyRequests Off
ProxyPreserveHost on
RedirectMatch "/$" "/CAPEBWeb"
ProxyPass "/CAPEBWeb" "https://10.1.93.10:8181/CAPEBWeb" retry=0 timeout=300 Keepalive=On
ProxyPassReverse "/CAPEBWeb" "https://10.1.93.10:8181/CAPEBWeb"
</VirtualHost>
The error I get in Glassfish logs is:
[#|2016-10-04T15:54:46.078+0200|WARNING|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=19;_ThreadName=Thread-2;|StandardWrapperValve[action]: PWC1406: Servlet.service() for servlet action threw exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The tricky part is that the application ppd-isabat.capeb.fr (the one that doesn't work) is deployed on the domain1 of Glassfish and uses CAS authentication, and CAS (the one that works) is deployed on domain2 of the same Glassfish. Trying to access ppd-isabat.capeb.fr (https://ppd-isabat.capeb.fr), I'm redirected correctly to the authentication pages of CAS, the error occurs after validating credentials. For me the different installation domain is part of the problem but it's just a hunch.
Is my approach (disabling SSL constraints between frontend and backend) wrong? Am I missing something obvious? Glassfish has an embedded self-signed certificate, so it should be able to identify itself?
I searched StackOverflow thoroughly, but none of the questions really matches this peculiar configuration.
Any help appreciated :)
PS: It's my 1st post, so please, don't be too harsh. I'm French, so please, don't be too harsh!

You said in your post that you want to terminate SSL at Apache itself and that the communication between Apache and Glassfish is meant to be HTTP (non-SSL), yet you are passing requests to the backend with https URLs:
ProxyPass "/CAPEBWeb" "https://10.1.93.10:8181/CAPEBWeb" retry=0 timeout=300 Keepalive=On
ProxyPassReverse "/CAPEBWeb" "https://10.1.93.10:8181/CAPEBWeb"
Shouldn't you be using http:// instead of https://?
You may also need to change the port from 8181 to something else depending on your glassfish's configuration.
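The directives in the question (SSLProxyVerify none, SSLProxyCheckPeerCN off, SSLProxyCheckPeerName off) make Apache accept whatever certificate is presented on the Apache-to-GlassFish hop, so that leg is encrypted but not authenticated: anything that can answer on 10.1.93.10 can impersonate the backend. The vhost below is an added example, not config from the question or the answer; it shows the hardened form, in which Apache pins the backend's self-signed certificate as its only trust anchor and checks the peer name. The path /etc/ssl/certs/glassfish-backend.pem and the hostname glassfish-backend are assumptions: the hostname has to resolve to 10.1.93.10 (for example through /etc/hosts) and has to appear as CN or SAN in the certificate the GlassFish listener presents.

```apache
# Added example: Apache 2.4 front end that authenticates its TLS backend.
# Assumed: glassfish-backend resolves to 10.1.93.10 and is the name in the
# backend certificate; /etc/ssl/certs/glassfish-backend.pem holds that cert.
<VirtualHost *:443>
    ServerName ppd-isabat.capeb.fr
    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/server.cert
    SSLCertificateKeyFile /etc/ssl/private/server.key

    SSLProxyEngine on
    # Weak form from the question, kept only for contrast: the hop to the
    # backend is encrypted, but any certificate at all is accepted.
    #SSLProxyVerify none
    #SSLProxyCheckPeerCN off
    #SSLProxyCheckPeerName off

    # Hardened form: the backend must present a certificate that chains to
    # the file below. For a self-signed backend cert the file contains that
    # cert itself, so depth 0 would do; depth 1 leaves room for a private CA.
    SSLProxyVerify require
    SSLProxyVerifyDepth 1
    SSLProxyCACertificateFile /etc/ssl/certs/glassfish-backend.pem   # assumed path
    # Compare the certificate's CN/SAN with the backend hostname (2.4.5+),
    # which only works when you proxy to a name the cert carries, not to the
    # bare IP. With ProxyPreserveHost On, mod_ssl would use the client's Host
    # header for this match (and as SNI), so keep it Off here unless the
    # backend certificate also carries the public name.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyRequests Off
    ProxyPreserveHost Off
    RedirectMatch "/$" "/CAPEBWeb"
    ProxyPass        "/CAPEBWeb" "https://glassfish-backend:8181/CAPEBWeb" retry=0 timeout=300 Keepalive=On
    ProxyPassReverse "/CAPEBWeb" "https://glassfish-backend:8181/CAPEBWeb"
</VirtualHost>
```

To produce the pinned file, export the listener certificate from the GlassFish domain keystore (default alias s1as): keytool -exportcert -rfc -alias s1as -keystore <domain>/config/keystore.jks -file glassfish-backend.pem. None of this touches the error in the GlassFish log, though: a sun.security.validator.ValidatorException raised inside Servlet.service() means the JVM is validating a certificate on a TLS connection the application itself opens, here most likely the CAS client validating the service ticket against https://ppd-cas.capeb.fr, whose self-signed frontend certificate is not in that JVM's truststore. That is fixed on the GlassFish side by importing /etc/ssl/private/server.cert into the truststore of the domain that runs the application (GlassFish points javax.net.ssl.trustStore at config/cacerts.jks inside each domain directory, so domain1 and domain2 have separate ones): keytool -importcert -trustcacerts -alias ppd-frontend -file server.cert -keystore <domain1>/config/cacerts.jks, then restart that domain.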

Related

Receiving RPC error using GWT, Tomcat and Apache

I am running a web server with the following configuration:
PHP Website running on Apache (port 80) (www.MyWebsite.com)
GWT Web Application running on Tomcat (port 8080) with a different URL (www.MyWebapp.com)
Web service also running on Tomcat (port 8080) with subdomain (service.MyWebapp.com)
I am struggling with some configuration issues. I am able to access the website as well as the web service with my current configuration, but for some reason my web application is throwing an RPC error when I access it remotely through the URL.
My vhosts.conf file is as follows:
<VirtualHost *:80>
ServerName MyWebapp.com
ServerAlias www.MyWebapp.com
ProxyRequests off
DefaultType text/html
ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/webapp/
ProxyPassReverse / ajp://localhost:8009/webapp/
</VirtualHost>
<VirtualHost *:80>
ServerName service.mywebapp.com
DefaultType text/html
ProxyRequests off
ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/webservice/
ProxyPassReverse / ajp://localhost:8009/webservice/
</VirtualHost>
<VirtualHost *:80>
ServerName www.mywebsite.com
ServerAlias *.mywebsite.com
DocumentRoot "c:/wamp64/www/website"
<Directory "c:/wamp64/www/website/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
Require all granted
</Directory>
</VirtualHost>
If I try to access it remotely via www.mywebapp.com, I get the HTML landing page, but when I make any RPC calls I receive an RPC error:
Type 'com.mycom.client.utility.model.DataContainer' was not assignable to 'com.google.gwt.user.client.rpc.IsSerializable' and did not have a custom field serializer. For security purposes, this type will not be deserialized.
I can access and run my web application locally (localhost:8080/webapp), as well as remotely if I specify the port (www.MyWebapp.com:8080/webapp), and do not receive any RPC errors.
My 'DataContainer' class implements java.io.Serializable, not com.google.gwt.user.client.rpc.IsSerializable (I've never encountered an issue with this before). I am under the impression that this has more to do with proxy settings than serialization, but have tried everything I can think of without success.
Any help would be much appreciated!!! Thanks in advance...

Cannot connect to Tomcat web socket behind Apache

When I try to connect to a Spring Boot web socket from an Android STOMP client, it does not connect and the Catalina log shows
Handshake failed due to invalid Upgrade header: null
The Tomcat server is running behind Apache and the Apache server runs on https. I haven't added https in Tomcat. All the http requests are redirected to https. This is how I tried to connect to the websocket:
mStompClient = Stomp.over(Stomp.ConnectionProvider.JWS, "wss://chat.example.com/ws/chat/websocket", headers);
but it works when running on the local machine:
mStompClient = Stomp.over(Stomp.ConnectionProvider.JWS, "http://10.0.2.2:8080/chat/ws/chat/websocket", headers);
this is my stomp end point setup
registry.addEndpoint("/chat").setHandshakeHandler(new HandShakeHandler()).withSockJS();
I have enabled mod_proxy_wstunnel and in the virtual host config I have added
ProxyPass / http://localhost:8080/chat/
ProxyPassReverse / http://localhost:8080/chat/
ProxyPass /wss/ ws://localhost:8080/chat/
How can I fix this?
I got the answer from this Server Fault link. I have to add
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule /api/(.*) ws://newapp.example.com:8080/api/$1 [P]
and changed the last line to
RewriteRule /chat/(.*) ws://localhost:8080/chat/chat/$1 [P]
and now it is connected
The problem may be in the order of your proxy commands:
ProxyPass / http://localhost:8080/chat/
ProxyPassReverse / http://localhost:8080/chat/
ProxyPass /wss/ ws://localhost:8080/chat/
See the documentation:
Ordering ProxyPass Directives
The configured ProxyPass and ProxyPassMatch rules are checked in the order of configuration. The first rule that matches wins. So usually you should sort conflicting ProxyPass rules starting with the longest URLs first.
Since the first rule matches the /wss/ URLs, the later rule is never triggered. The correct order is:
ProxyPass /wss/ ws://localhost:8080/chat/
ProxyPass / http://localhost:8080/chat/
ProxyPassReverse / http://localhost:8080/chat/
(I'm not sure if you need a reverse rule or not.)
I've spent hours trying to make the redirect rules work on my system but apparently you don't need them at all.

Websocket returns 200 instead of 101 by Apache Server

I am trying to redirect traffic from Apache to Tomcat on a CentOS server using the mod_proxy and mod_proxy_wstunnel modules. HTTP traffic is redirected without problems, but I am not able to successfully redirect websocket traffic with any configuration I have tried so far. It gives me a 200 response code instead of 101.
I have read a lot of similar questions, but haven't found any solution yet. These ones have similar problems.
Question 1, Question 2
I'm using Apache Server 2.4.6 -> Apache Tomcat 7.0.92 -> Java application with Spring and the javax websocket implementation.
Here are my modules:
Here is my httpd config:
<VirtualHost *:80>
ServerName domain.com
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"$
CustomLog /var/log/httpd/log_access.log combined
ErrorLog /var/log/httpd/log_error.log
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Proxy *>
Require all granted
</Proxy>
RewriteEngine On
#RewriteCond %{HTTP:Connection} Upgrade [NC]
#RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule /app-api/chat/user/(.*) ws://127.0.0.1:8080/app-api/chat/user/$1 [P,L]
ProxyPass /app-api http://127.0.0.1:8080/ retry=1 acquire=3000
ProxyPassReverse /app-api http://127.0.0.1:8080/
DocumentRoot /var/www/html
</VirtualHost>
If I connect to Apache Tomcat directly on the local machine, all is good, it returns 101, but not remotely.
Why am I getting a 200 response?
What is wrong with this config?
I have tried a lot of implementations, but still get a 200 response from the server instead of an upgrade to 101.
Finally, I have done it.
In my case, there is no need for RewriteConds and RewriteRules.
All that was needed was to proxy the request to the actual backend (Apache Tomcat) by adding to httpd.conf
ProxyPass /api/chat/user/ ws://127.0.0.1:8080/chat/user/
ProxyPassReverse /api/chat/user/ ws://127.0.0.1:8080/chat/user/
Also mod_proxy_wstunnel must be enabled.
Got this config straight from the official docs.
Just in case: mod_proxy_wstunnel
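The two WebSocket threads above (the STOMP client with the "invalid Upgrade header" error, and the 200-instead-of-101 question) come down to the same two facts: Apache checks ProxyPass prefixes in configuration order and the first match wins, and the WebSocket prefix has to reach mod_proxy_wstunnel (a ws:// target) before the catch-all HTTP rule sees it, otherwise the Upgrade request is proxied as ordinary HTTP and the backend answers 200. The vhost below is an added example, not config from either question or answer; the hostname chat.example.com, the certificate paths, the backend port 8080 and the assumption that the STOMP endpoint is registered at /ws inside a /chat web application are all made up for the example.

```apache
# Added example. Assumed: proxy_module, proxy_http_module and
# proxy_wstunnel_module are loaded; the backend listens on localhost:8080 and
# serves the WebSocket endpoint at /chat/ws/ (assumptions for this example).
<VirtualHost *:443>
    ServerName chat.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/chat.example.com.pem    # assumed path
    SSLCertificateKeyFile /etc/ssl/private/chat.example.com.key  # assumed path

    ProxyRequests Off        # reverse proxy only, never an open forward proxy
    ProxyPreserveHost On

    # Most specific prefix first. A client opening
    # wss://chat.example.com/ws/chat/websocket matches here and is tunnelled
    # by mod_proxy_wstunnel; TLS terminates at Apache, and the hop to the
    # backend stays plain ws:// on the loopback interface.
    ProxyPass        /ws/  ws://localhost:8080/chat/ws/

    # Catch-all for ordinary HTTP. If this line came first it would also
    # capture /ws/ (first match wins) and the Upgrade would be lost.
    ProxyPass        /  http://localhost:8080/chat/
    ProxyPassReverse /  http://localhost:8080/chat/
</VirtualHost>

# Plain HTTP only redirects to TLS, so the credentials carried in the STOMP
# CONNECT frame never travel in the clear.
<VirtualHost *:80>
    ServerName chat.example.com
    Redirect permanent / https://chat.example.com/
</VirtualHost>
```

A ProxyPassReverse line for the ws:// prefix is harmless but does nothing useful: it rewrites Location, Content-Location and URI response headers, which a 101 response does not carry, so it can be dropped, as the second answer found. The RewriteCond/RewriteRule pairs quoted in both questions are only needed when WebSocket and HTTP traffic share one path prefix and have to be told apart by the Upgrade header; when the endpoint has its own prefix, plain ProxyPass lines in the right order suffice.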

Issue loading an Apache (2.4) SSL site with Reverse Proxy to Tomcat (6.0)

I've been running a site for the past 3 years without any issues. The current SSL certificate was applied last December. It is running on the FreeBSD 10 operating system. Apache is configured as a reverse proxy passing to Tomcat 6.0. As of this week the initial loading of pages has become extremely slow and does not leave any messages for the user. Nothing seems to stand out in my logs either. I will try to post the configuration below in hopes someone with a fresh set of eyes sees something I'm overlooking. There have been no modifications to the configuration since the site was stood up. If you need any additional info I'll be happy to provide it.
Thanks
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache-tomcat-6.0/webapps"
ServerName hsc.myissinc.com
ServerAdmin support@myissinc.com
ServerSignature Off
Timeout 60
#KeepAlive On
ErrorLog /var/log/apache2/ajp.error.log
LogLevel warn
CustomLog /var/log/apache2/ajp.log combined
RewriteEngine On
#RewriteOptions inherit
ProxyVia On
ProxyRequests Off
ProxyPreserveHost Off
#ProxyPassReverseCookieDomain localhost hsc.myissinc.com
ProxyPass /easehsc/PublicTempStorage/ http://localhost:8080/easehsc/PublicTempStorage/ retry=10 acquire=3000 connectiontimeout=300 timeout=300 Keepalive=on
ProxyPassReverse /easehsc/PublicTempStorage/ http://localhost:8080/easehsc/PublicTempStorage/
ProxyPass /easehsc/ http://localhost:8080/easehsc/ retry=10 acquire=3000 connectiontimeout=300 timeout=300 Keepalive=on
ProxyPassReverse /easehsc/ http://localhost:8080/easehsc/
ProxyPass / http://localhost:8080/ retry=10 acquire=3000 connectiontimeout=300 timeout=300 Keepalive=on
# ProxyPassReverse must name the same backend URL as ProxyPass (http, not https),
# or the Location headers Tomcat sends back are never rewritten.
ProxyPassReverse / http://localhost:8080/
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProxyEngine on
# Server Certificate:
SSLCertificateFile "/root/sslCA/myissinc.cer"
# Server Private Key:
SSLCertificateKeyFile "/root/sslCA/myissinc.key"
# Server Chain File (Intermediate Cert)
SSLCertificateChainFile "/root/sslCA/myissincint.cer"
</VirtualHost>
Turns out the issue was not with the Apache configuration nor tomcat at all. The web app was calling a REST API that was suddenly taken offline due to getting DDoS attack. We commented this call out and all works great. Thanks for those who looked at this and made suggestions.

Two DNS Names for two Web apps in jboss 7.1.1

I have a problem. I have two web apps deployed as wars. Let's call them app1.war and app2.war.
I would like app1.war to be accessed at the URL www.website.com and I would like app2.war to be accessible as www.anotherweb.com. I have my domain name ready.
I am able to run the applications as www.website.com/app1 and www.website.com/app2.
So now I need to run them as www.website.com and www.anotherweb.com.
I am running JBoss 7.1.1.
Thanks for any insights.
You need to put an Apache HTTP server between the user and the JBoss server, and not access your server directly from the web. Configure the Apache HTTP server to use mod_proxy with a virtual host configuration. If your JBoss server runs on http://localhost:8080, it will look something like this in httpd.conf.
NameVirtualHost *:80
<VirtualHost *:80>
RewriteEngine On
ServerName www.website.com
ProxyPass / http://localhost:8080/app1/
ProxyPassReverse / http://localhost:8080/app1/
</VirtualHost>
<VirtualHost *:80>
RewriteEngine On
ServerName www.anotherweb.com
ProxyPass / http://localhost:8080/app2/
ProxyPassReverse / http://localhost:8080/app2/
</VirtualHost>
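Mapping / onto /app1/ as the answer does has one consequence worth handling: a servlet container scopes the cookies it issues to the context root, so JSESSIONID comes back with Path=/app1, a path the browser never sees behind the proxy, and the session cookie is never returned. The configuration below is an added example, not the answer's config; it extends the answer's two vhosts with ProxyPassReverseCookiePath and with a default vhost that receives requests whose Host header matches neither site, so a stray Host value does not land on app1 just because it is listed first. It uses Apache 2.4 access-control syntax; the backend address and the context roots /app1 and /app2 are taken from the answer.

```apache
# Added example. Assumed: JBoss listens on localhost:8080 and the two WARs are
# deployed with context roots /app1 and /app2, as in the answer above.

# Default vhost: first for *:80, so it receives every request whose Host
# header matches no ServerName/ServerAlias below (bare IP, typo, scanner).
<VirtualHost *:80>
    ServerName default.invalid
    <Location />
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.website.com
    ProxyRequests Off
    ProxyPass        / http://localhost:8080/app1/
    ProxyPassReverse / http://localhost:8080/app1/
    # Re-scope cookies the container set for /app1 to the path the browser
    # actually sees, otherwise JSESSIONID is never sent back.
    ProxyPassReverseCookiePath /app1 /
</VirtualHost>

<VirtualHost *:80>
    ServerName www.anotherweb.com
    ProxyRequests Off
    ProxyPass        / http://localhost:8080/app2/
    ProxyPassReverse / http://localhost:8080/app2/
    ProxyPassReverseCookiePath /app2 /
</VirtualHost>
```

ProxyPreserveHost is left at its default (Off) on purpose: with it On, JBoss would build absolute URLs from the public hostname and the ProxyPassReverse lines, which match on http://localhost:8080/..., would no longer rewrite them.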
