Apache2 reverse proxy with Tomcat's basic auth keep asking auth - authentication

I have Ubuntu 16.04, Apache2 (Apache/2.4.18 (Ubuntu)), and Tomcat running.
I have an application running on Tomcat with Basic auth. Whenever I try to access the application with Basic auth, it keeps asking me for the same thing.
I access it with "http://localhost/app/demo"
ServerAdmin demo#demo.com
ProxyPass /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
Proxyrequests off
ProxyPreserveHost on
ProxyErrorOverride on
#DocumentRoot /var/html/www
SSLProxyEngine On
RedirectMatch ^/$ http://app.demo.com
ServerName app.demo.com
ProxyPassReverseCookiePath /app /app
ProxyPassReverseCookieDomain localhost app.demo.com
<Location "/app">
ProxyPass "http://localhost:8080/app"
ProxyPassReverse "http://localhost:8080/app"
</Location>
<Location "/app-style">
ProxyPass "http://localhost:8080/app-style"
ProxyPassReverse "http://localhost:8080/app-style"
</Location>
<Location /data>
AuthType Basic
AuthName "Data Realm"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
<Location /data-ext>
AuthType Basic
AuthName "Data Relm EXT"
AuthUserFile /etc/apache2/.htpasswdext
Require valid-user
</Location>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
#SSLCertificateChainFile /etc/apache2/ssl/apache.crt

Related

apache mod_proxy url does not work unless / is appended

I have apache 2.4 setup with mod_proxy to load balance 2 tomcats.
Here is the addition to httpd.conf
ProxyRequests Off
ProxyPass /APP balancer://mycluster stickysession=JSESSIONID|jsessionid
ProxyPassReverse /APP balancer://mycluster
<Proxy balancer://mycluster>
BalancerMember http://TOMCAT1:8080/APP route=TOMCAT1
BalancerMember http://TOMCAT2:8080/APP route=TOMCAT2
</Proxy>
<Location /balancer-manager>
SetHandler balancer-manager
Require all granted
</Location>
ProxyPass /balancer-manager !
<Location /server-status>
SetHandler server-status
Require host localhost
Require all granted
</Location>
From a browser, if I try "http://localhost:7000/APP" it does not work. However, if I use "http://localhost:7000/APP/" the application comes up.
Note the additional "/" at the end of the URL. How can this additional / be avoided?
Update
Working structure:
ProxyRequests Off
ProxyPass /APP balancer://mycluster/APP stickysession=JSESSIONID|jsessionid
ProxyPassReverse /APP balancer://mycluster/APP
<Proxy balancer://mycluster>
BalancerMember http://TOMCAT1:8080 route=TOMCAT1
BalancerMember http://TOMCAT2:8080 route=TOMCAT2
</Proxy>
<Location /balancer-manager>
SetHandler balancer-manager
Require all granted
</Location>
ProxyPass /balancer-manager !
<Location /server-status>
SetHandler server-status
Require all granted
</Location>
Your balancer definitions are wrong. In the balancer definitions you just have to define the node, not the uri they handle.
**Incorrect:**
BalancerMember http://TOMCAT1:8080/APP
**Correct:**
BalancerMember http://TOMCAT1:8080
And then you handle uri-paths in ProxyPass
ProxyPass /app/ balancer://mycluster/app/
You can also use:
ProxyPass /app balancer://mycluster/app
Note: balancer://mycluster is the same as balancer://mycluster/. And there is a rule you should follow to avoid issues: if the source has a trailing slash, the target should also have a trailing slash. That way you avoid path mismatches in the response from the backend.
Note2: Your <Location /server-status> has two Require statements. Since the default is Require any, all will be allowed because you have a Require all granted, so it makes no sense to define a Require host localhost in that context.
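The three points of the answer above can be checked mechanically. This is an added example, not code from the original post; `lint_proxy_conf` and its messages are names made up for illustration, and the sample is the question's non-working configuration:

```python
from urllib.parse import urlsplit

# Configuration from the question above (the version that did not work).
QUESTION_CONF = """\
ProxyPass /APP balancer://mycluster stickysession=JSESSIONID|jsessionid
ProxyPassReverse /APP balancer://mycluster
<Proxy balancer://mycluster>
BalancerMember http://TOMCAT1:8080/APP route=TOMCAT1
BalancerMember http://TOMCAT2:8080/APP route=TOMCAT2
</Proxy>
<Location /server-status>
SetHandler server-status
Require host localhost
Require all granted
</Location>
"""


def lint_proxy_conf(text):
    """Return (line_number, message) pairs for the answer's three points."""
    findings, requires = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        words = raw.strip().replace('"', "").split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "balancermember" and len(words) > 1:
            # Members should name only the node; paths belong in ProxyPass.
            if urlsplit(words[1]).path not in ("", "/"):
                findings.append((number, "BalancerMember includes a URI path"))
        elif key in ("proxypass", "proxypassreverse") and len(words) > 2 and words[2] != "!":
            # An empty target path is treated as "/", as the answer notes.
            target_path = urlsplit(words[2]).path or "/"
            if words[1].endswith("/") != target_path.endswith("/"):
                findings.append((number, "trailing slash mismatch"))
        elif words[0].startswith("</"):
            # Several Require lines default to "any", so "all granted" wins.
            if len(requires) > 1 and "all granted" in requires:
                findings.append((number, "Require all granted overrides the rest"))
            requires = []
        elif words[0].startswith("<"):
            requires = []
        elif key == "require":
            requires.append(" ".join(words[1:]).lower())
    return findings
```

On the question's configuration this reports both ProxyPass lines, both BalancerMember lines and the `/server-status` block; the "Working structure" from the update produces no findings.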

Enable Basic Authentication in Lucee (tomcat) with Apache

I'm using Apache with Lucee (Tomcat). I have a dev site that I want behind basic authentication. I have Apache configured, and non-ColdFusion pages require and prompt for authentication. When I navigate to a CF page, basic authentication isn't being required.
What Tomcat / Lucee config file do I need to modify to either use the Apache basic authentication or set up additional basic authentication?
I'm running Apache/2.4.10 (Debian)
Here's my site config file:
<VirtualHost *:80>
ServerName dev.mysite.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/mysite.com/dev/docroot
<Directory /var/www/mysite.com/dev>
Options Indexes FollowSymLinks
AllowOverride All
AuthName "Secured Development Environment"
AuthType Basic
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
DirectoryIndex index.cfm index.html
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Here's what Lucee Added to my apache2.conf file
<IfModule mod_proxy.c>
ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1$2
ProxyPassMatch ^/(.+\.cfchart)(/.*)?$ http://127.0.0.1:8888/$1$2
ProxyPassMatch ^/(.+\.cfml)(/.*)?$ http://127.0.0.1:8888/$1$2
# optional mappings
#ProxyPassMatch ^/flex2gateway/(.*)$ http://127.0.0.1:8888/flex2gateway/$1
#ProxyPassMatch ^/messagebroker/(.*)$ http://127.0.0.1:8888/messagebroker/$1
#ProxyPassMatch ^/flashservices/gateway(.*)$ http://127.0.0.1:8888/flashservices/gateway$1
#ProxyPassMatch ^/openamf/gateway/(.*)$ http://127.0.0.1:8888/openamf/gateway/$1
#ProxyPassMatch ^/rest/(.*)$ http://127.0.0.1:8888/rest/$1
ProxyPassReverse / http://127.0.0.1:8888/
</IfModule>
Here's my updated config based on the recommendation
I updated my config based on your recommendation and it doesn't resolve the issue.
<VirtualHost *:80>
ServerName dev.mysite.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/mysite.com/dev/docroot
<Directory /var/www/mysite.com/dev>
Options Indexes FollowSymLinks
AllowOverride All
AuthName "Secured Development Environment"
AuthType Basic
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
DirectoryIndex index.cfm index.html
</Directory>
<IfModule mod_proxy.c>
ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1$2
ProxyPassMatch ^/(.+\.cfchart)(/.*)?$ http://127.0.0.1:8888/$1$2
ProxyPassMatch ^/(.+\.cfml)(/.*)?$ http://127.0.0.1:8888/$1$2
ProxyPassReverse / http://127.0.0.1:8888/
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
This doesn't work, and I'm not sure it is any different since the virtual hosts are included before the IfModule
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
The requests are getting proxied off to Tomcat before they hit your VirtualHost. Move the <IfModule> stuff into the <VirtualHost> after the <Directory> definition. You will need to do this for each Virtual Host, so you might want to pop it into a separate file and then include it using the Include directive.
Also try adding in:
<Limit GET POST>
order deny,allow
satisfy any
deny from all
require valid-user
</Limit>
Just after the Require valid-user line.
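Apache applies `<Directory>` sections to filesystem paths, so requests handed to mod_proxy are not covered by them, while `<Location>` sections match the URL. The added check below (not part of the original posts; `proxied_auth_gaps` and the `WITH_LOCATION` variant are constructed for illustration) flags proxy directives in a virtual host whose only `Require` rules sit in filesystem-scoped sections:

```python
import re

# Virtual host from the question above, trimmed to the relevant directives.
DIRECTORY_ONLY = """\
<VirtualHost *:80>
DocumentRoot /var/www/mysite.com/dev/docroot
<Directory /var/www/mysite.com/dev>
AuthType Basic
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ProxyPassMatch ^/(.+\\.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1$2
</VirtualHost>
"""

# Constructed variant (an assumption, not from the page): the same auth
# rules in a URL-scoped <Location> block, which also covers proxied requests.
WITH_LOCATION = DIRECTORY_ONLY.replace(
    "<Directory /var/www/mysite.com/dev>", '<Location "/">'
).replace("</Directory>", "</Location>")

URLSPACE = {"location", "locationmatch", "proxy", "proxymatch"}


def proxied_auth_gaps(text):
    """Return proxy directives not covered by any URL-scoped Require rule."""
    gaps, stack, proxies, url_auth = [], [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        tag = re.match(r"<(/?)(\w+)", line)
        if tag and not tag.group(1):
            stack.append(tag.group(2).lower())
        elif tag:
            if stack:
                stack.pop()
            if tag.group(2).lower() == "virtualhost":
                # Coarse check: any URL-scoped rule in the vhost counts.
                gaps += [] if url_auth else proxies
                proxies, url_auth = [], False
        elif re.match(r"proxypass(match)?\s", line, re.I) and not line.endswith("!"):
            proxies.append(line)
        elif re.match(r"require\s+(?!all\s+granted)", line, re.I):
            # <Directory>/<Files> rules never see proxied requests.
            url_auth = url_auth or any(s in URLSPACE for s in stack)
    return gaps + ([] if url_auth else proxies)
```

The check does not compare the `<Location>` path with the proxied URL pattern, so a finding-free result still needs a manual look at which paths the rule covers.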

Connecting Apache and Wildfly using mod_cluster

I am trying to setup mod_cluster as a reverse proxy for Wildfly 9. When I use http as a protocol (between mod_cluster and Wildfly), everything works just fine (forwarding requests to application server and detecting server).
My problems come up when I try to wire mod_cluster and Wildfly using ajp as a protocol. I checked mod_cluster-manager and it seemed that mod_cluster was connected to Wildfly, but it couldn't forward requests to the application server.
I have the following configuration:
http server: Apache/2.4.18 (Ubuntu)
application server: Wildfly 9.0.2
mod_cluster: 1.3
mod_cluster.conf
PersistSlots on
CreateBalancers 1
MemManagerFile /opt/mod_cluster/logs
EnableOptions
AllowDisplay On
AllowCmd On
WaitForRemove 1
UseAlias 1
ServerAdvertise Off
Listen *:5555
<VirtualHost *:5555>
<Directory />
Order deny,allow
Allow from 192.168.0.71
Allow from 192.168.0.71
Allow from 127
Require all granted
</Directory>
<Location /mcm>
SetHandler mod_cluster-manager
Allow from 192.168
Allow from all
</Location>
KeepAliveTimeout 300
MaxKeepAliveRequests 0
ManagerBalancerName mycluster
#AdvertiseFrequency 5
EnableMCPMReceive
</VirtualHost>
<VirtualHost *:80>
ServerName my-app.org
ServerAlias my-app.org
ErrorLog /var/log/apache2/user.error.log
LogLevel warn
CustomLog /var/log/apache2/my_app.access.log combined
ServerSignature On
Redirect "/" https://my-app.org
ProxyPreserveHost On
SSLProxyEngine On
ProxyPreserveHost On
#ProxyPass /_error !
#ProxyPass / balancer://mycluster stickysession=JSESSIONID|jsessionid nofailover=on
#ProxyPassReverse / balancer://mycluster
<Location />
Order deny,allow
Allow from all
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerName my-app.org
ServerAlias my-app.org
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
ErrorLog /var/log/apache2/user.ssl.error.log
LogLevel warn
CustomLog /var/log/apache2/my_app.ssl.access.log combined
ServerSignature On
SSLProxyEngine On
ProxyPreserveHost On
ProxyPass /_error !
ProxyPass / balancer://mycluster stickysession=JSESSIONID|jsessionid nofailover=on
ProxyPassReverse / balancer://mycluster
<Location />
Order deny,allow
Allow from all
</Location>
</VirtualHost>
Wildfly Configuration (relevant fragments):
mod_cluster subsystem:
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
<mod-cluster-config advertise-socket="modcluster"
proxies="mc-prox1"
advertise="false"
sticky-session-force="true" load-balancing-group="mycluster" connector="ajp">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
outbound-socket-binding:
<outbound-socket-binding name="mc-prox1">
<remote-destination host="192.168.0.71" port="5555"/>
</outbound-socket-binding>
[EDIT]
I should have included ajp configuration:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:1500}">
<socket-binding name="ajp" port="${jboss.ajp.port:0}" />
.......
</socket-binding-group>
[EDIT2]
When I set ajp port to 8009, it works. I want to use custom port number.
Does anyone have a clue how to do it?
It turned out I had the wrong binaries :/. After replacing them with the ones from the official website, I managed to connect Wildfly with Apache through AJP.

How can I access 1 tomcat app from 2 different contexts?

Is it possible to load the same application called from different URLs?
I have tried different configs with mod_rewrite but it's not working. I am currently trying with virtual hosts but not sure if it will work.
I am assuming that, since you mention that you are using mod_rewrite, you are fronting Tomcat with Apache?
If so, why not use Apache as a reverse proxy?
An example config for Apache would be as follows, where Tomcat is assumed to run on port 8080 with Tomcat's ROOT context serving out the application.
NameVirtualHost *
<VirtualHost *>
ServerName url1.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
<VirtualHost *>
ServerName url2.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>

Setting up httpd authentication for a particular page

I had a script install this all for me, but I am trying to configure it to how I like.
The issue is it does it at the root of the web directory; I want it to apply to a particular folder in the directory. How would I go about this?
This is what I have now:
ServerName localhost
<VirtualHost *:80>
ServerAdmin admin#rutorrent
ServerName localhost
DocumentRoot /var/rutorrent/
<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Location />
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require valid-user
Order allow,deny
Allow from all
</Location>
<Location ~ "^/rutorrent/(conf|share)">
Order deny,allow
Deny from all
</Location>
<Location ~ "/\\.svn">
Order deny,allow
Deny from all
</Location>
<Location "/RPC00001">
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require user torrent
</Location>
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/httpd/rutorrent.pem
ServerAdmin admin#rutorrent
ServerName localhost
DocumentRoot /var/rutorrent
<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Location />
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require valid-user
Order allow,deny
Allow from all
</Location>
<Location ~ "^/rutorrent/(conf|share)">
Order deny,allow
Deny from all
</Location>
<Location ~ "/\\.svn">
Order deny,allow
Deny from all
</Location>
<Location "/RPC00001">
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require user torrent
</Location>
</VirtualHost>
#SCGIMount /RPC00001 127.0.0.1:23876
I want to make it so it asks for a password in /var/rutorrent/passwordarea
I also wouldn't mind having a separate password and username for /var/rutorrent so if someone could share how to do that as well I'd greatly appreciate it.
Thanks
