Apache 2.2 to Tomcat Virtual Host from differnt machines not working

I dont know if the Tomcat Forum serves the VisrtualHosts questions so apologies in advance.

I have a scenario where all the requests to the Tomcat Server (Application Server) should go through the Apache 2.2 (Web server). Both the servers are on 2 different machines. The 2 machines are not on the same domain or network due to security reasons.

I have to use a Virtual Host setting like below because this had already been used by other developers in my company and its fully tested and works fine.

<VirtualHost *:*> #Full Computer Name with port if its not 80 ServerName Full_Name_OF_Computer ServerAlias Full_Name_OF_Computer LogFormat "%h %l %u %t \"%r\" %s %b %D" app CustomLog logs/app-access.log app SSLProxyEngine On RewriteEngine on RewriteLogLevel 5 RewriteLog logs/rewrite.log # Root URL handling RewriteRule ^\/app\/?$ /app/launch.jsp [R,L] RewriteRule ^\/app\/?$ ajp://Full_Name_OF_Computer:8009/app [P,L] # Dynamic content RewriteRule ^/app/(.+\.(?:jsp|do|rpc).*)$ ajp://Full_Name_OF_Computer:8009/app/$1 [P,L] # This must be the location where application is deployed # SHOULD THIS BE THE LOCATION WITH IN THE APPLICATION SEVER OR THE LOCATION PATH TO THE APPLICATION SERVER FROM WEB SERVER?? Alias /app "D:\apache-tomcat-7.0.63\webapps\app" <Directory "D:\apache-tomcat-7.0.63\webapps\app"> Options FollowSymLinks AllowOverride None Allow from all ExpiresActive on ExpiresDefault "access plus 2 months" ExpiresByType application/x-javascript "access plus 2 months" ExpiresByType application/javascript "access plus 2 months" ExpiresByType text/javascript "access plus 2 months" ExpiresByType text/css "access plus 2 months" ExpiresByType image/gif "access plus 2 months" ExpiresByType image/jpeg "access plus 2 months" ExpiresByType image/png "access plus 2 months" ExpiresByType image/x-icon "access plus 2 months" AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript text/json application/x-javascript </Directory> </VirtualHost>


This works fine for me if I install both the apache and tomcat server on the same machine. However, if I install the Apache and Tomcat Server on different machines (As Required) then I make few changes to the HTTPD.conf and after that I am unable to access the Application through Apache. The application is accessible from the WebServer through the Appplication URL though (using port 8080).

Can somebody please help me in pointing out what I am doing wrong?

After changing the WebServerFullName, the ApplicationServerFullName and the Network Path to Application Deployment Folder on Tomcat, the New Virtual Host Settings are:

<VirtualHost *:*> #Full Computer Name with port if its not 80 ServerName Web_Server_Ful_Name ServerAlias Web_Server_Ful_Name LogFormat "%h %l %u %t \"%r\" %s %b %D" app CustomLog logs/app-access.log app SSLProxyEngine On RewriteEngine on RewriteLogLevel 5 RewriteLog logs/rewrite.log # Root URL handling RewriteRule ^\/app\/?$ /app/launch.jsp [R,L] RewriteRule ^\/app\/?$ ajp://ApplicationServerFullName:8009/app [P,L] # Dynamic content RewriteRule ^/app/(.+\.(?:jsp|do|rpc).*)$ ajp://ApplicationServerFullName:8009/app/$1 [P,L] # This must be the location where application is deployed # SHOULD THIS BE THE LOCATION WITH IN THE APPLICATION SEVER OR THE LOCATION PATH TO THE APPLICATION SERVER FROM WEB SERVER?? Alias /app "\\ApplicationServerFullName\cim$\apache-tomcat-7.0.63\webapps\app" <Directory "\\ApplicationServerFullName\cim$\apache-tomcat-7.0.63\webapps\app"> Options FollowSymLinks AllowOverride None Allow from all ExpiresActive on ExpiresDefault "access plus 2 months" ExpiresByType application/x-javascript "access plus 2 months" ExpiresByType application/javascript "access plus 2 months" ExpiresByType text/javascript "access plus 2 months" ExpiresByType text/css "access plus 2 months" ExpiresByType image/gif "access plus 2 months" ExpiresByType image/jpeg "access plus 2 months" ExpiresByType image/png "access plus 2 months" ExpiresByType image/x-icon "access plus 2 months" AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript text/json application/x-javascript </Directory> </VirtualHost>

I have my doubt on the Network Path to the application deployment Folder on Tomcat because as the 2 computers are not on the same Network, the network administrator had to give me a Strange Path considering the DOLLAR ($) sign in it, \ApplicationServerFullName\cim$\apache-tomcat-7.0.63\webapps\app (Which is accessible from WebServer through the browser though)

Other Details Are:

Apache2.2

apache-tomcat-7.0.63-windows-x64

Windows Server 2012 for both Web And Application Servers.

Tomcat Server.xml AJP Settings:

<!-- Define an AJP 1.3 Connector on port 8009 --> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />



Error.log:

[Fri Aug 14 18:27:07 2015] [debug] mod_proxy_ajp.c(45): proxy: AJP: canonicalising URL //ApplicationServerFullName:8009/app/launch.jsp [Fri Aug 14 18:27:07 2015] [debug] proxy_util.c(1532): [client 10.16.1.3] proxy: *: found reverse proxy worker for ajp://ApplicationServerFullName:8009/app/launch.jsp [Fri Aug 14 18:27:07 2015] [debug] mod_proxy.c(1036): Running scheme ajp handler (attempt 0) [Fri Aug 14 18:27:07 2015] [debug] mod_proxy_ajp.c(726): proxy: AJP: serving URL ajp://ApplicationServerFullName:8009/app/launch.jsp [Fri Aug 14 18:27:07 2015] [debug] proxy_util.c(2018): proxy: AJP: has acquired connection for (*) [Fri Aug 14 18:27:07 2015] [debug] proxy_util.c(2074): proxy: connecting ajp://ApplicationServerFullName:8009/app/launch.jsp to ApplicationServerFullName:8009 [Fri Aug 14 18:27:07 2015] [debug] proxy_util.c(2200): proxy: connected /app/launch.jsp to ApplicationServerFullName:8009 [Fri Aug 14 18:27:07 2015] [debug] proxy_util.c(2451): proxy: AJP: fam 2 socket created to connect to * [Fri Aug 14 18:27:07 2015] [debug] ajp_header.c(224): Into ajp_marshal_into_msgb [Fri Aug 14 18:27:07 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[0] [Accept] = [text/html, application/xhtml+xml, */*] [Fri Aug 14 18:27:07 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[1] [Accept-Language] = [nl-NL] [Fri Aug 14 18:27:07 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[2] [User-Agent] = [Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko] [Fri Aug 14 18:27:07 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[3] [Accept-Encoding] = [gzip, deflate] [Fri Aug 14 18:27:07 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[4] [Host] = [Web_Server_Ful_Name] [Fri Aug 14 18:27:07 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[5] [Connection] = [Keep-Alive] [Fri Aug 14 18:27:07 2015] [debug] ajp_header.c(461): ajp_marshal_into_msgb: Done [Fri Aug 14 18:27:07 2015] [debug] mod_proxy_ajp.c(270): proxy: APR_BUCKET_IS_EOS [Fri Aug 14 18:27:07 2015] [debug] mod_proxy_ajp.c(275): proxy: data to read (max 8186 at 4) [Fri Aug 14 18:27:07 2015] [debug] mod_proxy_ajp.c(290): proxy: got 0 bytes of data [Fri Aug 14 18:27:07 2015] [error] (OS 10054)An existing connection was forcibly closed by the remote host. : ajp_ilink_receive() can't receive header [Fri Aug 14 18:27:07 2015] [error] ajp_read_header: ajp_ilink_receive failed [Fri Aug 14 18:27:07 2015] [error] (120006)APR does not understand this error code: proxy: read response failed from (null) (*) [Fri Aug 14 18:27:07 2015] [debug] proxy_util.c(2036): proxy: AJP: has released connection for (*)



Rewrite.log


10.16.1.3 - - [14/Aug/2015:18:27:07 +0200] [Web_Server_Ful_Name/sid#79a028][rid#7aed50/initial] (2) init rewrite engine with requested uri /app/launch.jsp 10.16.1.3 - - [14/Aug/2015:18:27:07 +0200] [Web_Server_Ful_Name/sid#79a028][rid#7aed50/initial] (3) applying pattern '^\\/app\\/?$' to uri '/app/launch.jsp' 10.16.1.3 - - [14/Aug/2015:18:27:07 +0200] [Web_Server_Ful_Name/sid#79a028][rid#7aed50/initial] (3) applying pattern '^\\/app\\/?$' to uri '/app/launch.jsp' 10.16.1.3 - - [14/Aug/2015:18:27:07 +0200] [Web_Server_Ful_Name/sid#79a028][rid#7aed50/initial] (3) applying pattern '^/app/(.+\\.(?:jsp|do|rpc).*)$' to uri '/app/launch.jsp' 10.16.1.3 - - [14/Aug/2015:18:27:07 +0200] [Web_Server_Ful_Name/sid#79a028][rid#7aed50/initial] (2) rewrite '/app/launch.jsp' -> 'ajp://ApplicationServerFullName:8009/app/launch.jsp' 10.16.1.3 - - [14/Aug/2015:18:27:07 +0200] [Web_Server_Ful_Name/sid#79a028][rid#7aed50/initial] (2) forcing proxy-throughput with ajp://ApplicationServerFullName:8009/app/launch.jsp 10.16.1.3 - - [14/Aug/2015:18:27:07 +0200] [Web_Server_Ful_Name/sid#79a028][rid#7aed50/initial] (1) go-ahead with proxy request proxy:ajp://ApplicationServerFullName:8009/app/launch.jsp [OK]


Access.log
10.16.1.3 - - [14/Aug/2015:18:27:07 +0200] "GET /app/launch.jsp HTTP/1.1" 503 323 0

Interesting. Normally, you're going to be more secure if your machines are on the same domain and network.

There are 2 ways for Apache to serve as a reverse proxy for Tomcat. One is to use the Apache mod_jk plugin. The other is to use mod_proxy.

I haven't used mod_jk in quite a few years. Although it does have, I believe, some abilities that mod_proxy does not, mod_proxy is the recommended plugin these days.

I think, based on a preliminary view, that you're thinking that you need to use URL rewriting rules to do the proxying. That's not true. Your exact needs are not totally clear, but I'll start with common usage and we can adapt as needed.

First, assume that the Tomcat webapp's public URL might look something like this: http://app1.coderanch.com/home.jsp . The Tomcat-local URL that would be involved might then look something like this: http://tomcat-host.altcoderanch.com/app1/home.jsp.

You first would define in Apache, a VirtualHost directive so as to envelope the directives related to app1.coderanch.com.

One of the most important things that you would then place within this directive would be the proxy information. First and foremost, what mechanism you are using: mod_jk or mod_proxy. Note that there used to be a mod_jk2. It was a dead end and anything useful in it was put into mod_jk.

For mod_proxy, you'd use the ProxyPass and ProxyPassReverse directives to set up the linkage AND to do the basic URL rewriting:
ProxyPass / http://tomcat-host.altcoderanch.com/app1/ ProxyPassReverse / http://tomcat-host.altcoderanch.com/app1/

caution use ProxyPassReverse with extreme care. If you don't configure properly, email spammers can subvert it to send spam, making you a bad Internet citizen and consuming a lot of your network and computer resources.

For mod_jk, things are more complicated. You have to define a workers.properties file that indicates the hostname/ip and port (usually 8009) of the Tomcat's coyote connector. Since there's no full rewrite pattern here the way there is with mod_proxy, I think you do have to do a partial Apache rewrite (mod_rewrite_ to inject the Tomcat webapp's context path into the proxied URL, but a quick scan of the docs doesn't make that clear. You would have to have a JkMount directive, however. JkMount defines a URL path-to-worker mapping. For example:
JkMount /* worker1

Then the worker1 definitions in the workers.properties file would determine where the proxy request would be routed. An equivalent would be to define a mount point in the workers.properties, but I don't like that idea because it puts stuff related to the Apache URL in Tomcat definitions instead of in the Apache definitions where all the other Apache URL-related directives go.

As I said, I haven't worked with mod_j in quite a long time. It does tend to be quite confusing and messy compared to mod_proxy if you have the choice.

Mod proxy also has 2 modes. Basic mod_proxy, which just forwards http(s) requests (for example Apache port 80 to Tomcat port 8080) and mod_proxy_ajp, which uses the ajp binary protocol to talk to Tomcat's port 8009.

Tim,
Like always, thanks a lot for the reply.

I am using the following apart from the defaults


LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule deflate_module modules/mod_deflate.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule expires_module modules/mod_expires.so LoadModule headers_module modules/mod_headers.so LoadModule proxy_connect_module modules/mod_proxy_connect.so

My Webserver is on one machine which is not part of the internal company domain due to security reasons.
I want all requests to the Application Server to pass through the Webserver.
First, I tried installing the 2 servers on the same machine and everything worked fine for me.
The problem comes when I installed the Webserver on a different machine which is not part of the domain. Initially, the computer was unable to access the Tomcat location (Not the URL but actual folder location) but later on the network administrator managed to allow the access through a strange kind of URL \\ApplicationServerFullName\cim$\apache-tomcat-7.0.63\webapps\app I am able to access the tomcat server's webApps folder by this URL from the WebServer in the browser.
But when I put that URL in the Virtualhost's Directory directive, it is then that the problem arise and I am unable to access the application through Apache.
I am not sure but I guess the issues arise due to one of the following:

HTTPD.conf setting does not understand the shared location path due to the dollar sign \\ApplicationServerFullName\cim$\apache-tomcat-7.0.63\webapps\app. If this is the case, what should I do then?

The virtual host's directory directive shouldn't use the network location of tomcat from Webserver which is \\ApplicationServerFullName\cim$\apache-tomcat-7.0.63\webapps\app. Instead, it should use the relative path within the application server which is D:\apache-tomcat-7.0.63\webapps\app. I will try this one and will see if this fix the issue

Thanks a lot for your time

What you have here is confusion between file serving and web serving.

A file server is a host that presents files "as is" over a LAN as though those files were local to the client machine. You can therefore do file open/close/read/write/update/delete and status operations using your client machine's OS file services. Subject to file access restrictions and some possible distortions in meanings if you're not running a common OS on both fileserver and file client machines.

A web server, on the other hand, presents content in response to a URL request. Whether the content physically exists in a file or it is synthesized via web application logic depends entirely on how the web application was written. You cannot use OS file services to read/write/etc./etc.

When using Microsoft Windows Lan Manager (also known as CIFS), the filename path for a LAN-shared file is in the form of a "UNC" name as follows:

\\servername\sharename\dir\dir\filename.ext

Which may look familiar to you from your example.

The fundamental problems here are that a UNCname does you absolutely no good if the server is not on the same LAN as the client machine. At a minumum, there has to be a trust relationship between the domain of the client and the domain of the server.

UNC names and LAN shares are for OS-local use. They should not (generally cannot) be used over the Internet or between an Apache http server and a Tomcat server. A Tomcat server can use a network share to locate OS-local resources used to resolve URL requests, but you may have to override some Tomcat security options. You can never use Tomcat to present the actual files directly to Apache or any other client. since Tomcat is not a file server, it's a webapp server.

Using mod_proxy_ajp you need a ProxyPass Apache directive to convert Apache URL locations to Tomcat equivalents, targeting Tomcat's ajp port 8009. So, for example:

ProxyPass / ajp://tomcat-server:8009/mywebapp/

Incidentally, a "$" at the end of a sharename has magic significance. It makes the share name invisible for network browsing. You'll often see shares for "C$, D$, E$" and so forth which may be employed by LAN-based backup and restore systems to backup the C, D, and E (or whatever) drives.

Thanks a lot Tim for your help.

The error was due to the fact that AJP port for tomcat was not accessible from outside.

After opening the port, I simply placed the static content on the server on which Apache was hosting so I did not need to have a network path be mapped on the WebServer.