Monday, January 4, 2016

Using Apache as an (SSL) proxy server

If you are using a Java web server (such as Tomcat) or an app server (such as WildFly, JBoss or GlassFish), you know that it does not listen on HTTP port 80.

Well, why does it have to listen on port 80? Because you want your users to type only the URL and not the port; for example,
http://mydomain.com and not http://mydomain.com:8080

Note: throughout this article, mydomain.com can be replaced with localhost if your product is still in development.

Software used:
  • Ubuntu
  • apache2
  • Any Java web/app server

What we want to achieve

We are going to divert all user requests arriving on port 80 to Tomcat, which runs on port 8080 on the same host.

Installation

Run the following commands:
sudo apt-get install apache2
sudo apt-get install libxml2-dev
sudo apt-get install libapache2-mod-proxy-html

Configuration

1. Append the following to /etc/apache2/sites-available/000-default.conf, inside the <VirtualHost *:80> block:
 ProxyPass /myapp http://localhost:8080/myapp
 ProxyPassReverse /myapp http://localhost:8080/myapp

2. Create the following symlinks, which enable mod_proxy and mod_proxy_http:
cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/proxy.load
sudo ln -s ../mods-available/proxy_http.load

3. Create the file /etc/apache2/mods-enabled/proxy_http.conf with the following content:
LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so
On some machines libxml2.so lives at /usr/lib/libxml2.so instead. If that is the case for you, use the /usr/lib/libxml2.so path in the file above.

4. Restart apache2.
sudo service apache2 restart

Now (assuming you have an app running at http://mydomain.com:8080/myapp) you can hit http://mydomain.com/myapp and see your application page.


Let's say that you are not satisfied: you want your users to hit http://mydomain.com rather than http://mydomain.com/myapp. Well, that's easy.

Replace the two ProxyPass lines you added to /etc/apache2/sites-available/000-default.conf with the following:
 # Trailing slashes must match on both arguments: mod_proxy replaces the matched
 # prefix by plain string concatenation, so without the slash /login would
 # reach Tomcat as /myapplogin.
 ProxyPass / http://localhost:8080/myapp/
 ProxyPassReverse / http://localhost:8080/myapp/

That's it. You can now hit http://mydomain.com and see your application page. Hold on, there is one problem.

If your application myapp served any static content, such as an image (e.g. http://mydomain.com/data/banner.jpg), it will not work now. How do we address this? Read on.

Add the following line to /etc/apache2/sites-available/000-default.conf, above the ProxyPass lines (rules are evaluated in order and the first match wins):
ProxyPassMatch ^/data(.*)$ !
# The "!" tells Apache to serve /data/... itself (from DocumentRoot); everything else is proxied to Tomcat.

Your final file will look like this:
<VirtualHost *:80>
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Serve /data/... from DocumentRoot; everything else is proxied to Tomcat.
        # The exclusion must come before the catch-all ProxyPass (first match wins).
        ProxyPassMatch ^/data(.*)$ !

        # Trailing slashes must match on both arguments, otherwise /login would
        # reach Tomcat as /myapplogin.
        ProxyPass / http://localhost:8080/myapp/
        ProxyPassReverse / http://localhost:8080/myapp/
</VirtualHost>

Don't forget to restart Apache.
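Before restarting, it helps to see where a given request path ends up under the rules above. The script below is an added example, not code from the original post: it simulates the first-match evaluation mod_proxy applies to the ProxyPassMatch exclusion and the catch-all ProxyPass, and lets you compare a backend target with and without the trailing slash. The paths and URLs are the post's own; rules_for and proxy_target are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original post: a small simulator of the
# first-match evaluation mod_proxy applies to the ProxyPassMatch/ProxyPass
# rules above, so rule order and the trailing-slash rule can be checked
# without touching a live Apache. The paths and URLs are the post's own.

# rules_for BACKEND -> the rule table, one rule per line, in VirtualHost order:
#   match <ERE> !        ProxyPassMatch exclusion, served by Apache itself
#   pass  <prefix> <url> ProxyPass prefix mapping to the backend
# BACKEND is a parameter so a target without a trailing slash and the
# corrected one with a trailing slash can both be tried.
rules_for() {
  printf 'match ^/data(.*)$ !\npass / %s\n' "$1"
}

# proxy_target BACKEND PATH -> prints where Apache sends PATH: "local" when the
# request is served from DocumentRoot, otherwise the backend URL it is proxied to.
proxy_target() {
  _backend=$1
  _path=$2
  _dest=$(rules_for "$_backend" | while read -r kind pattern target; do
    case $kind in
      match)
        # ProxyPassMatch: regular-expression match; "!" means "do not proxy".
        if printf '%s\n' "$_path" | grep -Eq -e "$pattern" && [ "$target" = '!' ]; then
          echo local
          exit
        fi ;;
      pass)
        # ProxyPass: the matched prefix is replaced by the target by plain
        # string concatenation, which is why the slashes have to agree.
        case $_path in
          "$pattern"*)
            echo "${target}${_path#"$pattern"}"
            exit ;;
        esac ;;
    esac
  done)
  echo "${_dest:-local}"
}

# Run with --demo to compare a slash-less target with the corrected one.
if [ "${1:-}" = --demo ]; then
  for p in / /login /data/banner.jpg; do
    printf '%-18s no slash: %-38s with slash: %s\n' "$p" \
      "$(proxy_target http://localhost:8080/myapp "$p")" \
      "$(proxy_target http://localhost:8080/myapp/ "$p")"
  done
fi
```

Running it with --demo shows /data/banner.jpg staying local while /login becomes /myapplogin on the backend when the target lacks the trailing slash, and /myapp/login when it has one.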



Great. Now you want to proxy HTTPS/SSL traffic as well. How do we do that?

1. Run the following commands:
sudo apt-get install openssl
sudo a2enmod ssl
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf

2. Add the following to /etc/apache2/sites-available/default-ssl.conf, inside its VirtualHost block:
ProxyPassMatch ^/data(.*)$ !
# SSLProxyEngine lets Apache speak TLS to the backend. "SSLProxyVerify none" and
# the three CheckPeer directives below switch off verification of Tomcat's
# certificate, so the backend hop is encrypted but the backend is not authenticated.
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

# Trailing slashes must match on both arguments, as for the port-80 site.
ProxyPass / https://localhost:8443/myapp/
ProxyPassReverse / https://localhost:8443/myapp/

If you get an error related to SSLProxyCheckPeerName, comment out that line and restart Apache.
You are done. Your HTTPS/SSL traffic now reaches port 8443.
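The configuration below is an added example, not part of the original post: it places the backend-verification settings from step 2 beside a variant that verifies Tomcat's certificate. The certificate path is an assumption, and SSLProxyCheckPeerName only exists from Apache 2.4.5 onward, which is why an older Apache rejects that line.

```apache
# Option A: the settings used in step 2. Apache accepts any certificate from
# port 8443 (self-signed, expired, or issued for another name), so the hop to
# Tomcat is encrypted but Tomcat itself is not authenticated.
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

# Option B: verify the backend. The PEM file (assumed path) holds the CA that
# issued Tomcat's certificate, or that certificate itself if it is self-signed.
# The certificate must carry "localhost" as its name, because that is the host
# named in the ProxyPass target below.
SSLProxyEngine on
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCACertificateFile /etc/apache2/ssl/tomcat-backend-ca.pem
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

# Either way, keep the exclusion before the catch-all and the slashes matching.
ProxyPassMatch ^/data(.*)$ !
ProxyPass / https://localhost:8443/myapp/
ProxyPassReverse / https://localhost:8443/myapp/
```

Pick one of the two options for a VirtualHost rather than pasting both; with option B, a backend certificate that does not match fails the proxied request with a 502 and an entry in the error log, which is the behaviour you want when something other than your Tomcat answers on 8443.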


Let's say you want a beta release of some features of your application, i.e. you want it to be available at beta.mydomain.com.

A few things to note here:
  • You are already running the production application myapp at http://mydomain.com:8080/myapp (now available at http://mydomain.com)
  • You are running a beta version of myapp (with some additional features) at http://mydomain.com:9080/myapp (note the port) and you want it to be available at http://beta.mydomain.com
Alright, it is simple. I assume that the domain-to-host mapping is already taken care of and that both mydomain.com and beta.mydomain.com point to the same machine (i.e. the same IP address).

Add or uncomment the following line in /etc/apache2/sites-available/000-default.conf:
ServerName mydomain.com

Append (do not replace) the following to /etc/apache2/sites-available/000-default.conf:
<VirtualHost *:80>
    ServerName beta.mydomain.com
    # remaining configuration for proxying the beta site goes here
</VirtualHost>

Your final file will look like this.
<VirtualHost *:80>
        ServerName mydomain.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Serve /data/... from DocumentRoot; everything else is proxied to Tomcat.
        # The exclusion must come before the catch-all ProxyPass (first match wins).
        ProxyPassMatch ^/data(.*)$ !

        # Trailing slashes must match on both arguments.
        ProxyPass / http://localhost:8080/myapp/
        ProxyPassReverse / http://localhost:8080/myapp/
</VirtualHost>

<VirtualHost *:80>
        ServerName beta.mydomain.com
        # Same rule order as the production site, but pointing at the beta Tomcat on 9080.
        ProxyPassMatch ^/data(.*)$ !

        ProxyPass / http://localhost:9080/myapp/
        ProxyPassReverse / http://localhost:9080/myapp/
</VirtualHost>
That's it. Now you have your production site at http://mydomain.com and your beta site at http://beta.mydomain.com.
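With two name-based virtual hosts in one file, the order of the blocks and the order of the rules inside each block both matter. The script below is an added example, not the post's own code: it renders one VirtualHost per site from a small table, shows which vhost Apache selects for a given Host header (the first ServerName that matches, otherwise the first vhost in the file, which is why the production block comes first), checks that every "!" exclusion precedes its catch-all ProxyPass, and only restarts Apache after apache2ctl configtest passes. The site names, ports and paths are the post's; the SITES table, the per-site log names and the function names are constructed here.

```shell
#!/bin/sh
# Added example, not the original post's code: renders one name-based
# <VirtualHost *:80> per site, shows which vhost Apache selects for a given
# Host header, checks that every "!" exclusion precedes its catch-all
# "ProxyPass /", and gates the restart behind apache2ctl configtest.
# Site names, ports and paths are the post's; the SITES table is constructed here.

# "<ServerName> <backend port>" per line. The first line is the default vhost:
# a request whose Host header matches no ServerName is served by the first
# <VirtualHost *:80> in the file, so the production site belongs there.
SITES='mydomain.com 8080
beta.mydomain.com 9080'

# render_vhost SERVERNAME PORT -> one VirtualHost block for that site
render_vhost() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot /var/www/html
    ErrorLog \${APACHE_LOG_DIR}/$1-error.log
    CustomLog \${APACHE_LOG_DIR}/$1-access.log combined

    # Serve /data/... from DocumentRoot; everything else goes to the backend.
    # The exclusion must precede the catch-all ProxyPass (first match wins).
    ProxyPassMatch ^/data(.*)\$ !
    ProxyPass / http://localhost:$2/myapp/
    ProxyPassReverse / http://localhost:$2/myapp/
</VirtualHost>

EOF
}

# render_sites -> all VirtualHost blocks, in SITES order
render_sites() {
  printf '%s\n' "$SITES" | while read -r name port; do
    render_vhost "$name" "$port"
  done
}

# vhost_for_host HOSTHEADER -> backend port of the vhost Apache would choose:
# the first ServerName equal to the Host header, else the first vhost listed.
vhost_for_host() {
  printf '%s\n' "$SITES" | awk -v host="$1" '
    NR == 1    { first = $2 }
    $1 == host { print $2; found = 1; exit }
    END        { if (!found) print first }'
}

# exclusions_first FILE -> succeeds when, within each VirtualHost, no
# "ProxyPassMatch ... !" line appears after the catch-all "ProxyPass /".
exclusions_first() {
  awk '
    BEGIN                                          { bad = 0 }
    /<VirtualHost/                                 { catchall = 0 }
    /^[[:space:]]*ProxyPass \//                    { catchall = 1 }
    /^[[:space:]]*ProxyPassMatch .* !/ && catchall { bad = 1 }
    END                                            { exit bad }' "$1"
}

# deploy FILE -> write the config, refuse to restart on an ordering or syntax error
deploy() {
  render_sites > "$1"
  exclusions_first "$1" || { echo "exclusion after catch-all in $1" >&2; return 1; }
  sudo apache2ctl configtest && sudo service apache2 restart
}

# Only touch the live configuration when asked to explicitly.
if [ "${1:-}" = --apply ]; then
  deploy /etc/apache2/sites-available/000-default.conf
fi
```

Per-site error and access logs make it easy to see which vhost actually served a request, which is the first thing to check when a beta user reports seeing the production site (or the other way round).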