On Sat, Apr 18, 2020 at 1:46 AM Mark Thomas <ma...@apache.org> wrote:
>
> On 17/04/2020 18:15, rugman66 . wrote:
> > Made correction to ProxyPass and ProxyPassReverse.
>
> Good. Changing the context path in the reverse proxy opens up the
> possibility for all sorts of breakage and is generally best avoided if
> at all possible.
>
> <snip/>
>
> > I have Apache 2.4.6 running as reverse proxy for Tomcat 7.0.96, both
> > running SSL, and a functioning redirect from HTTP to HTTPS for both
> > Apache and Tomcat. ( Need to use both these releases due to IT
> > availability and app requirements )
> > Prior to enabling SSL on both a Json GET command made to the
> > application worked. Now after enabling SSL and the Apache redirect,
> > when the json calls are made to the application with the URL starting
> > with HTTP:// that should be
> > redirected to HTTPS:// the following error occurs.
> >
> > 415 Unsupported media type
> > "message": "Unsupported Media Type in Header"
>
> Can you tell where that error message is coming from? httpd? Tomcat? The
> application?
>
> > When the same json GET command is issued to the same URL using
> > HTTPS:// it works. It looks as if communication is breaking down
> > between Apache and Tomcat.
>
> What URL is used with that GET?
>
> What appears in the access logs (httpd and Tomcat) for each of those?
>
> Can you also log the HTTP headers sent and received by the client for
> each request?
>
> > Apache
>
> I'm no httpd expert...
>
> > <VirtualHost *:80>
> > ServerName http://foo.domain.com
> > Redirect / https://foo.domain.com/
> > </VirtualHost>
>
> But the above looks to be consistent with:
> https://cwiki.apache.org/confluence/display/HTTPD/RedirectSSL
>
> > <VirtualHost _default_:443>
> > SSLEngine on
> > SSLProxyProtocol all
> > SSLCertificateFile "/auto/foo/ssl_certificate/cert.cer"
> > SSLCertificateChainFile "/auto/some-path/ssl_certificate/chain.cer"
> > SSLCertificateKeyFile "/auto/some-path/ssl_certificate/some.key"
> > SSLCipherSuite "ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
> > ServerName "foo.domain.com"
> > TraceEnable Off
> > ProxyRequests Off
> > ProxyPreserveHost Off
> > SSLProxyEngine on
> > AddDefaultCharset utf-8
> > AddType 'application/json; charset=UTF-8' .json
> > ProxyPass "/app" "https://foo.domain.com:8443/app"
> > ProxyPassReverse "/app" "https://foo.domain.com:8443/app"
> > </VirtualHost>
>
> Hmm. I'm wondering about that AddType but it looks OK.
>
> > Tomcat
> >
> > <Connector port="8110" protocol="HTTP/1.1"
> > connectionTimeout="20000"
> > redirectPort="443"
> > proxyName="foo.domian.com"
> > ProxyPort="80"
>
> Will this become unnecessary once the HTTPS redirect is working? The
> redirect will always happen in httpd.
>
> > <Connector
> > port="8443"
> > scheme="https"
> > secure="true"
> > protocol="org.apache.coyote.http11.Http11AprProtocol"
> > SSLEnabled="true"
> > SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
> > SSLCertificateFile="/auto/foo/ssl_certificate/cert.cer"
> > SSLCertificateChainFile="/auto/some-path/ssl_certificate/chain.cer"
> > SSLCertificateKeyFile="/auto/some-path/ssl_certificate/some.key"
> > maxThreads="150"
> > clientAuth="false"
> > SSLProtocol="TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
> > maxHttpHeaderSize="32768"
> > URIEncoding="UTF-8"
> > />
>
> Again, looks to be OK.
>
> > Appreciate any insight.
>
> I'd want to look at exactly what was in each request/response at each
> stage of this.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Hi Mark,

Answers inline below.

Can you tell where that error message is coming from? httpd? Tomcat? The application?

HTTPD log

[Tue Apr 21 13:39:33.741636 2020] [ssl:info] [pid 38749] [client 10.24.61.248:52733] AH01964: Connection to child 0 established (server foo:443)
[Tue Apr 21 13:39:33.781069 2020] [proxy:trace2] [pid 38749] proxy_util.c(1985): [client 10.24.61.248:52733] https: found worker https://foo:8443/foo for https://foo:8443/foo/api/completions.json?username=foo, referer: http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781119 2020] [proxy:debug] [pid 38749] mod_proxy.c(1123): [client 10.24.61.248:52733] AH01143: Running scheme https handler (attempt 0), referer: http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781150 2020] [proxy:debug] [pid 38749] proxy_util.c(2203): AH00942: HTTPS: has acquired connection for (foo.com)
[Tue Apr 21 13:39:33.781476 2020] [proxy:debug] [pid 38749] proxy_util.c(2256): [client 10.24.61.248:52733] AH00944: connecting https://foo:8443/app/api/completions.json?username=foo to foo:8443, referer: http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781553 2020] [proxy:debug] [pid 38749] proxy_util.c(2426): [client 10.24.61.248:52733] AH00947: connected /app/api/completions.json?username=foo to foo:8443, referer: http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781706 2020] [proxy:trace2] [pid 38749] proxy_util.c(2768): HTTPS: fam 2 socket created to connect to foo.com
[Tue Apr 21 13:39:33.781938 2020] [proxy:debug] [pid 38749] proxy_util.c(2802): AH02824: HTTPS: connection established with 171.71.174.236:8443 (foo.com)
[Tue Apr 21 13:39:33.781971 2020] [proxy:debug] [pid 38749] proxy_util.c(2942): AH00962: HTTPS: connection complete to 171.71.174.236:8443 (foo.com)
[Tue Apr 21 13:39:33.781982 2020] [ssl:info] [pid 38749] [remote 171.71.174.236:8443] AH01964: Connection to child 0 established (server foo:443)
[Tue Apr 21 13:39:33.796042 2020] [proxy:debug] [pid 38749] proxy_util.c(2218): AH00943: https: has released connection for (foo.com)
[Tue Apr 21 13:39:38.798293 2020] [ssl:info] [pid 38749] (70007)The timeout specified has expired: [client 10.24.61.248:52733] AH01991: SSL input filter read failed.

Tomcat log (I'm trying to get more debug level logging)

2020-04-21 13:39:33 INFO app.CompletionRestController Unsupported Media Type in Header

Postman

415 Unsupported Media Type
GET URL http://server.com/app/api/completions.json?username=foo

Both Tomcat and Apache are running SSL because all internal endpoints are required to be secure.

Thanks
-John
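
One way to capture what Mark asks for, the status and headers at each stage of the redirected request, as an added example that is not code from the thread: `trace_hops` follows the redirect one hop at a time instead of letting the client do it silently. The local `DemoHandler` server and its `/plain/` and `/secure/` paths are constructed stand-ins for the port 80 redirect and the proxied application.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

def trace_hops(url, headers, max_hops=5):
    """GET url without auto-following redirects; return one record per hop."""
    hops = []
    for _ in range(max_hops):
        u = urlsplit(url)
        cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
        conn = cls(u.netloc, timeout=10)
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""), headers=headers)
        resp = conn.getresponse()
        location = resp.getheader("Location")
        # "sent" holds the caller-supplied headers; http.client adds Host itself.
        hops.append({"url": url, "sent": dict(headers), "status": resp.status,
                     "received": dict(resp.getheaders()),
                     "body": resp.read().decode("utf-8", "replace")})
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)  # next hop, resolved the way a client would
    return hops

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: /plain/... redirects to /secure/..., which echoes Accept."""
    def do_GET(self):
        if self.path.startswith("/plain/"):
            self.send_response(302)
            self.send_header("Location", self.path.replace("/plain/", "/secure/", 1))
            body = b""
        else:
            self.send_response(200)
            body = (self.headers.get("Accept") or "").encode()
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/plain/app/api/completions.json?username=foo" % srv.server_port
        return trace_hops(url, {"Accept": "application/json"})
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for hop in demo():
        print(hop["status"], hop["url"], hop["received"])
```

Run against the real `http://` URL with the same headers Postman sends, the per-hop records show which hop returns the 415 and what headers came back with it.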