Apache reverse proxy using AJP with Tomcat 302 redirects

Question

I'm completely out of ideas with this one and think I need to enlist the help of someone with a good understanding of Apache HTTPD (2.4) and Tomcat (8.5)

I have a Spring MVC 4 web app that works perfectly well when I bypass the proxy to access it, however, it fails whenever I go via the proxy and visit a link that results in a 302 redirect.

Going direct I get redirected to the correct path, so I know it's not the web app providing the wrong URL back to the client. But going via the proxy I get redirected to a location that appears to prefix the URL with the context path - which is already present! So it appears twice and hence there is a request for a URL that doesn't exist!

When I look at Tomcats access logs I can its prefixing the path of the 302 redirect with the context path - a duplicate context path!

80.229.100.100 - - [04/Mar/2017:08:07:54 +0000] "GET /ctxPath/redirect HTTP/1.1" 302 -
80.229.100.100 - - [04/Mar/2017:08:07:54 +0000] "GET /ctxPath/ctxPath/testUrl HTTP/1.1" 404 986

This must be Tomcat's response to HTTPD - which uses the AJP connector. When accessing the page directly it goes via the HTTP connector and works fine. I updated my HTTPD config to use the HTTP connector and get the same result for 302 redirects.

So as you can see, every redirect results in a 404. Do I have to change Tomcat's configuration in some way?

Currently my HTTPD config looks like this (the port 9009 is correct as I have multiple Tomcat installations):

ProxyPass / ajp://localhost:9009/ctxPath/
ProxyPassReverse / ajp://localhost:9009/ctxPath/
ProxyPassReverseCookiePath /ctxPath /

What am I missing?

Answer 1

I know this is very old now, but I did resolve it some time ago so thought it would be worthwhile posting my fix - not sure if it's the 'correct' way, but it seems to have done the job for the last year!

# HTTP 302 redirects are not modified by the reverse proxy when using the AJP protocol.
# https://tomcat.apache.org/connectors-doc/common_howto/proxy.html
# Or perhaps Tomcat needs further configuration to support a proxy (See Connector config)
# When sending a redirect, the redirect URL is placed in the 'Location' HTTP response header.
# When the browser requests the page using the path in the Location header,
# the proxy will dutifully proxy the request to the backend - which prefixes the context path.
# This will cause the context path to appear twice and result in a 404.
# ProxyPassReverse would usually modify the Location HTTP header, but using AJP it
# appears no to, so take care of this ourselves by removing the context path from the
# URL in the Location header before passing it back to the client.
# Spring Security uses redirects during authentication
Header edit Location /ctxPath/(.*)$ /$1