Re: Fwd: Reverse proxy and SSL redirect
On Wed, Jul 1, 2020 at 3:26 AM Mark Thomas wrote:
>
> On 01/07/2020 00:41, rugman66 . wrote:
> > On Wed, Apr 22, 2020 at 9:21 AM Mark Thomas wrote:
> > >
> > > On 22/04/2020 00:11, rugman66 . wrote:
> > > > Tomcat log (I'm trying to get more debug level logging)
> > > > 2020-04-21 13:39:33 INFO app.CompletionRestController
> > > > Unsupported Media Type in Header
> > > >
> > > > Postman
> > > > 415 Unsupported Media Type
> > > >
> > > > GET URL
> > > > http://server.com/app/api/completions.json?username=foo
> > > >
> > > > Both Tomcat and Apache are running SSL because all internal endpoints
> > > > are required to be secure.
> > >
> > > Looks like the app is generating the error. That moves us forwards.
> > >
> > > Try enabling the RequestDumperFilter. That should dump the full set of
> > > request headers received which will hopefully help explain what is going on.
> > >
> > > Mark
> >
> > Hi Mark,
> >
> > Was on unplanned leave for the past few months, but back.
> >
> > I did try to enable RequestDumperFilter, however the file was created
> > but no log entries created. I did find something interesting. When I
> > test in Postman with HTTP it does redirect to HTTPD but throws the error.
> > However when I change the URL in Postman using HTTPD I get the expected
> > reply and see the proxy is indeed working. It's only throwing the error
> > when the redirect occurs. Seems to me the issue lies there, but I still
> > can't find a resolution. Any suggestions would be appreciated.
>
> You need to find a way to see the full traffic for both client<->httpd
> and httpd<->Tomcat.
>
> Wireshark is one option. You'll need to configure it to decrypt the TLS.
>
> The access logs will also confirm whether requests are passed to Tomcat
> or handled by httpd.
>
> Mark

Unfortunately I cannot use wireshark as this is in one of our data centers, and information security would flag packet sniffing as malicious.

However I did record the Apache access log entry for one attempt and Apache error log entries from three separate attempts. Interestingly enough all three differ in length. Also included the catalina.out log entry. Below are the log snippets.

Appreciate your time

-John

*Tomcat*

catalina.out:
2020-07-01 13:18:59 INFO app.CompletionRestController Unsupported Media Type in Header

*Apache*

access log:
10.24.36.111 - - [01/Jul/2020:13:18:59 -0700] "GET /app/api/completions.json?username=me HTTP/1.1" 415 46 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0"

error log:
[Wed Jul 01 10:42:24.994833 2020] [ssl:info] [pid 4874] [client 10.24.36.111:54100] AH01964: Connection to child 2 established (server englearn-app3.foo.com:443)
[Wed Jul 01 10:42:25.011695 2020] [proxy:debug] [pid 72913] proxy_util.c(1843): AH00925: initializing worker proxy:reverse shared
[Wed Jul 01 10:42:25.011740 2020] [proxy:debug] [pid 72913] proxy_util.c(1885): AH00927: initializing worker proxy:reverse local
[Wed Jul 01 10:42:25.011903 2020] [proxy:debug] [pid 72913] proxy_util.c(1936): AH00931: initialized single connection worker in child 72913 for (*)
[Wed Jul 01 10:42:25.011912 2020] [proxy:debug] [pid 72913] proxy_util.c(1843): AH00925: initializing worker https://englearn-app3.foo.com:8443/app shared
[Wed Jul 01 10:42:25.011917 2020] [proxy:debug] [pid 72913] proxy_util.c(1885): AH00927: initializing worker https://englearn-app3.foo.com:8443/app local
[Wed Jul 01 10:42:25.011934 2020] [proxy:debug] [pid 72913] proxy_util.c(1936): AH00931: initialized single connection worker in child 72913 for (englearn-app3.foo.com)
[Wed Jul 01 10:42:25.041766 2020] [proxy:trace2] [pid 4874] proxy_util.c(1985): [client 10.24.36.111:54100] https: found worker https://englearn-app3.foo.com:8443/app for https://englearn-app3.foo.com:8443/app/api/completions.json?username=me, referer: http://englearn-app3.foo.com/app/api/completions.json?username=me
[Wed Jul 01 10:42:25.041787 2020] [proxy:debug] [pid 4874] mod_proxy.c(1123): [client 10.24.36.111:54100] AH01143: Running scheme https handler (attempt 0), referer: http://englearn-app3.foo.com/app/api/completions.json?username=me
[Wed Jul 01 10:42:25.041804 2020] [proxy:debug] [pid 4874] proxy_util.c(2203): AH00942: HTTPS: has acquired connection for (englearn-app3.foo.com)
[Wed Jul 01 10:42:25.041826 2020] [proxy:debug] [pid 4874] proxy_util.c(2256): [client 10.24.36.111:54100] AH00944: connecting https://englearn-app3.foo.com:8443/app/api/completions.json?username=me to englearn-app3.foo.com:8443, referer: http://englearn-app3.foo.com/app/api/completions.json?username=me
[Wed Jul 01 10:42:25.042535 2020] [proxy:debug] [pid 4874] proxy_util.c(2426): [client 10.24.36.111:54100] AH00947: connected /app/api/completions.json?username=me to englearn-app3.foo.com:8443, referer: http://englearn-app3.foo.com/app/api/completions.json?username=me
[Wed Jul 01 10:42:25.042561 2020] [proxy:trace2] [pid 4874] proxy_util.c(2768): HTTPS:
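Mark's suggestion above is that the httpd logs themselves show whether a hit was answered by httpd (its own Redirect) or handed to Tomcat. The script below is an added example, not code from the thread: it correlates combined-format access-log hits with mod_proxy AH00944 "connecting" lines by client IP and timestamp (to the second). The sample lines are constructed, modelled on the logs posted above with aligned timestamps; the 301 entry is an assumed plain-HTTP hit that httpd redirected itself.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the httpd logs posted in the thread
# (not the poster's full logs). Entry 1 is an assumed plain-HTTP hit that
# httpd answered with its own 301; entry 2 is the HTTPS hit that got a 415.
ACCESS_LOG = """\
10.24.36.111 - - [01/Jul/2020:13:18:58 -0700] "GET /app/api/completions.json?username=me HTTP/1.1" 301 237 "-" "Mozilla/5.0"
10.24.36.111 - - [01/Jul/2020:13:18:59 -0700] "GET /app/api/completions.json?username=me HTTP/1.1" 415 46 "-" "Mozilla/5.0"
"""
ERROR_LOG = """\
[Wed Jul 01 13:18:59.041826 2020] [proxy:debug] [pid 4874] proxy_util.c(2256): [client 10.24.36.111:54100] AH00944: connecting https://englearn-app3.foo.com:8443/app/api/completions.json?username=me to englearn-app3.foo.com:8443
"""

# Combined log format: ip ident user [time] "method path proto" status ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# mod_proxy backend connect line (only AH00944 marks a real hand-off)
PROXY_RE = re.compile(r'^\[([^\]]+)\] \[proxy:\w+\] \[pid \d+\] \S+ '
                      r'\[client ([\d.]+):\d+\] AH00944: connecting (\S+) to (\S+)')

def proxy_connects(error_log):
    """Map (client_ip, 'YYYY-mm-dd HH:MM:SS') -> backend host:port per AH00944 line."""
    out = {}
    for line in error_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # ssl/worker-init chatter is not a backend connect
        stamp = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y")
        out[(m.group(2), stamp.strftime("%Y-%m-%d %H:%M:%S"))] = m.group(4)
    return out

def classify(access_log, error_log):
    """For each access-log hit, report whether httpd proxied it to Tomcat.
    Correlation is by client IP and second, so it is coarse under load."""
    connects = proxy_connects(error_log)
    rows = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        stamp = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        backend = connects.get((ip, stamp.strftime("%Y-%m-%d %H:%M:%S")))
        rows.append({"method": method, "path": path, "status": int(status),
                     "handled_by": f"tomcat via {backend}" if backend else "httpd"})
    return rows

if __name__ == "__main__":
    for row in classify(ACCESS_LOG, ERROR_LOG):
        print(row)
```

A hit reported as "httpd" with a 3xx status is the Redirect firing; a hit reported as "tomcat via ..." carries whatever status the backend returned, which is where a 415 has to be chased.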
Re: Fwd: Reverse proxy and SSL redirect
On 01/07/2020 00:41, rugman66 . wrote:
> On Wed, Apr 22, 2020 at 9:21 AM Mark Thomas wrote:
> >
> > On 22/04/2020 00:11, rugman66 . wrote:
> > > Tomcat log (I'm trying to get more debug level logging)
> > > 2020-04-21 13:39:33 INFO app.CompletionRestController
> > > Unsupported Media Type in Header
> > >
> > > Postman
> > > 415 Unsupported Media Type
> > >
> > > GET URL
> > > http://server.com/app/api/completions.json?username=foo
> > >
> > > Both Tomcat and Apache are running SSL because all internal endpoints
> > > are required to be secure.
> >
> > Looks like the app is generating the error. That moves us forwards.
> >
> > Try enabling the RequestDumperFilter. That should dump the full set of
> > request headers received which will hopefully help explain what is going on.
> >
> > Mark
>
> Hi Mark,
>
> Was on unplanned leave for the past few months, but back.
>
> I did try to enable RequestDumperFilter, however the file was created
> but no log entries created. I did find something interesting. When I
> test in Postman with HTTP it does redirect to HTTPD but throws the error.
> However when I change the URL in Postman using HTTPD I get the expected
> reply and see the proxy is indeed working. It's only throwing the error
> when the redirect occurs. Seems to me the issue lies there, but I still
> can't find a resolution. Any suggestions would be appreciated.

You need to find a way to see the full traffic for both client<->httpd
and httpd<->Tomcat.

Wireshark is one option. You'll need to configure it to decrypt the TLS.

The access logs will also confirm whether requests are passed to Tomcat
or handled by httpd.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Fwd: Reverse proxy and SSL redirect
On Wed, Apr 22, 2020 at 9:21 AM Mark Thomas wrote:
>
> On 22/04/2020 00:11, rugman66 . wrote:
> > Tomcat log (I'm trying to get more debug level logging)
> > 2020-04-21 13:39:33 INFO app.CompletionRestController
> > Unsupported Media Type in Header
> >
> > Postman
> > 415 Unsupported Media Type
> >
> > GET URL
> > http://server.com/app/api/completions.json?username=foo
> >
> > Both Tomcat and Apache are running SSL because all internal endpoints
> > are required to be secure.
>
> Looks like the app is generating the error. That moves us forwards.
>
> Try enabling the RequestDumperFilter. That should dump the full set of
> request headers received which will hopefully help explain what is going on.
>
> Mark

Hi Mark,

Was on unplanned leave for the past few months, but back.

I did try to enable RequestDumperFilter, however the file was created but no log entries created. I did find something interesting. When I test in Postman with HTTP it does redirect to HTTPD but throws the error. However when I change the URL in Postman using HTTPD I get the expected reply and see the proxy is indeed working. It's only throwing the error when the redirect occurs. Seems to me the issue lies there, but I still can't find a resolution. Any suggestions would be appreciated.

Regards

-John
Re: Fwd: Reverse proxy and SSL redirect
On 22/04/2020 00:11, rugman66 . wrote:
> Tomcat log (I'm trying to get more debug level logging)
> 2020-04-21 13:39:33 INFO app.CompletionRestController
> Unsupported Media Type in Header
>
> Postman
> 415 Unsupported Media Type
>
> GET URL
> http://server.com/app/api/completions.json?username=foo
>
> Both Tomcat and Apache are running SSL because all internal endpoints
> are required to be secure.

Looks like the app is generating the error. That moves us forwards.

Try enabling the RequestDumperFilter. That should dump the full set of request headers received which will hopefully help explain what is going on.

Mark
Re: Fwd: Reverse proxy and SSL redirect
On Sat, Apr 18, 2020 at 1:46 AM Mark Thomas wrote:
>
> On 17/04/2020 18:15, rugman66 . wrote:
> > Made correction to ProxyPass and ProxyPassReverse.
>
> Good. Changing the context path in the reverse proxy opens up the
> possibility for all sorts of breakage and is generally best avoided if
> at all possible.
>
> > I have Apache 2.4.6 running as reverse proxy for Tomcat 7.0.96, both
> > running SSL, and a functioning redirect from HTTP to HTTPS for both
> > Apache and Tomcat. ( Need to use both these releases due to IT
> > availability and app requirements )
> > Prior to enabling SSL on both a Json GET command made to the
> > application worked. Now after enabling SSL and the Apache redirect,
> > when the json calls are made to the application with the URL starting
> > with HTTP:// that should be redirected to HTTPS:// the following error
> > occurs.
> >
> > 415 Unsupported media type
> > "message": "Unsupported Media Type in Header"
>
> Can you tell where that error message is coming from? httpd? Tomcat? The
> application?
>
> > When the same json GET command is issued to the same URL using
> > HTTPS:// it works. It looks as if communication is breaking down
> > between Apache and Tomcat.
>
> What URL is used with that GET?
>
> What appears in the access logs (httpd and Tomcat) for each of those?
>
> Can you also log the HTTP headers sent and received by the client for
> each request?
>
> > Apache
>
> I'm no httpd expert...
>
> > ServerName http://foo.domain.com
> > Redirect / https://foo.domain.com/
>
> But the above looks to be consistent with:
> https://cwiki.apache.org/confluence/display/HTTPD/RedirectSSL
>
> > SSLEngine on
> > SSLProxyProtocol all
> > SSLCertificateFile "/auto/foo/ssl_certificate/cert.cer"
> > SSLCertificateChainFile "/auto/some-path/ssl_certificate/chain.cer"
> > SSLCertificateKeyFile "/auto/some-path/ssl_certificate/some.key"
> > SSLCipherSuite "ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
> > ServerName "foo.domain.com"
> > TraceEnable Off
> > ProxyRequests Off
> > ProxyPreserveHost Off
> > SSLProxyEngine on
> > AddDefaultCharset utf-8
> > AddType 'application/json; charset=UTF-8' .json
> > ProxyPass "/app" "https://foo.domain.com:8443/app"
> > ProxyPassReverse "/app" "https://foo.domain.com:8443/app"
>
> Hmm. I'm wondering about that AddType but it looks OK.
>
> > Tomcat
> >
> > connectionTimeout="2"
> > redirectPort="443"
> > proxyName="foo.domian.com"
> > ProxyPort="80"
>
> Will this become unnecessary once the HTTPS redirect is working? The
> redirect will always happen in httpd.
>
> > port="8443"
> > scheme="https"
> > secure="true"
> > protocol="org.apache.coyote.http11.Http11AprProtocol"
> > SSLEnabled="true"
> > SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
> > SSLCertificateFile="/auto/foo/ssl_certificate/cert.cer"
> > SSLCertificateChainFile="/auto/some-path/ssl_certificate/chain.cer"
> > SSLCertificateKeyFile="/auto/some-path/ssl_certificate/some.key"
> > maxThreads="150"
> > clientAuth="false"
> > SSLProtocol="TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
> > maxHttpHeaderSize="32768"
> > URIEncoding="UTF-8"
> > />
>
> Again, looks to be OK.
>
> > Appreciate any insight.
>
> I'd want to look at exactly what was in each request/response at each
> stage of this.
>
> Mark

Hi Mark,

Answers inline below.

> Can you tell where that error message is coming from? httpd? Tomcat? The
> application?

HTTPD log
[Tue Apr 21 13:39:33.741636 2020] [ssl:info] [pid 38749] [client 10.24.61.248:52733] AH01964: Connection to child 0 established (server foo:443)
[Tue Apr 21 13:39:33.781069 2020] [proxy:trace2] [pid 38749] proxy_util.c(1985): [client 10.24.61.248:52733] https: found worker https://foo:8443/foo for https://foo:8443/foo/api/completions.json?username=foo, referer: http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781119 2020] [proxy:debug] [pid 38749] mod_proxy.c(1123): [client 10.24.61.248:52733] AH01143: Running scheme https handler (attempt 0), referer: http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781150 2020] [proxy:debug] [pid 38749] proxy_util.c(2203): AH00942: HTTPS: has acquired connection for (foo.com)
[Tue Apr 21 13:39:33.781476 2020] [proxy:debug] [pid 38749] proxy_util.c(2256): [client 10.24.61.248:52733] AH00944: connecting https://foo:8443/app/api/completions.json?username=foo to foo:8443, referer: http://foo/app/api/completions.json?username=foo
[Tue Apr 21 13:39:33.781553 2020] [proxy:debug] [pid 38749] proxy_util.c(2426): [client 10.24.61.248:
Re: Fwd: Reverse proxy and SSL redirect
On 17/04/2020 18:15, rugman66 . wrote:
> Made correction to ProxyPass and ProxyPassReverse.

Good. Changing the context path in the reverse proxy opens up the
possibility for all sorts of breakage and is generally best avoided if
at all possible.

> I have Apache 2.4.6 running as reverse proxy for Tomcat 7.0.96, both
> running SSL, and a functioning redirect from HTTP to HTTPS for both
> Apache and Tomcat. ( Need to use both these releases due to IT
> availability and app requirements )
> Prior to enabling SSL on both a Json GET command made to the
> application worked. Now after enabling SSL and the Apache redirect,
> when the json calls are made to the application with the URL starting
> with HTTP:// that should be redirected to HTTPS:// the following error
> occurs.
>
> 415 Unsupported media type
> "message": "Unsupported Media Type in Header"

Can you tell where that error message is coming from? httpd? Tomcat? The
application?

> When the same json GET command is issued to the same URL using
> HTTPS:// it works. It looks as if communication is breaking down
> between Apache and Tomcat.

What URL is used with that GET?

What appears in the access logs (httpd and Tomcat) for each of those?

Can you also log the HTTP headers sent and received by the client for
each request?

> Apache

I'm no httpd expert...

> ServerName http://foo.domain.com
> Redirect / https://foo.domain.com/

But the above looks to be consistent with:
https://cwiki.apache.org/confluence/display/HTTPD/RedirectSSL

> SSLEngine on
> SSLProxyProtocol all
> SSLCertificateFile "/auto/foo/ssl_certificate/cert.cer"
> SSLCertificateChainFile "/auto/some-path/ssl_certificate/chain.cer"
> SSLCertificateKeyFile "/auto/some-path/ssl_certificate/some.key"
> SSLCipherSuite "ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
> ServerName "foo.domain.com"
> TraceEnable Off
> ProxyRequests Off
> ProxyPreserveHost Off
> SSLProxyEngine on
> AddDefaultCharset utf-8
> AddType 'application/json; charset=UTF-8' .json
> ProxyPass "/app" "https://foo.domain.com:8443/app"
> ProxyPassReverse "/app" "https://foo.domain.com:8443/app"

Hmm. I'm wondering about that AddType but it looks OK.

> Tomcat
>
> connectionTimeout="2"
> redirectPort="443"
> proxyName="foo.domian.com"
> ProxyPort="80"

Will this become unnecessary once the HTTPS redirect is working? The
redirect will always happen in httpd.

> port="8443"
> scheme="https"
> secure="true"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> SSLEnabled="true"
> SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
> SSLCertificateFile="/auto/foo/ssl_certificate/cert.cer"
> SSLCertificateChainFile="/auto/some-path/ssl_certificate/chain.cer"
> SSLCertificateKeyFile="/auto/some-path/ssl_certificate/some.key"
> maxThreads="150"
> clientAuth="false"
> SSLProtocol="TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
> maxHttpHeaderSize="32768"
> URIEncoding="UTF-8"
> />

Again, looks to be OK.

> Appreciate any insight.

I'd want to look at exactly what was in each request/response at each
stage of this.

Mark