Hi Felix,
hope you are doing well!
On 02.08.2010 11:46, Felix Schumacher wrote:
Hi Rainer,
On Mon, 02 Aug 2010 10:00:57 +0200, Rainer Jung<rainer.j...@kippdata.de>
wrote:
On 02.08.2010 06:31, Leon Kolchinsky wrote:
Hello,
I've configured Tomcat (apache-tomcat-5.5.26) to run behind Apache Http
(v.2.2.3 ) using mod_jk.
We have 2 of those Tomcat servers running on different machines.
We also configured load balancer (CISCO CSM) which we want to use for
SSL
offloading and LB.
Load balancer serves https requests and forwards them to http (on the
above
servers).
The problem is that links given by apache - the generated html pages
(by
Sakai app.) appeared to include http://....
And this is a major problem since we can't even serve forms from https
URL's
(the URL of the page is https://..... but links inside the HTML page
itself
are from http://.... format)
I've been thinking to try to resolve this with ProxyHTMLURLMAp
(mod_proxy_html) but I have no experience with this module.
Can someone give me a sample syntax that I can try to include in my
vhost
configuration?
Below is my virt. host configuration:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName servername.com
ServerAdmin leo...@servername.com
ServerAlias sakai-server
# if not specified, the global error log is used
ErrorLog /var/log/httpd/servername.com-error_log
CustomLog /var/log/httpd/servername.com-access_log combined
HostnameLookups Off
UseCanonicalName Off
# Add index.jsp to DirectoryIndex files
DirectoryIndex index.php index.html index.htm index.shtml index.php4
index.php3 index.phtml index.cgi index.jsp
JkMount /* worker1
It might be worthwhile finding out, why sakai produces wrong links. E.g.
if you are using mod_jk to connect Apache to Tomcat, and you are talking
HTTPS to Apache, then the calls the isSecure(), getScheme(),
getProtocol() will return the information as seen by Apache, so the
webapp is able to find out that https is used and it seems to be a bug
in sakai.
as I understood the issue, the problems arise from using a loadbalancer in
front of the apache httpd servers, which are using mod_jk to communicate
with the tomcats. The loadbalancers are terminating the ssl connection and
presumably
changing hostnames too.
Ah OK, missed that.
But given the documentation link you gave below, it should be easy to
configure
the vhost in apache httpd (or two - one for ssl, one for non-ssl traffic)
by
setting JkEnvVar for scheme, hostname and port if necessary.
If I read http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
correctly, one could
use proxyPort, proxyName and scheme in the ajp-connector.
If using mod_jk, you can tell mod_jk, that it should derive the
information, whether SSL is used or not from some Apache environment
variable. You can the set the variable as you like e.g. depending on the
client IP is the connection coming from the loadbalancer) or some other
params.
So you would use
JkHTTPSIndicator MyHTTPSIndicator
to let mod_jk check the variable "MyHTTPSIndicator" instead of the
Apache builtin "HTTPS" variable, whether HTTPS is used.
Then you have to set the env var to "On" for each request you know, that
it is actually using https from the client point of view, e.g.
SetEnvIf Remote_Addr "10\.0\.0\.27" MyHTTPSIndicator=On
where e.g. 10.0.27 is the address of the load balancer (if the requests
arrive actually with this IP, see the acess log).
Or you use a separate port and vhost in Apache where you connect the LB
to and you know everything on this port was originally HTTPS, then you
could simply set MyHTTPSIndicator always to On in this vhost.
Regards,
Rainer
See for instance:
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
If you are using http between Apache and Tomcat (not AJP13), then there
are connector settings for Tomcat to let the webapp know, that you are
actually using HTTPS on the proxy.
If you can't fix it like this but instead really have to parse response
pages and replace links in them, three Apache module choices are
mod_proxy_html (which you already mentioned), mod_substitute and
mod_sed.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
