Proxies, Apache, Tomcat - VHosts

Question

I have a setup as so:

Internet -- router -[DMZ]- pfsense -- webserver

router =jenky plastic cheap-o router (my nice mikrotik/routerboard died). Has ip address of pfsense set to DMZ.

pfsense =doing basic firewalling plus proxy/reverse-proxy. The proxies are for URL forwarding to the correct webserver behind the firewall.

webserver =centos box running httpd (apache) and tomcat6 (installed separately, both from yum, but at different times, so it's not the apache+tomcat thing).

Several websites run from this particular webserver, handled by apache's virtual hosts.

ex: http://www.example.com, http://www.example1.com, etc

Tomcat runs an app on port 8080 at the extension /mywebapp.

ex: http://www.example.com:8080/mywebapp

I have configured everything appropriately in pfsense to forward all subdomains of the websites served by apache to the correct host.

I have configured /etc/httpd/conf/httpd.conf to include the virtual host config as

<VirtualHost *:80>
    ServerName mywebapp.example.com
    ProxyPass / http://www.example.com:8080/mywebapp
    ProxyPassReverse / http://www.example.com:8080/mywebapp
    ProxyRequests Off
    <Proxy http://www.example.com:8080/mywebapp*>
        Order deny,allow
        Allow from all
    </Proxy>
    ErrorLog logs/mywebapp.example.com-error_log
    CustomLog logs/mywebapp.example.com-access_log common
</VirtualHost>

I have modified my tomcat6 server.xml file and changed the first connector to include the proxyName and proxyPort.

<!-- A "Connector" represents an endpoint by which requests are received
    and responses are returned. Documentation at :
    Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
    Java AJP  Connector: /docs/config/ajp.html
    APR (HTTP/AJP) Connector: /docs/apr.html
    Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           proxyName="mywebapp.example.com"
           proxyPort="8080"
           redirectPort="8443" URIEncoding="UTF-8"/>

No matter what I try, when I put mywebapp.example.com into my browser, it redirects to mywebapp.example.com:8080/mywebapp.

when I want to access it as mywebapp.example.com and have that stay in the browser address bar. This would make url posting much more friendly, etc.

I already configured the CNAME in DNS for mywebapp.

www.example.com is unaffected by this.

logs for httpd are normal looking... logs for tomcat6 show nothing. I know the request hits the right box because www.example.com:8080/mywebapp works (along with the other websites).

iptables is disabled and so if SELinux.

What am I doing wrong? Please advise.

UPDATE: I tried adding ProxyPreserveHost On in the vhost config per one of the comments, but no dice. When this line is added and apache and tomcat are both restarted, I can't get to mywebapp.example.com nor www.example.com:8080/mywebapp. Basically adding this config makes mywebapp not accessible at all, however I know it is still running.

UPDATE 2: Adding tcpdump taken from the server. I'm showing the first connection as it's being passed from pfsense (proxy) to the webserver.

192.168.0.1 == pfsense
192.168.1.1 == webserver
192.168.2.1 == "internet"

192.168.0.1 > 192.168.1.1
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: mywebapp.example.com
DNT: 1
Via: 1.1 proxy.somecompany.com (squid/3.1.20)
X-Forwarded-For: 192.168.2.1
Cache-Control: max-age=259200

192.168.1.1 > 192.168.2.1
GET /mywebapp HTTP/1.1
Host: www.example.com:8080
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
DNT: 1
Via: 1.1 proxy.somecompany.com (squid/3.1.20)
X-Forwarded-For: 192.168.2.1, 192.168.0.1
Cache-Control: max-age=259200
X-Forwarded-Host: mywebapp.example.com
X-Forwarded-Server: mywebapp.example.com
Connection: Keep-Alive

192.168.2.1 > 192.168.1.1
GET /mywebapp HTTP/1.1
Host: www.example.com:8080
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
DNT: 1
Via: 1.1 proxy.somecompany.com (squid/3.1.20)
X-Forwarded-For: 192.168.2.1, 192.168.0.1
Cache-Control: max-age=259200
X-Forwarded-Host: mywebapp.example.com
X-Forwarded-Server: mywebapp.example.com
Connection: Keep-Alive

192.168.1.1 > 192.168.2.1
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://mywebapp.example.com:8080/mywebapp/
Content-Length: 0
Date: Thu, 04 Apr 2013 05:14:44 GMT

192.168.2.1 > 192.168.1.1
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://mywebapp.example.com:8080/mywebapp/
Content-Length: 0
Date: Thu, 04 Apr 2013 05:14:44 GMT

192.168.1.1 > 192.168.0.1
HTTP/1.1 302 Moved Temporarily
Date: Thu, 04 Apr 2013 05:14:44 GMT
Server: Apache-Coyote/1.1
Location: http://mywebapp.example.com:8080/mywebapp/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

192.168.2.1 > 192.168.1.1
GET /mywebapp/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: mywebapp.example.com:8080

192.168.1.1 > 192.168.2.1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Encoding: gzip
Expires: 0
Cache-Control: no-cache,must-revalidate
X-App-Theme: default
Set-Cookie: JSESSIONID=81CE83D61454A8E75C222759FA118338; Path=/mywebapp
X-App: 1.395
X-App2: 1.508
X-App2-Session: e797c95b
X-App-CLI-Port: 36143
X-App2-CLI-Port: 36143
X-App2-CLI2-Port: 36143
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjEfz8W2LiYRfrJQYH35uwtgQBpy0g6bTvBaTuARRpVLUmi+lnEfD/nVJY4GJoSfGzgnJAQ3MSqX+e1F4y2Jg5hwa2L0jibpb//BbfIMZkYZk8CtLMrkGvLC1nB7sghXupWOUOhWnzFq+a+LHSANNqfaMs9k6xJI6rvwIDAQAB
Content-Type: text/html;charset=UTF-8
Content-Length: 3879
Date: Thu, 04 Apr 2013 05:14:44 GMT

192.168.2.1 > 192.168.1.1
GET /mywebapp/static/e797c95b/css/style.css HTTP/1.1
Accept: text/css
Referer: http://mywebapp.example.com:8080/mywebapp/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: mywebapp.example.com:8080
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=81CE83D61454A8E75C222759FA118338

192.168.1.1 > 192.168.2.1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 25 Mar 2013 20:17:34 GMT
Expires: Fri, 04 Apr 2014 05:14:44 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Type: text/css
Content-Length: 5763
Date: Thu, 04 Apr 2013 05:14:44 GMT

192.168.2.1 > 192.168.1.1
GET /mywebapp/static/e797c95b/css/color.css HTTP/1.1
Accept: text/css
Referer: http://mywebapp.example.com:8080/mywebapp/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: mywebapp.example.com:8080
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=81CE83D61454A8E75C222759FA118338

Update 3: Adding my current /etc/httpd/conf/httpd.conf file to show updates/changes so far.

<VirtualHost *:80>
    ServerName mywebapp.example.com
    ProxyPass / http://www.example.com:8080/mywebapp/
    ProxyPassReverse / http://www.example.com:8080/mywebapp/
    ProxyRequests off
    RewriteEngine on
    RewriteRule ^(/.*) http://www.example.com:8080/mywebapp/$1 [P]
#    ProxyPreserveHost On
    <Proxy http://www.example.com:8080/mywebapp*>
        Order deny,allow
        Allow from all
    </Proxy>
    ErrorLog logs/mywebapp.example.com-error_log
    CustomLog logs/mywebapp.example.com-access_log common
</VirtualHost>

Vincent De Baere · Answer 1 · 2013-04-04T16:35:12.230

2

Don't have a box available for testing right now, but what you are seeing is a 302 redirect coming from your tomcat. Always happens that way if you request a directory index without the trailing slash.

Try the following ProxyPass and ProxyPassReverse configuration:

ProxyPass / http://www.somesite.com:8080/mywebapp/
ProxyPassReverse / http://www.somesite.com:8080/mywebapp/

Note the trailing slash. That should avoid the 302 temporary redirect.

Edit: for the static stuff, try adding:

RewriteEngine on 
RewriteRule ^(/.*) http://www.somesite.com:8080/mywebapp/$1 [P]

This basically says to take every request from the root of your webserver and hand it over to the proxy module.

edited Apr 04 '13 at 16:35

answered Apr 04 '13 at 15:35

Vincent De Baere

1,793
10
10

I added the trailing slash, and now I can load a page on `mywebapp.somesite.com` -- however it is horribly broken. It appears none of the content from `/mywebapp/static/.......` is loading. Any suggestions? (so close!) – SnakeDoc Apr 04 '13 at 16:15
is it purposeful to leave out the `www` in the `RewriteRule`? I get a 503 page (served up by apache, not tomcat) now once I add the `RewriteRule`. – SnakeDoc Apr 04 '13 at 16:34
nope, it's a typo :) – Vincent De Baere Apr 04 '13 at 16:34
hmm... still same thing even after I added the `www`. The 503 is gone (yes!), but I get the loaded (but broken) page (no images, css, etc). So I think the `/mywebapp/static` directory is still not loading. – SnakeDoc Apr 04 '13 at 16:42
see edit to my OP for current `/etc/httpd/conf/httpd.conf` file settings. – SnakeDoc Apr 04 '13 at 16:45
I confirmed, it is attempting to load from `mywebapp.somesite.com/mywebapp/static/...`, which does not really exist (it's really at `www.somesite.com:8080/mywebapp/static/...`). – SnakeDoc Apr 04 '13 at 17:02
@SnakeDoc Do you want the client downloading those resources directly via port 8080, or through the proxy? – Shane Madden Apr 05 '13 at 04:23
@ShaneMadden whichever will allow the user to type `mywebapp.somesite.com` into their browser, and have it appear to stay there. The `:8080/mywebapp` is just causing confusion, and it's not "clean" to post as a link. – SnakeDoc Apr 05 '13 at 06:26
Still don't have a box to test with, but what happens if you use [L,PT] instead of [P]? That should force the rewritten URL to go through the URL handling pipeline... . – Vincent De Baere Apr 05 '13 at 08:55

score 1 · Answer 2 · answered Apr 04 '13 at 15:33

1

Why you need the Proxy section?

<Proxy http://www.somesite.com:8080/mywebapp*>
    Order deny,allow
    Allow from all
</Proxy>

answered Apr 04 '13 at 15:33

Marcel

1,730
10
15

1

can you explain? I followed a couple a guide provided by the webapp that said to add that section to my apache vhost config... – SnakeDoc Apr 04 '13 at 16:16
@SnakeDoc That section is unnecessary. – Shane Madden Apr 05 '13 at 04:24

score 0 · Answer 3 · answered Apr 03 '13 at 05:41

0

Seems like that redirect is a generated URL from the Tomcat side.

Try adding ProxyPreserveHost On to your <VirtualHost *:80> config?

answered Apr 03 '13 at 05:41

Shane Madden

114,520
13
181
251

no dice... same effect. :/ – SnakeDoc Apr 03 '13 at 06:38
@SnakeDoc Can you run a tcpdump capture on the system to verify that the Tomcat application is where the redirect is being generated? Is there any kind of URL config within the application that might be involved in generating the redirect URL? – Shane Madden Apr 03 '13 at 16:00
I'll try running a tcpdump after work today. I'm pretty confident the redirect is happening at the Apache side, since it's a `VHOST` in apache that sets the proxy to send the request over to tomcat on `port 8080`. It just seems that it wants to replace the friendly url with the unfriendly "true" url. – SnakeDoc Apr 03 '13 at 16:04
@Shane_Madden I just updated with a tcp_dump and my understanding of what's going on. – SnakeDoc Apr 04 '13 at 06:23

Proxies, Apache, Tomcat - VHosts

3 Answers3