I have a java application running on a server IP 1.1.1.1 port 111
I have an Apache server running on IP 1.1.1.2 port 80
Apache should be configured as a proxy.
Clients will configure their computers to point to my Apache proxy at 1.1.1.2 port 80
The question is: could I configure the Apache server to redirect the requests coming from the client to the Java app for processing, and if the Java app sees that it should deny the request, then it will inform Apache, and Apache in turn should inform the client?
Am I dreaming, or could this be implemented?
Any suggestions would be very helpful.
Yes, this is possible. Have a look at the mod_proxy plugin for Apache. There are a few security and implementation considerations to cover, such as:
Is the site to be accessed via a new virtual host defined in Apache, or an existing one?
HTTP vs HTTPS access? (From your post, it seems like the decision is to use HTTP port 80)
What URL(s) to match on for the proxy rule to trigger?
Is the access allowed from all IP ranges or only a particular subnet?
Is there a benefit in offloading some of the static resources to the Apache server to ease the load on the backend application server, or in using mod_deflate to gzip the resources before forwarding them to the clients?
mod_proxy documentation
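One way to wire up the setup discussed above, as an added example that is not part of the original question or answer: an Apache 2.4 forward proxy that only a client subnet may use and that chains every request to the Java app. It assumes mod_proxy and mod_proxy_http are loaded, that the Java app accepts proxy-style HTTP requests and answers 403 when it denies one, and that 192.0.2.0/24 and the log file names are placeholders.

```apache
# Added example, not the poster's configuration.
Listen 1.1.1.2:80

<VirtualHost 1.1.1.2:80>
    # Forward-proxy mode: clients configure 1.1.1.2:80 as their HTTP proxy.
    ProxyRequests On
    ProxyVia On

    # Restrict who may use the proxy. Only the client subnet (placeholder
    # range) is allowed; requests from any other source are refused.
    <Proxy "*">
        Require ip 192.0.2.0/24
    </Proxy>

    # Hand every proxied request to the Java app on 1.1.1.1:111 (assumed to
    # speak HTTP as an upstream proxy). With ProxyErrorOverride left at its
    # default of Off, a 403 from the Java app is relayed to the client as is.
    ProxyRemote "*" "http://1.1.1.1:111"

    # Placeholder log names; the access log records each client and the
    # status that was returned, including denials.
    ErrorLog  "logs/proxy_error.log"
    CustomLog "logs/proxy_access.log" combined
</VirtualHost>
```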
Situation:
My client has a Java web application deployed on a JBoss server, it is accessed both via HTTPS and HTTP
The JBoss server is sitting behind a load-balancer that handles the SSL, in other words this load-balancer terminates SSL and sends requests to JBoss as plain HTTP
Problem I need to solve:
The web application deployed on JBoss needs to know what port the load-balancer is using for HTTPS, so that it can direct users to certain HTTPS URLs correctly. This cannot be hard-coded because the application will be deployed on multiple clients, each of which has a different configuration for the load-balancer.
My approach (which didn't work):
I am defining the port from a jspx page, via ${pageContext.request.serverPort}, but this always returns the port for HTTP because JBoss always gets the request via HTTP.
Thanks in advance. I've looked at this question but it was not helpful.
There isn't really a way to determine the port if tomcat is sitting behind a load balancer. As suggested in the comments, exposing the port configuration to your clients would be the best for now.
I'm trying to setup a Solaris KSSL proxy (http://www.c0t0d0s0.org/archives/5575-Less-known-Solaris-Features-kssl.html) as a frontend to a Jetty web server.
I'm able to make KSSL work with Apache web server so that KSSL redirects all incoming SSL traffic from port 443 into an Apache web server listening on port 28080.
However, the same configuration does not work when Jetty is listening on port 28080. I verified that the KSSL requests do not even reach Jetty, or at least I cannot see them in the access log. Furthermore, even if I set up a simple Java class which just listens on a server socket, KSSL cannot redirect requests to it.
My question is: what are the prerequisites for a web server in order to be able to get requests from KSSL?
Best regards,
Lior
There are 2 very common gotchas when working with kssl.
The first is that the Apache listening IP has to be the same as in your ksslcfg command. So if you have Listen 123.123.123.123:28080 in the httpd.conf file, then you must use a ksslcfg command with the same IP. You cannot have it listening on ANY (*) and then list an IP in ksslcfg, or listen on an IP and leave out the IP on ksslcfg. Whatever netstat shows is listening on port 28080 must match the IP used in ksslcfg (or don't use the IP it is listening on *).
The second is that you must do the operations in this order:
ksslcfg
restart apache
It does not work if ksslcfg is run without restarting Apache afterward.
I've seen many people on the web testing with something like localhost in their ksslcfg command. It won't work unless you also had localhost as the Listen IP in the Apache configuration.
Thrift provides several different non-blocking server models, like TNonblockingServer, THsHaServer, and TThreadedSelectorServer. But I'd like to enable SSL on the server. It seems SSL only works on blocking servers in Thrift.
Does anyone have any clues about a non-blocking SSL server in Thrift? A Java example would be highly appreciated.
One alternative to worrying about SSL in your Java App is to stand up something like nginx (http://wiki.nginx.org/SSL-Offloader) as a reverse proxy.
This has the upside of your application not needing to care about SSL but does require one more layer in your stack.
Clients will connect to the nginx server instead of directly to your client and nginx will forward those connections to your Thrift server.
You don't necessarily need two different servers for this approach, just configure your Thrift server to only listen on localhost (127.0.0.1 for ipv4) and have nginx listen on your external interfaces and forward to localhost.
Edit: client -> server in last paragraph
I have a requirement as to have a single server with both a Java application and a PHP application, running on the same Apache. Is this possible?
This question may be very silly but I have no clue about java requirements or installation procedures.
Can I do such a thing that as to have the java application running on one port and the PHP application on another port, both on the same Apache?
Yes you can do that. Essentially you have to run the Apache (+ PHP) server on one port and the Tomcat server on a different port.
You can expose the 2nd port to the outside world, and have your URLs use either port 80 for Apache / PHP or (say) 8080 for the Java server. This is simple, but you may find that upstream firewalls prevent a remote web browser from connecting to any port other than 80.
You can configure your Apache server as a reverse proxy for the Java server. So for instance, the Apache server might recognize that http://site.com/javaapp/foo.html is for the Java server, and relay requests for that URL to http://localhost:8080/javaapp/foo.html.
There is a whole chapter of the Apache documentation about configuring forward and reverse proxies using mod_proxy.
Yes.
Apache HTTPd can delegate to Apache Tomcat using ModProxy or ModAJP, and can be configured to do so based on the domain, path or file extension requested. Your Apache HTTPd configuration of PHP would remain the same.
You would need to configure Apache Tomcat to not listen on port 80, and then configure the Apache HTTPd proxying solution of your choice to talk to Tomcat on a different port.
Here's a starting point for more information: Apache + Tomcat: Using mod_proxy instead of AJP
This is possible using Apache Reverse Proxy,
I configured one Apache virtual host that serves one PHP website (Drupal) and one Java application (Tomcat, for business logic) that are stored on the same server, using a reverse proxy with 2 locations. The advantage of this configuration is that it doesn't expose the port that Tomcat is using in the URL, which was mandatory for me for security reasons.
This is how I achieved this:
<VirtualHost *:80>
    # Pass the client's Host header through to the backends.
    ProxyPreserveHost On
    DocumentRoot "/srv/www/htdocs/"
    ErrorLog /var/log/httpd/app_error_log.log
    CustomLog /var/log/httpd/app_log.log combined
    ServerName myapp.com

    # Drupal PHP content, stored at / as the main front end website.
    <Location />
        ProxyPass http://localhost/
        # ProxyPassReverse uses the same backend URL as ProxyPass, trailing slash included.
        ProxyPassReverse http://localhost/
        Order allow,deny
        Allow from all
    </Location>

    # Tomcat/Java content, secondary site used to process payments and business logic.
    # The backend URL has no trailing slash because the Location path /javaApp has none.
    <Location /javaApp>
        ProxyPass http://localhost:8080/javaApp
        ProxyPassReverse http://localhost:8080/javaApp
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
Restart Apache:
service httpd restart;
Test your reverse proxies:
PHP/Drupal (in my case I'm using Drupal, but it can be any PHP code):
http://yourserverip/ or http://localhost/
Java:
http://yourserverip/javaApp or http://localhost/javaApp
I hope someone can find this useful.
I had a hard time trying to figure this out. :)
Regards.
Can a single Apache server handle both Tomcat and PHP?
Yes, you need both Apache and Tomcat installed, but you can configure Apache to redirect (transparently for the user) all JSP requests to Tomcat using the AJP protocol.
See more here:
http://www.datadisk.co.uk/html_docs/java_app/tomcat6/tomcat6_apache_server.htm
We have Tomcat application server set up at port 8080 and Apache Http Server at port 80.
httpd redirects all traffic on port 80 to port 8080.
I am looking at the tomcat server console for our site and I see several requests on port 8009. These requests stay alive for as long as 100 to 150 seconds.
We aren't making any requests to that port. Where then are these requests coming from? Why don't they finish?
8009 is the port commonly used by AJP.
The Apache JServ Protocol (AJP) is a binary protocol that can proxy
inbound requests from a web server through to an application server
that sits behind the web server.
Here's more info on AJP and its usage/configuration within Tomcat.
The AJP Connector element represents a Connector component that
communicates with a web connector via the AJP protocol. This is used
for cases where you wish to invisibly integrate Tomcat 5 into an
existing (or new) Apache installation, and you want Apache to handle
the static content contained in the web application, and/or utilize
Apache's SSL processing.