0

I'm running Tomcat on my Linux server and I want to use a reverse proxy for it. After reading the Apache manual for mod_proxy, I didn't really understand the /path in ProxyPass.

I made a small example. The directory for my Tomcat is /tomcat/webapp. Is the following configuration right?

<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ProxyRequests Off
ProxyPass /tomcat/webapp         http://127.0.0.1:8080
ProxyPassReverse /tomcat/webapp  http://127.0.0.1:8080
</VirtualHost> 

I would be thankful if somebody with experience can help me out.

beard black
  • The path parameter is a [URI path](https://en.wikipedia.org/wiki/Uniform_Resource_Identifier#Examples), not a directory (filesystem path). Tomcat's `ROOT` web application will appear under the URL `http://example.com/tomcat/webapp/`. – Piotr P. Karwasz Jan 24 '20 at 18:56
  • This means I should change the setting to: ProxyPass /app http://localhost:8080/tomcat/webapp, right? – beard black Jan 24 '20 at 19:01

1 Answer

2

Theoretically whichever ProxyPass directive you choose, it will work, even if you choose to proxy http://example.com:8080/webapp/ as http://example.com/foo/bar/baz/.

However, if your application uses absolute paths in hyperlinks, it is better to use the same URI path on both Apache and Tomcat or you will have problems like in this question. So:

  • if your application is well written, choose your favourite URL and adjust the webapp deployment on Tomcat to fit it.
  • if your application is badly written (e.g. has some hardcoded paths like in this question), adjust the Apache path to fit the hardcoded deployment path.

Either way you should use:

ProxyPass "/path/to/webapp/" "http://127.0.0.1:8080/path/to/webapp/"

PS: Since apparently you want to run Tomcat on two ports, it is better if you tell the webapp that it is being proxied and that port 8443 is accessed through SSL:

<Connector port="8080"
           proxyName="example.com"
           proxyPort="80"
           redirectPort="443" />
<Connector port="8443"
           proxyName="example.com"
           proxyPort="443"
           scheme="https" secure="true" />

so the webapp will not generate useless redirects from port 8443 to port 443.

Piotr P. Karwasz
  • And what if I configure the ProxyPass like this: ProxyPass / http://127.0.0.1:8080? Is it secure enough like the above examples? – beard black Jan 24 '20 at 22:02
  • Yes, the app will work correctly. However if you want to give Tomcat the entire web space, why don't you just run Tomcat on port `80` and `443`? – Piotr P. Karwasz Jan 24 '20 at 22:15
  • For port 80/443 I need to run Tomcat as root, therefore I need to run Tomcat with a reverse proxy :D – beard black Jan 24 '20 at 22:40
  • Not really: you can use [authbind](https://en.wikipedia.org/wiki/Authbind) or set the `CAP_NET_BIND_SERVICE` ambient capability on the Tomcat process. Debian 9 uses the first, Debian 10 uses the second. – Piotr P. Karwasz Jan 24 '20 at 22:44
  • But I can still use authbind, but it's not secure enough; I would give the tomcat user read, write and execute for all privileged ports :) – beard black Jan 24 '20 at 22:49
  • authbind is configurable and allows binding only the specified ports. As for privileged ports: once upon a time servers trusted communication from ports lower than 1024, nowadays it is not the case. – Piotr P. Karwasz Jan 24 '20 at 22:55
  • Look at the Debian changelog, authbind 2.1 is unstable ;), is that enough? I read from an expert who tells me that authbind can open ports etc... (I'm not an expert, you see), but installing an Apache reverse proxy and hardening it isn't much work for me. I don't understand the ProxyPass story, but you explained it to me very well, now I think I understand it right :D Here is the link: https://metadata.ftp-master.debian.org/changelogs//main/a/authbind/authbind_2.1.2_changelog – beard black Jan 24 '20 at 22:59
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/103687/discussion-between-piotr-p-karwasz-and-beard-black). – Piotr P. Karwasz Jan 24 '20 at 23:01
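
The path mapping discussed in the answer and comments above, as an added example (not part of the original thread and not Apache's code): a simplified Python model of how `ProxyPass` swaps a URI prefix and how `ProxyPassReverse` rewrites only redirect headers, which is why hardcoded absolute links break when the Apache and Tomcat paths differ. The function names, the `TOMCAT` deployment URL and the sample request paths are assumptions made for illustration; `/app/` comes from the asker's comment.

```python
# Simplified model of mod_proxy prefix mapping (added example, not Apache's code).
PUBLIC = "http://example.com"  # public origin, from the question's ServerName

def proxy_pass(path, front, backend):
    """ProxyPass: replace the matching front-end URI prefix with the backend URL."""
    if not path.startswith(front):
        return None  # no rule matches, so the request never reaches Tomcat
    return backend + path[len(front):]

def proxy_pass_reverse(location, front, backend):
    """ProxyPassReverse: map a backend URL in a redirect header to the public URL."""
    if location.startswith(backend):
        return PUBLIC + front + location[len(backend):]
    return location

def follow_body_link(href, front, backend):
    """Absolute links in the HTML body are not rewritten by either directive:
    the browser requests href as-is and it goes through ProxyPass again."""
    return proxy_pass(href, front, backend)

TOMCAT = "http://127.0.0.1:8080/tomcat/webapp/"  # constructed deployment URL

if __name__ == "__main__":
    # The question's config maps the prefix onto Tomcat's root, not the webapp.
    print(proxy_pass("/tomcat/webapp/index.jsp", "/tomcat/webapp",
                     "http://127.0.0.1:8080"))
    # Different paths: redirects are fixed up, hardcoded body links are not.
    print(proxy_pass_reverse(TOMCAT + "login", "/app/", TOMCAT))
    print(follow_body_link("/tomcat/webapp/style.css", "/app/", TOMCAT))
    # Same path on both sides: the hardcoded link still reaches the webapp.
    print(follow_body_link("/tomcat/webapp/style.css", "/tomcat/webapp/", TOMCAT))
```
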