mod_proxy - sticky sessions configuration help

All,

I am setting up a frontend HTTPD load balancer to a backend Tomcat application using mod_proxy.  I have not done so previously and am looking for some guidance.  Here is a diagram of what it will look like:

+---------------------+
|   Firewall Public   |
+---------------------+
+-------------------------------------------+
|      +-------+   +-------+   +-------+    |
|      | httpd |   | httpd |   | httpd |    |
|      |   1   |   |   2   |   |   3   |    |
|      +-------+   +-------+   +-------+    |
+-------------------------------------------+
+----------------------+
|   Firewall Private   |
+----------------------+
+---------------------------------------------+
|    +--------+   +--------+   +--------+     |
|    | tomcat |   | tomcat |   | tomcat |     |
|    |   1    |   |   2    |   |   3    |     |
|    +--------+   +--------+   +--------+     |
+---------------------------------------------+

The HTTPD 1-3 servers are in a DMZ subnet and will proxy back to internal Tomcat application on a different subnet.  I had this working without sticky sessions (which are needed) but now when I try to set up the configuration with sticky sessions I receive a 500 error in a browser.


Here is what I receive in the logs:

access_log:

10.37.11.14 - - [26/Feb/2018:09:48:34 -0800] "GET /favicon.ico HTTP/1.1" 500 527 "https://app.example.com/login.jsp" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36" "C1A3CF4AB2A4E8952C259E2F1B97A203.node1"

error_log:

[Mon Feb 26 09:48:34.714703 2018] [proxy:warn] [pid 37884] [client 10.37.11.14:53267] AH01144: No protocol handler was valid for the URL /favicon.ico. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: https://app.example.com/login.jsp


I believe the favicon.ico 'error' is benign, but if it is I'd like to suppress it.  But I do receive a standard 500 error in the browser.

The 'login.jsp' is a redirect from the backend application.  If I go directly to one of the application servers:

https://app1.example.com:9009

The page loads properly and gives the following URL in the browser:

https://app1.example.com:9009/login.jsp


Here is the complete httpd.conf file.  I only want the proxy to listen on port 443.  This system will only function as a DMZ proxy to the backend application.  Ideally the configuration is as minimal as possible with no extra/unnecessary directives:



Listen 443 https

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

ErrorLog        "logs/error_log"
TransferLog     "logs/access_log"
LogLevel        warn

<IfModule log_config_module>

        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{JSESSIONID}C\"" combined
        LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>

        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

    </IfModule>

        CustomLog "logs/access_log" combined

</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>

    MIMEMagicFile conf/magic

</IfModule>

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

<VirtualHost _default_:443>

        ServerName app.example.com

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

        SSLCertificateFile /etc/pki/tls/certs/cert.crt

<Proxy balancer://mycluster>

        BalancerMember https://app1.example.com:9009 route=node1
        BalancerMember https://app2.example.com:9009 route=node2
        ProxySet lbmethod=bybusyness

</Proxy>

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

ProxyPass / balancer://mycluster stickysession=JSESSIONID
ProxyPassReverse / balancer://mycluster stickysession=JSESSIONID

</VirtualHost>

Any guidance is greatly appreciated.  Thanks in advance.

HB
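
Added example, not part of the original post and not the poster's configuration: the proxy section of the posted virtual host with backend certificate verification enabled and the trailing slash matched on both ProxyPass arguments, which the mod_proxy documentation asks for when the path ends in /. It assumes httpd 2.4.5 or later, that mod_proxy_http, mod_proxy_balancer and mod_lbmethod_bybusyness are loaded, and a hypothetical CA bundle path, /etc/pki/tls/certs/backend-ca.crt.

```apache
# Form used in the post: the httpd -> Tomcat TLS hop is encrypted but the
# backend certificate is never authenticated, so anything that can answer on
# app1/app2:9009 in the private subnet is accepted as the application.
#   SSLProxyVerify none
#   SSLProxyCheckPeerCN off
#   SSLProxyCheckPeerName off
#   SSLProxyCheckPeerExpire off

# Verifying form.
SSLProxyEngine on
SSLProxyVerify require
SSLProxyVerifyDepth 2
# Assumed path: PEM bundle with the CA that issued the Tomcat certificates.
SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.crt
# Certificate name must match app1.example.com / app2.example.com
# (SSLProxyCheckPeerName supersedes SSLProxyCheckPeerCN from 2.4.5).
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

<Proxy balancer://mycluster>
    # route= must equal the suffix Tomcat appends to JSESSIONID
    # (".node1" in the access_log line above), i.e. the Engine jvmRoute.
    BalancerMember https://app1.example.com:9009 route=node1
    BalancerMember https://app2.example.com:9009 route=node2
    ProxySet lbmethod=bybusyness
</Proxy>

# Path and target both end in "/". The sticky-session parameters belong on
# ProxyPass; ProxyPassReverse only rewrites response headers.
ProxyPass        "/" "balancer://mycluster/" stickysession=JSESSIONID|jsessionid scolonpathdelim=On
ProxyPassReverse "/" "balancer://mycluster/"
```

Running `apachectl configtest` and `httpd -M` after the change confirms the syntax and shows which proxy submodules are actually loaded.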
