Search code examples
httpsapache2tomcat8proxypass

Configure Tomcat8 behind Apache with HTTPS


I have Tomcat 8 installed in my server in port 8080 that I am exposing with a secured Apache (using Proxy Pass).

Here is my Apache configuration:

<VirtualHost *:443>
    ServerName myserver.com

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass           /odata/    http://172.31.36.251:8080/
    ProxyPassReverse    /odata/    http://172.31.36.251:8080/

    <Proxy *>
        allow from all
    </Proxy>

    RequestHeader set X-Forwarded-Port 443
    RequestHeader set X-Forwarded-Scheme https
</VirtualHost>

Here is the Tomcat server.xml configuration

<Connector port="8080" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="8443" 
            address="172.31.36.251" 
            proxyName="myserver.com" 
            scheme="https" proxyPort="443"  />

All works well until here. If I call my application: https://myserver.com/odata/D3a1593adae89/odata.svc/

I get:

<service xmlns="http://www.w3.org/2007/app" xmlns:atom="http://www.w3.org/2005/Atom" xml:base="https://myserver.com:443/D3a1593adae89/odata.svc/">
<workspace>
<atom:title>Default</atom:title>
<collection href="Maintables">
<atom:title>Maintables</atom:title>
</collection>
</workspace>
</service>

The problem: If you see the attribute xml:base in the result, Tomcat decorates the address with the port and I really don't know how to remove it. Also the address is wrong: It should be https://myserver.com:443/odata/D3a1593adae89/odata.svc/ . I been looking around and trying things like setting proxyPort to blank but nothing. I think this is related to broken links when using a reverse proxy as described at https://cwiki.apache.org/confluence/display/HTTPD/TomcatModProxyHTML . I tried some rewrites like:

ProxyHTMLURLMap http://172.31.33.105:8080 /odata
       RewriteEngine On
       RewriteRule ^/odata$ https://myserver.com/odata/ [R,L]

But I just cannot make it work. The xml:base should be https://myserver.com/odata/D3a1593adae89/odata.svc/

Any idea is appreciated


Solution

  • For the port thing, as you use ProxyPreserveHost On and you set X-Forwarded-* headers, you can use the RemoteIpValve:

    <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" /> 
    

    The connector will be simply:

    <Connector port="8080" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="443" 
                address="172.31.33.105" 
                 />
    

    The valve detect the proto and will assume the connection is secured with the default port number (https://xxxxx/yyy).

    For the location, you should deploy your application in the odata context so that you can use

        ProxyPass           /odata    http://172.31.33.105:8080/odata
    

    modifying the context on the proxy pass (from /odata/ to /) is somehow tricky as you would need to filter all text coming from your backend server to fix some url path. It can be really painful ( should I replace all "/xxx" with "/odata/xxx" ? )