On 7/24/2016 11:33 PM, Mark Eggers wrote:
> On 7/24/2016 5:10 PM, Paul Roubekas wrote:
>> On 7/24/2016 5:20 PM, Mark Eggers wrote:
>>> On 7/24/2016 1:13 PM, Paul Roubekas wrote:
>>>> On 7/23/2016 3:44 PM, Paul Roubekas wrote:
>>>>> On 7/23/2016 3:15 PM, Paul Roubekas wrote:
>>>>>> On 7/23/2016 2:57 PM, Christopher Schultz wrote:
>>>>>>> Paul,
>>>>>>>
>>>>>>> On 7/23/16 8:39 AM, Paul Roubekas wrote:
>>>>>>>> http://www.myDomain.com gets me to Tomcat where my ROOT webapp is
>>>>>>>> deployed. Thank you very much!!!
>>>>>>>> A few things that still need correction...
>>>>>>>> Not all my webpages/servlets are https, just one is https.
>>>>>>> No problem. You'll need an HTTPS and HTTP listener in httpd, which it
>>>>>>> seems you already have working.
>>>>>>>
>>>>>>>> I can navigate to any page on the site, except the https page, and
>>>>>>>> the prefix stays at http://.
>>>>>>> Good.
>>>>>>>
>>>>>>>> But once I hit the https page/servlet two things happen: 1) The
>>>>>>>> prefix stays at https:// for any other page in the site, even
>>>>>>>> though the other pages were served up as http:// in the past.
>>>>>>> That's generally because your pages are using relative links, which
>>>>>>> preserve the protocol. Is this a problem? Or do you just want to
>>>>>>> understand why it's not reverting back to HTTP when HTTPS is not needed?
>>>>>> I would like to fix it.
>>>> What do I need to do to stop this behavior?
>>>>>>>> 2) The port number 8443 now shows in the address bar and does not
>>>>>>>> go away. What still needs to be done to fix the above two issues?
>>>>>>> If the port number shows 8443 then the proxying isn't quite set up
>>>>>>> correctly. Since you are using httpd, you are probably using port 443
>>>>>>> for HTTPS traffic. I'm not quite sure how TomEE does configuration,
>>>>>>> but I suspect it's quite similar to Tomcat. For Tomcat, you'd have a
>>>>>>> configuration containing a <Connector> which has all kinds of
>>>>>>> attributes on it.
>>>>>>> Specifically, there will be one called
>>>>>>> "redirectPort". By default, that value is set to "8443" because
>>>>>>> Tomcat's default HTTPS port is 8443. Since you are using httpd, you'll
>>>>>>> want to change redirectPort to "443". That should stick you to httpd
>>>>>>> instead of having TomEE serve the requests over port 8443.
>>>>>> These are the three <Connector> XML configuration elements in my
>>>>>> server.xml for TomEE:
>>>>>>
>>>>>> <Connector port="8080" protocol="HTTP/1.1"
>>>>>>            connectionTimeout="20000"
>>>>>>            redirectPort="8443" xpoweredBy="false" server="Apache TomEE"
>>>>>>            proxyName="www.myDomain.com" proxyPort="80" />
>>>>>>
>>>>>> <Connector port="8443" maxHttpHeaderSize="8192"
>>>>>>            protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>>            maxThreads="150" minSpareThreads="25"
>>>>>>            maxSpareThreads="75" enableLookups="false"
>>>>>>            disableUploadTimeout="true" acceptCount="100"
>>>>>>            SSLEnabled="true" scheme="https" secure="true"
>>>>>>            keyAlias="server" keystoreFile="[redacted]"
>>>>>>            keystorePass="[redacted]"
>>>>>>            clientAuth="false" sslProtocol="TLS" xpoweredBy="false"
>>>>>>            server="Apache TomEE" proxyName="www.myDomain.com" proxyPort="80"/>
>>>>>>
>>>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>>>>>>            proxyName="www.myDomain.com" proxyPort="80"/>
>>>>> Changing the redirectPort= on both <Connector> XML elements to 443
>>>>> causes the https page to have an "Unable to connect" error.
>>>> What should I try next?
>>>>>>> BTW if you aren't using TomEE for HTTPS directly, you can remove that
>>>>>>> <Connector> entirely. If you are using AJP to proxy from httpd ->
>>>>>>> TomEE, then you need no other connectors besides the AJP one. It will
>>>>>>> make your TomEE configuration simpler, use fewer resources, and cause
>>>>>>> less confusion (like what was happening above, because TomEE was
>>>>>>> handling the requests, not httpd).
>>>> I tested just having the AJP <Connector>. That did not work for the
>>>> https page.
>>>> All pages but the https page worked. On the https page I
>>>> got the "Unable to connect" error page.
>>>>>>>> Later, after the above is fixed, I will be adding Bugzilla and
>>>>>>>> phpBB to the Fedora 23 server. I am assuming phpBB and Bugzilla
>>>>>>>> don't support ajp, and/or I don't need the ajp protocol. Is that
>>>>>>>> correct? AJP is just for Tomcat?
>>>>>>> AJP actually stands for Apache JServ Protocol, which was invented
>>>>>>> solely for the purposes of proxying to Java-based application servers.
>>>>>>> It's mostly outlived its usefulness, but there are some of us die-hard
>>>>>>> fans out there that simply can't live without mod_jk and all the great
>>>>>>> things it provides. mod_proxy has been playing catch-up with mod_jk
>>>>>>> for a very long time, and they are closing in on feature parity. But
>>>>>>> not quite yet :)
>>>>>>>
>>>>>>>> Since the below questions are off topic I will not be hurt if they
>>>>>>>> are not answered. I will go on to another internet search. The
>>>>>>>> https configurations for phpBB and Bugzilla will just be...
>>>>>>>> For phpBB:
>>>>>>>> ProxyPass /bb http://localhost:80/bb
>>>>>>>> ProxyPassReverse /bb http://localhost:80/bb
>>>>>>> Are you running a separate server for phpBB? Typically, you'll just
>>>>>>> use an Alias to point a particular URL space to your disk, and use
>>>>>>> mod_php to run the scripts directly:
>>>>>>>
>>>>>>> Alias /bb /path/to/phpBB
>>>>>> Let me give that a try and get back with you.
>>>> That does not work. Based on testing it seems the AJP <Connector> takes
>>>> complete control of all http/https traffic. I have placed the Alias
>>>> before the AJP directive. I have tested putting the Alias directive
>>>> after the AJP <Connector>. In both cases when I try MyDomain.com/bb or
>>>> MyDomain.com/tt I get the Tomcat "HTTP Status 404" error page. I even
>>>> tried...
>>>>
>>>> # <Location /bb>
>>>> # ProxyPass http://localhost/bb
>>>> # </Location>
>>>>
>>> #
>>> # Add this before your first ProxyPass
>>> # However, after your aliases
>>> #
>>>
>>> ProxyPass "/bb" !
>>> ProxyPass "/tt" !
>> This works now. Thanks
>>> #
>>> # Also this would be a good idea to prevent TomEE manager access
>>> #
>>> ProxyPass "/manager" !
>> I protect this page via IP address.
>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>        allow="[redacted]" />
>>> #
>>> # Finally, to protect your one servlet
>>> #
>>> ProxyPass "/path-to-servlet" !
>> I have done something wrong here. It is not working. See more details
>> below.
> Well this should block access to the servlet that you don't want to be
> visible via HTTP (only HTTPS).
>
>>> #
>>> # Now add the proxypass
>>> #
>>> ProxyPass "/" "ajp://TomEE-host:8009/"
>> ok
>>> In your ssl.conf, you'll need to proxy the HTTPS-protected servlet
>>>
>>> #
>>> # Protected servlet
>>> #
>>> ProxyPass "/path-to-servlet" "ajp://TomEE-host:8009/path-to-servlet"
>> I did a find on my whole Fedora 23 server looking for ssl.conf. The
>> file did not exist. I created one (ssl.conf) and put it in the same
>> directory as httpd.conf. Now the https servlet returns a "Not Found The
>> requested URL /DonateServlet was not found on this server."
>> 1) Did I put the ssl.conf in the correct directory?
>> 2) What else can I check?
> If you want Apache HTTPD to serve HTTPS content (in addition to HTTP
> content), you'll need to install the mod_ssl RPM.
>
> 2.4.23-3.fc23.x86_64.rpm
>
> is the latest release I believe. I'm not sure - my laptop died and with
> it my Fedora install (time to get a new laptop).
>
> In that rpm, you'll find:
>
> /etc/httpd/conf.d/ssl.conf
> /etc/httpd/conf.modules.d/00-ssl.conf
> /usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
> /usr/lib64/httpd/modules/mod_ssl.so
> /usr/libexec/httpd-ssl-pass-dialog
> /var/cache/httpd/ssl
>
> If Fedora and systemd haven't hacked things up too badly, you'll put
> proxypass statements (again, I use mod_jk, so I put in JkMount
> statements) in /etc/httpd/conf.d/ssl.conf.
>
> You'll be terminating SSL on Apache HTTPD, and sending AJP (not
> encrypted) traffic between Apache HTTPD and TomEE.
>
> Prevent the proxypass to your protected servlet (whatever the URL is) by
> using the exclamation point in httpd.conf. Add the required proxypass in
> ssl.conf, which is what Apache HTTPD uses in order to configure SSL.
Not working. I am getting
Not Found The requested URL /DonateServlet was not found on this server.

==== ssl.conf =====
#
# Protected servlet
#
ProxyPass "/DonateServlet" "ajp://localhost:8009/DonateServlet"
ErrorLog "/var/log/myDomain.com-error_log"
TransferLog "/var/log/myDomain.com-access_log"
>
>>>
>>> Personally, I don't alias Bugzilla or PHPBB. It just seems like another
>>> level of indirection.
>> What do you do? I am a newbie that is willing to learn.
>>> There are other things that you can do to clean up the configuration,
>>> but hopefully that will get you up and running.
>> What "other things"?
>>>> But that did not work either.
>>>>>>>> For Bugzilla:
>>>>>>>> ProxyPass /tt http://localhost:80/tt
>>>>>>>> ProxyPassReverse /tt http://localhost:80/tt
>>>>>>> Same here:
>>>>>>>
>>>>>>> Alias /tt /path/to/bugzilla
>>>>>>>
>>>>>>> For Bugzilla specifically, you'll need to enable cgi-bin capabilities
>>>>>>> on that directory. Read the Bugzilla configuration reference for how
>>>>>>> to enable it. You'll end up with something like this:
>>>>>>>
>>>>>>> Alias /tt /path/to/bugzilla
>>>>>>> RedirectMatch ^/tt$ /tt/index.cgi
>>>>>>> <Directory "/path/to/bugzilla">
>>>>>>>   Order allow,deny
>>>>>>>   Allow from all
>>>>>>>
>>>>>>>   Options +ExecCGI
>>>>>>>   AllowOverride None
>>>>>>>
>>>>>>>   AddHandler cgi-script .cgi
>>>>>>>
>>>>>>>   DirectoryIndex index.cgi
>>>>>>>
>>>>>>>   .. probably some authentication configuration, here, too ..
>>>>>>>   .. maybe IP- or LDAP-based restrictions, etc. ..
>>>>>>> </Directory>
>>>> I have not tested this yet. There does not seem to be a point when the
>>>> other configurations don't work yet.
>>>>>> Thanks for answering this.
>>>>>>> Hope that helps,
>>>>>>> -chris
>>>>>> Hope to return the favor some day :-)
>>>>>>
>>>>>>
>>>>> --
>>>>> The people that bring you Usque <http://Usque.software/>
>>> . . . just my two cents
>>> /mde/
> . . . just my two cents
> /mde/
>
> --
The people that bring you Usque <http://Usque.software/>.
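The ordering rule Mark leans on in the thread (the `!` exclusions before the catch-all `ProxyPass "/"`, and the protected servlet proxied only from the TLS virtual host) is easy to get wrong because mod_proxy checks ProxyPass directives in configuration order and the first matching URL-path prefix wins. mod_proxy's translate hook also runs ahead of mod_alias, which is why an Alias on its own could not keep /bb and /tt away from TomEE and the exclusion was needed. The Python below is an added editorial example, not code from the thread, from httpd or from TomEE: it models that first-match-wins selection, with mod_proxy's whole-segment prefix matching, over two constructed configurations (one for the plaintext vhost, one for the TLS vhost) plus the mis-ordered variant that reproduces the Tomcat 404 symptom Paul reported. `localhost:8009`, the `/var/www/...` paths and the URL paths are assumptions for the example; the model ignores ProxyPassMatch, `<Location>`-scoped ProxyPass and mod_rewrite.

```python
"""Model of how Apache httpd's mod_proxy picks a ProxyPass rule for a request.

ProxyPass directives are checked in configuration order and the first rule
whose URL-path prefix matches wins. A target of "!" means "do not proxy";
httpd then handles the request itself (mod_alias, a file, or a plain 404).
All configurations below are constructed for this example (assumed values).
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed backend: TomEE's AJP connector on the same host as httpd.
AJP_BACKEND = "ajp://localhost:8009"

# httpd.conf (plain-HTTP vhost): aliases, then exclusions, then the catch-all.
HTTP_CONF = f"""
Alias /bb /var/www/phpBB
Alias /tt /var/www/bugzilla
ProxyPass "/bb" !
ProxyPass "/tt" !
ProxyPass "/manager" !
ProxyPass "/DonateServlet" !
ProxyPass "/" "{AJP_BACKEND}/"
"""

# ssl.conf (TLS vhost): only the protected servlet is proxied here.
HTTPS_CONF = f"""
ProxyPass "/DonateServlet" "{AJP_BACKEND}/DonateServlet"
"""

# Same rules with the catch-all first: every request goes to TomEE, so /bb
# and /tt come back as Tomcat 404 pages, the symptom described in the thread.
WRONG_ORDER_CONF = f"""
ProxyPass "/" "{AJP_BACKEND}/"
ProxyPass "/bb" !
ProxyPass "/tt" !
"""


@dataclass(frozen=True)
class ProxyPassRule:
    prefix: str            # URL-path argument of ProxyPass
    target: Optional[str]  # backend URL, or None for the "!" exclusion


def parse_proxypass(config: str) -> List[ProxyPassRule]:
    """Collect ProxyPass directives in the order they appear. Other directives
    (Alias, ErrorLog, ...) are skipped: they do not influence rule selection."""
    rules: List[ProxyPassRule] = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        tokens = shlex.split(line)            # honours the quoted form "/bb"
        if len(tokens) < 3 or tokens[0] != "ProxyPass":
            continue
        prefix, target = tokens[1], tokens[2]
        rules.append(ProxyPassRule(prefix, None if target == "!" else target))
    return rules


def prefix_matches(uri: str, prefix: str) -> bool:
    """Whole-segment prefix match as mod_proxy does it: "/bb" matches "/bb"
    and "/bb/index.php" but not "/bbx"; a prefix ending in "/" matches all
    paths beneath it."""
    if not uri.startswith(prefix):
        return False
    if prefix.endswith("/"):
        return True
    remainder = uri[len(prefix):]
    return remainder == "" or remainder.startswith("/")


def resolve(rules: List[ProxyPassRule], uri: str) -> Tuple[str, Optional[str]]:
    """First matching rule wins. Returns ("proxy", backend_url) when the
    request is forwarded, or ("local", None) when httpd serves it itself,
    either because of an explicit "!" or because no rule matched."""
    for rule in rules:
        if prefix_matches(uri, rule.prefix):
            if rule.target is None:
                return ("local", None)
            # mod_proxy appends the unmatched remainder of the URI to the target.
            return ("proxy", rule.target + uri[len(rule.prefix):])
    return ("local", None)


HTTP_RULES = parse_proxypass(HTTP_CONF)
HTTPS_RULES = parse_proxypass(HTTPS_CONF)
WRONG_ORDER_RULES = parse_proxypass(WRONG_ORDER_CONF)

if __name__ == "__main__":
    for uri in ("/", "/bb/index.php", "/bbx", "/manager/html", "/DonateServlet"):
        print(f"{uri:16} http -> {resolve(HTTP_RULES, uri)}"
              f"   https -> {resolve(HTTPS_RULES, uri)}")
    print("catch-all first, /bb ->", resolve(WRONG_ORDER_RULES, "/bb"))
```

Running the script prints the routing table for both vhosts. Two things the model makes visible: a request for /DonateServlet over plaintext HTTP is answered by httpd itself (a 404 here, since nothing local exists at that path), so the servlet is reachable only through the TLS vhost; and because the TLS vhost proxies nothing but /DonateServlet, the rest of TomEE, /manager included, is not exposed through it either. The AJP hop itself is unencrypted, as Mark notes, so the AJP <Connector> should listen only where httpd can reach it (Tomcat's `address="127.0.0.1"` connector attribute when both run on one host) rather than relying on the proxy rules alone.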