All, I am setting up a frontend HTTPD load balancer to a backend Tomcat application using mod_proxy. I have not done so previously and am looking for some guidance. Here is a diagram of what it will look like:
+---------------------+
| Firewall Public     |
+---------------------+

+-------------------------------------------+
| +------+  +-------+  +-------+            |
| | httpd|  | httpd |  | httpd |            |
| |  1   |  |   2   |  |   3   |            |
| +------+  +-------+  +-------+            |
+-------------------------------------------+

+----------------------+
| Firewall Private     |
+----------------------+

+---------------------------------------------+
| +--------+  +---------+  +--------+         |
| | tomcat |  | tomcat  |  | tomcat |         |
| |   1    |  |    2    |  |    3   |         |
| +--------+  +---------+  +--------+         |
+---------------------------------------------+

The HTTPD 1-3 servers are in a DMZ subnet and will proxy back to the internal Tomcat application on a different subnet. I had this working without sticky sessions (which are needed), but now when I try to set up the configuration with sticky sessions I receive a 500 error in a browser. Here is what I receive in the logs:

access_log:

10.37.11.14 - - [26/Feb/2018:09:48:34 -0800] "GET /favicon.ico HTTP/1.1" 500 527 "https://app.example.com/login.jsp" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36" "C1A3CF4AB2A4E8952C259E2F1B97A203.node1"

error_log:

[Mon Feb 26 09:48:34.714703 2018] [proxy:warn] [pid 37884] [client 10.37.11.14:53267] AH01144: No protocol handler was valid for the URL /favicon.ico. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: https://app.example.com/login.jsp

I believe the favicon.ico 'error' is benign, but if it is I'd like to suppress it. But I do receive a standard 500 error in the browser. The 'login.jsp' is a redirect from the backend application. If I go directly to one of the application servers:

https://app1.example.com:9009

the page loads properly and gives the following URL in the browser:

https://app1.example.com:9009/login.jsp

Here is the complete httpd.conf file. I only want the proxy to listen on port 443. This system will only function as a DMZ proxy to the backend application. Ideally the configuration is as minimal as possible with no extra/unnecessary directives:

Listen 443 https
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

ErrorLog "logs/error_log"
TransferLog "logs/access_log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{JSESSIONID}C\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
    ServerName app.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /etc/pki/tls/certs/cert.crt

    <Proxy balancer://mycluster>
        BalancerMember https://app1.example.com:9009 route=node1
        BalancerMember https://app2.example.com:9009 route=node2
        ProxySet lbmethod=bybusyness
    </Proxy>

    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyPass / balancer://mycluster stickysession=JSESSIONID
    ProxyPassReverse / balancer://mycluster stickysession=JSESSIONID
</VirtualHost>

Any guidance is greatly appreciated. Thanks in advance.

HB
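Added here as an illustrative example; it is not part of HB's post or any reply in the thread. It shows the shape of an httpd 2.4 reverse-proxy virtual host that (a) loads every proxy submodule the balancer in the post depends on explicitly rather than via Include, so a missing module shows up at startup instead of as an AH01144 warning at request time, (b) verifies the backend Tomcat certificates instead of switching verification off, and (c) declares the sticky session once on the balancer. The module paths follow the stock RHEL/CentOS layout (modules/mod_*.so); the CA bundle path /etc/pki/tls/certs/backend-ca.crt, the backend hostnames and the route names are assumptions carried over from the post for illustration, and the route suffix in each BalancerMember must equal the jvmRoute configured in the matching Tomcat (the access_log line in the post shows a JSESSIONID ending in ".node1", which is what stickysession= matches against).

```apache
# Added example config, not the original poster's httpd.conf.
# Assumes httpd 2.4 with modules under modules/ (RHEL/CentOS layout).

Listen 443 https

# Load the proxy stack explicitly. mod_proxy_http serves both http:// and
# https:// backends; mod_proxy_balancer needs a slotmem provider
# (mod_slotmem_shm); lbmethod=bybusyness needs mod_lbmethod_bybusyness;
# mod_ssl is required both for the front-end listener and for SSLProxyEngine.
LoadModule ssl_module                 modules/mod_ssl.so
LoadModule proxy_module               modules/mod_proxy.so
LoadModule proxy_http_module          modules/mod_proxy_http.so
LoadModule slotmem_shm_module         modules/mod_slotmem_shm.so
LoadModule proxy_balancer_module      modules/mod_proxy_balancer.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule log_config_module          modules/mod_log_config.so
LoadModule authz_core_module          modules/mod_authz_core.so

User apache
Group apache

<Directory />
    AllowOverride none
    Require all denied
</Directory>

ErrorLog "logs/error_log"
LogLevel warn

# Never act as a forward proxy, even though "off" is the 2.4 default.
ProxyRequests Off

<VirtualHost _default_:443>
    ServerName app.example.com

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /etc/pki/tls/certs/cert.crt

    # Authenticate the Tomcat backends instead of trusting any certificate.
    # backend-ca.crt (assumed path) holds the CA that issued the app1/app2 certs.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # One balancer; sticky session declared once with ProxySet.
    # route=nodeN must match the jvmRoute of the corresponding Tomcat so that
    # a JSESSIONID such as C1A3...A203.node1 is pinned to app1.
    <Proxy balancer://mycluster>
        BalancerMember https://app1.example.com:9009 route=node1
        BalancerMember https://app2.example.com:9009 route=node2
        ProxySet lbmethod=bybusyness
        ProxySet stickysession=JSESSIONID|jsessionid
    </Proxy>

    ProxyPass        / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
</VirtualHost>
```

Because the modules are named explicitly, a module that is absent from the build fails `httpd -t` / `apachectl configtest` immediately, which is the check to run after any change to a DSO-based proxy; `httpd -M` lists what is actually loaded. Switching SSLProxyVerify to `require` is the change a practitioner would want in a DMZ-to-internal hop: with `none` and the CheckPeer* directives off, anything that can answer on the internal subnet's port 9009 is accepted as a Tomcat backend.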
