All,
I am setting up a frontend HTTPD load balancer to a backend Tomcat application using mod_proxy. I have not done so previously and am looking for some guidance. Here is a diagram of what it will look like:
+---------------------+
| Firewall Public |
+---------------------+
+-------------------------------------------+
| +------+ +-------+ +-------+ |
| | httpd| | httpd | | httpd | |
| | 1 | | 2 | | 3 | |
| +------+ +-------+ +-------+ |
+-------------------------------------------+
+----------------------+
| Firewall Private |
+----------------------+
+---------------------------------------------+
| +--------+ +---------+ +--------+ |
| | tomcat | |tomcat | |tomcat| |
| | 1 | | 2 | | 3 | |
| +--------+ +---------+ +--------+ |
+---------------------------------------------+
The HTTPD 1-3 servers are in a DMZ subnet and will proxy back to internal Tomcat application on a different subnet. I had this working without sticky sessions (which are needed) but now when I try to set up the configuration with sticky sessions I receive a 500 error in a browser.
Here is what I receive in the logs:
access_log:
10.37.11.14 - - [26/Feb/2018:09:48:34 -0800] "GET /favicon.ico HTTP/1.1" 500 527 "
https://app.example.com/login.jsp" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36" "C1A3CF4AB2A4E8952C259E2F1B97A203.node1"
error_log:
[Mon Feb 26 09:48:34.714703 2018] [proxy:warn] [pid 37884] [client
10.37.11.14:53267] AH01144: No protocol handler was valid for the URL /favicon.ico. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer:
https://app.example.com/login.jsp
I believe the favicon.ico 'error' is benign, but if it is I'd like to supress it. But I do receive a standard 500 error in the browser.
The 'login.jsp' is a redirect from the backend application. If I go directly to one of the application servers:
The page loads properly and gives the following URL in the browser:
Here is the complete httpd.conf file. I only want the proxy to listen on port 443. This system will only function as a DMZ proxy to the backend application. Ideally the configuration is as minimal as possible with no extra/unnecessary directives:
Listen 443 https
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
AllowOverride none
Require all denied
</Directory>
ErrorLog "logs/error_log"
TransferLog "logs/access_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{JSESSIONID}C\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/cert.crt
<Proxy balancer://mycluster>
ProxySet lbmethod=bybusyness
</Proxy>
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / balancer://mycluster stickysession=JSESSIONID
ProxyPassReverse / balancer://mycluster stickysession=JSESSIONID
</VirtualHost>
Any guidance is greatly appreciated. Thanks in advance..
HB
