Apache LoadBalancing, sticky session, and Spring security framework - apache2

I have a public facing Apache 2.2 webserver that I've configured to proxy and balance requests to back-end web applications deployed on Tomcat 6.0. I am using Spring FW + Spring security framework as technology stack, therefore the application is using a cookie with jsessionid. The snippet below is from the Apache configuration:
ServerName abc.mydomain.com
ProxyRequests Off
ProxyPass / balancer://mycluster/ stickysession=JSESSIONID|jsessionid nofailover=On scolonpathdelim=On
ProxyPassReverse / balancer://mycluster/
<Proxy balancer://mycluster >
BalancerMember http://10.179.40.165:8080/abc
</Proxy>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
The problem is that Spring Security will redirect to invalid session url on any request after a successful login. What can I do to solve the problem?
Thanks
Peter

I just had this issue as well.
I found the answer in https://stackoverflow.com/a/9951315/1211174
Here is my configuration:
<VirtualHost vm1.mydomain.com:443>
ServerName public.domain.name
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyTimeout 5400
# should be the other way: whitelist instead of blacklist
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Proxy balancer://mybalancername>
BalancerMember ajp://localhost:8209
BalancerMember ajp://localhost:8210
ProxySet lbmethod=bytraffic
ProxySet stickysession=JSESSIONID
</Proxy>
ProxyPass / balancer://mybalancername/
#check out http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html for more info
ProxyPassReverse / balancer://mybalancername/
ProxyPassReverseCookieDomain balancer://mybalancername https://public.domain.name
</IfModule>
</VirtualHost>
It seems that without
ProxySet lbmethod=bytraffic
ProxySet stickysession=JSESSIONID
Spring Security doesn't get the right cookie.
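A simplified model of the balancer's sticky routing decision, added here as an example (it is not code from the posts above or from Apache): mod_proxy_balancer takes the part of the session id after the first `.` as the route and matches it against `route=` on a BalancerMember, so a session id without a route suffix falls through to the load-balancing method and can reach a node that has never seen the session. The route names `node1`/`node2`, the session ids and the round-robin stand-in for lbmethod are assumptions.

```python
import itertools
import re

# Constructed members: route names are assumed and must equal each Tomcat's jvmRoute.
MEMBERS = {"node1": "ajp://localhost:8209", "node2": "ajp://localhost:8210"}


def sticky_route(cookie_header, url, cookie_name="JSESSIONID", path_name="jsessionid"):
    """Return the route suffix of the session id, or None if it carries none."""
    value = None
    for part in cookie_header.split(";"):
        name, _, val = part.strip().partition("=")
        if name == cookie_name:
            value = val
    if value is None:
        # No cookie: fall back to the ;jsessionid=... URL path parameter.
        m = re.search(r";%s=([^;?&#]+)" % re.escape(path_name), url)
        value = m.group(1) if m else None
    if value is None or "." not in value:
        return None
    return value.split(".", 1)[1]  # everything after the first '.'


class Balancer:
    def __init__(self, members):
        self.members = members
        # Round-robin is a stand-in for the configured lbmethod (assumption).
        self._rr = itertools.cycle(sorted(members))

    def pick(self, cookie_header="", url="/"):
        """Return (route, reason) for one request."""
        route = sticky_route(cookie_header, url)
        if route in self.members:
            return route, "sticky"
        return next(self._rr), "lbmethod"


def nodes_seen(session_id, requests=4):
    """Nodes that serve consecutive requests carrying the same session id."""
    lb = Balancer(MEMBERS)
    return [lb.pick("JSESSIONID=" + session_id)[0] for _ in range(requests)]
```

With a constructed id such as `4F2A9C.node2` every request stays on `node2`; with a bare `4F2A9C` the requests alternate between nodes, which the application sees as an unknown session.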


Application configured with Keycloak SSO; Keycloak behind Apache proxy server gives too many redirects

I have a WildFly application configured to work with Keycloak SSO. This application works fine.
Now we have to have an Apache server acting as a proxy in front of Keycloak and the WildFly server. This is the configuration file for Apache. When I hit it in the browser it gives too many redirects. Do I need to configure anything on the Keycloak side or the Apache side?
#NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin postmaster@xxx.yyy.icg
DocumentRoot "c:\xampp\htdocs\xxx.yyy.com"
ServerName xxx.yyy.com
ServerAlias www.xxx.yyy.com
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLEngine on
SSLCertificateFile "conf/ssl.crt/app.pem"
SSLCertificateKeyFile "conf/ssl.key/cert.key"
ErrorLog "logs/xxx.yyy.com-error.log"
CustomLog "logs/xxx.yyy.com-error.log" combined
ProxyPass "/" "http://10.0.144.246:8060/app1"
ProxyPassReverse "/" "http://10.0.144.246:8060/app1"
<Location /app1>
ProxyPass http://http://10.0.144.246:8060/app1
ProxyPassReverse http://10.0.144.246:8060/app1
Order Allow,Deny
Allow from all
</Location>
</VirtualHost>
We experienced the exact same issue with a similar setup of Keycloak and NGINX, and we managed to fix it by enabling the sticky session on NGINX.

Apache - exposing webapp on port using subdomain / route with SSL

I'm trying to expose web app via subdomain with SSL or via route.
Subdomain Method:
The webapp I'm running is on port: http://localhost:4567/
With the following configuration, the web browser tells me the app is "not secure" (non-https).
The app is generally working fine, but is non-https.
What am I doing wrong?
Are there alternative configurations?
<IfModule mod_ssl.c>
Listen 443
NameVirtualHost *:443
</IfModule>
<VirtualHost *:80>
ServerName blast.example.com
Redirect permanent / https://blast.example.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin me@gmail.com
ServerName blast.example.com
# ProxyPreserveHost On
ProxyRequests off
# setup the proxy
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
# ProxyPass / http://localhost:4567/
# ProxyPassReverse / http://localhost:4567/
<Location />
ProxyPass http://localhost:4567/
ProxyPassReverse http://localhost:4567/
</Location>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
SSLCertificateFile ...
SSLCertificateKeyFile ...
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
I had been following the prescription given at How to configure multiple subdomain with SSL in Apache?
Path/Route Method
I had also tried exposing the app as a route path (ie https://example.com/blast)
<Location /blast/ >
ProxyPass http://localhost:4567/
ProxyPassReverse http://localhost:4567/
</Location>
but the reverse proxy didn't seem to work in that case. If I started with:
https://example.com/blast
And clicked whatever on the start page.
The app would generate an internal URL without the /blast part, resulting in a 404:
https://example.com/blah-blah-generated-url
(should be https://example.com/blast/blah-blah-generated-url)
In general, the subdomain path seems to work better except for the non-https problem.
Setting up a path/route:
Making the application accessible with https://example.com/blast. If the application generates new routes, ProxyPassReverse is needed; otherwise, only ProxyPass is needed.
<VirtualHost *:443>
...
ProxyPass "/blast/" "http://localhost:4567/"
ProxyPassReverse "/blast/" "/"
...
Found in Example 1, here: ProxyPassReverse doesn't rewrite Location (http header)

mod_auth_openidc error 400 Bad Request - too many cookies (?)

I have a container mapped by Nginx on example.org/portia/test, structured as follows:
Container exposes only port 9001, where an Apache instance as proxy is listening.
A Django server is running on 8000, all traffic for /api and /server_capabilities is sent to it.
Another Django server is running on 9002, which handles websockets on /ws path.
[Image: a scheme of my network]
I'm trying to add OpenID Connect authentication using the mod_auth_openidc plugin for Apache; I want to protect the entire virtual host.
So far I reach the correct login page on auth-example.org, I log in with my credentials and the auth server redirects me with the correct URI. Nginx answers me with a 400 error.
[Image: request sent with a lot of cookies]
The auth server is used by several applications inside mydomain.org, so I guess something is wrong with my Apache configuration file.
For clarity's sake, I can't touch Nginx or the auth server confs.
apache_site.conf
<VirtualHost *:9001>
ServerAdmin webmaster@localhost
DocumentRoot /app/portiaui/dist
ServerName www.example.org
ServerAlias example.org
#ProxyRequests On
Alias /static /app/portiaui/dist
OIDCProviderMetadataURL https://www.auth-example.org/auth/realms/master/.wel$
OIDCRedirectURI https://example.org/portia/test/callback
OIDCCryptoPassphrase <much secret>
OIDCClientID portia
OIDCClientSecret <much private>
OIDCCookiePath example.org/portia/test/
OIDCCookieDomain example.org
<Location /static>
Require all granted
</Location>
<Location /api>
Require all granted
ProxyPass http://127.0.0.1:8000/api
ProxyPassReverse http://127.0.0.1:8000/api
ProxyPreserveHost On
</Location>
<Location /server_capabilities>
Require all granted
ProxyPass http://127.0.0.1:8000/server_capabilities
ProxyPassReverse http://127.0.0.1:8000/server_capabilities
ProxyPreserveHost On
</Location>
# mod_proxy_wstunnel is enabled
<Location /ws>
RequestHeader set Host "127.0.0.1:9002"
ProxyPreserveHost On
ProxyPass http://127.0.0.1:9002/ws
ProxyPassReverse http://127.0.0.1:9002/ws
</Location>
<Location />
AuthType openid-connect
Require valid-user
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The cookie path setting in OIDCCookiePath only needs to contain the actual path, not the host. In fact I'd start without using any of OIDCCookiePath or OIDCCookieDomain.
The answer of Hans Z. suggested that I also change OIDCRedirectURI to a relative path.
Setting OIDCRedirectURI /callback solved the issue: my Apache instance doesn't receive the entire URL www.example.org/portia/test/callback but only the last part of the path. This is due to the front side Nginx instance.

Access Geoserver From Internet Ubuntu Server 14.04.1

I'm trying to get GeoServer up on an IBM server with Ubuntu Server 14.04.1. I tried making a file at /etc/apache2/sites-available/geoserver.conf with the following contents:
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /geoserver "http://localhost:8080/geoserver"
ProxyPassReverse /geoserver "http://localhost:8080/geoserver"
I access my server via a subdomain on NO-IP, but I can't make GeoServer work at an address like this: my.subdomain.com/geoserver
I will give any information you need; I really need some help with this.
Thanks.
Well, after a lot of research and trying a lot of things, I understood where I have to put these lines to set up ProxyPass for GeoServer public data access:
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /geoserver "http://localhost:8080/geoserver"
ProxyPassReverse /geoserver "http://localhost:8080/geoserver"
In almost every tutorial that I read, they explain how to access GeoServer via the internet using the httpd server, where you have to add the ProxyPass lines to the file httpd.conf, at the path:
/etc/httpd/conf/httpd.conf
But since I'm using the apache2 server instead of the httpd server, the ProxyPass code must be put in the file 000-default.conf, and the path is:
/etc/apache2/sites-available/000-default.conf
The code has to be between the tags:
<VirtualHost *:80>
# some code and comments
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /geoserver "http://localhost:8080/geoserver"
ProxyPassReverse /geoserver "http://localhost:8080/geoserver"
</VirtualHost>
Hope this helps.
Any errors you see from me feel free to comment.
Greetings to all.

Obtain part of url in proxy balancer from one balancer member

I have a cluster setup of Apache servers. Behind this I have 2 JBoss instances which are load balanced by Apache.
The configuration looks somewhat like the below:
<VirtualHost *:1111>
ServerAdmin admin@example.com
ServerName www.example.com
DocumentRoot "/apps"
ErrorLog "logs/https.www.example.com.-error_log"
TransferLog "logs/https.www.example.com-access_log"
LogLevel warn
<Directory "/apps">
Options -Indexes +FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
SSLProxyEngine On
SSLProxyVerify On
SSLProxyMachineCertificateFile "/apps/apache/conf/ssl/int/proxy.pem"
SSLProxyCACertificateFile "/apps/apache/conf/ssl/int/cert.pem"
RewriteEngine On
Header set Cache-Control "max-age=60, public"
<Proxy balancer://2node-aa>
BalancerMember https://app01:8089 route=node1
BalancerMember https://app02:8089 route=node2
</Proxy>
ProxyPreserveHost On
ProxyPass /aa balancer://2node/aa stickysession=JSESSIONID|jsessionid
ProxyPass /static balancer://2node/static stickysession=JSESSIONID|jsessionid
ProxyPassReverse /aa balancer://2node/aa
ProxyPassReverse /static balancer://2node/static
ProxyPass /1/aa https://app01:8089/aa
ProxyPass /2/aa https://app02:8089/aa
ProxyPassReverse /1/aa https://app01:8089/aa
ProxyPassReverse /2/aa https://app02:8089/aa
ProxyPass /bb balancer://2node/rest stickysession=JSESSIONID|jsessionid
ProxyPassReverse /bb balancer://2node/bb
</VirtualHost>
For a certain part of the URL, I want requests to be routed to the second node, i.e. node2 of JBoss.
E.g. if I am accessing http://www.example.com/aa/login/login.jsp I need this request to be processed by node2 (app02) only.
The rest of the requests should load balance as normal.
How do I set up Apache to do it?
I have tried a lot of rewrite, <Location> and ProxyPassMatch; none has worked so far.
Please help. Thanks in advance.
I used the below statement in the configuration file which resolved the issue.
<Proxy balancer://2node-aa>
BalancerMember https://app02:8080 route=node2
</Proxy>
RewriteRule ^/aa/login/(.*)$ balancer://2node-aa%{REQUEST_URI} [P,QSA,L]
This link helped me:
apache httpd mod_proxy load balancing with multiple virtual hosts url redirection
-Thanks
