James,

On 4/8/2020 3:27 PM, James H. H. Lampert wrote:
> Dear Mr. Eggers, et al.:
> 
> Well, after running test installations of Tomcat on a whole string of
> EC2 spot instances, I went ahead and installed it on the target server.
> I've got it running, and enabled to start automatically, and I've added
> a security group to temporarily open 8080 to my office IP address, so
> that I can reach it directly and verify that it works (it does). And
> I've also verified that mod_proxy and mod_proxy_http are enabled (they
> already were; I didn't have to lift a finger).
> 
> On 4/6/20 2:13 PM, Mark Eggers wrote:
>> # Secure your proxy - localhost for now - this is IMPORTANT
>> <Proxy "*">
>>    Require ip 127
>> </Proxy>
>>
>> # Map applications
>> # You could just use / if you're proxying all requests
>> # Pick the correct Apache Tomcat port
>>
>> ProxyPass "/foo" "http://127.0.0.1:8080/foo"
>> ProxyPassReverse "/foo" "http://127.0.0.1:8080/foo"
> 
> Now I'm not sure I understand the <Proxy "*"> container and its
> contents. The httpd and Tomcat servers are both running on the same box.
> "Require ip 127" sounds like it's specifying an incomplete IP address.
> 
> I can sort-of understand the ProxyPass and ProxyPassReverse directives.
> Given that all requests to this particular VirtualHost ("qux.baz.com" to
> speak metasyntactically) should be going to Tomcat (which will have a
> root context and at least four [including manager] named contexts),
> would this be:
> 
>     ProxyPass "/" "http://127.0.0.1:8080/"
>     ProxyPassReverse "/" "http://127.0.0.1:8080"
> 
> ???
> 
> Conversely, none of the other VirtualHosts would be proxying Tomcat (or
> anything else), so should all this be within the VirtualHost?
> 
> -- 
> JHHL
> 

See the following for IP address configuration in Apache HTTPD 2.4:

https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html

I think putting the proxy restriction in the virtual host would be OK,
but I'm a belt and suspenders kind of person. Putting it in the default
host makes sure that someone doesn't inadvertently open up your server
later. You can always override it at the virtual host level if you wish.

Finally, one of my pet peeves concerning vendor-supplied Apache HTTPD
installations is that they turn on a lot of modules by default. The
first thing I do with such an installation is to turn off everything
that is not being used in an installation. This usually includes all of
the _dav, _user, and proxy_ modules.

. . . just my two cents
/mde/
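
An added illustration, not part of the original message or of httpd itself: the mod_authz_host page linked above documents that `Require ip` accepts a partial address (the first 1 to 3 octets) as a subnet, so `Require ip 127` covers all of 127.0.0.0/8. The Python sketch below models that IPv4 matching; the function names `require_ip_network` and `allowed` are hypothetical, and the client addresses are constructed samples.

```python
import ipaddress

def require_ip_network(spec):
    """Expand one IPv4 'Require ip' argument into the network it covers.

    Models the documented forms: full address, partial address
    (1 to 3 leading octets), network/netmask and network/CIDR.
    """
    spec = spec.strip()
    if "/" in spec:
        # 10.1.0.0/16 or 10.1.0.0/255.255.0.0 (full network part only here)
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    valid = 1 <= len(octets) <= 4 and all(
        o.isascii() and o.isdigit() and int(o) <= 255 for o in octets
    )
    if not valid:
        raise ValueError("not an IPv4 Require ip argument: %r" % spec)
    # Each octet supplied fixes 8 bits of the prefix; pad the rest with zeros.
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))

def allowed(client, specs):
    """True if the client address falls inside any listed network."""
    addr = ipaddress.ip_address(client)
    # An IPv6 client (e.g. ::1) never matches an IPv4 network.
    return any(addr in require_ip_network(s) for s in specs)

if __name__ == "__main__":
    # Constructed sample clients checked against the rule from the thread.
    for client in ("127.0.0.1", "127.8.9.10", "203.0.113.7", "::1"):
        print(client, "->", "granted" if allowed(client, ["127"]) else "denied")
```

Note that the IPv6 loopback `::1` is not covered by `Require ip 127`, which matters if local clients connect over IPv6.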

