Hi,

Did you try the "sslProxyEngine On"? However, I have got the specific error in my Apache log stating have to check this one.

Hope this helps.

Best Regards,
Arun Janarthanan

On Wed, Apr 28, 2010 at 5:44 AM, Mauri <lai...@gmail.com> wrote:

> Hi Timo.
>
> I don't know the AJP protocol, but I have a similar configuration.
> This is my configuration that works fine with apache, mod_proxy as frontend
> and a tomcat 6 with SSL (8443) as backend.
> You don't set the end point (spike/ <http://127.0.0.1:8009/spike/>) but only
> the ProxyPass. I'm using other modules, also.
> Please check my configuration. I hope it can help you.
> Read this tutorial, it's very useful:
> http://www.apachetutor.org/admin/reverseproxies
>
> Cheers,
> Mauri
>
> LoadModule ssl_module modules/mod_ssl.so
> LoadFile /usr/lib/libxml2.so
> LoadModule proxy_html_module modules/mod_proxy_html.so
> LoadModule xml2enc_module modules/mod_xml2enc.so
> LoadModule headers_module modules/mod_headers.so
>
> AddType application/x-httpd-php .amf
> AddType video/x-ms-asf asf asx
> AddType audio/x-ms-wma .wma
> AddType application/octet-stream .doc .xls .pdf
> AddType application/x-shockwave-flash swf
>
> Listen 443
> Listen 80
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> SSLPassPhraseDialog builtin
> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout 300
> SSLMutex default
> SSLRandomSeed startup file:/dev/urandom 256
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> NameVirtualHost mydomain.com:443
> <VirtualHost mydomain.com:443>
>     ServerName mydomain.com
>     ProxyRequests off
>     ProxyPass / https://10.173.90.167:8443/
>     ProxyHTMLURLMap https://10.173.90.167:8443 /
>     <Location />
>         ProxyPassReverse https://10.173.90.167:8443/
>         ProxyHTMLEnable On
>         ProxyHTMLURLMap / /
>         RequestHeader unset Accept-Encoding
>     </Location>
>     SSLEngine on
>     SSLProxyEngine on
>     SSLProtocol all -SSLv2
>     SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>     SSLCertificateFile /etc/httpd/cert/certificate.cer
>     SSLCertificateKeyFile /etc/httpd/cert/certificate.key
>     SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
>
>     <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>         SSLOptions +StdEnvVars
>     </Files>
>     <Directory "/var/www/cgi-bin">
>         SSLOptions +StdEnvVars
>     </Directory>
>     SetEnvIf User-Agent ".*MSIE.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>     CustomLog logs/ssl_request_log \
>         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
>
> 2010/4/28 Timo Meinen <timomei...@googlemail.com>
>
>> Hi,
>>
>> I have a problem with our reverse proxy. I asked this question to the
>> tomcat-users mailinglist, too, but no one could help me and I am
>> absolutely stuck with this problem. So, I hope some of the httpd
>> experts here may have an idea:
>>
>> Our configuration is an Apache 2.2 web server, acting as a reverse
>> proxy for Tomcat 6. This is the configuration:
>>
>> ServerName it.localhost.de
>> ProxyPass / ajp://127.0.0.1:8009/spike/
>> ProxyPassReverse / ajp://127.0.0.1:8009/spike/
>> ProxyPassReverseCookiePath /spike /
>>
>> (This is the configuration in the VirtualHost entry for port 80. There
>> is a second VHost for SSL with SSLProxyEngine On and SSLEngine On).
>>
>> As you can see, the webapp is hosted under ContextPath /spike but
>> available through the proxy via /. Everything works fine, until the
>> webapp sends a redirect to HTTPS. This is done via SpringSecurity.
>> The problem is that the ProxyPassReverse directive doesn't catch the
>> ContextPath and convert it, if it includes the complete address.
>> These are the logs from the web browser:
>>
>> GET http://it.localhost.de/users/65 => 302 =>
>> https://it.localhost.de/spike/users/65
>>
>> 1) Why doesn't the ProxyPassReverse convert the /spike back to /
>> in https://it.localhost.de/spike/users/65? Is it because the Header
>> isn't relative? The protocol is still AJP and so the Proxy should know
>> how to convert it, right?
>> 1a) If so, how could the webapp switch from http to https and vice
>> versa, when not able to send the absolute address with a new protocol?
>>
>> After this, I tried to set additional ProxyPassReverse directives:
>>
>> ProxyPassReverse / https://it.localhost.de/spike/
>> ProxyPassReverse / http://it.localhost.de/spike/
>>
>> This time, the /spike/ is converted to /, but the two directives lead
>> to an infinite loop of redirects to
>> http://it.localhost.de/<REQUEST-URI>.
>>
>> 2) How can I stop this loop? or better
>> 3) How can I configure the ProxyPassReverse correctly?
>>
>> Thank you very much for any help
>> Timo
>>
>> Here is the debug information from httpd:
>>
>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(239): proxy: APR_BUCKET_IS_EOS
>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(244): proxy: data to read (max 8186 at 4)
>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(259): proxy: got 0 bytes of data
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header: ajp_ilink_received 04
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got 04
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(491): ajp_unmarshal_response: status = 302
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(502): ajp_unmarshal_response: Number of headers is = 2
>> [Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(1071): ppr: real: ajp://127.0.0.1:9091/spike/
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564): ajp_unmarshal_response: Header[0] [Location] = [https://it.localhost.de/spike/users/3]
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(564): ajp_unmarshal_response: Header[1] [Content-Length] = [0]
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(652): ajp_read_header: ajp_ilink_received 05
>> [Tue Apr 27 16:54:39 2010] [debug] ajp_header.c(662): ajp_parse_type: got 05
>> [Tue Apr 27 16:54:39 2010] [debug] mod_proxy_ajp.c(498): proxy: got response from 127.0.0.1:9091 (127.0.0.1)
>> [Tue Apr 27 16:54:39 2010] [debug] proxy_util.c(2062): proxy: AJP: has released connection for (127.0.0.1)
>> [Tue Apr 27 16:54:39 2010] [info] Initial (No.1) HTTPS request received for child 9 (server it.localhost.de:80)
>> [Tue Apr 27 16:54:44 2010] [debug] mod_proxy_ajp.c(45): proxy: AJP: canonicalising URL //127.0.0.1:9091/spike/spike/users/3
>> [Tue Apr 27 16:54:44 2010] [debug] proxy_util.c(1488): [client 85.183.135.210] proxy: ajp: found worker ajp://127.0.0.1:9091/spike/ for ajp://127.0.0.1:9091/spike/spike/users/3, referer: http://it.localhost.de/
>>
>> Problem is that the "ajp_unmarshal_response: Header[0] [Location] =
>> [https://it.localhost.de/spike/users/3]" doesn't remove the /spike in
>> the response, so that the next request will lead to the
>> doubled-context-path: ajp://127.0.0.1:9091/spike/spike/users/3.
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> " from the digest: users-digest-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
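
Added example, not part of the original thread and not httpd source code: a simplified Python model of the ProxyPassReverse prefix match on the Location header, showing why the absolute https redirect in the logs passes through with /spike intact and why the two extra directives on the port 80 vhost produce the redirect loop. The function names and the always-redirecting backend are assumptions; hostnames and paths are the ones quoted in the thread.

```python
# Simplified model of the ProxyPassReverse Location rewrite (not httpd code).
HOST = "it.localhost.de"

def reverse_map(location, mappings, scheme, host):
    """Case-insensitive prefix match of the Location value against each
    'real' URL; on a match the prefix is replaced by the front-end path."""
    for fake, real in mappings:
        if location.lower().startswith(real.lower()):
            # The result is made absolute with the scheme and host of the
            # vhost handling the request, not those of the backend redirect.
            return f"{scheme}://{host}{fake}{location[len(real):]}"
    return location  # nothing matched: header is passed through unchanged

def backend_redirect(path):
    """Constructed stand-in for the webapp: every plain-HTTP request is
    redirected to HTTPS under the /spike context path."""
    return f"https://{HOST}/spike{path}"

def follow(path, mappings, max_hops=5):
    """Follow the redirects a browser sees when it starts on the port 80 vhost."""
    seen = []
    url = f"http://{HOST}{path}"
    for _ in range(max_hops):
        if url in seen:
            return seen, "loop"
        seen.append(url)
        if not url.startswith("http://"):
            return seen, "left port-80 vhost"
        req_path = url[len(f"http://{HOST}"):]
        url = reverse_map(backend_redirect(req_path), mappings, "http", HOST)
    return seen, "max hops"

# Mapping from the first configuration in the thread.
ORIGINAL = [("/", "ajp://127.0.0.1:8009/spike/")]
# The same mapping plus the two directives added later in the thread.
WITH_EXTRA = ORIGINAL + [
    ("/", f"https://{HOST}/spike/"),
    ("/", f"http://{HOST}/spike/"),
]

if __name__ == "__main__":
    print(follow("/users/65", ORIGINAL))    # /spike leaks to the browser
    print(follow("/users/65", WITH_EXTRA))  # https is rewritten to http: loop
```

In this model the https mapping strips /spike but also rebuilds the URL with the port 80 vhost's own scheme, so the backend's upgrade to HTTPS never reaches the browser.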