Hi,

yes SSLProxyEngine On is activated in the SSL VirtualHost. But this
doesn't help.

Timo

2010/4/28 Arunkumar Janarthanan <arunkumar.webadmin@xxxxxxxxx>:
> Hi,
>
> Did you try the "sslProxyEngine On", However I have got the specific error
> in my Apache log stating have to check this one.
>
> Hope this helps.
>
> Best Regards,
> Arun Janarthanan
>
> On Wed, Apr 28, 2010 at 5:44 AM, Mauri <lain80@xxxxxxxxx> wrote:
>>
>> Hi Timo.
>>
>> I don't know ajp protocol, but I have a similar configuration.
>> This is my configuration that works fine with apache, mod_proxy as frontend
>> and a tomcat 6 with SSL (8443) as backend.
>> You don't set the end point (spike/) but only the ProxyPass. I'm using
>> other modules, also.
>> Please check my configuration. I hope it can help you.
>> Read this tutorial, it's very useful:
>> http://www.apachetutor.org/admin/reverseproxies
>>
>> Cheers,
>> Mauri
>>
>> LoadModule ssl_module modules/mod_ssl.so
>> LoadFile /usr/lib/libxml2.so
>> LoadModule proxy_html_module modules/mod_proxy_html.so
>> LoadModule xml2enc_module modules/mod_xml2enc.so
>> LoadModule headers_module modules/mod_headers.so
>>
>> AddType application/x-httpd-php .amf
>> AddType video/x-ms-asf asf asx
>> AddType audio/x-ms-wma .wma
>> AddType application/octet-stream .doc .xls .pdf
>> AddType application/x-shockwave-flash swf
>>
>> Listen 443
>> Listen 80
>> AddType application/x-x509-ca-cert .crt
>> AddType application/x-pkcs7-crl .crl
>> SSLPassPhraseDialog builtin
>> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
>> SSLSessionCacheTimeout 300
>> SSLMutex default
>> SSLRandomSeed startup file:/dev/urandom 256
>> SSLRandomSeed connect builtin
>> SSLCryptoDevice builtin
>>
>> NameVirtualHost mydomain.com:443
>> <VirtualHost mydomain.com:443>
>> ServerName mydomain.com
>> ProxyRequests off
>> ProxyPass / https://10.173.90.167:8443/
>> ProxyHTMLURLMap https://10.173.90.167:8443 /
>> <Location />
>> ProxyPassReverse https://10.173.90.167:8443/
>> ProxyHTMLEnable On
>> ProxyHTMLURLMap / /
>> RequestHeader unset Accept-Encoding
>> </Location>
>> SSLEngine on
>> SSLProxyEngine on
>> SSLProtocol all -SSLv2
>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>> SSLCertificateFile /etc/httpd/cert/certificate.cer
>> SSLCertificateKeyFile /etc/httpd/cert/certificate.key
>> SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
>>
>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>> SSLOptions +StdEnvVars
>> </Files>
>> <Directory "/var/www/cgi-bin">
>> SSLOptions +StdEnvVars
>> </Directory>
>> SetEnvIf User-Agent ".*MSIE.*" \
>> nokeepalive ssl-unclean-shutdown \
>> downgrade-1.0 force-response-1.0
>> CustomLog logs/ssl_request_log \
>> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>> </VirtualHost>
>>
>>
>> 2010/4/28 Timo Meinen <timomeinen@xxxxxxxxxxxxxx>
>>>
>>> Hi,
>>>
>>> I have a problem with our reverse proxy. I asked this question to the
>>> tomcat-users mailing list, too, but no one could help me and I am
>>> absolutely stuck with this problem. So, I hope some of the httpd
>>> experts here, may have an idea:
>>>
>>> Our configuration is an Apache 2.2 web server, acting as a reverse
>>> proxy for Tomcat 6. This is the configuration:
>>>
>>> ServerName it.localhost.de
>>> ProxyPass / ajp://127.0.0.1:8009/spike/
>>> ProxyPassReverse / ajp://127.0.0.1:8009/spike/
>>> ProxyPassReverseCookiePath /spike /
>>>
>>> (This is the configuration in the VirtualHost entry for port 80. There
>>> is a second VHost for SSL with SSLProxyEngine On and SSLEngine On).
>>>
>>> As you can see, the webapp is hosted under ContextPath /spike but
>>> available through the proxy via /. Everything works fine, until the
>>> webapp sends a redirect to HTTPS. This is done via SpringSecurity.
>>> The problem is, that the ProxyPassReverse directive doesn't catch the
>>> ContextPath and converts it, if it includes the complete address.
>>> These are the logs from the web browser:
>>>
>>> GET http://it.localhost.de/users/65 => 302 =>
>>> https://it.localhost.de/spike/users/65
>>>
>>> 1) Why doesn't the ProxyPassReverse convert the /spike back to /
>>> in https://it.localhost.de/spike/users/65? Is it because the Header
>>> isn't relative? The protocol is still AJP and so the Proxy should know
>>> how to convert it, right?
>>> 1a) If so, how could the webapp switch from http to https and vice
>>> versa, when not able to send the absolute address with a new protocol?
>>>
>>> After this, I tried to set additional ProxyPassReverse directives:
>>>
>>> ProxyPassReverse / https://it.localhost.de/spike/
>>> ProxyPassReverse / http://it.localhost.de/spike/
>>>
>>> This time, the /spike/ is converted to /, but the two directives lead
>>> to an infinite loop of redirects to
>>> http://it.localhost.de/<REQUEST-URI>.
>>>
>>> 2) How can I stop this loop? or better
>>> 3) How can I configure the ProxyPassReverse correctly?
>>>
>>> Thank you very much for any help
>>> Timo
>>>
>>> Here is the debug information from httpd:
>>>
>>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(239): proxy:
>>> APR_BUCKET_IS_EOS
>>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(244): proxy: data
>>> to read (max 8186 at 4)
>>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(259): proxy: got 0
>>> bytes of data
>>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header:
>>> ajp_ilink_received 04
>>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got
>>> 04
>>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(491):
>>> ajp_unmarshal_response: status = 302
>>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(502):
>>> ajp_unmarshal_response: Number of headers is = 2
>>> [Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(1071): ppr: real:
>>> ajp://127.0.0.1:9091/spike/
>>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564):
>>> ajp_unmarshal_response: Header[0] [Location] =
>>> [https://it.localhost.de/spike/users/3]
>>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564):
>>> ajp_unmarshal_response: Header[1] [Content-Length] = [0]
>>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header:
>>> ajp_ilink_received 05
>>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got
>>> 05
>>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(498): proxy: got
>>> response from 127.0.0.1:9091 (127.0.0.1)
>>> [Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(2062): proxy: AJP: has
>>> released connection for (127.0.0.1)
>>> [Tue Apr 27 16:54:39 2010] [info] Initial (No.1) HTTPS request
>>> received for child 9 (server it.localhost.de:80)
>>> [Tue Apr 27 16:54:44 2010] [debug] mod_proxy_ajp.c(45): proxy: AJP:
>>> canonicalising URL //127.0.0.1:9091/spike/spike/users/3
>>> [Tue Apr 27 16:54:44 2010] [debug] proxy_util.c(1488): [client
>>> 85.183.135.210] proxy: ajp: found worker ajp://127.0.0.1:9091/spike/
>>> for ajp://127.0.0.1:9091/spike/spike/users/3, referer:
>>> http://it.localhost.de/
>>>
>>>
>>> Problem is that the "ajp_unmarshal_response: Header[0] [Location] =
>>> [https://it.localhost.de/spike/users/3]" doesn't remove the /spike in
>>> the response, so that the next request will lead to the
>>> doubled-context-path: ajp://127.0.0.1:9091/spike/spike/users/3.
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>>
>>
>

-- 
Glück Auf
Timo
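
Added example, not part of the original thread and not Apache source code: a simplified Python model of the Location rewriting discussed above, showing why a rule with an ajp:// prefix leaves the absolute https:// redirect untouched and why the two extra rules loop on the port 80 VirtualHost. It assumes a rule fires only on a prefix match against its backend URL and that the rewritten URL takes the scheme and host of the request being served; `app_redirect` is a constructed stand-in for the webapp.

```python
from urllib.parse import urlsplit

# ProxyPassReverse rules as (fake path, real prefix), taken from the thread.
RULE_AJP = ("/", "ajp://127.0.0.1:8009/spike/")
EXTRA_RULES = [("/", "https://it.localhost.de/spike/"),
               ("/", "http://it.localhost.de/spike/")]


def reverse_map(location, rules, req_scheme, req_host):
    """Rewrite a Location header the way this simplified model assumes.

    A rule fires only if the header starts with its real prefix. The result
    is rebuilt from the scheme and host of the request being served, so the
    scheme the backend asked for is dropped (modelling assumption).
    """
    for fake, real in rules:
        if location.lower().startswith(real.lower()):
            return f"{req_scheme}://{req_host}{fake}{location[len(real):]}"
    return location  # no prefix matched: header is passed through unchanged


def app_redirect(scheme, path):
    """Constructed stand-in for the webapp: force HTTPS via an absolute URL."""
    if scheme == "http":
        return "https://it.localhost.de/spike" + path
    return None  # already on HTTPS, no redirect


def follow(start, rules, max_hops=4):
    """Follow redirects like a browser; return (urls visited, loop detected)."""
    visited, url = [start], start
    for _ in range(max_hops):
        parts = urlsplit(url)
        location = app_redirect(parts.scheme, parts.path)
        if location is None:
            return visited, False
        url = reverse_map(location, rules, parts.scheme, parts.netloc)
        if url in visited:
            return visited + [url], True
        visited.append(url)
    return visited, False


if __name__ == "__main__":
    start = "http://it.localhost.de/users/65"
    print(follow(start, [RULE_AJP]))                # /spike leaks to the client
    print(follow(start, [RULE_AJP] + EXTRA_RULES))  # redirect loop
```

In the first run the client ends up on https://it.localhost.de/spike/users/65, which the proxy would then map to the doubled /spike/spike/ backend path seen in the debug log.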