Tag Archives: Apache

How to bind apache server non localhost to tomcat server?

Goal

We would like to make sure Tomcat only listens to the Apache server, which was not on the localhost address. It is a security measure to protect the Tomcat port.

In order to do that, we need to add the attribute “address” to the connector of the Tomcat port.
A few words about the connector:

The HTTP Connector element represents a Connector component that supports the HTTP/1.1 protocol. It enables Catalina to function as a stand-alone web server, in addition to its ability to execute servlets and JSP pages.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

 
<Connector port="8111"
           acceptCount="100"
           address="127.0.0.1"
           connectionTimeout="5000"
           keepAliveTimeout="10000"
           maxKeepAliveRequests="1"
           maxConnections="10000"
           protocol="HTTP/1.1"
           />

A few words about the attribute address:

For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, this port will be used on all IP addresses associated with the server.

NOTE: this solution uses the HTTP protocol connector to connect to Apache instead of the AJP protocol. The AJP connector should be used between Apache and Tomcat for performance reasons.
https://www.mulesoft.com/tcat/tomcat-connectors

Problem

At first I used the localhost address (127.0.0.1) to make Tomcat listen on this address. I wrongly assumed the Apache server was at the local server address.

Apache and Tomcat would start with no errors. However, the application would not start. There were no meaningful errors in the application logs or the Tomcat logs. At last I found some errors in the Apache server error.log:

[Thu Jun 15 17:56:15 2017] [error] (111)Connection refused: proxy: HTTP: attempt to connect to 191.14.12.14:8111 (machine_adress) failed
[Thu Jun 15 17:56:15 2017] [error] ap_proxy_connect_backend disabling worker for (machine_adress)

This error helped me find a solution to this problem.
I checked the IP address 191.14.12.14 and found out in /etc/hosts that the address 191.14.12.14 was linked to a server called apache_instance1.

Solution :

I checked the Apache configuration “httpd.conf” and found out that the name of the server is:

ServerName apache_instance1

Therefore, to bind the Tomcat port to listen only to the Apache server, I had to modify the attribute address like this:

 

 
<Connector port="8111"
           acceptCount="100"
           address="apache_instance1"
           connectionTimeout="5000"
           keepAliveTimeout="10000"
           maxKeepAliveRequests="1"
           maxConnections="10000"
           protocol="HTTP/1.1"
           />

It fixes my problem.
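As the quoted documentation says, the address attribute selects which local IP address the connector listens on; it does not filter which clients may connect. The following audit is an added example, not part of the original post: it classifies each connector's bind scope, with SERVER_XML and HOSTS constructed from the values quoted above and the function names chosen here for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the post's two connector variants plus one connector
# with no address attribute, reduced to the attributes that matter here.
SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8111" address="127.0.0.1" protocol="HTTP/1.1"/>
  <Connector port="8111" address="apache_instance1" protocol="HTTP/1.1"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>
"""
# Constructed stand-in for /etc/hosts, using the mapping quoted in the post.
HOSTS = {"apache_instance1": "191.14.12.14"}


def bind_scope(address, hosts):
    """Classify the local interface a connector listens on.

    The address attribute picks the listening interface; it does not
    filter which remote clients may connect to that interface.
    """
    if address is None:
        return "all-interfaces"  # default for the HTTP connector
    try:
        ip = ipaddress.ip_address(hosts.get(address, address))
    except ValueError:
        return "unresolved"  # hostname missing from the supplied hosts map
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback-only" if ip.is_loopback else "network-reachable"


def audit(server_xml, hosts):
    """Return (port, address, scope) for every Connector in server.xml."""
    return [(c.get("port"), c.get("address"), bind_scope(c.get("address"), hosts))
            for c in ET.fromstring(server_xml).iter("Connector")]


if __name__ == "__main__":
    for port, address, scope in audit(SERVER_XML, HOSTS):
        # Anything wider than loopback needs a separate client restriction,
        # e.g. a host firewall rule or Tomcat's RemoteAddrValve.
        flag = "" if scope == "loopback-only" else "  <- restrict clients separately"
        print(f"port {port} address={address!r}: {scope}{flag}")
```

A connector reported as network-reachable accepts connections from any host that can route to that address, so limiting it to the Apache server takes an additional control on top of the bind address.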


Set up apache reverse proxy with tomcat

This article will overview the relation between Apache HTTP Server and tomcat and also the reverse proxy.

For a long time Tomcat/Apache was a black box for me because I did not have to manage it. But a few years ago I had the opportunity to gain more knowledge on this subject. The aim of this article is to focus on the big picture of Apache/Tomcat and present the reverse proxy module for Apache HTTP Server.

What is tomcat ?

Tomcat executes Java servlets and renders JSP (JavaServer Pages) web pages. This guide can help you to understand and run Tomcat: https://tomcat.apache.org/tomcat-3.2-doc/uguide/tomcat_ug.html

Tomcat is a web server used in the Java world most of the time. It is also easy to use in dev environment with Eclipse for quick testing of JSP/Javascript/HTML/CSS pages.

Install tomcat on linux :
http://www.vogella.com/tutorials/ApacheTomcat/article.html

Why use Apache if tomcat is a web server ?

Apache is more robust for static content such as HTML and images. For a production environment it is necessary to have Apache HTTP Server combined with Tomcat for dynamic content (JSP).

https://tomcat.apache.org/tomcat-3.2-doc/tomcat-apache-howto.html

How apache and tomcat communicate together ?

I am not going into details since there is documentation about it in the user’s guide and also here: https://tomcat.apache.org/tomcat-3.2-doc/tomcat-apache-howto.html

I am just going through the most important steps briefly and giving real-world examples along the way. For information, the example I am giving uses Tomcat version 8.0.23 and Apache version Apache/2.2.15 (Unix).

What’s required to pull this off?
Answers to the above three questions!
1. Configure Tomcat
2. Install a web server adapter.
3. Modify Apache’s httpd.conf file.

1. Configure Tomcat

1.1 Modify Tomcat’s server.xml file.
-> Create connectors (HTTP/HTTPS/AJP). A “Connector” represents an endpoint by which requests are received and responses are returned.
-> The AJP connector is the mechanism by which Tomcat will communicate with Apache.

1.2 Defining a context.
-> It is NOT recommended to place <Context> elements directly in the server.xml file. Define them in context.xml instead. https://tomcat.apache.org/tomcat-7.0-doc/config/context.html
-> We can also define here the JDBC configuration used to access the database. JDBC example under the context:

The Resources element represents all the resources available to the web application. https://tomcat.apache.org/tomcat-8.0-doc/config/resources.html . Example of resource within the context to mount the web app :

2. Install a web server adapter.

This adapter is not located in apache or tomcat configuration. It answers the question : “How will Apache forward these requests to Tomcat?”.
http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html

mod_jk requires two entities:
-> mod_jk.xxx – The Apache HTTP Server module; depending on your operating system, it will be mod_jk.so, mod_jk.nlm or MOD_JK.SRVPGM (see the build section). For example, on our Linux machine:
find / -iname '*MOD_JK*' -print 2>/dev/null
/usr/lib64/httpd/modules/mod_jk-1.2.31-httpd-2.2.x.so
-> workers.properties – A file that describes the host(s) and port(s) used by the workers (Tomcat processes). A sample workers.properties can be found under the conf directory in the source download.
Also, as with other Apache modules, mod_jk should first be installed in the modules directory of your Apache HTTP Server, i.e. /usr/lib/apache, and you should update your httpd.conf file.
-> mod_jk.conf – It is not always necessary to make custom changes to this file, but there are situations where we need to make changes.

For information, workers.properties and mod_jk.conf are located under our module's apache/conf.d directory.

3. Modify Apache’s httpd.conf file.

We need to tell Apache how to load and initialize our adapter, and that certain requests should be handled by this adapter and forwarded onto Tomcat. Tomcat does most of the work for you.

Each time you start Tomcat, after it loads Contexts (both from the server.xml and automatically from $TOMCAT_HOME/webapps), it automagically generates a number of files for you. The two that we’re concerned with are:
tomcat-apache.conf (should really be named mod_jserv.conf-auto)
mod_jk.conf-auto

For example, on my latest project, our httpd.conf file simply has a line to include all configuration files for Apache, including mod_jk.conf:

Include conf.d/*.conf

NOTE : For this application we do not use mod_jk.conf-auto but our own custom configuration file mod_jk.conf.

More information at chapter “httpd.conf – Apache’s main configuration file” https://tomcat.apache.org/tomcat-3.2-doc/tomcat-apache-howto.html#httpd

Reverse Proxy in Apache

A reverse proxy (or gateway), appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the namespace of the reverse proxy. The reverse proxy then decides where to send those requests and returns the content as if it were itself the origin.

https://httpd.apache.org/docs/2.4/en/mod/mod_proxy.html#access

We wanted to set up a reverse proxy in order to access a remote web server running on a different machine but on the same network. The idea was to access a servlet running in a different application. It would save us duplicating the servlet and a database for our application. Instead of recreating something that already existed, we could just reuse an existing web server.

As you have seen previously we have loaded all .conf files in conf.d directory including our reverse_proxy.conf file.

Our configuration file for the reverse proxy is the following :

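# Load the HTTP proxy module (mod_proxy itself must also be loaded)
LoadModule proxy_http_module modules/mod_proxy_http.so

# HTTP
# Rules are checked in configuration order, so the more specific path comes first
ProxyPass /foo/loadsomeinfo http://192.168.10.1:8080/loadapp
ProxyPassReverse /foo/loadsomeinfo http://192.168.10.1:8080/loadapp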

ProxyPass / http://machinea:9000/
ProxyPassReverse / http://machinea:9000/
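mod_proxy checks ProxyPass rules in configuration order and the first match wins, so a catch-all "/" rule placed first silently takes over every more specific path. The following lint is an added example, not part of the original post: it flags that ordering problem, a backend host that is not a valid IPv4 form, and a ProxyPass without its ProxyPassReverse pair. CONF is a constructed sample, the function names are illustrative, and prefix matching is approximated with startswith.

```python
from urllib.parse import urlsplit

# Constructed sample in the style of the post's reverse_proxy.conf: the
# catch-all rule comes first and one backend URL has "." where ":" belongs.
CONF = """\
ProxyPass / http://machinea:9000/
ProxyPassReverse / http://machinea:9000/
ProxyPass /foo/loadsomeinfo http://192.168.10.1.8080/loadapp
"""


def parse(conf):
    """Collect (path, backend_url) pairs per directive; other lines are skipped."""
    rules = {"ProxyPass": [], "ProxyPassReverse": []}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in rules:
            rules[parts[0]].append((parts[1], parts[2]))
    return rules


def lint(conf):
    """Return a list of human-readable findings for the proxy rules."""
    rules, issues = parse(conf), []
    passes = rules["ProxyPass"]
    reverse = set(rules["ProxyPassReverse"])
    for i, (path, url) in enumerate(passes):
        host = urlsplit(url).hostname or ""
        labels = host.split(".")
        # All-numeric host that is not a 4-octet IPv4 address: likely "ip.port".
        if all(label.isdigit() for label in labels) and len(labels) != 4:
            issues.append(f"{path}: malformed backend host {host!r}")
        # First match wins: an earlier rule whose path is a prefix shadows this one.
        for earlier, _ in passes[:i]:
            if path.startswith(earlier):
                issues.append(f"{path}: shadowed by earlier rule {earlier!r}")
                break
        # Without the pair, backend redirects leak the internal host name.
        if (path, url) not in reverse:
            issues.append(f"{path}: no matching ProxyPassReverse")
    return issues


if __name__ == "__main__":
    for finding in lint(CONF):
        print(finding)
```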

Apache module mod_proxy :
https://httpd.apache.org/docs/2.4/en/mod/mod_proxy.html#access