Spring Boot with embedded Tomcat behind Apache SSL proxy - spring

I'm searching for a solution to be able to run a Spring application behind an Apache SSL proxy. I tried a lot of configurations without success. All Spring responses go to http causing a Not Found error.
The following is the Apache configuration:
SetEnv proxy-initial-not-pooled 1
ProxyPreserveHost On
KeepAlive On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ServerName server.mydomain.dom
ProxyTimeout 600
ProxyPass /excluded !
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPass / http://127.0.0.1:8081/
ProxyPassReverse / http://127.0.0.1:8081/
These are the Spring options:
server.port=8081
server.forward-headers-strategy=NATIVE
#server.tomcat.redirect-context-root=false
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
server.tomcat.internal-proxies=.*
I'm using Spring Boot 2.5.6 on Apache Tomcat/9.0.54. The OS Apache is a 2.4.25 version running on a Debian 9.13.
The problem seems to happen after logging in to the application and logging out. If I substitute https for http after the login action, I'm able to navigate the application. All links work fine until I log out. When I log out, the application goes to http again.

I solved the problem. The first step was to add
server.tomcat.use-relative-redirects=true
in the application.properties. With this directive, the proxy works fine.
In the end, I configured the Apache/application setup to use AJP.
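An added example, not part of the original posts: a simplified Python model of how a Tomcat-style remote-IP check decides whether to believe X-Forwarded-Proto, and why a relative redirect avoids the http Location seen in the question. The function names, the loopback-only pattern and the sample addresses are assumptions; the `.*` pattern and the host name come from the question.

```python
import re

# Added example: simplified model of Tomcat-style forwarded-header handling.
# Patterns are full-matched against the TCP peer address, like internal-proxies.
TRUST_ANY = r".*"                    # value used in the question above
LOOPBACK_ONLY = r"127\.0\.0\.1|::1"  # assumed: Apache runs on the same host


def effective_scheme(peer_addr, headers, internal_proxies):
    """Scheme the application believes the client used."""
    trusted = re.fullmatch(internal_proxies, peer_addr) is not None
    proto = headers.get("x-forwarded-proto", "").strip().lower()
    if trusted and proto == "https":
        return "https"
    # Otherwise the connector's own scheme applies: Apache -> 127.0.0.1:8081 is HTTP.
    return "http"


def redirect_location(path, peer_addr, headers, internal_proxies, relative):
    """Location header the application sends for a redirect to `path`."""
    if relative:
        # use-relative-redirects=true: no scheme or host is emitted, so the
        # browser resolves the path against the https URL it already used.
        return path
    scheme = effective_scheme(peer_addr, headers, internal_proxies)
    return f"{scheme}://{headers['host']}{path}"


# Constructed requests (addresses are sample values, not from the page).
VIA_APACHE = ("127.0.0.1", {"host": "server.mydomain.dom",
                            "x-forwarded-proto": "https"})
HEADER_LOST = ("127.0.0.1", {"host": "server.mydomain.dom"})
DIRECT_PEER = ("203.0.113.7", {"host": "server.mydomain.dom",
                               "x-forwarded-proto": "https"})


def demo():
    """Absolute and relative Location for each request under each pattern."""
    rows = []
    for name, (peer, hdrs) in [("via_apache", VIA_APACHE),
                               ("header_lost", HEADER_LOST),
                               ("direct_peer", DIRECT_PEER)]:
        for pattern in (TRUST_ANY, LOOPBACK_ONLY):
            rows.append((name, pattern,
                         redirect_location("/login", peer, hdrs, pattern, False),
                         redirect_location("/login", peer, hdrs, pattern, True)))
    return rows
```

With the loopback-only pattern the forwarded scheme is believed only when the connection comes from the local Apache; with `.*` it is believed from any peer that can reach port 8081.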

Related

Keycloak as subresource behind Apache2

Keycloak is running on Docker image jboss/keycloak and environment variable PROXY_ADDRESS_FORWARDING is set to true. I would like to set up Keycloak behind an Apache2 webserver as a subresource. When my Apache configuration is:
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
I have access to Keycloak, however I'm losing access to other resources on the server, for example /panel or /wordpress. I've tried to do the following:
ProxyPass /keycloak/ http://127.0.0.1:8080/
ProxyPassReverse /keycloak/ http://127.0.0.1:8080/
But with the above configuration I'm redirected to /auth on the server instead of Keycloak's auth.
Could you help me to configure Keycloak as a subresource on an Apache2 webserver?
I found a way to make it work. I created the following Dockerfile:
FROM jboss/keycloak
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml
After rebuilding the image I changed my Apache2 configuration as follows:
ProxyPass /keycloak/ http://127.0.0.1:8080/keycloak/
ProxyPassReverse /keycloak/ http://127.0.0.1:8080/keycloak/
Now Keycloak works from the same domain as a subresource.

Setup apache2 to forward to Glassfish 4

I have a fresh Ubuntu 16.04 server and a simple html website running with apache 2.
An SSL certificate is also installed. Apache2 is already configured to forward automatically to https.
Furthermore I have a java application running on Glassfish 4 under contextroot myApp. I can access it under http://mydomain.io:8080/myApp
How can I configure Apache to forward all requests for https://mydomain.io/myApp/ to Glassfish? I don't want to use mod_jk, just Apache.
Thanks
UPDATE
In the meantime I tried this with mod_rewrite:
ProxyPass /myApp/ http://localhost:8080/myApp/
ProxyPassReverse /myApp/ http://localhost:8080/myApp/
in /etc/apache2/sites-enabled/000-default.conf
but it's not working!
Finally I solved the problem by inserting the following lines
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
in the VirtualHost configuration file located in /etc/apache2/sites-available/, as suggested on this website.

Spring Redirect Command Redirects to Localhost under Load Balancer

I have a Java web app built with Spring MVC running on Tomcat proxied with Apache Httpd running on an EC2 instance at AWS and configured a load balancer with SSL.
The request
https://some_domain/first_uri
first goes to load-balancer, load-balancer redirects the connection to Apache as (https to http because SSL is configured for the load-balancer)
http://some_domain/first_uri
Apache redirects to the localhost (Tomcat).
When the controller for "/first_uri" makes a redirect like
redirect:https://sub.some_domain/some_uri
I see the result at browser as
https://localhost/first_uri
I just couldn't figure out what I must configure here: Spring, the Apache HTTPD or the load balancer?
If someone has faced the same issue, please help.
Note: Also using Spring Security.
Note 2: I just tried without SSL (using http) and the same thing happens, so I think this is not related to the https usage.
Update: This problem may occur only when I try to redirect to a subdomain.
The following worked for me:
In tomcat server.xml:
(mostly at /opt/tomcat/conf/server.xml)
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
proxyName="localhost"
proxyPort="443"
scheme="https"/>
Here proxyName is "localhost".
Change proxyName to your required domain.
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
proxyName="mydomain.com"
proxyPort="443"
scheme="https"/>
Refer: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Proxy_Support
Solution: ProxyPreserveHost must be turned off!
Reason: If it is switched on, the response headers returned by the proxy backend will contain “localhost” or the real domain without the port number (or 80). So the ProxyPassReverse pattern does not match (because of the different port and if another domain name is used, also the domain name will not match).
Config:
<VirtualHost localhost:80>
ProxyPreserveHost Off
ProxyPass / http://localhost:8080/WebApp/
ProxyPassReverse / http://localhost:8080/WebApp/
</VirtualHost>
But this works only via http, not via ajp (I don’t know why).
If you still want to use ajp you could use the following workaround - Let Apache do another redirect after the wrong redirect:
<VirtualHost localhost:80>
ProxyPass /WebApp !
ProxyPass / ajp://localhost:8009/WebApp/
ProxyPassReverse / ajp://localhost:8009/WebApp/
RedirectMatch 301 ^/WebApp/(.*)$ /$1
RedirectMatch 301 ^/WebApp$ /
</VirtualHost>
The ProxyPass /WebApp ! directive is needed to exclude the path from further processing in mod_proxy (because proxy directives are evaluated before redirect directives).
Then the RedirectMatch directives redirect everything starting with /WebApp/... or /WebApp, respectively, to the URL without /WebApp at the beginning.
The only drawback is that you must not have any subfolder named WebApp in your web application.
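The mismatch described in the answer above, as an added example that is not part of the original answer: a simplified Python model of ProxyPassReverse prefix matching for the mapping of / to http://localhost:8080/WebApp/. The function names and the way the backend builds its redirect from the Host header are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Added example: simplified model of ProxyPassReverse prefix matching.
# Directive modelled: ProxyPassReverse / http://localhost:8080/WebApp/
FRONT_PATH = "/"
BACKEND_URL = "http://localhost:8080/WebApp/"


def backend_redirect(host_seen_by_backend, path):
    """Absolute Location a backend builds from the Host header it received."""
    return f"http://{host_seen_by_backend}/WebApp{path}"


def proxy_pass_reverse(location, front_scheme, front_host):
    """Rewrite Location only if it starts with the configured backend URL."""
    if location.lower().startswith(BACKEND_URL.lower()):
        rest = location[len(BACKEND_URL):]
        return f"{front_scheme}://{front_host}{FRONT_PATH}{rest}"
    return location  # no prefix match: header is passed through unchanged


def client_sees(preserve_host, client_host, path="/home"):
    """Location the browser receives for one proxied redirect."""
    # ProxyPreserveHost On forwards the client's Host; Off sends the backend's.
    backend_host = client_host if preserve_host else urlsplit(BACKEND_URL).netloc
    location = backend_redirect(backend_host, path)
    return proxy_pass_reverse(location, "http", client_host)


if __name__ == "__main__":
    print("ProxyPreserveHost Off:", client_sees(False, "localhost"))
    print("ProxyPreserveHost On: ", client_sees(True, "localhost"))
```

With ProxyPreserveHost On the backend's Location lacks the :8080 port, so the prefix does not match and the /WebApp path reaches the browser unrewritten.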
After viewing this answer, I set the below setting on my httpd.conf (at the end of the document):
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
And after that configuration, Spring started to redirect to the proper domain again :) I hope this will help many like me, thanks to all!

Mod Rewrite or Mod Proxy setup for tomcat and apache

Assuming I have a domain name called "stackoverflow.com"
I have apache tomcat 7 running an application with context root as /mainsite
I can access this locally as http://stackoverflow.com:8080/mainsite
Apache tomcat is running on 8080 port.
I have an Apache web server running two more PHP applications on port number 80.
One of the Apache applications is a blog.
Another Apache application is a forum.
My URL to access the blog is "https://stackoverflow.com/blog"
My URL to access the forum is "https://stackoverflow.com/forum"
I want to send all requests with url like https://stackoverflow.com/* to mainsite on tomcat
Any url with https://stackoverflow.com/blog or https://stackoverflow.com/forum to be served by apache.
Please let me know how to do this.
I tried something like this in httpd.conf
but it is sending every call made to /mainsite.
ProxyPass /blog https://stackoverflow.com/wordpress-3.8.2/wordpress/
ProxyPassReverse /blog https://stackoverflow.com/wordpress-3.8.2/wordpress/
ProxyPass /forum http://localhost/phpBB3/
ProxyPassReverse /forum http://localhost/phpBB3/
ProxyPass / http://localhost:8080/mainsite/
ProxyPassReverse / http://localhost:8080/mainsite/
Thanks in advance for your help.
Do the others work if you remove the last two lines? Proxying the root directory could be a problem, because that also includes the subdirs. I suggest you rewrite the last lines to
ProxyPass /mainsite http://localhost:8080/mainsite/
ProxyPassReverse /mainsite http://localhost:8080/mainsite/
And then add a permanent redirect in the index.html of the apache running at port 80.

sonar 3.6 https configuration

I have just upgraded from Sonar 3.2.1 to Sonar 3.6. I was able to configure Sonar 3.2.1 to use https by placing a jetty.xml file in SONAR_HOME. The same approach does not seem to work for Sonar 3.6 and from looking at the source for org.sonar.application.JettyEmbedder I think the https port is hard-coded to 8443. FYI, the embedded jetty version is 7.6.11.
The relevant Sonar FAQ reads thus:
Can SonarQube run in HTTPS mode?
No. But you can run SonarQube in a standard HTTPS infrastructure using reverse proxy (in this case the reverse proxy must be configured to set the value 'X_FORWARDED_PROTO: https' in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP).
If this is true then Sonar has taken a step backwards security-wise. Is there an alternative way to configure Sonar/Jetty to run on https?
You can install Apache on the same machine and set reverse proxy.
Your http://your-sonar-host.com address needs to run on port 80. Apache will forward it to 9000 (sonar runs on port 9000)
After installing Apache, open the configuration and type the following:
<Location />
ProxyPass http://your-sonar-host.com:9000/
ProxyPassReverse http://your-sonar-host.com:9000/
RequestHeader set X_FORWARDED_PROTO 'https'
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</Location>
There is nothing else you need to do.
