On 7/24/2016 5:20 PM, Mark Eggers wrote:
> On 7/24/2016 1:13 PM, Paul Roubekas wrote:
>> On 7/23/2016 3:44 PM, Paul Roubekas wrote:
>>> On 7/23/2016 3:15 PM, Paul Roubekas wrote:
>>>> On 7/23/2016 2:57 PM, Christopher Schultz wrote:
>>>>> Paul,
>>>>>
>>>>> On 7/23/16 8:39 AM, Paul Roubekas wrote:
>>>>>> http://www.myDomain.com gets me to Tomcat where my ROOT webapp is
>>>>>> deployed. Thank you very much!!!
>>>>>> A few things that still need correction...
>>>>>> Not all my webpages/servlets are https, just one is https.
>>>>> No problem. You'll need an HTTPS and HTTP listener in httpd, which it
>>>>> seems you already have working.
>>>>>
>>>>>> I can navigate to any page on the site, except the https page, and
>>>>>> the prefix stays at http://.
>>>>> Good.
>>>>>
>>>>>> But once I hit the https page/servlet two things happen: 1) The
>>>>>> prefix stays at https:// for any other page in the site, even
>>>>>> though the other pages were served up as http:// in the past.
>>>>> That's generally because your pages are using relative links, which
>>>>> preserve the protocol. Is this a problem? Or do you just want to
>>>>> understand why it's not reverting back to HTTP when HTTPS is not needed?
>>>> I would like to fix it.
>> What do I need to do to stop this behavior?
>>>>>> 2) The port number 8443 now shows in the address bar and does not
>>>>>> go away. What still needs to be done to fix the above two issues?
>>>>> If the port number shows 8443 then the proxying isn't quite set up
>>>>> correctly. Since you are using httpd, you are probably using port 443
>>>>> for HTTPS traffic. I'm not quite sure how TomEE does configuration,
>>>>> but I suspect it's quite similar to Tomcat. For Tomcat, you'd have a
>>>>> configuration containing a <Connector> which has all kinds of
>>>>> attributes on it. Specifically, there will be one called
>>>>> "redirectPort". By default, that value is set to "8443" because
>>>>> Tomcat's default HTTPS port is 8443. Since you are using httpd, you'll
>>>>> want to change redirectPort to "443". That should stick you to httpd
>>>>> instead of having TomEE serve the requests over port 8443.
>>>> These are the three <Connector> XML configuration elements in my
>>>> server.xml for Tomee
>>>> <Connector port="8080" protocol="HTTP/1.1"
>>>> connectionTimeout="20000"
>>>> redirectPort="8443" xpoweredBy="false" server="Apache
>>>> TomEE" proxyName="www.myDomain.com" proxyPort="80" />
>>>>
>>>> <Connector port="8443" maxHttpHeaderSize="8192"
>>>> protocol="org.apache.coyote.http11.Http11Protocol"
>>>> maxThreads="150" minSpareThreads="25"
>>>> maxSpareThreads="75" enableLookups="false"
>>>> disableUploadTimeout="true" acceptCount="100"
>>>> SSLEnabled="true" scheme="https" secure="true"
>>>> keyAlias="server" keystoreFile="[redacted]"
>>>> keystorePass="[redacted]"
>>>> clientAuth="false" sslProtocol="TLS" xpoweredBy="false"
>>>> server="Apache TomEE" proxyName="www.myDomain.com" proxyPort="80"/>
>>>>
>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>>>> proxyName="www.myDomain.com" proxyPort="80"/>
>>> Changing the redirectPort= on both <Connector> XML elements to 443
>>> causes the https page to have a "Unable to connect" error.
>> What should I try next?
>>>>> BTW if you aren't using TomEE for HTTPS directly, you can remove that
>>>>> <Connector> entirely. If you are using AJP to proxy from httpd ->
>>>>> TomEE, then you need no other connectors besides the AJP one. It will
>>>>> make your TomEE configuration simpler, use fewer resources, and cause
>>>>> less confusion (like what was happening above, because TomEE was
>>>>> handling the requests, not httpd).
>> I tested just having the AJP <Connector>. That did not work for the
>> https page. All pages but the https page worked. On the https page I
>> got the "Unable to connect" error page.
>>>>>> Later, after the above is fixed, I will be adding Bugzilla and
>>>>>> phpBB to the Fedora 23 server. I am assuming phpBB and Bugzilla
>>>>>> don't support ajp, and/or I don't need the ajp protocol. Is that
>>>>>> correct? AJP is just for Tomcat?
>>>>> AJP actually stands for Apache JServ Protocol, which was invented
>>>>> solely for the purposes of proxying to Java-based application servers.
>>>>> It's mostly outlived its usefulness, but there are some of us die-hard
>>>>> fans out there that simply can't live without mod_jk and all the great
>>>>> things it provides. mod_proxy has been playing catch-up with mod_jk
>>>>> for a very long time, and they are closing-in on feature parity. But
>>>>> not quite yet :)
>>>>>
>>>>>> Since the below questions are off topic I will not be hurt if they
>>>>>> are not answered. I will go on to another internet search. The
>>>>>> https configurations for phpBB and Bugzilla will just be...
>>>>>> For phpBB: ProxyPass /bb http://localhost:80/bb ProxyPassReverse
>>>>>> /bb http://localhost:80/bb
>>>>> Are you running a separate server for phpBB? Typically, you'll just
>>>>> use an Alias to point a particular URL space to your disk, and use
>>>>> mod_php to run the scripts directly:
>>>>>
>>>>> Alias /bb /path/to/phpBB
>>>> Let me give that a try and get back with you.
>> That does not work. Based on testing it seems the AJP <Connector> takes
>> complete control of all http/https traffic. I have placed the Alias
>> before the AJP directive. I have tested putting the Alias directive
>> after the AJP <Connector>. In both cases when I try MyDomain.com/bb or
>> MyDomain.com/tt return the Tomcat "HTTP Status 404" error page. I even
>> tried...
>>
>> # <Location /bb>
>>
>> # ProxyPass http://localhost/bb
>>
>> # </Location>
>>
> #
> # Add this before your first ProxyPass
> # However, after your aliases
> #
>
> ProxyPass "/bb" !
> ProxyPass "/tt" !

This works now. Thanks

>
> #
> # Also this would be a good idea to prevent TomEE manager access
> #
> ProxyPass "/manager" !

I protect this page via IP address.
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="[redacted]" />

> #
> # Finally, to protect your one servlet
> #
> ProxyPass "/path-to-servlet" !

I have done something wrong here. It is not working. See more details below.

>
> #
> # Now add the proxypass
> #
> ProxyPass "/" "ajp://TomEE-host:8009/"

ok

>
> In your ssl.conf, you'll need to proxy the HTTPS-protected servlet
>
> #
> # Protected servlet
> #
> ProxyPass "/path-to-servlet" "ajp://TomEE-host:8009/path-to-servlet"

I did a find on my whole Fedora 23 server looking for ssl.conf. The file
did not exist. I created one (ssl.conf) and put it in the same directory
as httpd.conf. Now the https servlet returns a "Not Found The requested
URL /DonateServlet was not found on this server."
1) Did I put the ssl.conf in the correct directory?
2) What else can I check?

>
>
> Personally, I don't alias Bugzilla or PHPBB. It just seems like another
> level of indirection.

What do you do? I am a newbie that is willing to learn.

>
> There are other things that you can do to clean up the configuration,
> but hopefully that will get you up and running.

What "other things"?

>
>> But that did not work either.
>>>>>> For Bugzilla: ProxyPass /tt http://localhost:80/tt ProxyPassReverse
>>>>>> /tt http://localhost:80/tt
>>>>> Same here:
>>>>>
>>>>> Alias /tt /path/to/bugzilla
>>>>>
>>>>> For Bugzilla specifically, you'll need to enable cgi-bin capabilities
>>>>> on that directory. Read the Bugzilla configuration reference for how
>>>>> to enable it. You'll end up with something like this:
>>>>>
>>>>> Alias /tt /path/to/bugzilla
>>>>> RedirectMatch ^/tt$ /tt/index.cgi
>>>>> <Directory "/path/to/bugzilla">
>>>>> Order allow,deny
>>>>> Allow from all
>>>>>
>>>>> Options +ExecCGI
>>>>> AllowOverride None
>>>>>
>>>>> AddHandler cgi-script .cgi
>>>>>
>>>>> DirectoryIndex index.cgi
>>>>>
>>>>> .. probably some authentication configuration, here, too ..
>>>>> .. maybe IP- or LDAP-based restrictions, etc. ..
>>>>> </Directory>
>> I have not tested this yet. There does not seem to be a point when the
>> other configurations don't work yet.
>>>> Thanks for answering this.
>>>>> Hope that helps,
>>>>> -chris
>>>> Hope to return the favor some day :-)
>>>>
>>>>
>>>
>>> --
>>> The people that bring you Usque <http://Usque.software/>
> . . . just my two cents
> /mde/
>
>
-- The people that bring you Usque <http://Usque.software/>.
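
Added example (not part of the thread or of either poster's configuration): mod_proxy checks ProxyPass rules in configuration order and the first match wins, which is why the "!" exclusions quoted above have to precede the catch-all "/" rule. This Python sketch models that for server-level ProxyPass lines only and flags exclusions that can never take effect; the function names and both sample configs are constructed for illustration.

```python
import shlex

# Constructed sample configs (not the poster's real httpd.conf).
GOOD = '''
Alias /bb /path/to/phpBB
ProxyPass "/bb" !
ProxyPass "/tt" !
ProxyPass "/manager" !
ProxyPass "/" "ajp://TomEE-host:8009/"
'''
BAD = '''
ProxyPass "/" "ajp://TomEE-host:8009/"
ProxyPass "/bb" !
ProxyPass "/manager" !
'''

def proxy_rules(conf):
    """Return (path, target) for each server-level ProxyPass, in file order."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0].lower() == "proxypass" and len(parts) >= 3:
            rules.append((parts[1], parts[2]))
    return rules

def covers(prefix, path):
    """Simplified model of mod_proxy's prefix match on whole path segments."""
    base = prefix.rstrip("/")
    return base == "" or path == base or path.startswith(base + "/")

def route(rules, url_path):
    """First matching rule wins; '!' means httpd serves it. None = no rule matched."""
    for prefix, target in rules:
        if covers(prefix, url_path):
            return "local" if target == "!" else target
    return None

def shadowed_exclusions(rules):
    """Exclusions that never fire because an earlier proxying rule covers them."""
    dead = []
    for i, (prefix, target) in enumerate(rules):
        if target != "!":
            continue
        for earlier_prefix, earlier_target in rules[:i]:
            if earlier_target != "!" and covers(earlier_prefix, prefix):
                dead.append((prefix, earlier_prefix))
                break
    return dead

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        rules = proxy_rules(conf)
        print(name, "/manager/html ->", route(rules, "/manager/html"),
              "| shadowed:", shadowed_exclusions(rules))
```

In the BAD ordering every request, including /manager, is handed to the AJP backend, so the exclusions below the catch-all are dead configuration.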