Obtain part of url in proxy balancer from one balancer member - apache2

I have a cluster setup of Apache server. Behind this I have 2 JBoss instances which are load balanced by Apache.
The configuration looks somewhat like the below:
<VirtualHost *:1111>
ServerAdmin admin@example.com
ServerName www.example.com
DocumentRoot "/apps"
ErrorLog "logs/https.www.example.com.-error_log"
TransferLog "logs/https.www.example.com-access_log"
LogLevel warn
<Directory "/apps">
Options -Indexes +FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
SSLProxyEngine On
SSLProxyVerify require
SSLProxyMachineCertificateFile "/apps/apache/conf/ssl/int/proxy.pem"
SSLProxyCACertificateFile "/apps/apache/conf/ssl/int/cert.pem"
RewriteEngine On
Header set Cache-Control "max-age=60, public"
<Proxy balancer://2node>
BalancerMember https://app01:8089 route=node1
BalancerMember https://app02:8089 route=node2
</Proxy>
ProxyPreserveHost On
ProxyPass /aa balancer://2node/aa stickysession=JSESSIONID|jsessionid
ProxyPass /static balancer://2node/static stickysession=JSESSIONID|jsessionid
ProxyPassReverse /aa balancer://2node/aa
ProxyPassReverse /static balancer://2node/static
ProxyPass /1/aa https://app01:8089/aa
ProxyPass /2/aa https://app02:8089/aa
ProxyPassReverse /1/aa https://app01:8089/aa
ProxyPassReverse /2/aa https://app02:8089/aa
ProxyPass /bb balancer://2node/rest stickysession=JSESSIONID|jsessionid
ProxyPassReverse /bb balancer://2node/bb
</VirtualHost>
When accessing a certain part of the URL, I want it to be routed from the second node, i.e. node2 of JBoss.
E.g. if I am accessing http://www.example.com/aa/login/login.jsp, I need this request to be processed by node2 (app02) only.
The rest of the requests should be load balanced as normal.
How do I set up Apache to do this?
I have tried a lot of rewrite, <Location> and ProxyPassMatch rules; none has worked so far.
Please help. Thanks in advance.

I used the below statement in the configuration file which resolved the issue.
<Proxy balancer://2node-aa>
BalancerMember https://app02:8080 route=node2
</Proxy>
RewriteRule ^/aa/login/(.*)$ balancer://2node-aa%{REQUEST_URI} [P,QSA,L]
This link helped me.
apache httpd mod_proxy load balancing with multiple virtual hosts url redirection
-Thanks

Related

Apache - exposing webapp on port using subdomain / route with SSL

I'm trying to expose web app via subdomain with SSL or via route.
Subdomain Method:
The webapp I'm running is on port: http://localhost:4567/
With the following configuration, the web browser tells me the app is "not secure" (non-https).
The app is generally working fine, but is non-https.
What am I doing wrong?
Are there alternative configurations?
<IfModule mod_ssl.c>
Listen 443
NameVirtualHost *:443
</IfModule>
<VirtualHost *:80>
ServerName blast.example.com
Redirect permanent / https://blast.example.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin me@gmail.com
ServerName blast.example.com
# ProxyPreserveHost On
ProxyRequests off
# setup the proxy
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
# ProxyPass / http://localhost:4567/
# ProxyPassReverse / http://localhost:4567/
<Location />
ProxyPass http://localhost:4567/
ProxyPassReverse http://localhost:4567/
</Location>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
SSLCertificateFile ...
SSLCertificateKeyFile ...
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
I had been following the prescription given at How to configure multiple subdomain with SSL in Apache?
Path/Route Method
I had also tried exposing the app as a route path (ie https://example.com/blast)
<Location /blast/ >
ProxyPass http://localhost:4567/
ProxyPassReverse http://localhost:4567/
</Location>
but the reverse proxy didn't seem to work in that case. If I started with:
https://example.com/blast
and clicked whatever on the start page,
the app would generate an internal URL without the /blast part, resulting in a 404:
https://example.com/blah-blah-generated-url
(should be https://example.com/blast/blah-blah-generated-url)
In general, the subdomain path seems to work better except for the non-https problem.
Setting up a path/route:
Making the application accessible with https://example.com/blast. If the application generates new routes, ProxyPassReverse is needed; otherwise, only ProxyPass is needed.
<VirtualHost *:443>
...
ProxyPass "/blast/" "http://localhost:4567/"
ProxyPassReverse "/blast/" "/"
...
Found in Example 1, here: ProxyPassReverse doesn't rewrite Location (http header)

mod_auth_openidc error 400 Bad Request - too many cookies (?)

I have a container mapped by Nginx on example.org/portia/test, structured as follows:
The container exposes only port 9001, where an Apache instance is listening as a proxy.
A Django server is running on 8000; all traffic for /api and /server_capabilities is sent to it.
Another Django server is running on 9002, which handles websockets on the /ws path.
a scheme of my network
I'm trying to add OpenIdConnect authentication using the mod_auth_openidc plugin for Apache, I want to protect the entire virtual host.
So far I reach the correct login page on auth-example.org, I log in with my credentials and the auth server redirects me with the correct URI. Nginx answers me with a 400 error.
request sent with a lot of cookies
The auth server is used by several application inside mydomain.org, so I guess something is wrong with my Apache configuration file.
For clarity's sake, I can't touch Nginx or the auth server confs.
apache_site.conf
<VirtualHost *:9001>
ServerAdmin webmaster@localhost
DocumentRoot /app/portiaui/dist
ServerName www.example.org
ServerAlias example.org
#ProxyRequests On
Alias /static /app/portiaui/dist
OIDCProviderMetadataURL https://www.auth-example.org/auth/realms/master/.wel$
OIDCRedirectURI https://example.org/portia/test/callback
OIDCCryptoPassphrase <much secret>
OIDCClientID portia
OIDCClientSecret <much private>
OIDCCookiePath example.org/portia/test/
OIDCCookieDomain example.org
<Location /static>
Require all granted
</Location>
<Location /api>
Require all granted
ProxyPass http://127.0.0.1:8000/api
ProxyPassReverse http://127.0.0.1:8000/api
ProxyPreserveHost On
</Location>
<Location /server_capabilities>
Require all granted
ProxyPass http://127.0.0.1:8000/server_capabilities
ProxyPassReverse http://127.0.0.1:8000/server_capabilities
ProxyPreserveHost On
</Location>
# mod_proxy_wstunnel is enabled
<Location /ws>
RequestHeader set Host "127.0.0.1:9002"
ProxyPreserveHost On
ProxyPass http://127.0.0.1:9002/ws
ProxyPassReverse http://127.0.0.1:9002/ws
</Location>
<Location />
AuthType openid-connect
Require valid-user
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The cookie path setting in OIDCCookiePath only needs to contain the actual path, not the host. In fact I'd start without using any of OIDCCookiePath or OIDCCookieDomain.
Hans Z.'s answer suggested that I also change OIDCRedirectURI to a relative path.
Setting OIDCRedirectURI /callback solved the issue: my Apache instance doesn't receive the entire URL www.example.org/portia/test/callback but only the last part of the path. This is due to the front-side Nginx instance.

Reverse proxy with websocket mod_proxy_wstunnel

I have a problem with web sockets and my Apache reverse proxy. I have upgraded to the latest release, 2.4.5, and loaded the module mod_proxy_wstunnel.
The httpd.conf :
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName www.toto.fr
ServerAlias toto.fr
ProxyPass /my_app http://1X.X.X.1:8080/my_app
ProxyPassReverse /web_pmr http://1X.X.X.1:8080/my_app
ProxyPassReverseCookiePath /my_app /
ProxyPassReverseCookieDomain localhost my_app
ProxyRequests off
ProxyTimeout 15
#WEBSOCKETS
ProxyPass /my_app/BasicWebsocketServlet ws://1X.X.X.1:8080/my_app/BasicWebsocketServlet retry=0
ProxyPassReverse /my_app/BasicWebsocketServlet ws://1X.X.X.1:8080/web_pmr/BasicWebsocketServlet retry=0
ErrorLog "logs/my_app_error.log"
LogLevel debug
CustomLog "logs/my_app_access.log" combined
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
When I test in my local URL, websockets are working but with the reverse proxy Apache, there is no trace in Tomcat logs.
This line:
ProxyPass /my_app/BasicWebsocketServlet ws://1X.X.X.1:8080/my_app/BasicWebsocketServlet retry=0
needs to come before this one:
ProxyPass /my_app http://1X.X.X.1:8080/my_app
Explanation (from https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass):
Ordering ProxyPass Directives
The configured ProxyPass and ProxyPassMatch rules are checked in the order of configuration. The first rule that matches wins. So usually you should sort conflicting ProxyPass rules starting with the longest URLs first. Otherwise later rules for longer URLS will be hidden by any earlier rule which uses a leading substring of the URL. Note that there is some relation with worker sharing. In contrast, only one ProxyPass directive can be placed in a Location block, and the most specific location will take precedence.
For the same reasons exclusions must come before the general ProxyPass directives.

How Can I Proxy To Multiple Application Running in Tomcat via mod_proxy

I have 2 web applications running under Tomcat6. Currently, I can access one of them via mod_proxy with the following config...
<VirtualHost xxx.xxx.xxx.xxx:80>
ServerAdmin email@email.com
ServerName staging.domain.com
ProxyPass /app1 http://localhost:8080/app1
ProxyPassReverse /app1 http://localhost:8080/app1
</VirtualHost>
Now, I can access app1 via http://staging.domain.com/app1. I also want to be able to access app2 the same way: http://staging.domain.com/app2. I configured a second VirtualHost; however, only the first one works. Is it even possible to proxy 2 web apps under a single domain? If so, any hints, tips, tricks would be greatly appreciated.
Ah, you're already pretty much doing it: just add extra ProxyPass/ProxyPassReverse statements.
<VirtualHost xxx.xxx.xxx.xxx:80>
ServerAdmin email@email.com
ServerName staging.domain.com
ProxyPass /app1 http://localhost:8080/app1
ProxyPassReverse /app1 http://localhost:8080/app1
ProxyPass /app2 http://localhost:8080/app2
ProxyPassReverse /app2 http://localhost:8080/app2
ProxyPass /app3 http://localhost:8080/app3
ProxyPassReverse /app3 http://localhost:8080/app3
</VirtualHost>

Using multiple ServerPath directives inside a Named VirtualHost

I'm trying to create a virtual host, dev.company.com, that routes to different applications depending on what comes after the domain. Specifically, I want:
/jenkins - to route to a Jenkins server
/apps - to route to a landing page with links to various applications
/clover - to route to a particular Jenkins build report - http://dev.company.com/jenkins/job/proj-master-clover/clover/
/ - everything else should route to a Tomcat server
I'm using the following config:
<VirtualHost *:80>
ServerName dev.company.com
ServerPath /jenkins
ProxyPass /jenkins http://easyrider:8080/jenkins
ProxyPassReverse /jenkins http://easyrider:8080/jenkins
ServerPath /clover
Redirect /clover http://dev.company.com/jenkins/job/proj-master-clover/clover/
ServerPath /apps
DocumentRoot "/usr/local/sites/developers"
<Directory "/usr/local/sites/developers">
DirectoryIndex index.html
Options Indexes MultiViews
</Directory>
ServerPath /
ProxyPass / http://tomcat_server:8080/
ProxyPassReverse / http://tomcat_server:8080/
</VirtualHost>
http://dev.company.com/jenkins works fine, but /apps and /clover always redirect to the Tomcat server. Is this the right way to do this?
So using ServerPath is mostly for legacy browsers. The trick, however, to getting an Alias and a Redirect working in a VirtualHost where you're using the catch-all:
ProxyPass / <url>
is to tell ProxyPass to ignore certain paths, using the ProxyPass /path ! notation.
So my final VirtualHost looks like this:
<VirtualHost *:80>
ServerName dev.company.com
ProxyPass /jenkins http://easyrider:8080/jenkins
ProxyPassReverse /jenkins http://easyrider:8080/jenkins
# Tells ProxyPass to ignore these paths as they'll be handled by Alias and Redirect
ProxyPass /clover !
ProxyPass /apps !
Redirect /clover http://dev.company.com/jenkins/job/proj-master-clover/clover/
Alias /apps "/usr/local/sites/developers"
<Directory "/usr/local/sites/developers">
DirectoryIndex index.html
Options Indexes MultiViews
</Directory>
ProxyPass / http://tomcat_server:8080/
ProxyPassReverse / http://tomcat_server:8080/
</VirtualHost>
and the urls are:
http://dev.company.com/jenkins* - will proxy to jenkins http://dev.company.com/jenkins
http://dev.company.com/apps - will proxy to http://dev.company.com/apps/
http://dev.company.com/clover - will redirect to http://dev.company.com/jenkins/job/proj-master-clover/clover/
and everything else will go to tomcat at tomcat_server:8080
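
An added example (not part of the original posts): a small Python check that reads ProxyPass lines in configuration order and reports any rule hidden by an earlier, shorter prefix, which covers both the WebSocket ordering fix and the `ProxyPass /path !` exclusions discussed above. The function names and the segment-boundary prefix model are assumptions of this example; the sample configs are constructed from directives quoted on this page.

```python
import re

# Constructed sample: directive order from the WebSocket question on this page.
WS_ORDER = """\
ProxyPass /my_app http://1X.X.X.1:8080/my_app
ProxyPass /my_app/BasicWebsocketServlet ws://1X.X.X.1:8080/my_app/BasicWebsocketServlet retry=0
"""
# Constructed sample: exclusions before the catch-all, as in the final answer.
EXCLUDE_FIRST = """\
ProxyPass /jenkins http://easyrider:8080/jenkins
ProxyPass /clover !
ProxyPass /apps !
ProxyPass / http://tomcat_server:8080/
"""

# Two-argument form only (path + target); ProxyPassReverse/ProxyPassMatch and
# commented-out lines do not match.
RULE = re.compile(r'\s*ProxyPass\s+"?(/[^"\s]*)"?\s+"?([^"\s]+)', re.I)

def parse_proxypass(conf):
    """Return (line_no, path, target) for each ProxyPass line, in file order."""
    rules = []
    for no, line in enumerate(conf.splitlines(), 1):
        m = RULE.match(line)
        if m:
            rules.append((no, m.group(1), m.group(2)))
    return rules

def covers(earlier, later):
    """Assumed model: prefix match that ends on a path-segment boundary."""
    return later == earlier or later.startswith(earlier.rstrip("/") + "/")

def shadowed_rules(conf):
    """Return (line, path, hidden_by_line, hidden_by_path) for unreachable rules."""
    findings, seen = [], []
    for no, path, _target in parse_proxypass(conf):
        for e_no, e_path in seen:
            if covers(e_path, path):  # first match wins, so this rule never fires
                findings.append((no, path, e_no, e_path))
                break
        seen.append((no, path))
    return findings

if __name__ == "__main__":
    for name, conf in (("WS_ORDER", WS_ORDER), ("EXCLUDE_FIRST", EXCLUDE_FIRST)):
        for no, path, e_no, e_path in shadowed_rules(conf):
            print(f"{name}: line {no} ({path}) is hidden by line {e_no} ({e_path})")
```

A finding on a `!` exclusion line means the path it was meant to keep local is still being forwarded to the backend.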
