I have a setup as so:
Internet — router -[DMZ]- pfsense — webserver
router =
jenky plastic cheap-o router (my nice mikrotik/routerboard died). Has ip address of pfsense set to DMZ.
pfsense =
doing basic firewalling plus proxy/reverse-proxy. The proxies are for URL forwarding to the correct webserver behind the firewall.
webserver =
centos box running httpd (apache) and tomcat6 (installed separately, both from yum, but at different times, so it's not the apache+tomcat thing).
Several websites run from this particular webserver, handled by apache's virtual hosts.
ex: http://www.example.com, http://www.example1.com, etc
Tomcat runs an app on port 8080 at the extension /mywebapp.
ex: http://www.example.com:8080/mywebapp
I have configured everything appropriately in pfsense
to forward all subdomains of the websites served by apache to the correct host.
I have configured /etc/httpd/conf/httpd.conf to include the virtual host config as
<VirtualHost *:80>
ServerName mywebapp.example.com
ProxyPass / http://www.example.com:8080/mywebapp
ProxyPassReverse / http://www.example.com:8080/mywebapp
ProxyRequests Off
<Proxy http://www.example.com:8080/mywebapp*>
Order deny,allow
Allow from all
</Proxy>
ErrorLog logs/mywebapp.example.com-error_log
CustomLog logs/mywebapp.example.com-access_log common
</VirtualHost>
I have modified my tomcat6 server.xml
file and changed the first connector to include the proxyName
and proxyPort
.
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
proxyName="mywebapp.example.com"
proxyPort="8080"
redirectPort="8443" URIEncoding="UTF-8"/>
No matter what I try, when I put mywebapp.example.com
into my browser, it redirects to mywebapp.example.com:8080/mywebapp
.
when I want to access it as mywebapp.example.com
and have that stay in the browser address bar. This would make url posting much more friendly, etc.
I already configured the CNAME
in DNS
for mywebapp
.
www.example.com
is unaffected by this.
logs for httpd
are normal looking… logs for tomcat6 show nothing. I know the request hits the right box because www.example.com:8080/mywebapp
works (along with the other websites).
iptables
is disabled and so if SELinux
.
What am I doing wrong? Please advise.
UPDATE:
I tried adding ProxyPreserveHost On
in the vhost config per one of the comments, but no dice. When this line is added and apache and tomcat are both restarted, I can't get to mywebapp.example.com
nor www.example.com:8080/mywebapp
. Basically adding this config makes mywebapp not accessible at all, however I know it is still running.
UPDATE 2:
Adding tcpdump taken from the server. I'm showing the first connection as it's being passed from pfsense
(proxy) to the webserver
.
192.168.0.1 == pfsense
192.168.1.1 == webserver
192.168.2.1 == "internet"
192.168.0.1 > 192.168.1.1
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: mywebapp.example.com
DNT: 1
Via: 1.1 proxy.somecompany.com (squid/3.1.20)
X-Forwarded-For: 192.168.2.1
Cache-Control: max-age=259200
192.168.1.1 > 192.168.2.1
GET /mywebapp HTTP/1.1
Host: www.example.com:8080
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
DNT: 1
Via: 1.1 proxy.somecompany.com (squid/3.1.20)
X-Forwarded-For: 192.168.2.1, 192.168.0.1
Cache-Control: max-age=259200
X-Forwarded-Host: mywebapp.example.com
X-Forwarded-Server: mywebapp.example.com
Connection: Keep-Alive
192.168.2.1 > 192.168.1.1
GET /mywebapp HTTP/1.1
Host: www.example.com:8080
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
DNT: 1
Via: 1.1 proxy.somecompany.com (squid/3.1.20)
X-Forwarded-For: 192.168.2.1, 192.168.0.1
Cache-Control: max-age=259200
X-Forwarded-Host: mywebapp.example.com
X-Forwarded-Server: mywebapp.example.com
Connection: Keep-Alive
192.168.1.1 > 192.168.2.1
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://mywebapp.example.com:8080/mywebapp/
Content-Length: 0
Date: Thu, 04 Apr 2013 05:14:44 GMT
192.168.2.1 > 192.168.1.1
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://mywebapp.example.com:8080/mywebapp/
Content-Length: 0
Date: Thu, 04 Apr 2013 05:14:44 GMT
192.168.1.1 > 192.168.0.1
HTTP/1.1 302 Moved Temporarily
Date: Thu, 04 Apr 2013 05:14:44 GMT
Server: Apache-Coyote/1.1
Location: http://mywebapp.example.com:8080/mywebapp/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
192.168.2.1 > 192.168.1.1
GET /mywebapp/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: mywebapp.example.com:8080
192.168.1.1 > 192.168.2.1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Encoding: gzip
Expires: 0
Cache-Control: no-cache,must-revalidate
X-App-Theme: default
Set-Cookie: JSESSIONID=81CE83D61454A8E75C222759FA118338; Path=/mywebapp
X-App: 1.395
X-App2: 1.508
X-App2-Session: e797c95b
X-App-CLI-Port: 36143
X-App2-CLI-Port: 36143
X-App2-CLI2-Port: 36143
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjEfz8W2LiYRfrJQYH35uwtgQBpy0g6bTvBaTuARRpVLUmi+lnEfD/nVJY4GJoSfGzgnJAQ3MSqX+e1F4y2Jg5hwa2L0jibpb//BbfIMZkYZk8CtLMrkGvLC1nB7sghXupWOUOhWnzFq+a+LHSANNqfaMs9k6xJI6rvwIDAQAB
Content-Type: text/html;charset=UTF-8
Content-Length: 3879
Date: Thu, 04 Apr 2013 05:14:44 GMT
192.168.2.1 > 192.168.1.1
GET /mywebapp/static/e797c95b/css/style.css HTTP/1.1
Accept: text/css
Referer: http://mywebapp.example.com:8080/mywebapp/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: mywebapp.example.com:8080
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=81CE83D61454A8E75C222759FA118338
192.168.1.1 > 192.168.2.1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 25 Mar 2013 20:17:34 GMT
Expires: Fri, 04 Apr 2014 05:14:44 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Type: text/css
Content-Length: 5763
Date: Thu, 04 Apr 2013 05:14:44 GMT
192.168.2.1 > 192.168.1.1
GET /mywebapp/static/e797c95b/css/color.css HTTP/1.1
Accept: text/css
Referer: http://mywebapp.example.com:8080/mywebapp/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: mywebapp.example.com:8080
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=81CE83D61454A8E75C222759FA118338
Update 3:
Adding my current /etc/httpd/conf/httpd.conf
file to show updates/changes so far.
<VirtualHost *:80>
ServerName mywebapp.example.com
ProxyPass / http://www.example.com:8080/mywebapp/
ProxyPassReverse / http://www.example.com:8080/mywebapp/
ProxyRequests off
RewriteEngine on
RewriteRule ^(/.*) http://www.example.com:8080/mywebapp/$1 [P]
# ProxyPreserveHost On
<Proxy http://www.example.com:8080/mywebapp*>
Order deny,allow
Allow from all
</Proxy>
ErrorLog logs/mywebapp.example.com-error_log
CustomLog logs/mywebapp.example.com-access_log common
</VirtualHost>
Best Answer
Don't have a box available for testing right now, but what you are seeing is a 302 redirect coming from your tomcat. Always happens that way if you request a directory index without the trailing slash.
Try the following ProxyPass and ProxyPassReverse configuration:
Note the trailing slash. That should avoid the 302 temporary redirect.
Edit: for the static stuff, try adding:
This basically says to take every request from the root of your webserver and hand it over to the proxy module.