Apache / Tomcat AJP DNS failures when tunneling

Tags: ajp, apache-2.4, domain-name-system, ssh-tunnel, tomcat7

I have a situation where I can access a private NAT-ed Apache 2.4 / Tomcat 7.0 / Railo 4.2 server directly from the host or the local network, but when tunneling in through an SSH remote port forward the application breaks with the error:

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /.

Reason: DNS lookup failure for: server-dev:5555

The obvious answer would be that server-dev is an unresolvable hostname, but that shouldn't be the case here because lynx server-dev:80 works locally on the server or from a LAN machine on the subnet (the name is resolved through /etc/hosts on the client and server). Also, static pages served by Apache work; the error appears to be on the Tomcat side or in the AJP connector. I compiled Apache myself from 2.4.9 sources with APR 1.5.1. The problem only seems to manifest when port forwarding.

Apache error log shows:

[Tue Jun 24 22:37:06.911541 2014] [proxy:error] [pid 16858] [client 10.10.10.15:63398] AH00898: DNS lookup failure for: server-dev:5555 returned by /

There is nothing of note in catalina.out or any other logs I can see.

Relevant apache config is:

<VirtualHost *:80>
    ServerName server-dev
    UseCanonicalName On

    RewriteCond %{REQUEST_FILENAME} /[^/:]+\.cfml*($|/)
    RewriteRule (.*) ajp://%{HTTP_HOST}:8009$1 [P,L]
</VirtualHost>

The SSH tunnel is created from a third "man in the middle" system (10.10.10.15) using PuTTY with the following settings:

Remote: 5555
Local: 10.10.10.101:80

Relevant /etc/hosts entry on server (it has no bind/dnsmasq):

10.10.10.101  server-dev  # server's private IP

It seems that either the hosts file is being ignored and DNS resolution is being attempted, or the 5555 port number is confusing it somehow (like it thinks it's part of the hostname), though I can't think of a good reason for either thing to happen.

Best Answer

I found the problem. It looks like %{HTTP_HOST} contains the port number as well in cases where the port isn't 80, so the rule is evaluated as RewriteRule (.*) ajp://server-dev:5555:8009$1 [P,L].

Simple solution: it looks like the %{SERVER_NAME} variable does not contain the port.

So the rule that works is

RewriteRule (.*) ajp://%{SERVER_NAME}:8009$1 [P,L]

CAVEAT: I forgot that HTTP_HOST and SERVER_NAME are different depending on what domain the client browser sends. I actually need HTTP_HOST, just not the port, so the actual solution is https://stackoverflow.com/questions/11553939/rewriterule-using-http-host-and-a-different-port

RewriteCond %{HTTP_HOST} ^([^:]+)(:[0-9]+)?$
RewriteRule ^ http://%1:12345/ [R,L]