Tunnelling websocket calls through Apache on TLS to a non-TLS Tomcat server - java

We are using websockets in one of our projects. Our setup has an Apache web server and a different server with a Tomcat instance. Apache is on TLS but the Tomcat instance does not have TLS.
We are trying to tunnel the websockets through Apache (wss) to the Tomcat instance (ws).
Is this possible? The initial handshake is successful and we get a 101 response status. After that, when we try to send data through the websocket, it does not reach the Tomcat instance.
Any help would be greatly appreciated.
Below is the section of configuration used for websockets from the httpd.config file.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule ssl_module modules/mod_ssl.so
ProxyPass wss://apache/ws/connect ws://tomcatinstance/wsapp/connect
ProxyPassReverse wss://apache/ws/connect ws://tomcatinstance/wsapp/connect
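An added diagnostic, not part of the original question: a minimal RFC 6455 client in Python that performs the wss:// handshake through the TLS-terminating proxy with full certificate and hostname verification, checks the 101 reply field by field (status, Upgrade, Connection, Sec-WebSocket-Accept), then sends one masked data frame and waits for any reply. That last step is what separates a proxy that merely answers the Upgrade with 101 from a tunnel that actually forwards frames. The host apache.example.com and the path /ws/connect are assumptions standing in for the question's apache/ws/connect; the pure helpers are checked against the worked values in RFC 6455.

```python
# Added example (not from the original question): a minimal RFC 6455 client
# for checking that a wss:// endpoint behind a TLS-terminating reverse proxy
# forwards data frames and not only the Upgrade handshake.
import base64
import hashlib
import os
import socket
import ssl
from typing import Optional

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455 section 1.3


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept value the server must return for the given client key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake(host: str, path: str, client_key: str) -> bytes:
    """HTTP/1.1 Upgrade request for the given path (the ProxyPass source path)."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {client_key}",
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_handshake_response(raw: bytes, client_key: str) -> dict:
    """Parse the proxy's reply and check each RFC 6455 requirement for a valid 101."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    status = int(status_line.split(" ", 2)[1])
    problems = []
    if status != 101:
        problems.append(f"status {status}, expected 101")
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("missing or wrong Upgrade header")
    if "upgrade" not in headers.get("connection", "").lower():
        problems.append("Connection header does not contain 'upgrade'")
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        problems.append("Sec-WebSocket-Accept does not match our key")
    return {"status": status, "headers": headers, "problems": problems}


def encode_client_frame(payload: bytes, mask: Optional[bytes] = None, opcode: int = 0x1) -> bytes:
    """One unfragmented, masked frame (clients MUST mask, RFC 6455 section 5.3)."""
    if mask is None:
        mask = os.urandom(4)
    header = bytes([0x80 | opcode])  # FIN=1, RSV=0, opcode 0x1 = text
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])  # MASK bit set, 7-bit length
    elif n < 65536:
        header += bytes([0x80 | 126]) + n.to_bytes(2, "big")
    else:
        header += bytes([0x80 | 127]) + n.to_bytes(8, "big")
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return header + mask + masked


def probe(host: str, path: str, message: bytes = b"ping", port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with certificate verification, upgrade, send one frame, wait for any reply."""
    ctx = ssl.create_default_context()  # verifies the proxy's certificate chain and hostname
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_handshake(host, path, key))
            result = parse_handshake_response(tls.recv(4096), key)
            if result["problems"]:
                return result
            tls.sendall(encode_client_frame(message))
            try:
                # b"" means the peer closed; None means nothing came back before the
                # timeout. Either one, after a clean 101, points at frames not being forwarded.
                result["reply"] = tls.recv(4096)
            except socket.timeout:
                result["reply"] = None
    return result


if __name__ == "__main__":
    # Hypothetical host and path, mirroring the ProxyPass source path in the question.
    print(probe("apache.example.com", "/ws/connect"))
```

Run it against the public wss:// endpoint with a path the backend application answers; a `reply` of `None` or `b""` after a clean 101 reproduces the symptom in the question, while a frame back shows the tunnel is passing data in both directions.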

Related

Issue with Apache 2.4.43 https while using proxy pass

I am new to Apache configuration with JBoss EAP 7 as web server. I am using JBoss EAP 7 as the web server where I deployed my application, which is working well. It is listening on http with port 8080. When I try to access the application from Apache with http, it works well. But the same from https is not working. Apache version is 2.4.43. Below is my configuration.
<VirtualHost x.x.x.x:80>
ProxyPass /Hello http://x.x.x.x:8080/Hello
ProxyPassReverse /Hello http://x.x.x.x:8080/Hello
</VirtualHost>
The above works fine.
But the below is not working
<VirtualHost x.x.x.x:443>
ProxyPass /Hello http://x.x.x.x:8080/Hello
ProxyPassReverse /Hello http://x.x.x.x:8080/Hello
</VirtualHost>
Getting the following error. Not sure what could be the issue? The following is the error logged from the Apache server:
[proxy:error] (70007)The timeout specified has expired: AH01084: pass request body failed to x.x.x.x:8080
[proxy_http:error] AH01097: pass request body failed to x.x.x.x:8080
From the browser, I get a 504 error message like below.
The gateway did not receive a timely response from the upstream server or application.
Can anyone help me on this issue?
Thanks,
Suresh
It seems to be an issue with my certificates. The same configuration is working fine with a valid certificate in other environments.

Configure SSL certificate in Apache for 1-way authentication

I am using a Java application to send requests to a URL. I have an Apache server in the middle. So my application sends a request to the Apache server, and the Apache server then sends the request to the actual server with which I want to communicate.
The server side has sent us a .cer certificate file which should be presented at the time of the SSL handshake. The server side is not ready to share the private key (.key) file with us. How do I configure the certificate in the Apache httpd config?
Currently I have the below configuration on the httpd side
httpd.conf
<VirtualHost apache-server-IP:443>
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/httpd/conf/test.cer (certificate file provided by server side)
ProxyPass /api https://ServerIP:ServerPort/api/oauth/token
ProxyPassReverse /api https://ServerIP:ServerPort/api/oauth/token
</VirtualHost>
I make a request to the Apache server using the URL (http://apache-server-ip:443/api/oauth/token), which in turn sends a request over https to the actual server using ProxyPass.
I'm getting an internal server error 500 from the server side.
Can anyone suggest how to configure the certificate in Apache without using the private key, but only for presenting the certificate to the server?

Apache & Nginx (each as reverse proxy) having very different behavior for a self-signed backend certificate

I am deploying Angular on Nginx and Apache HTTP Server (as reverse proxy web servers) in my UAT environment, with the backend being Spring Boot on Apache Tomcat (encrypted with https for the Java REST APIs). I have noticed that Nginx was configured as a reverse proxy much more easily than Apache, BUT that was largely because Apache didn't trust the Java APIs' certificate (as it is self-signed, so this seems correct).
Can someone explain why this happened? I trust that Nginx is secure, but I want to know why it allowed this self-signed certificate while Apache by default blocked it (only allowed it with SSLProxyVerify none)?
Nginx config (related part):
location /api {
proxy_pass https://192.168.170.78:7002/;
}
Apache config (the related part):
# SSL proxy config
SSLProxyEngine on
# Why must this be present for Apache to connect to the backend but not for nginx?
SSLProxyCheckPeerName off
# the (proxy) redirection rules for the server
ProxyPass /api/ https://192.168.170.78:7002/
ProxyPassReverse /api/ https://192.168.170.78:7002/
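The difference the question observes comes down to defaults: nginx does not verify the upstream certificate unless `proxy_ssl_verify on` is configured, while Apache (2.4.5 and later) compares the backend certificate's name against the hostname in the ProxyPass URL by default (`SSLProxyCheckPeerName on`), so a self-signed certificate presented by a bare IP address fails that check. Neither proxy validates the chain unless told to. As an added example, not part of the original question, here is a small Python linter over an httpd.conf fragment that flags the directives which switch those checks off and reports an https:// backend that has no `SSLProxyVerify require` and no CA file; it also carries a hardened variant that trusts the self-signed certificate explicitly by pinning it as the proxy's CA file. The directive names are real mod_ssl directives; the sample configurations are constructed from the question, and the CA file path and the hostname backend.internal are assumptions (the hostname matters because the peer-name check compares the certificate against the name in the ProxyPass URL).

```python
# Added example, not from the original question: a linter for mod_ssl proxy
# directives in an httpd.conf fragment. It flags settings that disable
# validation of the backend certificate and checks that an https:// backend
# has both 'SSLProxyVerify require' and a CA file to anchor trust in.

# Directives that, at this value, weaken checks on the backend certificate.
WEAK_SETTINGS = {
    "sslproxycheckpeername": ("off", "certificate is not matched against the backend hostname"),
    "sslproxycheckpeercn": ("off", "certificate CN is not matched against the backend hostname"),
    "sslproxycheckpeerexpire": ("off", "expired backend certificates are accepted"),
}

# Constructed from the Apache fragment in the question.
QUESTION_CONF = """# SSL proxy config
SSLProxyEngine on
SSLProxyCheckPeerName off
ProxyPass /api/ https://192.168.170.78:7002/
ProxyPassReverse /api/ https://192.168.170.78:7002/
"""

# Same backend, but the self-signed certificate is trusted explicitly by pinning
# it as the proxy's CA file instead of switching validation off. Path and
# hostname are assumed values.
HARDENED_CONF = """SSLProxyEngine on
SSLProxyVerify require
SSLProxyCheckPeerName on
# assumed path: the backend's self-signed certificate exported in PEM form
SSLProxyCACertificateFile /etc/httpd/conf/backend-selfsigned.crt
ProxyPass /api/ https://backend.internal:7002/
ProxyPassReverse /api/ https://backend.internal:7002/
"""


def parse_directives(conf: str):
    """Yield (lineno, lowercased directive name, value) for every directive line."""
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank line, comment, or section tag
        parts = line.split(None, 1)
        yield lineno, parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def lint_ssl_proxy(conf: str) -> list:
    """Return (lineno, message) findings; an empty list means nothing weak was found."""
    findings = []
    seen = {}
    https_lines = []
    for lineno, name, value in parse_directives(conf):
        seen[name] = value.lower()
        weak_value, why = WEAK_SETTINGS.get(name, (None, None))
        if weak_value is not None and value.lower() == weak_value:
            findings.append((lineno, f"{name} {value}: {why}"))
        if name in ("proxypass", "proxypassreverse") and "https://" in value.lower():
            https_lines.append(lineno)
    if https_lines:
        first = https_lines[0]
        if seen.get("sslproxyverify", "none") != "require":
            findings.append((first, "https backend without 'SSLProxyVerify require' "
                                    "(the default, none, accepts any certificate chain)"))
        if not ({"sslproxycacertificatefile", "sslproxycacertificatepath"} & seen.keys()):
            findings.append((first, "https backend without SSLProxyCACertificateFile/Path: "
                                    "no trust anchor for the backend certificate"))
    return findings


if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_ssl_proxy(conf) or "no findings")
```

The same pinning approach applies to the nginx side: `proxy_ssl_verify on` together with `proxy_ssl_trusted_certificate` pointing at the exported self-signed certificate gives nginx the check it currently skips.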

issues of mod_cluster & apache & tomcat7 integration

I downloaded the mod_cluster native bundle with httpd from http://mod-cluster.jboss.org/mod_cluster/downloads/1-2-6-Final-bin like below. So I did not need to do any configuration for httpd since this tar file contains httpd and the related mod_cluster modules.
mod_cluster-1.2.6.Final-linux2-x64.tar.gz
Then I downloaded tomcat7 and did the following two things.
1. Add <Listener className="org.jboss.modcluster.container.catalina.standalone.ModClusterListener" proxyList="192.168.91.128:80" advertise="true"/> to tomcat7/conf/server.xml
2. Download mod_cluster-parent-1.2.6.Final-bin.tar.gz from the JBoss site and extract the jars to the tomcat7/lib directory.
I followed all the above steps from http://docs.jboss.org/mod_cluster/1.2.0/html/Quick_Start_Guide.html#d0e250.
But after I started up httpd and tomcat7, I found error messages like the one below generated again and again in catalina.out.
ERROR: MODCLUSTER000042: Error null sending INFO command to 192.168.91.128/192.168.91.128:80, configuration will be reset: nul
I pasted the critical configuration from httpd.conf.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
<IfModule manager_module>
Listen 192.168.91.128:6666
ManagerBalancerName mycluster
<VirtualHost 192.168.91.128:6666>
<Location />
Order deny,allow
Deny from all
Allow from 192.168.91
</Location>
KeepAliveTimeout 300
MaxKeepAliveRequests 0
AdvertiseFrequency 5
#AdvertiseSecurityKey secret
#AdvertiseGroup #ADVIP#:23364
EnableMCPMReceive
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Order deny,allow
Deny from all
Allow from 192.168.91
</Location>
</VirtualHost>
</IfModule>
ServerName localhost
Error
Communication between Apache HTTP Server and Tomcat is bidirectional, i.e. Tomcat's mod_cluster library needs to talk to a VirtualHost configured in your Apache HTTP Server -- exactly the one VirtualHost where you have EnableMCPMReceive set. In this case, please follow Federico's advice and change the proxyList to match your EnableMCPMReceive VirtualHost IP and port.
Advertising
Furthermore, is it intentional that you use both advertising (Apache HTTP Server using UDP multicast to advertise its presence to Tomcats) and have proxyList set at the same time? You can get by without one or the other, depending on your desired setup and environment.
Do not use mod_cluster 1.2.6, please
mod_cluster 1.2.6 is desperately obsolete; it contains not only a severe performance issue but also a CVE and several noteworthy bugs. Please upgrade to mod_cluster 1.3.1.
See http://modcluster.io for 1.3.1.Final release bits or alternatively http://mod-cluster.jboss.org.
Regarding Apache HTTP Server 2.2.x vs 2.4.x
The aforementioned mod_cluster 1.3.1.Final is offered with httpd 2.4.x. Do you have any special desire for the older httpd 2.2.x? It is possible to compile mod_cluster 1.3.1 with httpd 2.2.x; it's just not what we do regularly, as noted in my comment on the subject.
Happy mod_clustering!
K.
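An added example, not part of the answer above: a Python cross-check of the two halves of the bidirectional setup the answer describes. It reads the proxyList from the Tomcat ModClusterListener element, collects every Apache VirtualHost that contains EnableMCPMReceive, and reports proxyList entries that do not point at one of them; it also notes when advertise="true" and proxyList are both set. Both inputs are constructed from the snippets in the question (with the commented Advertise lines dropped), and matching is textual, so proxyList="192.168.91.128:80" is compared against the VirtualHost address 192.168.91.128:6666 exactly as written.

```python
# Added example (not from the original answer): check that Tomcat's
# ModClusterListener proxyList targets an Apache VirtualHost that has
# EnableMCPMReceive, which is the mismatch described in the answer.
import re

# Constructed from the server.xml Listener line in the question.
SERVER_XML = ('<Listener className="org.jboss.modcluster.container.catalina.standalone.'
              'ModClusterListener" proxyList="192.168.91.128:80" advertise="true"/>')

# Constructed from the httpd.conf fragment in the question.
HTTPD_CONF = """<IfModule manager_module>
Listen 192.168.91.128:6666
ManagerBalancerName mycluster
<VirtualHost 192.168.91.128:6666>
<Location />
Order deny,allow
Deny from all
Allow from 192.168.91
</Location>
KeepAliveTimeout 300
MaxKeepAliveRequests 0
AdvertiseFrequency 5
EnableMCPMReceive
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
</Location>
</VirtualHost>
</IfModule>
"""


def listener_attr(server_xml: str, attr: str) -> str:
    """Value of one attribute on the ModClusterListener element, or '' if absent."""
    m = re.search(r'ModClusterListener[^>]*\b' + attr + r'="([^"]*)"', server_xml)
    return m.group(1) if m else ""


def tomcat_proxy_list(server_xml: str) -> list:
    """host:port entries Tomcat will send MCMP commands (CONFIG, INFO, STATUS...) to."""
    raw = listener_attr(server_xml, "proxyList")
    return [entry.strip() for entry in raw.split(",") if entry.strip()]


def mcmp_vhosts(httpd_conf: str) -> list:
    """addr:port of every VirtualHost whose body contains EnableMCPMReceive."""
    result = []
    current = None
    for raw in httpd_conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = m.group(1).strip()
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            current = None
            continue
        if line.lower() == "enablemcpmreceive" and current is not None:
            result.append(current)
    return result


def check_mod_cluster(server_xml: str, httpd_conf: str) -> dict:
    """Report proxyList entries that do not match an MCMP-enabled VirtualHost."""
    proxies = tomcat_proxy_list(server_xml)
    vhosts = mcmp_vhosts(httpd_conf)
    unreachable = [p for p in proxies if p not in vhosts]
    return {
        "proxyList": proxies,
        "mcmp_vhosts": vhosts,
        "unreachable": unreachable,
        "advertise_and_proxylist": listener_attr(server_xml, "advertise").lower() == "true" and bool(proxies),
        "ok": bool(vhosts) and not unreachable,
    }


if __name__ == "__main__":
    print(check_mod_cluster(SERVER_XML, HTTPD_CONF))
```

With the question's inputs the check reports 192.168.91.128:80 as unreachable and 192.168.91.128:6666 as the only MCMP-enabled VirtualHost, which is the mismatch behind the repeated MODCLUSTER000042 INFO errors; changing proxyList to the latter makes the check pass.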

How does HTTP frontend server communicate to Websphere

How does an HTTP frontend server (remote) communicate with WebSphere?
I have read that the WAS plugin installed in the HTTP frontend server will route the requests to WebSphere based on plugin-cfg.xml settings.
Will the routing be on HTTP protocol or some other binary protocol?
What are the implications on Firewall settings in this case? What ports should be kept open on the application server machine?
Will the routing be on HTTP protocol or some other binary protocol?
The plugin uses the HTTP / HTTPS protocol to communicate with WebSphere. HTTPS is used if the request comes via https and the plugin is configured to communicate using https with WebSphere (has the root WebSphere cert added to trusted signers).
What are the implications on Firewall settings in this case?
What ports should be kept open on the application server machine?
After you generate plugin-cfg.xml, you will see, for each of the servers that the plugin needs to communicate with, the following fragment:
<Server CloneID="s111111" LoadBalanceWeight="1" ConnectTimeout="0" ExtendedHandshake="false" MaxConnections="-1" Name="custTestNode_server1" ServerIOTimeout="0" WaitForContinue="false">
<Transport Hostname="server1" Port="9080" Protocol="http"/>
<Transport Hostname="server1" Port="9443" Protocol="https">
<Property Name="keyring" Value="/config/webserver1/plugin-key.kdb"/>
<Property Name="stashfile" Value="/config/webserver1/plugin-key.sth"/>
</Transport>
</Server>
Those are the ports, in this case 9080 and 9443, which will be used to communicate with that server, and they need to be opened in the firewall.
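An added example, not part of the answer above: a Python parser for the plugin-cfg.xml fragment that turns the Transport elements into the firewall allow-list the answer is describing, and flags the two things a reviewer looks for in that file, an https transport with no keyring property and an http transport that carries plugin-to-WebSphere traffic in cleartext. The XML is the fragment quoted in the answer, wrapped in constructed Config and ServerCluster elements so it parses stand-alone; the rule format and the source host name webserver1 are assumptions.

```python
# Added example (not from the original answer): derive the firewall allow-list
# and a few review findings from a plugin-cfg.xml fragment.
import xml.etree.ElementTree as ET

# The Server fragment quoted in the answer, wrapped in constructed parent elements.
PLUGIN_CFG = """<Config>
<ServerCluster Name="cluster1">
<Server CloneID="s111111" LoadBalanceWeight="1" ConnectTimeout="0" ExtendedHandshake="false" MaxConnections="-1" Name="custTestNode_server1" ServerIOTimeout="0" WaitForContinue="false">
<Transport Hostname="server1" Port="9080" Protocol="http"/>
<Transport Hostname="server1" Port="9443" Protocol="https">
<Property Name="keyring" Value="/config/webserver1/plugin-key.kdb"/>
<Property Name="stashfile" Value="/config/webserver1/plugin-key.sth"/>
</Transport>
</Server>
</ServerCluster>
</Config>
"""


def transports(plugin_cfg_xml: str) -> list:
    """(server name, hostname, port, protocol, has_keyring) for every Transport element."""
    root = ET.fromstring(plugin_cfg_xml)
    rows = []
    for server in root.iter("Server"):
        for t in server.findall("Transport"):
            props = {p.get("Name"): p.get("Value") for p in t.findall("Property")}
            rows.append((server.get("Name"), t.get("Hostname"), int(t.get("Port")),
                         t.get("Protocol").lower(), "keyring" in props))
    return rows


def firewall_rules(plugin_cfg_xml: str, plugin_host: str) -> list:
    """Distinct TCP rules from the web server host to each WebSphere transport port."""
    targets = sorted({(host, port) for _, host, port, _, _ in transports(plugin_cfg_xml)})
    return [f"allow tcp from {plugin_host} to {host} port {port}" for host, port in targets]


def findings(plugin_cfg_xml: str) -> list:
    """Review notes: https without a keyring, and http transports (cleartext hop)."""
    notes = []
    for name, host, port, proto, has_keyring in transports(plugin_cfg_xml):
        if proto == "https" and not has_keyring:
            notes.append(f"{name}: https transport {host}:{port} has no keyring property")
        elif proto == "http":
            notes.append(f"{name}: http transport {host}:{port} carries plugin traffic in cleartext")
    return notes


if __name__ == "__main__":
    # webserver1 is an assumed name for the host running the plugin.
    for rule in firewall_rules(PLUGIN_CFG, "webserver1"):
        print(rule)
    for note in findings(PLUGIN_CFG):
        print("note:", note)
```

Running the parser over a real plugin-cfg.xml with several ServerCluster elements produces one rule per distinct host and port, which is the list to hand to whoever maintains the firewall between the web tier and the application servers.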
