Re: [OT] secure reverse proxy to my tomcat server HELP NEEDED
André Warnier wrote:
> Jeff Haferman wrote:
>> Jeff Top-Posting is not Bad because you have to scroll to the bottom to see what you're after Haferman wrote:
>>> [...]
>
> quote:
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
>
> Bottom-posting preserves the logical order of the replies and is consistent with the Western reading direction from top to bottom.
> unquote.
>
> My comment was not meant to start a flame war, just to remind you (and gently, at that) of what the usage rules of this list are. Even if for your own personal communications elsewhere you prefer to use another style, when you are going somewhere in order to get free help in resolving a problem of yours, and you obtain such help freely given, it would seem just mere politeness to abide by the customs of the place, no?

[snip]

...you will note that I subsequently *did* bottom-post. This is an endless debate that has been going on for a couple of decades. I will abide by the mailing list rules; that does not mean I have to agree with the rationale. End of story.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
André Warnier (was Re: secure reverse proxy to my tomcat server)
Oh geez... really? We're going to have a top-post vs bottom-post flame war?? Netiquette dictates that you email me privately if your posting is off-topic...

André Warnier wrote:
> Hi.
> On this list, it is preferred (strongly) if you do not top-post, but respond in the text or below the question. It just makes it easier to follow what is going on.
> I have moved your previous response to the logical order.
Re: secure reverse proxy to my tomcat server HELP NEEDED
Christopher Schultz wrote:
> Jeff,
>
> On 3/3/14, 6:25 PM, Jeff Haferman wrote:
>> What actually happens is that, just for https://my.webserver.com/, I get served the pages that are at the apache root, *not* what is being served by tomcat at port 8443.
>
> Ok. Let's take a look at your original configuration you posted:
>
>> <VirtualHost *:80>
>>     ServerName my.webserver.com
>>     ProxyPass / http://my.webserver.com:8080/
>>     ProxyPassReverse /app http://localhost:8080/
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>     SSLEngine on
>>     SSLProxyEngine on
>>     SSLCertificateFile /path/to/server.crt
>>     SSLCertificateKeyFile /path/to/server.key
>>     ServerName my.webserver.com
>>     ProxyPass / http://my.webserver.com:8443/
>>     ProxyPassReverse /app http://localhost:8443/
>> </VirtualHost>
>
> You also had <Proxy> elements outside of the above. Those are configured differently than the ProxyPass/ProxyPassReverse you have above. What were those <Proxy> elements supposed to do?
>
> Also, you are likely confusing yourself if you are using ProxyPass and ProxyPassReverse with different URL prefixes (/ vs /app). Why are you doing that?
>
> Chris

This came up in a previous response: when I edited my domain name in my posting, I actually fat-fingered a couple of things... the config looks like

Listen 80
ProxyRequests Off
ProxyPreserveHost on
<VirtualHost *:80>
    ServerName my.webserver.com
    ProxyPass / http://my.webserver.com:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
<Proxy http://my.webserver.com:8080/>
    AllowOverride None
    Order Deny,Allow
    Allow from all
</Proxy>

Listen 443
<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    ServerName my.webserver.com
    ProxyPass / https://my.webserver.com:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
<Proxy https://my.webserver.com:8443/>
    AllowOverride None
    Order Deny,Allow
    Allow from all
</Proxy>

>> I do get the tomcat pages if I explicitly add the port, i.e. https://my.webserver.com:8443/ So, the reverse proxy seems to be broken for https only.
>
> Sounds plausible.
>
>> The reverse proxy works fine for http, i.e. http://my.webserver.com/ gets the tomcat pages served at http://my.webserver.com:8080/
>
> You don't have multiple interfaces (IP addresses) on this machine, do you?

No, I do not.

> -chris

Jeff
Re: secure reverse proxy to my tomcat server HELP NEEDED
Jeff Top-Posting is not Bad because you have to scroll to the bottom to see what you're after Haferman wrote:
> Listen 80
> ProxyRequests Off
> ProxyPreserveHost on
> <VirtualHost *:80>
>     ServerName my.webserver.com
>     ProxyPass / http://my.webserver.com:8080/
>     ProxyPassReverse / http://localhost:8080/
> </VirtualHost>
> <Proxy http://my.webserver.com:8080/>
>     AllowOverride None
>     Order Deny,Allow
>     Allow from all
> </Proxy>
>
> Listen 443
> <VirtualHost *:443>
>     SSLEngine on
>     SSLProxyEngine on
>     SSLCertificateFile /path/to/server.crt
>     SSLCertificateKeyFile /path/to/server.key
>     ServerName my.webserver.com
>     ProxyPass / https://my.webserver.com:8443/
>     ProxyPassReverse / https://localhost:8443/
> </VirtualHost>
> <Proxy https://my.webserver.com:8443/>
>     AllowOverride None
>     Order Deny,Allow
>     Allow from all
> </Proxy>

Problem solved. The config listed is good. It was getting borked by some garbage in an included extra/httpd-ssl.conf file.

Most helpful resource I found was the apache mod_proxy documentation... I thought it might have been a tomcat connector problem, but not so...
secure reverse proxy to my tomcat server HELP NEEDED
The subject says it: I need help getting a secure reverse proxy to my tomcat server working. There is a lot of doc on the web, and it seems like I have everything configured properly, but I can't quite get the reverse proxy to work on the https side of things.

Here is my config:

Apache 2.4.2
Ubuntu 12.04.2 LTS (GNU/Linux 3.2.0-24-generic x86_64)
Tomcat 7.0.33

I simply want the reverse proxy to work so that https://my.webserver.com gets https://my.webserver.com:8443 (which is the secure tomcat server URL).

I have the reverse proxy working so that http://my.webserver.com redirects the traffic on port 80 to the normal tomcat server on port 8080, and I also seem to have the secure tomcat server working because I can browse to https://my.webserver.com:8443

However, when I bring up https://my.webserver.com, I get the contents of the Apache Root document at port 80.

I'm using a self-signed cert.

My httpd.conf file basically looks like (at least these are the important lines)

Listen 80
ProxyRequests Off
ProxyPreserveHost on
<VirtualHost *:80>
    ServerName my.webserver.com
    ProxyPass / http://my.webserver.com:8080/
    ProxyPassReverse /app http://localhost:8080/
</VirtualHost>
<Proxy http://my.webserver.com:8080/>
    AllowOverride None
    Order Deny,Allow
    Allow from all
</Proxy>

Listen 443
<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    ServerName my.webserver.com
    ProxyPass / http://my.webserver.com:8443/
    ProxyPassReverse /app http://localhost:8443/
</VirtualHost>
<Proxy https://my.webserver.com:8443/>
    AllowOverride None
    Order Deny,Allow
    Allow from all
</Proxy>

And my tomcat config (server.xml) connectors are defined like

<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="8192" useBodyEncodingForURI="true"
           maxThreads="1000" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="443" acceptCount="100"
           compression="on" compressionMinSize="2048"
           compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain"
           connectionTimeout="2" disableUploadTimeout="true" URIEncoding="UTF-8"/>

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="false"
           proxyPort="443" proxyName="my.webserver.com"
           keystoreType="PKCS12" keystoreFile="/path/to/server.p12" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLSv1"/>

I fire up tomcat and apache, I have debug loglevel set, and I don't see any real clues. The certificate files seem to be read fine and match my domain name.

When I do the https://my.company.com/ request, however, I see a debug line that says my client has obtained an HTTP connection to my.company.com. A few lines down, I see a line that says

The timeout specified has expired: [client xxx.xxx.xxx.xxx:xxx] AH01991: SSL input filter read failed.

But I also see the timeout message when I do a (successful) connection to https://my.company.com:8443

Currently no firewall rules are set up, so nothing should be blocked.

I'm not sure what to try at this point. The logfiles don't seem to have any info that appears helpful. ANY suggestions would be appreciated.
Re: secure reverse proxy to my tomcat server HELP NEEDED
Sorry, I made a couple of typos when I copied my stuff over and edited out my actual FQDN... I do have

<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    ServerName my.webserver.com
    ProxyPass / https://my.webserver.com:8443/
    ProxyPassReverse / https://my.webserver.com:8443/
</VirtualHost>

which I think is what you are suggesting?

J Java wrote:
> Can you change and retry the lines below:
>
> ProxyPass / http://my.webserver.com:8443/
> to
> ProxyPass / https://my.webserver.com:8443/
>
> ProxyPassReverse /app http://localhost:8443/
> to
> ProxyPassReverse /app https://localhost:8443/
>
> Thanks,
> Shailesh
>
> On Tue, Mar 4, 2014 at 1:44 AM, Jeff Haferman j...@haferman.com wrote:
>> [original post snipped]
Re: secure reverse proxy to my tomcat server HELP NEEDED
Yes, for development httpd and tomcat are on the same physical machine. Eventually they will be on different machines.

But, even if I try

browser <--- HTTPS --> httpd <-- HTTP --> Tomcat

by just changing the ProxyPass and ProxyPassReverse directives to use the unencrypted URLs as follows

<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    ServerName my.webserver.com
    ProxyPass / http://my.webserver.com:8080/
    ProxyPassReverse / http://my.webserver.com:8080/
</VirtualHost>

the reverse proxy still does not serve the tomcat pages as I would expect.

André Warnier wrote:
> Jeff Haferman wrote:
>> The subject says it, I need help getting a secure reverse proxy to my tomcat server working.
>
> Maybe one question here would be: why?
>
> browser <--- HTTPS --> httpd <-- HTTPS --> Tomcat
>
> The browser encrypts and sends to httpd. httpd decrypts. httpd then re-encrypts and sends to Tomcat. Tomcat decrypts. And vice-versa on the way back.
> That is quite inefficient. And as your example configuration seems to show, httpd and Tomcat are running inside the same physical host, so the httpd <--> Tomcat information does not circulate outside (of the physical host). What is the point then of this double encryption/decryption?
>
> It is more usual in such a configuration to terminate HTTPS at the httpd level, like:
>
> browser <--- HTTPS --> httpd <-- HTTP --> Tomcat
>
> or
>
> browser <--- HTTPS --> httpd <-- AJP --> Tomcat
>
> and use non-encrypted data between httpd and Tomcat, saving yourself 2 encryption/decryption cycles for each request/response.
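Three things go wrong in the configurations posted in this thread: ProxyPass and ProxyPassReverse with different prefixes (Chris's "/ vs /app" point), a stray vhost pulled in by an included file taking over port 443 (Jeff's resolution), and TLS being decrypted twice when httpd proxies to Tomcat over https (André's point). The checker below is an added example, not code from this thread, from Tomcat or from the Apache project. It parses the `<VirtualHost>` blocks of an httpd config and reports those three conditions, plus one check of my own: a ProxyPass target on a public hostname rather than loopback means Tomcat answers directly on its own port, bypassing whatever httpd enforces. `OP_CONF` is constructed from the original post; the `_default_:443` vhost in it is a stand-in for the included httpd-ssl.conf, whose actual contents the thread never shows. `FIXED_CONF` is the TLS-terminated layout André describes.

```python
"""Lint an httpd reverse-proxy config for the mistakes discussed in this thread.
Added example: it understands only <VirtualHost> blocks and the directives inside them."""
import re

OPEN_VHOST = re.compile(r'^<VirtualHost\s+([^>]+)>$', re.I)
CLOSE_VHOST = re.compile(r'^</VirtualHost>$', re.I)
DIRECTIVE = re.compile(r'^([A-Za-z]+)\s+(.*)$')
BACKEND = re.compile(r'^(https?)://(\[[^\]]+\]|[^/:]+)')
LOOPBACK = ('localhost', '127.0.0.1', '[::1]')


def parse_vhosts(conf):
    """Return [(address, [(directive, arguments), ...]), ...] in file order."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = OPEN_VHOST.match(line)
        if m:
            current = (m.group(1).strip(), [])
        elif CLOSE_VHOST.match(line):
            vhosts.append(current)
            current = None
        elif current is not None:                   # <Proxy>/<Location> lines are skipped
            m = DIRECTIVE.match(line)
            if m:
                current[1].append((m.group(1), m.group(2).strip()))
    return vhosts


def lint(conf):
    """Return (code, where, detail) findings; an empty list means every check passed."""
    findings, servers_on_port = [], {}
    for addr, directives in parse_vhosts(conf):
        def args(name):
            return [a for n, a in directives if n.lower() == name.lower()]
        port = addr.rsplit(':', 1)[-1]
        server = (args('ServerName') or ['(no ServerName)'])[0]
        where = f'<VirtualHost {addr}> {server}'
        servers_on_port.setdefault(port, []).append(server)
        tls_front = any(a.lower() == 'on' for a in args('SSLEngine'))
        passes = {}
        for a in args('ProxyPass'):
            parts = a.split()
            if len(parts) >= 2:
                passes[parts[0]] = parts[1]
        # Chris's point: every ProxyPassReverse prefix should have a ProxyPass with the same prefix
        for a in args('ProxyPassReverse'):
            prefix = a.split()[0]
            if prefix not in passes:
                findings.append(('PREFIX_MISMATCH', where,
                                 f'ProxyPassReverse {prefix} has no matching ProxyPass {prefix}'))
        for prefix, target in passes.items():
            m = BACKEND.match(target)
            if not m:
                continue
            scheme, host = m.groups()
            # Added check: a backend on a public hostname is reachable without going through httpd
            if host not in LOOPBACK:
                findings.append(('BACKEND_NOT_LOOPBACK', where,
                                 f'ProxyPass {prefix} -> {target}: Tomcat answers directly, bypassing httpd'))
            # André's point: https to a backend behind an SSLEngine vhost is decrypted twice
            if tls_front and scheme == 'https':
                findings.append(('DOUBLE_TLS', where,
                                 f'ProxyPass {prefix} -> {target}: TLS terminated at httpd and again at Tomcat'))
    # httpd uses the first vhost listed for a port as the default for requests matching no
    # ServerName, which is how a vhost from an included file can take over port 443.
    for port, servers in servers_on_port.items():
        if len(servers) > 1:
            findings.append(('MULTIPLE_VHOSTS', f'port {port}',
                             f'{len(servers)} vhosts; {servers[0]} is the default for unmatched requests'))
    return findings


# Constructed from the original post; the _default_:443 block stands in for the included
# httpd-ssl.conf, whose contents the thread does not show.
OP_CONF = """\
<VirtualHost *:80>
    ServerName my.webserver.com
    ProxyPass / http://my.webserver.com:8080/
    ProxyPassReverse /app http://localhost:8080/
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    ServerName my.webserver.com
    ProxyPass / https://my.webserver.com:8443/
    ProxyPassReverse /app https://localhost:8443/
</VirtualHost>
"""

# TLS terminated at httpd, plain HTTP to loopback, one vhost per port, matching prefixes.
FIXED_CONF = """\
<VirtualHost *:80>
    ServerName my.webserver.com
    Redirect permanent / https://my.webserver.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName my.webserver.com
    SSLEngine on
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
"""

if __name__ == '__main__':
    for name, conf in (('original', OP_CONF), ('fixed', FIXED_CONF)):
        for code, where, detail in lint(conf) or [('OK', name, 'no findings')]:
            print(f'{name:8} {code:22} {where}: {detail}')
```

Run against `OP_CONF` it reports the two prefix mismatches, two non-loopback backends, the double TLS hop and the extra vhost on port 443; `FIXED_CONF` is clean. Closing the `BACKEND_NOT_LOOPBACK` finding also needs the Tomcat side: bind the 8080 connector with `address="127.0.0.1"`, and since httpd now terminates TLS, give that plain-HTTP connector `proxyName="my.webserver.com" proxyPort="443" scheme="https" secure="true"` so Tomcat builds redirects and `isSecure()` for the external https URL (the thread's 8443 connector had `secure="false"`).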
Re: secure reverse proxy to my tomcat server HELP NEEDED
Hi Chris - Sorry for the HELP NEEDED.

What actually happens is that, just for https://my.webserver.com/, I get served the pages that are at the apache root, *not* what is being served by tomcat at port 8443.

I do get the tomcat pages if I explicitly add the port, i.e. https://my.webserver.com:8443/ So, the reverse proxy seems to be broken for https only.

The reverse proxy works fine for http, i.e. http://my.webserver.com/ gets the tomcat pages served at http://my.webserver.com:8080/

Jeff

Christopher Schultz wrote:
> Jeff,
>
> On 3/3/14, 5:11 PM, Jeff Haferman wrote:
>> Yes, for development httpd and tomcat are on the same physical machine. Eventually they will be on different machines.
>>
>> But, even if I try
>>
>> browser <--- HTTPS --> httpd <-- HTTP --> Tomcat
>>
>> by just changing the ProxyPass and ProxyPassReverse directives to use the unencrypted URLs as follows
>>
>> <VirtualHost *:443>
>>     SSLEngine on
>>     SSLProxyEngine on
>>     SSLCertificateFile /path/to/server.crt
>>     SSLCertificateKeyFile /path/to/server.key
>>     ServerName my.webserver.com
>>     ProxyPass / http://my.webserver.com:8080/
>>     ProxyPassReverse / http://my.webserver.com:8080/
>> </VirtualHost>
>>
>> the reverse proxy still does not serve the tomcat pages as I would expect.
>
> Given the above setup, what /actually/ happens when you try to request a resource that should go to Tomcat? "does not serve pages as I expect" is not a good description.
>
> Oh, and everyone posting NEEDS HELP, so it's not necessary to add HELP NEEDED or similar text to your subjects.
>
> -chris