I was looking over this guide to set up Tomcat + Apache with SSL: http://www.mulesoft.com/tcat/tomcat-ssl
Under the section "When To Use SSL With Tomcat" it says:
"...In other words, if you're fronting Tomcat with a web server and using it only as an application server or Tomcat servlet container, in most cases you should let the web server function as a proxy for all SSL requests"
Since I already have a webserver set up with SSL, I decided to be lazy. I installed tomcat with default settings, and started it up. In my httpd.conf, I redirected all 80 traffic to 443, and then proxypass and proxypassreverse to ajp://hostname.com:8009. I restarted httpd and it "appears" to redirect to tomcat server over ssl. Is this completely broken or did I actually manage to do what I intended on first go? Any test suggestions are much appreciated.
<VirtualHost *:80>
ServerName hostname_DNS_alias.com
Redirect / https://hostname_DNS_alias.com/
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/thecrt.crt
SSLCertificateKeyFile /etc/pki/tls/private/thekey.key
SSLCertificateChainFile /etc/pki/tls/certs/CA.crt
ServerName hostname_DNS_alias.com
DocumentRoot /var/www/html
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
</Proxy>
ProxyPass / ajp://hostname.com:8009/
ProxyPassReverse / ajp://hostname.com:8009/
</VirtualHost>
I think you've got it, but you can look at the access logs on HTTPD & Tomcat to confirm the request is being proxied. You should see an access log entry on both systems.
A couple quick notes...
As mentioned in the comment, you can remove the HTTP connector from Tomcat. It's not a must though. Sometimes it's nice to keep open for testing purposes (i.e. you can hit the server directly) or if you want to run the Manager app on it. If you do keep it around, especially if you use it to run the Manager app, you should probably restrict access to it. Two easy ways to do that are by setting the address attribute on the HTTP connector to localhost or by configuring a RemoteAddressFilter.
Keep in mind that the AJP connection from your HTTPD server to Tomcat is not encrypted (SSL is terminated at HTTPD), so you want to make sure that traffic never goes over an insecure network (like the Internet).
Since you already have HTTPD in the mix, you can also use it to serve up your static files. If you deploy them to your document root, you can then add a "ProxyPass !" directive to exclude that path from being proxied to Tomcat. This will offer slightly less latency on the request as HTTPD does need to get the static file from Tomcat.
I am running a web server with the following configuration:
PHP Website running on Apache (port 80) (www.MyWebsite.com)
GWT Web Application running on Tomcat (port 8080) with a different URL (www.MyWebapp.com)
Web service also running on Tomcat (port 8080) with subdomain (service.MyWebapp.com)
I am struggling with some configuration issues. I am able to access the website as well as the web service with my current configuration, but for some reason my web application is throwing an RPC error when I access it remotely through the URL.
My vhosts.conf file is as follows:
<VirtualHost *:80>
ServerName MyWebapp.com
ServerAlias www.MyWebapp.com
ProxyRequests off
DefaultType text/html
ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/webapp/
ProxyPassReverse / ajp://localhost:8009/webapp/
</VirtualHost>
<VirtualHost *:80>
ServerName service.mywebapp.com
DefaultType text/html
ProxyRequests off
ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/webservice/
ProxyPassReverse / ajp://localhost:8009/webservice/
</VirtualHost>
<VirtualHost *:80>
ServerName www.mywebsite.com
ServerAlias *.mywebsite.com
DocumentRoot "c:/wamp64/www/website"
<Directory "c:/wamp64/www/website/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
Require all granted
</Directory>
</VirtualHost>
If I try to access it remotely via www.mywebapp.com, I get the HTML landing page, but when I make any RPC calls I receive an RPC error:
Type 'com.mycom.client.utility.model.DataContainer' was not assignable to 'com.google.gwt.user.client.rpc.IsSerializable' and did not have a custom field serializer. For security purposes, this type will not be deserialized.
I can access and run my web application locally (localhost:8080/webapp), as well as remotely if I specify the port (www.MyWebapp.com:8080/webapp), and do not receive any RPC errors.
My 'DataContainer' class implements java.io.Serializable, not com.google.gwt.user.client.rpc.IsSerializable (I've never encountered an issue with this before). I am under the impression that this has more to do with proxy settings than serialization, but have tried everything I can think of without success.
Any help would be much appreciated!!! Thanks in advance...
Environment:
Apache2
nanohttpd (web server (java))
The site itself is and has been working fine. I have added a lot of entries to a database which the nanohttpd web server returns on some endpoints.
I have figured out that it has to do with the length of the site being returned, since when I move entries from one status to another, the one with a lot of entries will always give me this error.
I already looked around a bit and think it may be a timeout issue, but I have added timeouts to my virtual host and this problem still persists.
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /foo
Reason: Error reading from remote server
Apache/2.4.10 (Debian) Server at foo.foo.foo Port 443
My current VirtualHost file for this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/directory
ServerName foo.foo.foo
ServerAlias foo.foo.foo
ProxyPass "/" "http://foo.com:8080/"
ProxyPassReverse "/" "http://foo.com:8080/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/path/options-ssl-apache.conf
SSLCertificateFile /etc/path/foo.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/path/foo.com-0001/privkey.pem
</VirtualHost>
</IfModule>
What I had tried earlier was adding timeout=x and connectiontimeout=x behind ProxyPass, but this didn't seem to help.
Edit:
Since there is still no answer here is some more info, I will add a bounty once eligible.
As you can see in my VirtualHost file I am using Apache Reverse Proxy to enable SSL for my application
So my little nanohttpd server basically returns a very simplistic html page with a table and a row for each database entry. If the specific category has more than around 100 entries I will get the Proxy Error message.
At this point I am very certain that it has to do with something timing out, but I have gone through so many posts and tried to add configs to mine and (yes, I restarted Apache2 after every change) nothing worked so far.
Could it be something on my nanohttpd server that I am missing?
A simple Header or Cookie, I am sending none of those as of now.
If any required information is missing please let me know.
Some of your input may have been malformed.
Well funnily enough I figured it out and I feel horrible now..
The table data I was inserting included a dollar sign and apparently I did not think of escaping the replacement String
Is it possible at all to do what I'm trying to do?
I have a domain - example.com - installed on a webserver Ubuntu 16.04/Apache.
Behind Apache I'm running a standard Glassfish (Payara actually) on standard port 8080.
On Payara I have a webapp - myWebapp - deployed on root context /
When I point my browser directly to port 8080 it shows my web app as I expect:
http://example.com:8080/ => webapp shown.
1) First I want to hide my Payara behind Apache and make sure when people write
http://example.com/ they are redirected to
https://example.com => myWebapp is shown.
This part works using AJP and my certificates are all in place.
In my default.conf in the
<VirtualHost *:80>
I have inserted the following line:
Redirect permanent / https://example.com/
It takes care of the redirection to HTTPS. But I'm in doubt if this is the right way to do it.
Everything else in the conf file is standard.
In my ssl.conf file in the
<VirtualHost *:443>
I have inserted
ServerName example.com
and paths to SSL certificates. It's working as expected.
Furthermore I have added
ProxyPass / ajp://127.0.0.1:8009
ProxyPassReverse / ajp://127.0.0.1:8009
Again, this works well. If I write
http://example.com
I'm redirected to
https://example.com/ => myWebapp is shown.
This is perfect.
But if I write
http://example.com/phpmyadmin
for instance, I'm not shown the phpmyadmin page.
How can I accomplish this and is it possible at all?
Thanks for any help.
Kim
You have a conflict in the following configuration:
ProxyPass / ajp://127.0.0.1:8009
ProxyPassReverse / ajp://127.0.0.1:8009
This sends all HTTP requests, also http://example.com/phpmyadmin, to your Payara server.
What you need instead is something like
ProxyPass /myWebapp ajp://127.0.0.1:8009
ProxyPassReverse /myWebapp ajp://127.0.0.1:8009
so that only relative URLs that start with /myWebapp are redirected to your Payara server and /phpmyadmin is still hosted by Apache.
The Apache documentation mentions:
Only specific URIs can be proxied, as shown in this example:
ProxyPass "/images" "http://www.example.com/"
ProxyPassReverse "/images" "http://www.example.com/"
In the above, any requests which start with the /images path will be proxied to the specified backend, otherwise it will be handled locally.
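The prefix scoping described in this answer, together with the "ProxyPass !" exclusion and the unencrypted-AJP note from the earlier answer on this page, as an added example (not code from the posts or from Apache): a simplified Python model of virtual-host-level ProxyPass rules, assuming they are tried in configuration order with the first match winning. The /static/ path and the rule-set names are constructed for illustration.

```python
# Added example: simplified model of mod_proxy ProxyPass selection.
# Assumption: rules sit at virtual-host level and are tried in file order,
# first match wins; a target of "!" means "do not proxy this prefix".
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def prefix_matches(prefix, path):
    """Match on path-segment boundaries: /app matches /app and /app/x, not /apple."""
    if not path.startswith(prefix):
        return False
    return prefix.endswith("/") or len(path) == len(prefix) or path[len(prefix)] == "/"

def route(rules, path):
    """Return the backend URL for path, or None when Apache serves it locally."""
    for prefix, target in rules:
        if prefix_matches(prefix, path):
            if target == "!":
                return None
            return target + path[len(prefix):]
    return None

def cleartext_ajp(rules):
    """List AJP backends that are not on loopback: that hop carries no TLS."""
    return [t for _, t in rules
            if t.startswith("ajp://") and urlsplit(t).hostname not in LOOPBACK]

# Constructed rule sets mirroring the configurations discussed on this page.
CATCH_ALL = [("/", "ajp://127.0.0.1:8009/")]
SCOPED = [("/myWebapp", "ajp://127.0.0.1:8009")]
WITH_EXCLUSION = [("/static/", "!"), ("/", "ajp://hostname.com:8009/")]
EXCLUSION_TOO_LATE = [("/", "ajp://hostname.com:8009/"), ("/static/", "!")]

if __name__ == "__main__":
    for name, rules in [("catch-all", CATCH_ALL), ("scoped", SCOPED),
                        ("exclusion first", WITH_EXCLUSION),
                        ("exclusion last", EXCLUSION_TOO_LATE)]:
        for path in ("/phpmyadmin/", "/myWebapp/login", "/static/site.css"):
            print(f"{name:16} {path:18} -> {route(rules, path) or 'served by Apache'}")
        print(f"{name:16} non-loopback AJP: {cleartext_ajp(rules)}")
```

A backend listed by cleartext_ajp is only a prompt to check the network path between Apache and the application server; it does not by itself mean the traffic crosses an untrusted network.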
I have my application developed in Java and located on my host at http://myhost.com:8080/myapp. I am using bluehost for my hosting service.
I want to access this app when I am hitting http://myhost.com.
I went through a lot of articles on this but got confused a lot. Also, there is no clear documentation for this.
How do I do this? Can anyone assist me?
Use the Apache server as a proxy server which will use your server name (http://myhost.com) and redirect that request to your running app URL (http://myhost.com:8080/myapp), i.e. the port forwarding concept.
For example, use the following in your Apache configuration file:
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName www.myhost.com
ServerAlias myhost.com
ProxyPass / http://myhost.com:8080/myapp/
ProxyPassReverse / http://myhost.com:8080/myapp/
</VirtualHost>
To achieve this you need to configure so many things, so read any appropriate documentation.
I did it using htaccess file.
Found the htaccess file in my hosting server and created a redirection for my domain; now everything looks good.
Hope it will help others in future.
I've been running a site for the past 3 years without any issues. The current SSL certificate was applied the past December. It is running on the FreeBSD 10 operating system. Apache is configured as a reverse proxy passing to Tomcat 6.0. As of this week the initial loading of pages has become extremely slow and does not leave any messages for the user. Nothing seems to stand out in my logs either. I will try to post the configuration below in hopes someone with a fresh set of eyes sees something I'm overlooking. There have been no modifications to the configuration since the site was stood up. If you need any additional info I'll be happy to provide.
Thanks
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache-tomcat-6.0/webapps"
ServerName hsc.myissinc.com
ServerAdmin support@myissinc.com
ServerSignature Off
Timeout 60
#KeepAlive On
ErrorLog /var/log/apache2/ajp.error.log
LogLevel warn
CustomLog /var/log/apache2/ajp.log combined
RewriteEngine On
#RewriteOptions inherit
ProxyVia On
ProxyRequests Off
ProxyPreserveHost Off
#ProxyPassReverseCookieDomain localhost hsc.myissinc.com
ProxyPass /easehsc/PublicTempStorage/ http://localhost:8080/easehsc/PublicTempStorage/ retry=10 acquire=3000 connectiontimeout=300 timeout=300 Keepalive=on
ProxyPassReverse /easehsc/PublicTempStorage/ http://localhost:8080/easehsc/PublicTempStorage/
ProxyPass /easehsc/ http://localhost:8080/easehsc/ retry=10 acquire=3000 connectiontimeout=300 timeout=300 Keepalive=on
ProxyPassReverse /easehsc/ http://localhost:8080/easehsc/
ProxyPass / http://localhost:8080/ retry=10 acquire=3000 connectiontimeout=300 timeout=300 Keepalive=on
ProxyPassReverse / https://localhost:8080/
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProxyEngine on
# Server Certificate:
SSLCertificateFile "/root/sslCA/myissinc.cer"
# Server Private Key:
SSLCertificateKeyFile "/root/sslCA/myissinc.key"
# Server Chain File (Intermediate Cert)
SSLCertificateChainFile "/root/sslCA/myissincint.cer"
</VirtualHost>
Turns out the issue was not with the Apache configuration nor Tomcat at all. The web app was calling a REST API that was suddenly taken offline due to a DDoS attack. We commented this call out and all works great. Thanks to those who looked at this and made suggestions.