Re: Apache httpd / tomcat AJP connector(s?)
Am 08.05.2019 um 10:14 schrieb Mark Thomas: On 07/05/2019 13:37, André Warnier (tomcat) wrote: Hi. On 26.04.2019 18:16, Mark Thomas wrote: On 24/04/2019 10:58, André Warnier (tomcat) wrote: Hi. This is somewhat of an arcane question and somewhat straddling httpd and tomcat, so if I'm on the wrong list for this, just let me know. Here is fine. We can always move the thread if necessary. The question is : is there any particular reason why the combination mod_proxy + mod_proxy_ajp (in httpd), does not seem to follow the ProxyPreserveHost directive, when proxying something from httpd to tomcat ? None that I am aware of. I've complete a quick test with httpd 2.4.34 and Tomcat 9.0.x and I see the host header is passed via AJP as expected. I suggest wireshark to look at what is on the wire. I haven't done a wireshark trace yet. But as a cheap approximation for now, I tried to use the (tomcat) Access Log to see what was going on, and there I hit another (but I believe related) issue : According to : http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Access_Log_Valve some patterns available are : - %p - Local port on which this request was received. and - %{xxx}p write local (server) port (xxx==local) or remote (client) port (xxx=remote) So if I understand this right, "%{local}p" should print the same as "%p", and both should be "the local port on which this request was received". When using AJP the original values as received by httpd and passed by AJP are injected into the Tomcat request so things like redirects are generated correctly without additional configuration. It is one of those scenarios where things happen by "magic" which are great when it works bur can make debugging more complicated. Mark Don't know whether it really helps, but long time ago I but some infos on http://tomcat.apache.org/connectors-doc/common_howto/proxy.html Concerning %p versus %{local}p and %{remote}p: I think the idea is %p is just the originally supported format and now also the short form of %{local}p. The various sub types of %p (local and remote) IMHO were added later similar to what the Apache web server supports. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache httpd / tomcat AJP connector(s?)
On 07/05/2019 13:37, André Warnier (tomcat) wrote: > Hi. > > On 26.04.2019 18:16, Mark Thomas wrote: >> On 24/04/2019 10:58, André Warnier (tomcat) wrote: >>> Hi. >>> >>> This is somewhat of an arcane question and somewhat straddling httpd and >>> tomcat, so if I'm on the wrong list for this, just let me know. >> >> Here is fine. We can always move the thread if necessary. >> >>> The question is : is there any particular reason why the combination >>> mod_proxy + mod_proxy_ajp (in httpd), does not seem to follow the >>> ProxyPreserveHost directive, when proxying something from httpd to >>> tomcat ? >> >> None that I am aware of. >> >> I've complete a quick test with httpd 2.4.34 and Tomcat 9.0.x and I see >> the host header is passed via AJP as expected. >> >> I suggest wireshark to look at what is on the wire. > > I haven't done a wireshark trace yet. > But as a cheap approximation for now, I tried to use the (tomcat) Access > Log to see what was going on, and there I hit another (but I believe > related) issue : > > According to : > http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Access_Log_Valve > some patterns available are : > - %p - Local port on which this request was received. > and > - %{xxx}p write local (server) port (xxx==local) or remote (client) port > (xxx=remote) > > So if I understand this right, "%{local}p" should print the same as > "%p", and both should be "the local port on which this request was > received". When using AJP the original values as received by httpd and passed by AJP are injected into the Tomcat request so things like redirects are generated correctly without additional configuration. It is one of those scenarios where things happen by "magic" which are great when it works bur can make debugging more complicated. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache httpd / tomcat AJP connector(s?)
Hi. On 26.04.2019 18:16, Mark Thomas wrote: On 24/04/2019 10:58, André Warnier (tomcat) wrote: Hi. This is somewhat of an arcane question and somewhat straddling httpd and tomcat, so if I'm on the wrong list for this, just let me know. Here is fine. We can always move the thread if necessary. The question is : is there any particular reason why the combination mod_proxy + mod_proxy_ajp (in httpd), does not seem to follow the ProxyPreserveHost directive, when proxying something from httpd to tomcat ? None that I am aware of. I've complete a quick test with httpd 2.4.34 and Tomcat 9.0.x and I see the host header is passed via AJP as expected. I suggest wireshark to look at what is on the wire. I haven't done a wireshark trace yet. But as a cheap approximation for now, I tried to use the (tomcat) Access Log to see what was going on, and there I hit another (but I believe related) issue : According to : http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Access_Log_Valve some patterns available are : - %p - Local port on which this request was received. and - %{xxx}p write local (server) port (xxx==local) or remote (client) port (xxx=remote) So if I understand this right, "%{local}p" should print the same as "%p", and both should be "the local port on which this request was received". However, - in our tomcat 8.5 setup, there is /only/ the AJP Connector enabled, on port 8009. So this would be the only local port on which a request /can/ be received. (There is also a single , the default "localhost"). - correspondingly, in the front-end Apache httpd, some requests are proxied to tomcat, via a directive like Proxypass /zzz/ ajp://locahost:8009/zzz/ (and no other Proxy directives to any other port than 8009) - in httpd, there is also a directive which forces the "Host" header of the proxied requests, to be (edited) SetEnvIf Request_URI "^/zzz/" isMyReq=yes RequestHeader set Host "www.myhost.com:8083" env=isMyReq (*)(**) (So the net result is, that any request coming in for "^/zzz/", gets proxied to localhost's Tomcat's AJP port 8009, but with a "Host" header which mentions a different hostname:port) and the surprising thing is : In the tomcat access log, both "%p" and "%{local}p" print "8083" as the port. (and I have not found a way to print "8009", which is the /real/ local port on which this request is received, which can only be "8009") So it looks as if, in any case that I have tested, the "port" part of the "Host" header of the request received by tomcat, *overrides* the "local port" part of both "%p" and "%{local}p", which does not seem to be the original intention (otherwise, why have separate "%p" and "%{local}p" format specifiers ?) It also seems that there is no format pattern available which prints a clue about the real Connector/port on which the request was received. (That's more of an enhancement request, but this is really missing (for debugging) in some complicated configuration/usage scenarios). Additional note/disclaimer : I apologise for not having had the occasion so far to configure and perform some real exhaustive test scenarios (in this case I am working on customer systems, and they also want to use them sometimes). I have also experienced some similar phenomenons (or confusion) like the above regarding the "hostname" part of the requests (and for example the "proxyName/proxyPort" attributes of the Connector, and/or the "Alias" tag inside the ). It could be just the documentation that is somewhat confusing; it feels like some things are a bit "out of sync", but it is hard to tell if one should start from the documentation and check if the code matches it, or in reverse. (*) there are more sets like that one, with different host:port combinations. (**) the reason for this complicated setup, is that there are 2 front-end proxies in sequence before tomcat (plus a tomcat application which generates its own self-referencing links). Plus some clients which access the application through SSH tunnels on different ports. And, we need tomcat to return links which reference the *first* of the front-line proxies (which is the "public" host for the application), but also the port to which the client issued its own original request. So it makes for some interesting URL-rewriting and Proxy rules, of which the above is only a small sample. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache httpd / tomcat AJP connector(s?)
On 24/04/2019 10:58, André Warnier (tomcat) wrote: > Hi. > > This is somewhat of an arcane question and somewhat straddling httpd and > tomcat, so if I'm on the wrong list for this, just let me know. Here is fine. We can always move the thread if necessary. > The question is : is there any particular reason why the combination > mod_proxy + mod_proxy_ajp (in httpd), does not seem to follow the > ProxyPreserveHost directive, when proxying something from httpd to tomcat ? None that I am aware of. I've complete a quick test with httpd 2.4.34 and Tomcat 9.0.x and I see the host header is passed via AJP as expected. I suggest wireshark to look at what is on the wire. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Apache httpd / tomcat AJP connector(s?)
Hi. This is somewhat of an arcane question and somewhat straddling httpd and tomcat, so if I'm on the wrong list for this, just let me know. The question is : is there any particular reason why the combination mod_proxy + mod_proxy_ajp (in httpd), does not seem to follow the ProxyPreserveHost directive, when proxying something from httpd to tomcat ? Re : - http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypreservehost quote : "When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line." - https://httpd.apache.org/docs/current/mod/mod_proxy_ajp.html quote : "Note that usually no ProxyPassReverse directive is necessary. The AJP request includes the original host header given to the proxy, and the application server can be expected to generate self-referential headers relative to this host, so no rewriting is necessary." - http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Proxy_Support case : Apache/2.4.25 (Debian) Apache Tomcat/8.5.14 (Debian) (on the same host "debx-dev") (Note: the configuration listed below is fictitious, interpreted/anonymised/summarised for the sake of example. I may thus have committed some typo/error; but I hope it provides a clear enough idea). # uname -a Linux debx-dev 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux On "debx-dev" : /etc/hosts : 127.0.0.1 localhost myvhost.com mytomcathost.com httpd config : ... Servername myvhost.com ... ProxyPass /mypath ajp://mytomcathost.com:8009/mypath ProxyPassReverse / ajp://mytomcathost.com:8009/ ProxyPreserveHost on ... tomcat server.xml : ... ... ... myvhost.com mytomcathost.com ... Request sent to httpd with URL like : http://myvhost.com/mypath Received "Host" header in httpd : Host: myvhost.com Request proxied to tomcat according to above config. Received "Host" header in tomcat : Host: mytomcathost.com ? - Setting "ProxyPreserveHost off" in httpd does not change the behaviour in any obvious way - removing or modifying the "proxyName" attribute in the Connector does not change the content of the received Host header in any way (*); neither do the directives inside the According to the documentation referenced above, I would expect that the Host header as received by tomcat would be Host: myvhost.com but that does not seem to be the case. So is this a case of the documentation being wrong, or me misunderstanding it, or a feature in mod_proxy/mod_proxy_ajp, or a bug in mod_proxy/mod_proxy_ajp, or something else ? (*) this may well be changing the result of request.getServerName() and request.getServerPort() methods in tomcat, and I have not tested that. But the point here concerns the received "Host" header itself. (**) I have not really tested this right now, but I believe that when using mod_proxy + mod_proxy_http, to proxy requests to tomcat over HTTP, the ProxyPreserveHost directive *does* change the request Host header content. (It definitely does when the back-end system proxied-to is another Apache httpd instead of tomcat) - Note : in a more general sense, I would suggest this additionally : (I am mentioning this here, just in case such options would be handled by mod_proxy_ajp rather than mod_proxy per se, and could be looked at at the same time as the main issue above). In httpd, the "ProxyPass" directive admits a series of "options" such as ProxyPass [path] !|url [key=value [key=value ...]] [nocanon] [interpolate] [noquery] These have an effect on /this/ ProxyPass directive only (as opposed to /all/ ProxyPass directives). The "ProxyPreserveHost" on the other hand seems "global" in effect, which seems to not allow doing this selectively, maybe depending on the request URI or the back-end host being proxied to. It would seem more flexible (and clear) to implement the ProxyPreserveHost selectively, as one of the options of the ProxyPass directive, like e.g. ProxyPass /mypath ajp://mytomcathost.com:8009/mypath preservehost=[on|off] (It may even be possible to handle this in such a way as to "override" the global ProxyPreserveHost directive, so as to preserve backward configuration compatibility). Thank you. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org