Centos – Proxies, Apache, Tomcat – VHosts

I have a setup as so:

Internet — router -[DMZ]- pfsense — webserver

router =jenky plastic cheap-o router (my nice mikrotik/routerboard died). Has ip address of pfsense set to DMZ.

pfsense =doing basic firewalling plus proxy/reverse-proxy. The proxies are for URL forwarding to the correct webserver behind the firewall.

webserver =centos box running httpd (apache) and tomcat6 (installed separately, both from yum, but at different times, so it's not the apache+tomcat thing).

Several websites run from this particular webserver, handled by apache's virtual hosts.

ex: http://www.example.com, http://www.example1.com, etc

Tomcat runs an app on port 8080 at the extension /mywebapp.

ex: http://www.example.com:8080/mywebapp

I have configured everything appropriately in pfsense to forward all subdomains of the websites served by apache to the correct host.

I have configured /etc/httpd/conf/httpd.conf to include the virtual host config as

<VirtualHost *:80>
    ServerName mywebapp.example.com
    ProxyPass / http://www.example.com:8080/mywebapp
    ProxyPassReverse / http://www.example.com:8080/mywebapp
    ProxyRequests Off
    <Proxy http://www.example.com:8080/mywebapp*>
        Order deny,allow
        Allow from all
    </Proxy>
    ErrorLog logs/mywebapp.example.com-error_log
    CustomLog logs/mywebapp.example.com-access_log common
</VirtualHost>

I have modified my tomcat6 server.xml file and changed the first connector to include the proxyName and proxyPort.

<!-- A "Connector" represents an endpoint by which requests are received
    and responses are returned. Documentation at :
    Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
    Java AJP  Connector: /docs/config/ajp.html
    APR (HTTP/AJP) Connector: /docs/apr.html
    Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           proxyName="mywebapp.example.com"
           proxyPort="8080"
           redirectPort="8443" URIEncoding="UTF-8"/>

No matter what I try, when I put mywebapp.example.com into my browser, it redirects to mywebapp.example.com:8080/mywebapp.

when I want to access it as mywebapp.example.com and have that stay in the browser address bar. This would make url posting much more friendly, etc.

I already configured the CNAME in DNS for mywebapp.

www.example.com is unaffected by this.

logs for httpd are normal looking… logs for tomcat6 show nothing. I know the request hits the right box because www.example.com:8080/mywebapp works (along with the other websites).

iptables is disabled and so if SELinux.

What am I doing wrong? Please advise.

UPDATE: I tried adding ProxyPreserveHost On in the vhost config per one of the comments, but no dice. When this line is added and apache and tomcat are both restarted, I can't get to mywebapp.example.com nor www.example.com:8080/mywebapp. Basically adding this config makes mywebapp not accessible at all, however I know it is still running.

UPDATE 2: Adding tcpdump taken from the server. I'm showing the first connection as it's being passed from pfsense (proxy) to the webserver.

192.168.0.1 == pfsense
192.168.1.1 == webserver
192.168.2.1 == "internet"

192.168.0.1 > 192.168.1.1
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: mywebapp.example.com
DNT: 1
Via: 1.1 proxy.somecompany.com (squid/3.1.20)
X-Forwarded-For: 192.168.2.1
Cache-Control: max-age=259200

192.168.1.1 > 192.168.2.1
GET /mywebapp HTTP/1.1
Host: www.example.com:8080
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
DNT: 1
Via: 1.1 proxy.somecompany.com (squid/3.1.20)
X-Forwarded-For: 192.168.2.1, 192.168.0.1
Cache-Control: max-age=259200
X-Forwarded-Host: mywebapp.example.com
X-Forwarded-Server: mywebapp.example.com
Connection: Keep-Alive

192.168.2.1 > 192.168.1.1
GET /mywebapp HTTP/1.1
Host: www.example.com:8080
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
DNT: 1
Via: 1.1 proxy.somecompany.com (squid/3.1.20)
X-Forwarded-For: 192.168.2.1, 192.168.0.1
Cache-Control: max-age=259200
X-Forwarded-Host: mywebapp.example.com
X-Forwarded-Server: mywebapp.example.com
Connection: Keep-Alive

192.168.1.1 > 192.168.2.1
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://mywebapp.example.com:8080/mywebapp/
Content-Length: 0
Date: Thu, 04 Apr 2013 05:14:44 GMT

192.168.2.1 > 192.168.1.1
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://mywebapp.example.com:8080/mywebapp/
Content-Length: 0
Date: Thu, 04 Apr 2013 05:14:44 GMT

192.168.1.1 > 192.168.0.1
HTTP/1.1 302 Moved Temporarily
Date: Thu, 04 Apr 2013 05:14:44 GMT
Server: Apache-Coyote/1.1
Location: http://mywebapp.example.com:8080/mywebapp/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

192.168.2.1 > 192.168.1.1
GET /mywebapp/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: mywebapp.example.com:8080

192.168.1.1 > 192.168.2.1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Encoding: gzip
Expires: 0
Cache-Control: no-cache,must-revalidate
X-App-Theme: default
Set-Cookie: JSESSIONID=81CE83D61454A8E75C222759FA118338; Path=/mywebapp
X-App: 1.395
X-App2: 1.508
X-App2-Session: e797c95b
X-App-CLI-Port: 36143
X-App2-CLI-Port: 36143
X-App2-CLI2-Port: 36143
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjEfz8W2LiYRfrJQYH35uwtgQBpy0g6bTvBaTuARRpVLUmi+lnEfD/nVJY4GJoSfGzgnJAQ3MSqX+e1F4y2Jg5hwa2L0jibpb//BbfIMZkYZk8CtLMrkGvLC1nB7sghXupWOUOhWnzFq+a+LHSANNqfaMs9k6xJI6rvwIDAQAB
Content-Type: text/html;charset=UTF-8
Content-Length: 3879
Date: Thu, 04 Apr 2013 05:14:44 GMT

192.168.2.1 > 192.168.1.1
GET /mywebapp/static/e797c95b/css/style.css HTTP/1.1
Accept: text/css
Referer: http://mywebapp.example.com:8080/mywebapp/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: mywebapp.example.com:8080
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=81CE83D61454A8E75C222759FA118338

192.168.1.1 > 192.168.2.1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 25 Mar 2013 20:17:34 GMT
Expires: Fri, 04 Apr 2014 05:14:44 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Type: text/css
Content-Length: 5763
Date: Thu, 04 Apr 2013 05:14:44 GMT

192.168.2.1 > 192.168.1.1
GET /mywebapp/static/e797c95b/css/color.css HTTP/1.1
Accept: text/css
Referer: http://mywebapp.example.com:8080/mywebapp/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: mywebapp.example.com:8080
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=81CE83D61454A8E75C222759FA118338

Update 3: Adding my current /etc/httpd/conf/httpd.conf file to show updates/changes so far.

<VirtualHost *:80>
    ServerName mywebapp.example.com
    ProxyPass / http://www.example.com:8080/mywebapp/
    ProxyPassReverse / http://www.example.com:8080/mywebapp/
    ProxyRequests off
    RewriteEngine on
    RewriteRule ^(/.*) http://www.example.com:8080/mywebapp/$1 [P]
#    ProxyPreserveHost On
    <Proxy http://www.example.com:8080/mywebapp*>
        Order deny,allow
        Allow from all
    </Proxy>
    ErrorLog logs/mywebapp.example.com-error_log
    CustomLog logs/mywebapp.example.com-access_log common
</VirtualHost>