DX NetOps

  • 1.  Apache HTTPD proxy to Spectrum Oneclick Tomcat using AJP protocol

    Posted Apr 12, 2013 02:06 PM
    Hi All,

    I am trying to set up an Apache proxy in front of Spectrum Oneclick Tomcat using HTTPD's AJP protocol. I am using SSL and the Sun web agent for authentication. User requests are sent to https://host_url.tld and the user is directed to the authentication portal. Once authenticated they are sent back to HTTPD on the server, where the request is proxied using the AJP protocol on port 8009 to Tomcat. In my Apache logs I see the 302 redirect, but the Tomcat server is not accepting the connections. In my Spectrum/tomcat/conf/server.xml I have a connector accepting requests on 8009. I have tried several different combinations of configurations in the server.xml, but none are working. It is my understanding that I would only need to edit my httpd/conf.d/ssl.conf and Spectrum/tomcat/conf/server.xml. Is there some other file that I need to edit? Does anyone have experience with a similar setup, and would you mind sharing your configurations?

    Thank you,
    Scotty


    ssl.conf ajp proxy lines
    --
    # Tomcat Proxy
    ProxyRequests On
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>

    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/

    <Location />
    Order allow,deny
    Allow from all
    </Location>


    server.xml (current configuration with no redirect)
    --
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Tomcat Server Configuration File --><Server port="8005" shutdown="SHUTDOWN">

    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

    <!-- Define the Tomcat Stand-Alone Service -->
    <Service name="Tomcat-Standalone">

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" />

    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">
    <!-- Define the host to run the web applications -->
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

    <!-- Access log processes all requests for this virtual host. By
    default, log files are created in the "logs" directory relative to
    $CATALINA_HOME. If you wish, you can specify a different
    directory with the "directory" attribute. Specify either a relative
    (to $CATALINA_HOME) or absolute path to the desired directory.
    This access log implementation is optimized for maximum performance,
    but is hardcoded to support only the "common" and "combined" patterns.
    -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false" />
    </Host>

    </Engine>

    </Service>

    </Server>


    server.xml (with redirect to port 8443)
    --
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Tomcat Server Configuration File --><Server port="8005" shutdown="SHUTDOWN">

    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

    <!-- Define the Tomcat Stand-Alone Service -->
    <Service name="Tomcat-Standalone">

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->

    <Connector address="127.0.0.1"
    port="8443" minProcessors="5" maxProcessors="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true" SSLEnabled="true"
    clientAuth="false" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    keystoreFile="/opt/Spectrum/custom/keystore/cacerts"
    keystorePass="changeit">
    </Connector>

    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">
    <!-- Define the host to run the web applications -->
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

    <!-- Access log processes all requests for this virtual host. By
    default, log files are created in the "logs" directory relative to
    $CATALINA_HOME. If you wish, you can specify a different
    directory with the "directory" attribute. Specify either a relative
    (to $CATALINA_HOME) or absolute path to the desired directory.
    This access log implementation is optimized for maximum performance,
    but is hardcoded to support only the "common" and "combined" patterns.
    -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false" />
    </Host>

    </Engine>

    </Service>

    </Server>


  • 2.  RE: Apache HTTPD proxy to Spectrum Oneclick Tomcat using AJP protocol

    Posted Apr 17, 2013 02:26 PM
    Hello Community:

    Scotty is looking for some assistance. Anyone?

    Thanks!
    Mary


  • 3.  RE: Apache HTTPD proxy to Spectrum Oneclick Tomcat using AJP protocol
    Best Answer

    Posted Apr 18, 2013 11:50 AM
    Hi All,

    Some additional information will hopefully help to make the overall solution clear for anyone who is looking to do something similar in the future. My setup includes a redirect to an OpenSSO authentication agent that is handled by HTTPD. The issue I originally posted was directly related to the OpenSSO agent and not the HTTPD proxy to Tomcat.

    User accesses https://url.tld/spectrum -> HTTPD answers the request and directs to the OpenSSO agent server -> User authenticates and is directed back to HTTPD -> HTTPD proxies the request to Spectrum's Tomcat using the AJP protocol

    My HTTPD.conf has a rewrite rule to force HTTPS on port 443.

    httpd.conf
    --
    <VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^8443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
    </VirtualHost>

    My ssl.conf has a proxy rule to force the connection to Tomcat on port 8009.

    ssl.conf
    --
    ProxyRequests On
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>

    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/

    <Location />
    Order allow,deny
    Allow from all
    </Location>

    My Spectrum server.xml is only listening on port 8009 for incoming connections.

    server.xml
    --
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Tomcat Server Configuration File --><Server port="8005" shutdown="SHUTDOWN">

    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

    <!-- Define the Tomcat Stand-Alone Service -->
    <Service name="Tomcat-Standalone">

    <!-- This is here for compatibility only, not required -->
    <Connector port="8009" protocol="AJP/1.3" />

    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">
    <!-- Define the host to run the web applications -->
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

    <!-- Access log processes all requests for this virtual host. By
    default, log files are created in the "logs" directory relative to
    $CATALINA_HOME. If you wish, you can specify a different
    directory with the "directory" attribute. Specify either a relative
    (to $CATALINA_HOME) or absolute path to the desired directory.
    This access log implementation is optimized for maximum performance,
    but is hardcoded to support only the "common" and "combined" patterns.
    -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false" />
    </Host>

    </Engine>

    </Service>

    </Server>


    Hopefully this may help others who want to front Spectrum with an HTTPD proxy.

    Thank you,
    Scotty
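
The ssl.conf fragment in the accepted answer sets `ProxyRequests On` and opens `<Proxy *>` to everyone. `ProxyRequests` controls forward proxying, not the `ProxyPass` reverse proxy the thread needs, so that combination turns the HTTPD host into an open proxy that any client reaching port 443 can use to relay requests elsewhere. The fragment below is an added example, not Scotty's configuration or anything shipped with Spectrum; it assumes the same layout as the thread (Apache terminating TLS on 443, Tomcat's AJP connector on localhost:8009) and shows the reverse proxy written without the open-proxy side effect. The `Order`/`Allow` lines are the Apache 2.2 syntax used in the thread; on Apache 2.4 the equivalent is `Require all granted` inside the same `<Proxy>` block. The `secret=` parameter on `ProxyPass` is an assumption about the reader's versions: it exists in mod_proxy_ajp from Apache 2.4.42 and is required by default by newer Tomcat releases, and it must be removed on older builds.

```apache
# Added example: reverse proxy to Spectrum's Tomcat over AJP without
# enabling forward proxying. Not the poster's configuration.

# ProxyRequests governs *forward* proxying. "On" plus a wide-open
# <Proxy *> lets arbitrary clients use this server as a relay; ProxyPass
# does not need it, so keep it Off.
ProxyRequests Off

# Pass the original Host header through so redirects Tomcat generates
# point back at the public name rather than "localhost".
ProxyPreserveHost On

# Grant access only to the one backend actually proxied, instead of
# <Proxy *> covering every possible target.
<Proxy ajp://localhost:8009/>
    Order deny,allow
    Allow from all
</Proxy>

# Same mapping as the thread: whole site root to Tomcat's AJP connector.
# The secret= parameter (Apache 2.4.42+; pairs with secretRequired/secret
# on the Tomcat connector) is an assumption about versions in use; drop it
# on older builds. The value is a placeholder, not a real secret.
ProxyPass        / ajp://localhost:8009/ secret=REPLACE_WITH_AJP_SECRET
ProxyPassReverse / ajp://localhost:8009/
```

On the Tomcat side the matching hardening is to bind the AJP connector to the loopback interface, the same `address="127.0.0.1"` attribute the thread already uses on its HTTPS connector, so that only the local HTTPD can speak AJP to it: `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />`, adding `secretRequired="true" secret="..."` with the same placeholder value on Tomcat versions that support it. A quick check after editing is `apachectl -t` for syntax, then confirming with `ss -ltnp` (or `netstat -ltnp`) that 8009 is listening on 127.0.0.1 only.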