EzDevInfo.com

mod-proxy interview questions

Top mod-proxy frequently asked interview questions

Setting up an Apache Proxy with Authentication

I need to set up a proxy with authentication to verify the behavior of an application that connects to the internet.

I am trying to set-up an Apache installation with forward proxy and authentication, and even though I am close to make it work, I wonder if there is maybe a better way, as the configuration is fairly esoteric.

How can Apache be configured to work this way?

Is there any other good option that is already configured? Maybe some VM or some other software tool, instead of Apache?


Source: (StackOverflow)

Bad Gateway 502 error with Apache mod_proxy and Tomcat

We're running a web app on Tomcat 6 and Apache mod_proxy 2.2.3. Seeing a lot of 502 errors like this:

Bad Gateway! The proxy server received an invalid response from an upstream server.

The proxy server could not handle the request GET /the/page.do.

Reason: Error reading from remote server

If you think this is a server error, please contact the webmaster.

Error 502

Tomcat has plenty of threads, so it's not thread-constrained. We're pushing 2400 users via JMeter against the app. All the boxes are sitting inside our firewall on a fast unloaded network, so there shouldn't be any network problems.

Anyone have any suggestions for things to look at or try? We're heading to tcpdump next.

UPDATE 10/21/08: Still haven't figured this out. Seeing only a very small number of these under load. The answers below haven't provided any magical answers...yet. :)


Source: (StackOverflow)

Advertisements

apache proxy module gives 403 forbidden error

I am trying to use the apache's proxy module for working with xmpp on ubuntu desktop. For this i did the following things -

1) enabled mod_proxy by creating a symlink of proxy.conf, proxy.load and proxy_http.load from /etc/apache2/mods-available/ in the mods-enabled directory.

2) Added the following lines to the vhost

    <Proxy http://mydomain.com/httpbind>
     Order allow,deny
     Allow from all
   </Proxy>

   ProxyPass /httpbind http://mydomain.com:7070/http-bind/
   ProxyPassReverse /httpbind http://mydomain.com:7070/http-bind/

I am new to using the proxy module but what i can make from the above lines is that requests to http://mydomain.com/httpbind will be forwarded to http://mydomain.com:7070/http-bind/. Kindly correct if wrong.

3) added rule Allow from .mydomain.com in /mods-available/proxy.conf

Now i try to access http://mydomain.com/httpbind and it shows 403 Forbidden error..

What am i missing here ? Please help. thanks

Edit : The problem got solved when i changed the following code in mods_available/proxy.conf

    <Proxy *>
            AddDefaultCharset off
            Order deny,allow
    Deny from all 
    Allow from mydomain.com                        
    </Proxy>

to

    <Proxy *>
            AddDefaultCharset off
            Order deny,allow
    #Deny from all 
    Allow from all                         
    </Proxy>

Didnt get what was wrong with the initial code though


Source: (StackOverflow)

Is it possible to ignore an Apache proxy'd certificate

For background information: (Question at bottom)

I'm trying to connect to a client, who has 8 servers, all of which have unique IP addresses. The client uses the same SSL certificate on all the servers (for this example, cert name == www.all_servers.com). The client only allows incoming requests over https.

I'm trying to create an apache proxy using mod_proxy that maps different URI mappings to different servers. For example:

https://PROXY_SERVER/SERVER1/{REQUEST}

This would send {REQUEST} to server1

https://PROXY_SERVER/SERVER2/{REQUEST}

would send {REQUEST} to server2. So far, pretty simple.

In Apache 2.2, this could be achieved by using the IP addresses like so:

SSLProxyEngine On

ProxyPass /server1 https://1.1.1.1/
ProxyPassReverse /server1 https://1.1.1.1/

ProxyPass /server2 https://1.1.1.2/
ProxyPassReverse /server2 https://1.1.1.2/

This was due to Apache 2.2 not checking if the certificate matched (1.1.1.1 != www.all_servers.com)

However, in Apache 2.4, I'm now getting certificate issues (rightly so). (This exact code works on an apache 2.2 box)

[Thu Oct 10 12:01:48.571246 2013] [proxy:error] [pid 13282:tid 140475667224320] (502)Unknown error 502: [client 192.168.1.1:48967] AH01084: pass request body failed to 1.1.1.1:443 (1.1.1.1)
[Thu Oct 10 12:01:48.571341 2013] [proxy:error] [pid 13282:tid 140475667224320] [client 192.168.1.1:48967] AH00898: Error during SSL Handshake with remote server returned by /server1/asd
[Thu Oct 10 12:01:48.571354 2013] [proxy_http:error] [pid 13282:tid 140475667224320] [client 192.168.1.1:48967] AH01097: pass request body failed to 1.1.1.1:443 (1.1.1.1) from 192.168.1.1 ()

I can't use /etc/hosts, as one server would work, using:

1.1.1.1 www.all_servers.com

SSLProxyEngine On
ProxyPass /server1 https://www.all_servers.com/
ProxyPassReverse /server1 https://www.all_servers.com/

But many servers wouldn't


So, to the actual question:

Is there a way to force mod_proxy to ignore miss-matching certificates. Or, is there a better way to do this.

Thanks for any help with this!


Source: (StackOverflow)

NGINX to reverse proxy websockets AND enable SSL (wss://)?

I'm so lost and new to building NGINX on my own but I want to be able to enable secure websockets without having an additional layer.

I don't want to enable SSL on the websocket server itself but instead I want to use NGINX to add an SSL layer to the whole thing.

Every web page out there says I can't do it, but I know I can! Thanks to whoever (myself) can show me how!


Source: (StackOverflow)

apache to tomcat: mod_jk vs mod_proxy

What are the advantages and disadvantages of using mod_jk and mod_proxy for fronting a tomcat instance with apache?

I've been using mod_jk in production for years but I've heard that it's "the old way" of fronting tomcat. Should I consider changing? Would there be any benefits?


Source: (StackOverflow)

Risk of using Apache mod_proxy

I am now exploring to use Apache's mod_proxy's directive, eg ProxyPass, as part of solution for cross-domain scripting restriction (for html/ajax/flash code). However, I am afraid by enabling mod_proxy, I would risk having the server as open proxy.

What's the risk, and how to minimize the risk, in short?

Thanks.


Source: (StackOverflow)

Apace proxy caching "service temporarily unavailable" response when target is down

I have apache sitting in front of my node server. Node is running on certain port, I am using apache to proxy to that port and also have apache configured for https.

When I start apache and then start my node server everything runs great. If I bring down the node server and try to hit my service apache says 'Service Temporarily Unavailable'. This is expected as my node server is down.

However when I bring my server back up without touching apache and try to hit me service again apache still says 'Service Temporarily Unavailable'. Its like apache is not trying again. If I bounce apache all is well again.

Since I am running with forever there is a chance my server could be down for a few second if a fatal happens. I don't want to have to bounce apache if that happens.

Is there anyway to get apache to always try and not cache the fact that a Service it recently tried to hit was unavailable?


Source: (StackOverflow)

How can I setup reverse proxy on IIS, allowing cross-host communciation between host1.mydomain.com and host2.mydomain.com?

I have a page at host1.mydomain.com/page_from_host1.jsp and an HTML page at host2.mydomain.com/page_from_host2.html. host1 is an IIS7/Tomcat box and host2 is an IIS7 box. I want to allow the first page to submit a form, which displays the second page, and the URL does not change.

That is, the URL is host1.mydomain.com/page_rom_host2.jsp, but the contents of the page are from host2.mydomain.com/page_from_host2.html.

I would imagine I can setup a reverse proxy on IIS to accomplish this, similar to mod_proxy, but the Apache Tomcat Server throws a bit of a wrench into all of this. How can I setup a reverse proxy to allow cross-host communication and mask the URL?

Thank you.


Source: (StackOverflow)

How to rewrite / proxy an Apache URI to an application listening on a specific port / server?

They say that Apache's mod_rewrite is the swiss-army knife of URL manipulation, but can it do this?

Lets say I want to add a new application to my Apache webserver, where the only configurable option of the app is a port number.

I want to use & give out URLs of the form "http://hostname.example.com/app" rather than "http://hostname.example.com:8080". This would ensure that clients would be getting through the institution's firewall as well, and it's generally tidier.

My application includes absolute URIs in php, javascript and css, so I want to prepend my own root location to the URI in the applications internal links. I have no access to DNS records and so can't create another name-based virtual server.

Using Apache's mod_rewrite and mod_proxy modules, I can transparently redirect a client to the correct home-page of the application. But links within that homepage don't point a client to links relative to the new base URL.

So, what's the best way of proxying a request to an application that is listening on a specific port?

For example, if I had an application listening on port 8080, I could put this in my Apache configuration:-

<VirtualHost *:80>
    SSLProxyEngine On
    ServerName myhost.example.com
    RewriteEngine On
    UseCanonicalName On
    ProxyVia On
    <Location "/application">
        RewriteRule ^/application/?(.*) http://localhost:8080/$1 [P,L]
    </Location>
</VirtualHost>

This would work fine if the application didn't use absolute URLs, but it does. What I need to do is rewrite URLs that are returned by the application's css, javascript and php.

I've looked at the ProxyPass and ReverseProxyPass documentation, but I don't think these would work..?

I've also come across Nick Kew's mod_proxy_html, but this isn't included in the standard Apache Distribution, and my institution's webserver seems to have been fine for years without it.. Other than trawling manually (or using a grep -r | sed type expression) through the application's source code, or using this 3rd party add-on, are there any other ways to go about this?

Could I perhaps use some of the internal server variables in a mod_rewrite rule? For example a rewrite rule based on ’HTTP_REFERER'?


Source: (StackOverflow)

lighttpd as reverse-proxy

DeviceA serves as a reverse-proxy and is supposed to forward requests as follows:

192.168.1.10/DeviceB ==> 192.168.1.20/index.html

192.168.1.10/DeviceC ==> 192.168.1.30/index.html

Both index files are located under /var/www and are static "Hello world!" pages. The problem is that I can't access those files through DeviceA, but if I call a test service also running on DeviceC (listening on port 12345) everything works fine.

Am I wrong saying that the web server on DeviceB, DeviceC should respond with index.html if a request comes in on port 80 ???

lighttpd.conf DeviceA @192.168.1.10 server.modules = ( "mod_proxy" )

proxy.server = ( 
"/DeviceB" => ( "" => ( "host" => "192.168.1.20", "port" => 80 )),
"/DeviceC" => ( "" => ( "host" => "192.168.1.30", "port" => 80 )),  
"/TestService" => ( "" => ( "host" => "192.168.1.30", "port" => 12345 ))
)

lighttpd.conf DeviceB @192.168.1.20

server.document-root = "/var/www"
server.port = 80
index-file.names = ( "index.html" )

lighttpd.conf DeviceC @192.168.1.30

server.document-root = "/var/www"
server.port = 80
index-file.names = ( "index.html" )

Update

Do I need $HTTP["host"] == ... around proxy.server() to rewrite/redirect URLs? Or, how to define what shall be proxy(ed)


Source: (StackOverflow)

Tomcat cookies not working via my ProxyPass VirtualHost

I'm having some issues with getting cookies to work when using a ProxyPass to redirect traffic on port 80 to a web-application hosted via Tomcat.

My motivation for enabling cookies is to get rid of the "jsessionid=" parameter that is appended to the URLs.

I've enabled cookies in my context.xml in META-INF/ for my web application.
When I access the webapplication via http://url:8080/webapp it works as expected, the jsessionid parameter is not visible in the URL, instead it's stored in a cookie.

When accessing my website via an apache2 virtualhost the cookies doesn't seem to work because now "jsessionid" is being appended to the URLs. How can I solve this issue?

Here's my VHost configuration:

<VirtualHost *:80>
        ServerName somedomain.no
        ServerAlias www.somedomain.no

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPreserveHost Off
        ProxyPass / http://localhost:8080/webapp/
        ProxyPassReverse / http://localhost:8080/webapp/

        ErrorLog /var/log/apache2/somedomain.no.error.log
        CustomLog /var/log/apache2/somedomain.no.access.log combined
</VirtualHost>

EDIT: The cookie is actually being set. I am guessing that the problem is that the cookie contains the "Path: /webapp".


Source: (StackOverflow)

Ajp invalid message received with signature

I am using Tomcat 7.0.29 fronted with Apache 2.2.22 modproxy. Configured Ajp as the protocol in httpd.conf and AjpNioProtocol in server.xml. After the server starts, the logs are filled with the following message:

Severe: Invalid message received with signature 20599
com.apache.coyote.ajp.AjpMessage processHeader

There are no requests sent to the web or tomcat server and it still throws that error. Access logs in tomcat and apache show that no request is coming in. What is causing the invalid message error?

Here is the configuration :

  • httpd.conf

    ProxyPass /wl ajp:// ip : port /wl
    ProxyPassReverse /wl ajp:// ip : port /wl
    
  • server.xml

    <Connector port="port" 
               protocol="org.apache.coyote.ajp.AjpNioProtocol" 
               connectionTimeout="20000" 
               acceptorThreadCount="2" 
               maxThreads="1600" 
               redirectPort="8443" />
    

Source: (StackOverflow)

Setting timeout for all the ProxyPass mappings in Apache Server mod_proxy directive [closed]

What I have and works:

I'm using Apache HTTPD 2.2 for proxy requests. I have multiple ProxyPass mappings:

ProxyRequests On 
<Proxy *>
AddDefaultCharset off
    Order deny,allow
    Allow from all
</Proxy>
ProxyPreserveHost Off

ProxyPass /a http://some_ip/
ProxyPassReverse /a http://some_ip/

ProxyPass /b http://some_other_ip/
ProxyPassReverse /b http://some_other_ip/

...

This works well.

What I want:

Some of my requests are taking longer, so they timed out giving me a Proxy Error - Reason: Error reading from remote server.

I want to set timeout for all of my requests. Can I do this without having to add timeout=... KeepAlive=On for every ProxyPass mapping?

I currently have something like:

ProxyPass /a http://some_ip/ timeout=1200 KeepAlive=On
ProxyPassReverse /a http://some_ip/

ProxyPass /b http://some_other_ip/ timeout=1200 KeepAlive=On
ProxyPassReverse /b http://some_other_ip/

... and i do this for all my ProxyPass mappings

Can I tell Apache in some way to add timeout and KeepAlive parameters for all the mappings? Thanks in advance.


Source: (StackOverflow)

Is there a way to remove apaches Reverse Proxy Request Headers?

When acting as a reverse proxy, apache adds x-forwarded headers as described here.

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers

In my configuration I have configured server A as a forward proxy. There is a rule like this:

RewriteRule proxy:(.*example.com)/(.*) $1.mysecondserver.com/$2 [P]

This rule lets the server request the resource from one of my other servers.

On the second server (origin) I have a virtual host container for the resource and another rewrite rule like this:

RewriteRule some-regex some-url [P]

It may not seem to make sense like this but there is a lot of other stuff going on that I left out as it is not part of the problem.

However that final request has these headers:

[X-Forwarded-For] => ip of 1st server
[X-Forwarded-Host] => example.myseconserver.com
[X-Forwarded-Server] => example.com

I want those headers gone.

I seem to be unable to unset them with mod_headers. I can add more entries to the, but I can not remove them

Any Ideas?


Source: (StackOverflow)