What should be configured in AJP proxy configuration?

I have an Apache HTTPD server in our product and I need to add an AJP proxy for a specific application.

The Tomcat AJP port is 8009 and the Tomcat HTTP port is 8080 (the SSL termination is in Apache). This is the AJP proxy I need to configure.

<Directory /app>
    AuthType None
    Allow from all
    Satisfy any
    AllowOverride None
    Options None FollowSymLinks
</Directory>

<Proxy http://localhost:8080/app >
    AuthType None
    Allow from all
    Order Deny,Allow
    Satisfy any
    Options None FollowSymLinks
</Proxy>
ProxyPass /app ajp://localhost:8009/app
<Location /app>
        ProxyPassReverse ajp://localhost:8009/app
</Location>

Question: What should be configured in <Proxy … >? <Proxy http://localhost:8080/app > or <Proxy ajp://localhost:8009/app >

Added Clarification. The whole configuration contains the root configuration (see below).

I just need to add an AJP proxy for a specific application.

<Directory />
    Deny from all
    Allow from localhost
    Order Deny,Allow
    AuthType Basic
    Require valid-user
    AllowOverride None
    Satisfy any
    Options None FollowSymLinks
</Directory>


<Proxy *>
    Deny from all
    Order Deny,Allow
    AuthType Basic
    Require valid-user
    Satisfy any
    Options None FollowSymLinks
</Proxy>

Solution 1:

OK, you have several misconceptions about Apache configuration that need correcting.

  1. <Directory> blocks refer to absolute file system paths, not URI paths or paths relative to the document root. When proxying, as mentioned by David Hutchinson, you should be using <Location> blocks instead.
  2. <Proxy> blocks are (almost) exclusively used to configure forward proxies, not reverse ones. Remove these blocks; you do not need them. Again, use <Location> blocks.
  3. Do not use ProxyPass or ProxyPassReverse inside <Location>. Although it is valid, it can complicate things. Simply use the two-argument versions of these directives. Also, unless you have a reason not to, use trailing slashes in both these directives.

The order of the location blocks may need to be reversed (I can't remember off the top of my head the correct order), but start with something like:

ProxyPass /app/ ajp://localhost:8009/app/
ProxyPassReverse /app/ ajp://localhost:8009/app/

<Location />
  Order Allow,Deny
  Allow from localhost
  AuthType Basic
  Require valid-user
</Location>

<Location /app/>
  Allow from all
</Location>

I have removed directives where they were the default.

Solution 2:

You don't need the <Proxy> block at all to do what you are trying to achieve.

The ProxyPass and ProxyPassReverse directives are all you require. For readability, however, I'd advise either sticking both in the Location block or neither.

If you need to configure different settings for your app path, for instance client certificate authentication, use a Location (or LocationMatch) block as you have already in your configuration.
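
The layout both answers describe, written out in full as an added example that is not code from either answer. It assumes mod_proxy, mod_proxy_ajp and mod_version are loaded; the AuthName and AuthUserFile values are placeholders, and the <IfVersion> split with the Apache 2.4 Require form goes beyond what the thread shows.

```apache
# Added example (not from the thread). AuthName/AuthUserFile are placeholders.

# Two-argument form at server/virtual-host level, trailing slash on both sides.
# A request for exactly /app (no slash) is not proxied by this mapping.
ProxyPass        /app/ ajp://localhost:8009/app/
ProxyPassReverse /app/ ajp://localhost:8009/app/

# <Location> sections are merged in file order, so the general rule comes
# first and the more specific /app/ rule after it.
<IfVersion < 2.4>
    # Apache 2.2 access control
    <Location />
        Order Deny,Allow
        Deny from all
        Allow from localhost
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /path/to/htpasswd
        Require valid-user
        # Either the host rule or a valid login is enough
        Satisfy Any
    </Location>
    <Location /app/>
        Order Allow,Deny
        Allow from all
        # Host rule alone grants access, so no password prompt for /app/
        Satisfy Any
    </Location>
</IfVersion>

<IfVersion >= 2.4>
    # Closest Apache 2.4 equivalent using Require
    <Location />
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /path/to/htpasswd
        <RequireAny>
            Require local
            Require valid-user
        </RequireAny>
    </Location>
    <Location /app/>
        # Replaces the inherited requirements (AuthMerging defaults to Off)
        Require all granted
    </Location>
</IfVersion>
```

On Apache 2.2 the `Satisfy Any` line is what lets `/app/` through without a login: `Satisfy` defaults to `All`, under which the inherited `Require valid-user` would still be enforced.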