Hi Timo.
i don't know ajp protocol, but I have a similar configuration.
this is my configuration that work fine with apache, mod_proxy as frontend and a tomcat 6 with SSL (8443) as backend.
u don't set the end point (spike/) but only the ProxyPass. I'm using another modules, also.
Please check my configuration. I hope it can help you.
Read this tutorial, it's very usefull: http://www.apachetutor.org/admin/reverseproxies
Cheers,
Mauri
LoadModule ssl_module modules/mod_ssl.so
LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
LoadModule headers_module modules/mod_headers.so
AddType application/x-httpd-php .amf
AddType video/x-ms-asf asf asx
AddType audio/x-ms-wma .wma
AddType application/octet-stream .doc .xls .pdf
AddType application/x-shockwave-flash swf
Listen 443
Listen 80
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
NameVirtualHost mydomain.com:443
<VirtualHost mydomain.com:443>
ServerName mydomain.com
ProxyRequests off
ProxyPass / https://10.173.90.167:8443/
ProxyHTMLURLMap https://10.173.90.167:8443 /
<Location />
ProxyPassReverse https://10.173.90.167:8443/
ProxyHTMLEnable On
ProxyHTMLURLMap / /
RequestHeader unset Accept-Encoding
</Location>
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/cert/certificate.cer
SSLCertificateKeyFile /etc/httpd/cert/certificate.key
SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
2010/4/28 Timo Meinen <timomeinen@xxxxxxxxxxxxxx>
Hi,
I have a problem with our reverse proxy. I asked this question to the
tomcat-users mailinglist, too, but no one could help me and I am
absolutely stuck with this problem. So, I hope some of the httpd
experts here, may have an idea:
Our configuration is a Apache 2.2 web server, acting as a reverse
proxy for Tomcat 6. This is the configuration:
ServerName it.localhost.de
ProxyPass / ajp://127.0.0.1:8009/spike/
ProxyPassReverse / ajp://127.0.0.1:8009/spike/
ProxyPassReverseCookiePath /spike /
(This is the configuration in the VirtualHost entry for port 80. There
is a second VHost for SSL with SSLProxyEngine On and SSLEngine On).
As you can see, the webapp is hosted under ContextPath /spike but
available through the proxy via /. Everything works fine, until the
webapp sends an redirect to HTTPS. This is done via SpringSecurity.
The problem is, that the ProxyPassReverse directive doesn't catch the
ContextPath and converts it, if it includes the complete address.
These are the logs from the web browser:
GET http://it.localhost.de/users/65 => 302 =>
https://it.localhost.de/spike/users/65
1) Why does the ProxyPassReverse doesn't convert the /spike back to /
in https://it.localhost.de/spike/users/65? Is it because the Header
isn't relative? The protocol is still AJP and so the Proxy should know
how to convert it, right?
1a) If so, how could the webapp switch from http to https and vice
versa, when not able to send the absolute address with a new protocol?
After this, I tried to set additional ProxyPassReverse directives:
ProxyPassReverse / https://it.localhost.de/spike/
ProxyPassReverse / http://it.localhost.de/spike/
This time, the /spike/ is converted to /, but the two directives leads
to an infintive loop of redirects to
http://it.localhost.de/<REQUEST-URI>.
2) How can I stop this loop? or better
3) How can I configure the ProxyPassReverse correctly?
Thank you very much for any help
Timo
Here are the debug information from httpd:
[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(239): proxy:
APR_BUCKET_IS_EOS
[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(244): proxy: data
to read (max 8186 at 4)
[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(259): proxy: got 0
bytes of data
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header:
ajp_ilink_received 04
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got 04
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(491):
ajp_unmarshal_response: status = 302
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(502):
ajp_unmarshal_response: Number of headers is = 2
[Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(1071): ppr: real:
ajp://127.0.0.1:9091/spike/
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564):
ajp_unmarshal_response: Header[0] [Location] =
[https://it.localhost.de/spike/users/3]
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564):
ajp_unmarshal_response: Header[1] [Content-Length] = [0]
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header:
ajp_ilink_received 05
[Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got 05
[Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(498): proxy: got
response from 127.0.0.1:9091 (127.0.0.1)
[Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(2062): proxy: AJP: has
released connection for (127.0.0.1)
[Tue Apr 27 16:54:39 2010] [info] Initial (No.1) HTTPS request
received for child 9 (server it.localhost.de:80)
[Tue Apr 27 16:54:44 2010] [debug] mod_proxy_ajp.c(45): proxy: AJP:
canonicalising URL //127.0.0.1:9091/spike/spike/users/3
[Tue Apr 27 16:54:44 2010] [debug] proxy_util.c(1488): [client
85.183.135.210] proxy: ajp: found worker ajp://127.0.0.1:9091/spike/
for ajp://127.0.0.1:9091/spike/spike/users/3, referer:
http://it.localhost.de/
Problem is that the "ajp_unmarshal_response: Header[0] [Location] =
[https://it.localhost.de/spike/users/3]" doesn't remove the /spike in
the response, so that the next request will lead to the
doubled-context-path: ajp://127.0.0.1:9091/spike/spike/users/3.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|