Re: [users@httpd] balancing best practices - mod_proxy_balancer
Not sure if this is still the case, but I don't believe that mod_jk allows SSL connections between Apache and Tomcat. This is why mod_proxy_httpd is often used. If that bit of security is important to your organization, something to keep in mind. If this is not the case for mod_jk, I would love to know since I would prefer to use mod_jk.

=G=

On Tue, Mar 6, 2018 at 2:03 PM, Herb Burnswell wrote:
> Daniel,
>
> Thanks. I'm reading the docs on sticky sessions. There is a lot of conflicting "how to's" out there but I'm making progress.
>
> HB
>
> On Wed, Feb 28, 2018 at 12:21 PM, Daniel Ferradal wrote:
>> > 3: Regarding my inquiry about potential better options, I was more referring to the idea of maybe using Tomcat as a proxy to Tomcat backend application. I've read it can be done and was wondering if the like to like might provide advantages. I am personally not as familiar with Tomcat as I am with HTTPD and therefore would prefer using HTTPD if there are no significant reasons to use Tomcat --> Tomcat.
>>
>> IMO it is better to leave the application server to do what it is supposed to do, handle dynamic content generation. While leaving static content as well as balancing to httpd, which is what it does best.
>>
>> > 4: The sticky sessions need makes sense.
>> >
>> > I have attempted to set up the sticky sessions configuration in HTTPD but unfortunately I must not have it set up properly. It's probably best if I create a new thread for that issue and will do so.
>>
>> Sticky sessions can be very tricky to set up correctly.
>>
>> In mod_proxy_balancer docs it documents very well that you probably need to set all these three elements correctly according to how tomcat was set up:
>>
>>   stickysession (the most obvious)
>>   scolonpathdelim
>>   route - according to the value jvmroute the tomcats have set up.
>>
>> > Thanks again for your guidance.
>> >
>> > HB
>> >
>> > On Fri, Feb 23, 2018 at 12:57 AM, Daniel Ferradal wrote:
>> >> Hello,
>> >>
>> >> I'll try to answer point by point the best I can.
>> >>
>> >> 1º You can only use one balancer method, so choose the best strategy for your case. There is plenty on the description for each in the docs (TL to explain here).
>> >> 2º No, it does not, you choose one and use only one that suits you best for a specific balancer.
>> >> 3º Inside httpd the only non-third party choice that I know is mod_proxy_balancer, so yes, by all means use it. Unless you find a more suitable product for your needs.
>> >> 4º That will precisely mean you need to use sticky sessions and define how to properly handle them at the balancer level, why? Because as long as nodes are up and running you want to deliver the session to the specific node dealing with that session or the session will be lost. It is when that backend node is down that httpd should look for other nodes to deliver the session. Afaik it is called session persistence. Or at least this is the usual way to balance with sessions dealt by a backend cluster.
>> >>
>> >> About docs you can also visit:
>> >> http://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
>> >> and mod_proxy itself: http://httpd.apache.org/docs/2.4/mod/mod_proxy.html
>> >>
>> >> Cheers!
>> >>
>> >> 2018-02-23 1:48 GMT+01:00 Herb Burnswell:
>> >> > All,
>> >> >
>> >> > I am looking for some guidance on using HTTPD as a proxy and load balancer to a backend Tomcat application. Specifically, I'm interested in how to best handle the balancing of requests. The configuration would be very much like the 'typical implementation' shown in this Reverse Proxy Guide: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html (I'm using version 2.4.6):
>> >> >
>> >> >   +---------------------------------+
>> >> >   |         Firewall Public         |
>> >> >   +---------------------------------+
>> >> >   +---------------------------------+
>> >> >   | +-------+ +-------+ +-------+   |
>> >> >   | | httpd | | httpd | | httpd |   |
>> >> >   | |   1   | |   2   | |   3   |   |
>> >> >   | +-------+ +-------+ +-------+   |
>> >> >   +---------------------------------+
>> >> >   +---------------------------------+
>> >> >   |        Firewall Private         |
>> >> >   +---------------------------------+
>> >> >   +---------------------------------+
>> >> >   | +-------+ +-------+ +-------+   |
>> >> >   | | tomcat| | tomcat| | tomcat|   |
>> >> >   | |   1   | |   2   | |   3   |   |
>> >> >   | +-------+ +-------+ +-------+   |
>> >> >   +---------------------------------+
>> >> >
>> >> > We have this working fine with a vanity URL to a VIP on our public firewall --> to the 3 httpd proxy load balancer pool --> to one of the 3 backend To
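An added example, not from the thread, showing the three elements Daniel lists lined up with Tomcat's jvmRoute on each node; the backend hostnames, the "/app" path and the admin network are assumed placeholders:

```apache
# Tomcat side (conf/server.xml, one value per node; placeholder shown for node 1):
#   <Engine name="Catalina" defaultHost="localhost" jvmRoute="tomcat1">
# Tomcat then issues JSESSIONID=<id>.tomcat1 (or ;jsessionid=<id>.tomcat1 in the
# URL). The suffix after the dot is what the balancer matches against route=.

<Proxy "balancer://tomcatcluster">
    # route= must equal that node's jvmRoute, not its hostname
    BalancerMember "http://tomcat1.internal:8080" route=tomcat1
    BalancerMember "http://tomcat2.internal:8080" route=tomcat2
    BalancerMember "http://tomcat3.internal:8080" route=tomcat3

    # stickysession: cookie name | URL path-parameter name
    # scolonpathdelim=On: the path parameter is ';'-delimited, as Tomcat emits it
    ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
    # Only one lbmethod applies per balancer (point 1 above)
    ProxySet lbmethod=byrequests
</Proxy>

ProxyPass        "/app" "balancer://tomcatcluster/app"
ProxyPassReverse "/app" "balancer://tomcatcluster/app"

# The manager page can change member state at runtime; keep it off the public side
<Location "/balancer-manager">
    SetHandler balancer-manager
    Require ip 10.0.0.0/8
</Location>
```

A session whose route suffix matches no BalancerMember is simply rebalanced, which looks like "sticky sessions do not work"; comparing the cookie suffix against the route= values is the first check to make.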
Re: [users@httpd] Assistance with file + ldap auth config moving from httpd 2.2 to 2.4
Eduardo,

It looks like you're trying to get it working with Xymon so you might want to ask on that list as well. I had a heck of a time getting it to work but I ended up using mod_authnz_external.c to configure it to use PAM. This is the config I use:

    # Require SSL connection for password protection.
    SSLRequireSSL
    AuthBasicProvider external file
    AuthExternal pwauth
    AuthGroupFile /etc/xymon/xymongroups
    GroupExternal unixgroup
    # "valid-user" restricts access to anyone who is logged in.
    Require valid-user
    # "group xymon" restricts access to users who have logged in, AND
    # are members of the "xymon" group in xymongroups.
    Require group xymon

While not exactly what you're doing, I hope this helps nudge you in the right direction.

=G=

On Fri, Oct 13, 2017 at 12:10 PM, Eric Covener wrote:
> Can you crank up the loglevel to trace8? I believe there are some spurious error messages when authz modules are reporting their individual results vs. getting rolled up to RequireAny.
>
> On Fri, Oct 13, 2017 at 11:46 AM, Eduardo Mayoral wrote:
> > Hi, Eric,
> >
> > Thanks for your fast answer. The reason for the provider aliases is that once I get this config working I would like to re-use it for about 6 different directories.
> >
> > However, I have tried to flatten the configuration according to your suggestion. I repeated the tests, exact same result. Flattened config follows:
> >
> >     AuthType Basic
> >     AuthName "Xymon user"
> >
> >     AuthBasicProvider file ldap
> >     AuthBasicAuthoritative off
> >
> >     AuthLDAPURL "ldap://REDACTED:3268 REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
> >     AuthLDAPBindDN "redac...@arsyslan.es"
> >     AuthLDAPBindPassword "REDACTED"
> >     AuthLDAPGroupAttributeIsDN on
> >     AuthLDAPGroupAttribute member
> >     AuthLDAPMaxSubGroupDepth 3
> >
> >     AuthUserFile /etc/xymon/xymonusers.htpasswd
> >     AuthGroupFile /etc/xymon/xymongroups.htpasswd
> >
> >     Require group XymonUsers
> >     Require ldap-group cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
> >
> > Eduardo Mayoral Jimeno (emayo...@arsys.es)
> > Systems administrator. Platforms Department. Arsys internet.
> > +34 941 620 145 ext. 5153
> >
> > On 13/10/17 16:47, Eric Covener wrote:
> >> On Fri, Oct 13, 2017 at 10:06 AM, Eduardo Mayoral wrote:
> >>> Hi,
> >>>
> >>> I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
> >> I don't think all of those provider-aliases are necessary. Did you try a simpler/direct port of the config?
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >> For additional commands, e-mail: users-h...@httpd.apache.org
>
> --
> Eric Covener
> cove...@gmail.com
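An added example, not from the thread, of the same file + ldap setup written the 2.4 way, with the RequireAny rollup made explicit and Eric's trace8 confined to the authz modules so the per-provider verdicts are readable; the directory, LDAP host, bind DN and group DNs are assumed placeholders:

```apache
# Debug only: each provider's own verdict next to the rolled-up decision.
# Scoped to these modules so the rest of the log stays at warn.
LogLevel warn authz_core:trace8 authnz_ldap:debug authn_file:debug authz_groupfile:debug

<Directory "/var/www/xymon">
    AuthType  Basic
    AuthName  "Xymon user"

    # Providers are tried in this order; the file provider answers before
    # LDAP is contacted, so no AuthBasicAuthoritative setting is needed
    AuthBasicProvider file ldap
    AuthUserFile  /etc/xymon/xymonusers.htpasswd
    AuthGroupFile /etc/xymon/xymongroups.htpasswd

    # 3268 is the plaintext Global Catalog port; 3269 (ldaps) keeps the bind
    # password and every user's password off the wire
    AuthLDAPURL "ldaps://ldap.example.internal:3269/DC=example,DC=internal?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN       "CN=svc-httpd,OU=Service,DC=example,DC=internal"
    AuthLDAPBindPassword "PLACEHOLDER_BIND_PASSWORD"
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPMaxSubGroupDepth   3

    # In 2.4 sibling Require lines are already OR-ed; the container makes that
    # intent visible and is what the trace8 messages refer to. "Require group"
    # needs mod_authz_groupfile, "Require ldap-group" needs mod_authnz_ldap.
    <RequireAny>
        Require group      XymonUsers
        Require ldap-group cn=XymonAccess,OU=Apps,OU=Users,DC=example,DC=internal
    </RequireAny>
</Directory>
```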
[users@httpd] mod_authz_core and http response 451
Hello,

I've googled a bit and I can't find a way to handle this without using a rewrite rule. I'm setting up a rule using mod_geoip to block embargoed countries. I set up the config as follows:

    # Blocking a client based on country
    SetEnvIf GEOIP_COUNTRY_CODE CU BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE IR BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE KP BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE SY BlockCountry
    Require all granted
    Require env BlockCountry

This works but returns a 403. I'd like for it to return a 451. Is this possible? Or am I going to have to stick with using a rewrite rule (without the require block)?

    RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CU|IR|KP|SY)$
    RewriteRule ^(.*)$ https://example.com/$1 [NE,R=451,L]

If there is a preferred way to handle this, I'd be interested in that as well.

thanks

=G=
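An added example, not from the thread, of the rewrite form of the block plus a dedicated log so the embargo rule is auditable; the authz layer reports a denial only as 403 (or 401), so the 451 has to come from mod_rewrite. The log path is an assumed placeholder.

```apache
# One regex match instead of four SetEnvIf lines; the env var must already be
# set by mod_geoip when SetEnvIf runs, which is the case at this phase
SetEnvIf GEOIP_COUNTRY_CODE "^(CU|IR|KP|SY)$" BlockCountry

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{ENV:BlockCountry} =1
    # For a non-3xx R= code mod_rewrite drops the substitution and stops,
    # so "-" is all that is needed; no redirect target, no NE flag
    RewriteRule ^ - [R=451,L]
</IfModule>

# Separate log of every blocked request: client, country, final status, request line
CustomLog /var/log/httpd/embargo.log "%h %{GEOIP_COUNTRY_CODE}e %>s \"%r\"" env=BlockCountry
```

`%>s` records the final status, so a working rule shows 451 in embargo.log while the main access log keeps its normal format.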