On port 80 I have normal apache web server.
On port 8080 I have tomcat with client and server side stuff.
My goal is:
www.mydomain.com renders a static and SEO friendly index.html while javascript stuff is loading.
In the header of this index.html I load www.mydomain.com:8080/myapp/stuff.js
stuff.js is compiled with gwt and calls a RootLayoutPanel.get().add(nice_panel) which will remove static content and show dynamic widgets. It also calls servlets (server side code).
Problem: for security reasons, browsers wont let me load www.mydomain.com:8080/myapp/stuff.js because it is on a different port.
Wrong attempt: I tried to create a symlink from "normal" apache web server directory to the tomcat webapp containing stuff.js. I am now able to load stuff.js because its url is: www.mydomain.com/mysymlink_to_tomcat/stuff.js. But stuff.js is not able anymore to call servlets on server side again because of browsers security rules ("XMLHttpRequest cannot load ... origin ...is not allowed by Access-Control-Allow-Origin").
I would like to avoid the "crazy" solution of redirect from index.html to tomcat with header('location: http://mydomain.com:8080/another_index_on_tomcat.html'). This solution works but it has many drawbacks (SEO...)
What would be the best approach ?
Thanks.
You have basically two solutions:
make it work with the 2 origins: use the xsiframe linker in GWT to allow the page on :80 to load the script from :8080 (for readers: it's not about loading, it's about what the script does).
Add the following to your `gwt.xml:
<add-linker name='xsiframe' />
That unfortunately won't solve your issue with GWT-RPC (o whatever you use to talk to the server). For that, there's CORS.
use a single origin: use Apache's mod_proxy (or mod_jk) to proxy your Tomcat through your Apache. Nobody will ever use :8080, everything will go through :80. See Using Tomcat with Apache HTTPD and a proxy at https://developers.google.com/web-toolkit/doc/latest/DevGuideServerCommunication#DevGuideRPCDeployment
And of course there's also the solution of ditching the HTTPD and serving everything with Tomcat (recent Java and Tomcat versions have fixed their slowness issues).
I'm not sure if this would avoid the security error, but you could try an iframe. On apache, you have the index and an iframe to the tomcat, where the JS loads inside the iframe. Dunno if that will help with the SEO problem.
The best solution would be to redirect the port 80 calls to 8080 on apache when the client call is asking for a tomcat application.
Install mod_jk on apache and configure it to mount a context on the path you want
example: (edit /mods_enabled/jk.conf)
# Configure access to jk-status and jk-manager
# If you want to make this available in a virtual host,
# either move this block into the virtual host
# or copy it logically there by including "JkMountCopy On"
# in the virtual host.
# Add an appropriate authentication method here!
<Location /jk-status>
# Inside Location we can omit the URL in JkMount
JkMount jk-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
<Location /jk-manager>
# Inside Location we can omit the URL in JkMount
JkMount jk-manager
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
JkMount /*/myAppDir/* ajp13
Then add a virtual host in your site settings (edit /apache2/sites-enabled/)
<VirtualHost *:80>
. Here is the rest of the
. of the config of
. the host
# Tomcat jk connector settings
JkMount /*.jsp ajp13_worker
JkMount /myAppDir/* ajp13_worker
JkMount /myAppDir* ajp13_worker
JKMount /manager* ajp13_worker
JkMount /manager/* ajp13_worker
</VirtualHost>
And you should also edit the server.xml file and inside the tag write and comment the previous Host name="localhost"
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Host name="localhost" appBase="webapps" unpackWARs="true"
autoDeploy="true" >
<Context path="/" docBase="/var/lib/tomcat7/webapps/myAppDir/"
debug="0" reloadable="true" />
<!-- please notes on logs down below -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="/var/lib/tomcat7/logs" prefix="tomcat_access_"
suffix=".log" pattern="common" resolveHosts="false" />
</Host>
The only thing left to do is edit the workers.properties file and add
worker.myapp2.port=8009
worker.myapp2.host=localhost
worker.myapp2.type=ajp13
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=ajp13_worker
Then you should be set to work, and when a url containing the myAppDir appears, the apache server will redirect the calls to tomcat the answer will come back from apache.
Related
I have a Tomcat 7 (JBoss EWS 2.0) app with HAProxy Web Load Balancer. Https works fine when there is only one server running but as soon as I add another one (by setting minimum number of gears to 2), a problem occurs.
I have checked out the GEAR cookie when connecting and as soon as it is the local gear local-569aaabf0c1e661db1000004 the connection is established, but the 569aadaa89f5cff3c9000058-petrfox GEAR cookie makes trouble.
The problem is that every attempt to connect, which is redirected (by the load balancer) to the newly started gear, ends in 302 redirect loop (by accessing https://dftestapp-petrfox.rhcloud.com/ I get 302 with header Location:https://dftestapp-petrfox.rhcloud.com/).
You can try it on the link above - if the page loads, just remove the GEAR cookie and refresh, you will be most probably redirected to the other one gear this time.
Generated HAProxy configuration (haproxy.cfg) is
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
#log 127.0.0.1 local2
maxconn 256
# turn on stats unix socket
stats socket /var/lib/openshift/569aaabf0c1e661db1000004/haproxy//run/stats level admin
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
#option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 128
listen stats 127.7.244.3:8080
mode http
stats enable
stats uri /
listen express 127.7.244.2:8080
cookie GEAR insert indirect nocache
option httpchk GET /
http-check expect rstatus 2..|3..|401
balance leastconn
server gear-569aadaa89f5cff3c9000058-petrfox ex-std-node827.prod.rhcloud.com:56761 check fall 2 rise 3 inter 2000 cookie 569aadaa89f5cff3c9000058-petrfox
server local-gear 127.7.244.1:8080 check fall 2 rise 3 inter 2000 cookie local-569aaabf0c1e661db1000004
I tried to turn off forcing https in my app (by removing <intercept-url pattern="/**" requires-channel="https"/> in applicationContext-security.xml), used just http and it worked. Therefore I assume there must be some more https configuration needed. But my question is where and what do I need to configure? I find it strange that it doesn't work with the generated configuration, because load balancing is something why one chooses Openshift and https is in some circumstances a must have. It is also strange to me that everything goes well when you are redirected to the local-gear.
I didn't find any material which would be any of help. Could you please help me with this problem?
UPDATE: I don't know where the problem is, but it could be in settings of the server. Here is the config file server.xml (which I had never changed)
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="-1" shutdown="SHUTDOWN">
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector address="${OPENSHIFT_JBOSSEWS_IP}"
port="${OPENSHIFT_JBOSSEWS_HTTP_PORT}"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"/>
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="false" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- RemoteIp valve, pass protocol header from proxy. -
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
-->
<Valve
className="org.apache.catalina.valves.RemoteIpValve"
protocolHeader="x-forwarded-proto"
/>
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<!--
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
-->
</Host>
</Engine>
</Service>
</Server>
I had a similar problem with Too many redirects and the scalable Tomcat gear.
You can try to configure your server.xml and web.xml as the Technical FAQ suggests for Tomcat:
How do I redirect traffic to HTTPS.
Unfortunately, it didn't quite worked well for me. Everything was running ok if my app had only one gear - http traffic was being redirected to https. However, when I turned on the application scaling and the second gear was started, the Too many redirects error was appearing after every redeploy.
I was unable to resolve this. I've ended up in using the default Tomcat config and redirecting the unsecure traffic to https in my application's controllers (inspired by the Technical FAQ's answer for Node.js here). Everything works fine now.
I am using Jboss 5.1 in windows 64 bit. I have also deployed an application in the server.
The application is accessible via https using the port 443.I am not using any front-end web server.
I want the URL http://example.com/context_root to get re-directed to https://example.com/contextroot. It means the re-direction is from the default http port 80 to default https port 443.
When I hit the URL with the application's context root, I am getting the following error:
The page can't be displayed.
I have made the changes in server.xml file too for port re-direction:
<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector protocol="HTTP/1.1" port="80" address="${jboss.bind.address}"
connectionTimeout="20000" redirectPort="443" />
Can someone suggest me an optimal solution please?
For the redirect to https you need add in web.xml of the application the following lines:
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted application</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
See: Specifying a Secure Connection
The documentation The HTTP Connector say:
redirect-port
If this Connector is supporting non-SSL requests, and a request is
received for which a matching <security-constraint> requires SSL
transport, Catalina will automatically redirect the request to the
port number specified here.
I analysed and found a way to redirect the requests from 80 to 443.
In the bindings.xml file (C:\Jboss\jboss-5.0.1.GA\server\default\conf\bootstrap) of the windows server, change the port from 8080 to 80 as this file will have a reference to server.xml file.
<bean class="org.jboss.services.binding.ServiceBindingMetadata">
<property name="serviceName">jboss.web:service=WebServer</property>
<property name="port">80</property>
After making the above change , I restarted the server once and hit the URL using the default port. It got redirected to https(443).
This helps in forcing all the non-ssl requests to be redirected in a secure way.
I am trying to run my first Perl Catalyst application using Apache and fastcgi.
Starting the server is fine, I can see the application's main page. All images/javascripts are loaded correctly (so, I assume the static content is served correctly).
For reasons I don't understand the dynamic content gives me a 404: e.g. when trying to go to www.webapp.org/search, I get "The requested URL /search was not found on this server."
Ok, here is how I set the aliases for the static content and
Alias /static /webapp/root/static/
Alias / /webapp/script/webapp_fastcgi.pl
I set the documentroot with
DocumentRoot /webapp/
Furthermore, I have a
<Location />
Options +ExecCGI
Order allow,deny
Allow from all
AddHandler fcgid-script .pl
</Location>
and a directive
<Files /webapp/script/webapp_fastcgi.pl>
PassEnv PERL5LIB
SetHandler fastcgi-script
</Files>
There is nothing else in the config file.
How can I add a directive to allow serving dynamic content (www.webapp.com/search)?
Thanks a lot in advance!
I see a space in AddHandler section. Please check your config file for typo's.
AddHandler fcgid-script .pl
Also please read this if you not did it already:
http://wiki.catalystframework.org/wiki/deployment/apache_fastcgi
For development work you could use catalyst without apache hassle: http://search.cpan.org/~mramberg/Catalyst-Runtime-5.80012/lib/Catalyst/Engine/FastCGI.pm#Standalone_FastCGI_Server
Assuming apxs installed mod_fastcgi.so into /usr/local/apache/libexec, add the following to an Apache .conf file:
LoadModule fastcgi_module libexec/mod_fastcgi.so
<IfModule mod_fastcgi.c>
FastCgiExternalServer /tmp/myapp.fcgi -host myhost:8081
Alias /myapp/ /tmp/myapp.fcgi/
</IfModule>
I have Jboss server in Linux boxes. And I configured apache server in windows machine. I am able to see all the jboss server nodes in my modcluster manager console.
I have deployed one camel application on all the jboss servers. And I have done the performance test with 2,4,6 nodes. But there is no performance difference.......
Find the jboss configuration
<subsystem xmlns="urn:jboss:domain:modcluster:1.0">
<mod-cluster-config proxy-list="x.x.x.x:6666" advertise="false">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
For parallel execution of nodes, whether I have to do any other configurations...
Thanks in advance................
1 - download last version of mod_cluster at this link and extract it..
2 - configure your mod_cluster at the httpd.conf file like above..
Listen ##PUT THE BALANCER IP HERE##:80
############### mod_cluster Setting - STARTED ###############
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# MOD_CLUSTER_ADDS
# Adjust to you hostname and subnet.
<IfModule manager_module>
Listen ##PUT THE BALANCER IP HERE##:6666
ManagerBalancerName mycluster
<VirtualHost ##PUT THE MACHINE IP HERE##:6666>
<Location />
Order deny,allow
Deny from all
Allow from 192.168.0
</Location>
KeepAliveTimeout 300
MaxKeepAliveRequests 0
AdvertiseFrequency 5
EnableMCPMReceive
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Order deny,allow
Deny from all
Allow from 192.168.0
</Location>
</VirtualHost>
</IfModule>
############### mod_cluster Setting - ENDED ###############
3 - Set each of your jboss node's name
<server name="node1" xmlns="urn:jboss:domain:1.2">
4 - Add the instance-id attribute in web subsystem as shown below in both the standalone nodes
<subsystem xmlns="urn:jboss:domain:web:1.1" instance-id="${jboss.node.name}" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
.
.
.
</subsystem>
5 - Add the proxy-list in the attribute in mod-cluster-config of modcluster subsystem, which would be having IP Address and Port on which your Apache server (the balancer) is running so that JBoss server can communicate with it, as shown below in both the standalone nodes
<subsystem xmlns="urn:jboss:domain:modcluster:1.0">
<mod-cluster-config advertise-socket="modcluster" proxy-list="##PUT THE BALANCER IP HERE##:80">
.
.
.
</mod-cluster-config>
</subsystem>
6 - Now you can go to http://BALANCER_IP:80 and test it and to manage the jboss instances with mod_cluster go to http://BALANCER_IP:6666/mod_cluster_manager
**Obs: if you want to run jboss in standalone mode you CANNOT use the "-b" flag with the ip 0.0.0.0 that listens requests from all IPs.. I recommend you use the IP of the machine that's running the jboss itself
with sticky-session="true" (default), balancer keeps sending requests to the particular node to whom the session belongs as long as it is healthy.
If you tell me how did you test, especially: how many clients vs. how many requests, or not etc., I will be able to help you.
Furthermore, consider editing capacity attribute of load-metric element.
BTW: "busyness" considers threads in thread pool being occupied with serving requests. You might find that this is not the bottleneck of your system. You might want to add heap, requests or other metrics. See http://docs.jboss.org/mod_cluster/1.2.0/html_single/
I have basic configuration for Spring SEcurity. The logout button works perfectly fine over HTTP but problem appears when dealing with HTTPS. My security config looks like this:
<http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint"
access-denied-page="/accessDenied">
<intercept-url pattern="/**" access="hasRole('AA_ACCESS')" requires-channel="any"/>
<custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter"/>
<session-management>
<concurrency-control max-sessions="1" expired-url="/sessionExpired"/>
</session-management>
<logout invalidate-session="true" delete-cookies="JSESSIONID"/>
</http>
The logout button:
Logout
As I said, everything works fine over HTTP, but not HTTPS.
I get error 404 Page not found. Ports the app is running is: 11501 for JBoss AS, while HTTPS is Apache with ajp connector to JBoss, apache is 16000, ajp 8009.
Luke Taylor was right. It's not Spring Secuiry issue. Remember kids, check everything twice after your colleagues. In my case, Apache VirtualHost was wrongly configured:
<VirtualHost *:11600>
ServerName localhost
DocumentRoot "/apache/htdocs/aa"
SSLEngine on
SSLCertificateFile "/apache/conf/server.crt"
SSLCertificateKeyFile "/apache/conf/server.key"
ProxyPass /admin ajp://localhost:8009/admin/ <--- HERE
<Directory "/apache/htdocs/aa">
DirectoryIndex index.html
AllowOverride All
Order allow,deny
Allow from all
</Directory>
ErrorLog "logs/error_log"
CustomLog "logs/access_log" common
LogLevel debug
</VirtualHost>
Notice additional slash at the end of ProxyPass, that was the problem
Not sure why it works on http so i dont know if this will help but you can try to set the logout-success-url on the logout configuration, in case that the 404 error is due to a missing page where you are redirected after the logout is complete.
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#nsa-logout