On Sat, Apr 18, 2020 at 1:46 AM Mark Thomas <ma...@apache.org> wrote:
>
> On 17/04/2020 18:15, rugman66 . wrote:
> > Made correction to ProxyPass and ProxyPassReverse.
>
> Good. Changing the context path in the reverse proxy opens up the
> possibility for all sorts of breakage and is generally best avoided if
> at all possible.
>
> <snip/>
>
> > I have Apache 2.4.6 running as reverse proxy for Tomcat 7.0.96, both
> > running SSL, and a functioning redirect from HTTP to HTTPS for both
> > Apache and Tomcat. (Need to use both these releases due to IT
> > availability and app requirements.)
> > Prior to enabling SSL on both, a JSON GET command made to the
> > application worked. Now, after enabling SSL and the Apache redirect,
> > when the JSON calls are made to the application with the URL starting
> > with HTTP:// that should be
> > redirected to HTTPS://, the following error occurs.
> >
> > 415 Unsupported media type
> >                 "message": "Unsupported Media Type in Header"
>
> Can you tell where that error message is coming from? httpd? Tomcat? The
> application?
>
> > When the same JSON GET command is issued to the same URL using
> > HTTPS:// it works. It looks as if communication is breaking down
> > between Apache and Tomcat.
>
> What URL is used with that GET?
>
> What appears in the access logs (httpd and Tomcat) for each of those?
>
> Can you also log the HTTP headers sent and received by the client for
> each request?
>
> > Apache
>
> I'm no httpd expert...
>
> > <VirtualHost *:80>
> >    ServerName http://foo.domain.com
> >    Redirect / https://foo.domain.com/
> > </VirtualHost>
>
> But the above looks to be consistent with:
> https://cwiki.apache.org/confluence/display/HTTPD/RedirectSSL
>
> > <VirtualHost _default_:443>
> > SSLEngine on
> > SSLProxyProtocol all
> > SSLCertificateFile "/auto/foo/ssl_certificate/cert.cer"
> > SSLCertificateChainFile "/auto/some-path/ssl_certificate/chain.cer"
> > SSLCertificateKeyFile "/auto/some-path/ssl_certificate/some.key"
> > SSLCipherSuite "ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
> > ServerName "foo.domain.com"
> > TraceEnable Off
> > ProxyRequests Off
> > ProxyPreserveHost Off
> > SSLProxyEngine on
> > AddDefaultCharset utf-8
> > AddType 'application/json; charset=UTF-8' .json
> > ProxyPass               "/app" "https://foo.domain.com:8443/app";
> > ProxyPassReverse        "/app" "https://foo.domain.com:8443/app";
> > </VirtualHost>
>
> Hmm. I'm wondering about that AddType but it looks OK.
>
> > Tomcat
> >
> > <Connector port="8110" protocol="HTTP/1.1"
> >                connectionTimeout="20000"
> >                redirectPort="443"
> >                proxyName="foo.domian.com"
> >                ProxyPort="80"
>
> Will this become unnecessary once the HTTPS redirect is working? The
> redirect will always happen in httpd.
>
> > <Connector
> >          port="8443"
> >          scheme="https"
> >          secure="true"
> >          protocol="org.apache.coyote.http11.Http11AprProtocol"
> >          SSLEnabled="true"
> >          SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
> >          SSLCertificateFile="/auto/foo/ssl_certificate/cert.cer"
> >          SSLCertificateChainFile="/auto/some-path/ssl_certificate/chain.cer"
> >          SSLCertificateKeyFile="/auto/some-path/ssl_certificate/some.key"
> >          maxThreads="150"
> >          clientAuth="false"
> >          SSLProtocol="TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
> >          maxHttpHeaderSize="32768"
> >          URIEncoding="UTF-8"
> > />
>
> Again, looks to be OK.
>
> > Appreciate any insight.
>
> I'd want to look at exactly what was in each request/response at each
> stage of this.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Hi Mark,
Answers inline below.


> Can you tell where that error message is coming from? httpd? Tomcat?
> The application?

     HTTPD log
              [Tue Apr 21 13:39:33.741636 2020] [ssl:info] [pid 38749]
[client 10.24.61.248:52733] AH01964: Connection to child 0 established
(server foo:443)
[Tue Apr 21 13:39:33.781069 2020] [proxy:trace2] [pid 38749]
proxy_util.c(1985): [client 10.24.61.248:52733] https: found worker
https://foo:8443/foo for
https://foo:8443/foo/api/completions.json?username=foo, referer:
http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781119 2020] [proxy:debug] [pid 38749]
mod_proxy.c(1123): [client 10.24.61.248:52733] AH01143: Running scheme
https handler (attempt 0), referer:
http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781150 2020] [proxy:debug] [pid 38749]
proxy_util.c(2203): AH00942: HTTPS: has acquired connection for
(foo.com)
[Tue Apr 21 13:39:33.781476 2020] [proxy:debug] [pid 38749]
proxy_util.c(2256): [client 10.24.61.248:52733] AH00944: connecting
https://foo:8443/app/api/completions.json?username=foo to foo:8443,
referer: http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781553 2020] [proxy:debug] [pid 38749]
proxy_util.c(2426): [client 10.24.61.248:52733] AH00947: connected
/app/api/completions.json?username=foo to foo:8443, referer:
http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781706 2020] [proxy:trace2] [pid 38749]
proxy_util.c(2768): HTTPS: fam 2 socket created to connect to foo.com
[Tue Apr 21 13:39:33.781938 2020] [proxy:debug] [pid 38749]
proxy_util.c(2802): AH02824: HTTPS: connection established with
171.71.174.236:8443 (foo.com)
[Tue Apr 21 13:39:33.781971 2020] [proxy:debug] [pid 38749]
proxy_util.c(2942): AH00962: HTTPS: connection complete to
171.71.174.236:8443 (foo.com)
[Tue Apr 21 13:39:33.781982 2020] [ssl:info] [pid 38749] [remote
171.71.174.236:8443] AH01964: Connection to child 0 established
(server foo:443)
[Tue Apr 21 13:39:33.796042 2020] [proxy:debug] [pid 38749]
proxy_util.c(2218): AH00943: https: has released connection for
(foo.com)
[Tue Apr 21 13:39:38.798293 2020] [ssl:info] [pid 38749] (70007)The
timeout specified has expired: [client 10.24.61.248:52733] AH01991:
SSL input filter read failed.

       Tomcat log  (I'm trying to get more debug level logging)
            2020-04-21 13:39:33 INFO  app.CompletionRestController
Unsupported Media Type in Header

      Postman
           415 Unsupported Media Type

      GET URL
            http://server.com/app/api/completions.json?username=foo

Both Tomcat and Apache are running SSL because all internal endpoints
are required to be secure.

Thanks
-John
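
Error-log entries pasted into mail get hard-wrapped, as in the httpd excerpt above, which hides how the proxy events are spaced in time. As an added example (not code from either poster), this Python script rejoins wrapped entries and reports each one's offset from the first; `WRAPPED_LOG` is a constructed sample of four entries copied from that excerpt, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: four entries from the httpd log above, still mail-wrapped.
WRAPPED_LOG = """\
[Tue Apr 21 13:39:33.781553 2020] [proxy:debug] [pid 38749]
proxy_util.c(2426): [client 10.24.61.248:52733] AH00947: connected
/app/api/completions.json?username=foo to foo:8443, referer:
http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781971 2020] [proxy:debug] [pid 38749]
proxy_util.c(2942): AH00962: HTTPS: connection complete to
171.71.174.236:8443 (foo.com)
[Tue Apr 21 13:39:33.796042 2020] [proxy:debug] [pid 38749]
proxy_util.c(2218): AH00943: https: has released connection for
(foo.com)
[Tue Apr 21 13:39:38.798293 2020] [ssl:info] [pid 38749] (70007)The
timeout specified has expired: [client 10.24.61.248:52733] AH01991:
SSL input filter read failed.
"""

ENTRY_START = re.compile(r"^\[(\w{3} \w{3} \d{2} [\d:.]+ \d{4})\] \[(\w+):(\w+)\]")
AH_CODE = re.compile(r"\b(AH\d{5})\b")

def unwrap(text):
    """Rejoin mail-wrapped lines: a new entry starts only at a timestamp."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def timeline(text):
    """Return (ms since first entry, module, level, AH code) per entry."""
    rows, first = [], None
    for entry in unwrap(text):
        m = ENTRY_START.match(entry)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y")
        first = first or ts
        code = AH_CODE.search(entry)
        ms = round((ts - first).total_seconds() * 1000, 3)
        rows.append((ms, m.group(2), m.group(3), code.group(1) if code else None))
    return rows

for row in timeline(WRAPPED_LOG):
    print(row)
```

On this sample the backend connection is released about 14 ms after the proxy connects, and the AH01991 timeout entry follows roughly 5 s later.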
