18 Apr
2011
18 Apr
'11
1:28 p.m.
Hello again,
we are running a tomcat-server "behind" an apache-server. In order to
redirect the request we use the following configuration:
<VirtualHost *:80>
ServerName www.my-domain.de
ServerAlias my-domain.de
Redirect permanent / https://www.my-domain.de/
</VirtualHost>
<VirtualHost *:443>
ServerName www.my-domain.de
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/apache2/ssl/my-domain.crt
SSLCertificateKeyFile /etc/apache2/ssl/my-domain.key
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
Redirect / /xwikiv2/
ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
ProxyPreserveHost On
</VirtualHost>
So all communication should be encrypted and the user should
immediately be redirected to the wiki.
With these settings we encounter a strange behaviour. For example the
Blog refuses to create a new category (see: [xwiki-users] Server not
responding when creating a new Blog-Category). If I point my browser
directly to my-domain.de:8080 I can create categories.
Is the config file correct? Is there a better way?
Cheers,
Stephanie
18 Apr
18 Apr
2:01 p.m.
On 04/18/2011 01:28 PM, lists(a)yhmail.de wrote:
Hello again,
we are running a tomcat-server "behind" an apache-server. In order to
redirect the request we use the following configuration:
<VirtualHost *:80>
ServerName www.my-domain.de
ServerAlias my-domain.de
Redirect permanent / https://www.my-domain.de/
</VirtualHost>
<VirtualHost *:443>
ServerName www.my-domain.de
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/apache2/ssl/my-domain.crt
SSLCertificateKeyFile /etc/apache2/ssl/my-domain.key
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
Redirect / /xwikiv2/
ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
ProxyPreserveHost On
</VirtualHost>
So all communication should be encrypted and the user should
immediately be redirected to the wiki.
With these settings we encounter a strange behaviour. For example the
Blog refuses to create a new category (see: [xwiki-users] Server not
responding when creating a new Blog-Category). If I point my browser
directly to my-domain.de:8080 I can create categories.
Is the config file correct? Is there a better way?
I think this is caused by the fact that the container (Tomcat) doesn't
know the connection is secure (HTTPS) and tries to generate absolute
URLs pointing to http instead of https. I don't know how to forward the
information that the connection is secure from httpd to tomcat, but this
could be a good starting point into fixing the problem.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
2:31 p.m.
Depending on the version you use, and how much you tuned it, using a different
"context name" than /xwiki/ is likely to produce bizarre behaviours i believe.
Are you sure you need the <Proxy> section? Isn't that the door towards opening
your server to be exploited as a proxy to go outside?
paul
Le 18 avr. 2011 à 13:28, lists(a)yhmail.de a écrit :
Redirect / /xwikiv2/
ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
ProxyPreserveHost On
</VirtualHost>
So all communication should be encrypted and the user should
immediately be redirected to the wiki.
With these settings we encounter a strange behaviour. For example the
Blog refuses to create a new category (see: [xwiki-users] Server not
responding when creating a new Blog-Category). If I point my browser
directly to my-domain.de:8080 I can create categories.
Is the config file correct? Is there a better way?
3:06 p.m.
Hi Stephanie,
Can you try to replace the ProxyPass part by:
ProxyPass /xwikiv2
ajp://localhost:8009/xwikiv2<http://localhost:8080/xwikiv2>
ProxyPassReverse /xwikiv2
ajp://localhost:8009/xwikiv2<http://localhost:8080/xwikiv2>
Let me know if it's better.
Regards,
Guillaume
2011/4/18 Paul Libbrecht <paul(a)hoplahup.net>
Depending on the version you use, and how much you
tuned it, using a
different "context name" than /xwiki/ is likely to produce bizarre
behaviours i believe.
Are you sure you need the <Proxy> section? Isn't that the door towards
opening your server to be exploited as a proxy to go outside?
paul
Le 18 avr. 2011 à 13:28, lists(a)yhmail.de a écrit :
--
Guillaume Fenollar
guillaume(a)fenollar.fr
Skype: guillaume.fenollar
Redirect / /xwikiv2/
ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
ProxyPreserveHost On
</VirtualHost>
So all communication should be encrypted and the user should
immediately be redirected to the wiki.
With these settings we encounter a strange behaviour. For example the
Blog refuses to create a new category (see: [xwiki-users] Server not
responding when creating a new Blog-Category). If I point my browser
directly to my-domain.de:8080 I can create categories.
Is the config file correct? Is there a better way?
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
3:40 p.m.
Stephanie -
I use mod_jk for other reasons.. but mod_proxy_ajp is similar.. there is no
reason why this should not work ..
Make some changes though..
In your httpd conf where you have your virtual host defined
change ServerName to the full address
ServerName https://www.my-domain.de
Dont proxy to tomcat via http... use tomcat in ajp mode ..
disable port :8080 and server xwiki over :8009 only to local host via
your <tomcat location>/conf/server.xml file. (usually all you need to do
is comment the 8080 stuff and uncomment the 8009.
your proxy string will look something like this then..
ProxyPass /xwikiv2 ajp://localhost:8009/<xwiki instance>
------
thanks
kevin.foote
On Mon, 18 Apr 2011, lists(a)yhmail.de wrote:
-> Hello again,
->
-> we are running a tomcat-server "behind" an apache-server. In order to
-> redirect the request we use the following configuration:
->
-> <VirtualHost *:80>
-> ServerName www.my-domain.de
-> ServerAlias my-domain.de
-> Redirect permanent / https://www.my-domain.de/
-> </VirtualHost>
->
-> <VirtualHost *:443>
-> ServerName www.my-domain.de
->
-> SSLEngine On
-> SSLProxyEngine On
->
-> SSLCertificateFile /etc/apache2/ssl/my-domain.crt
-> SSLCertificateKeyFile /etc/apache2/ssl/my-domain.key
->
-> <Proxy *>
-> Order allow,deny
-> Allow from all
-> </Proxy>
->
->
-> Redirect / /xwikiv2/
->
-> ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
-> ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
-> ProxyPreserveHost On
-> </VirtualHost>
->
-> So all communication should be encrypted and the user should
-> immediately be redirected to the wiki.
->
-> With these settings we encounter a strange behaviour. For example the
-> Blog refuses to create a new category (see: [xwiki-users] Server not
-> responding when creating a new Blog-Category). If I point my browser
-> directly to my-domain.de:8080 I can create categories.
->
-> Is the config file correct? Is there a better way?
->
-> Cheers,
-> Stephanie
->
->
-> _______________________________________________
-> users mailing list
-> users(a)xwiki.org
-> http://lists.xwiki.org/mailman/listinfo/users
->
3:40 p.m.
Hi Guillaume,
that results in the following error:
Apr 18 15:35:27 jsvc.exec[823]: Apr 18, 2011 3:35:27 PM
org.apache.jk.common.MsgAjp processHeader#012SEVERE: BAD packet
signature 18245#012Apr 18, 2011 3:35:27 PM
org.apache.jk.common.ChannelSocket processConnection#012SEVERE: Error,
processing connection#012java.lang.IndexOutOfBoundsException#012#011at
java.io.BufferedInputStream.read(BufferedInputStream.java:310)#012#011at
org.apache.jk.common.ChannelSocket.read(ChannelSocket.java:627)#012#011at
org.apache.jk.common.ChannelSocket.receive(ChannelSocket.java:584)#012#011at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:692)#012#011at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897)#012#011at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)#012#011at
java.lang.Thread.run(Thread.java:662)
Cheers,
Stephanie
Quoting Guillaume Fenollar <guillaume.fenollar(a)gmail.com>om>:
Hi Stephanie,
Can you try to replace the ProxyPass part by:
ProxyPass /xwikiv2
ajp://localhost:8009/xwikiv2<http://localhost:8080/xwikiv2>
ProxyPassReverse /xwikiv2
ajp://localhost:8009/xwikiv2<http://localhost:8080/xwikiv2>
Let me know if it's better.
Regards,
Guillaume
2011/4/18 Paul Libbrecht <paul(a)hoplahup.net>
Depending on the version you use, and how much
you tuned it, using a
different "context name" than /xwiki/ is likely to produce bizarre
behaviours i believe.
Are you sure you need the <Proxy> section? Isn't that the door towards
opening your server to be exploited as a proxy to go outside?
paul
Le 18 avr. 2011 à 13:28, lists(a)yhmail.de a écrit :
--
Guillaume Fenollar
guillaume(a)fenollar.fr
Skype: guillaume.fenollar
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
Redirect / /xwikiv2/
ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
ProxyPreserveHost On
</VirtualHost>
So all communication should be encrypted and the user should
immediately be redirected to the wiki.
With these settings we encounter a strange behaviour. For example the
Blog refuses to create a new category (see: [xwiki-users] Server not
responding when creating a new Blog-Category). If I point my browser
directly to my-domain.de:8080 I can create categories.
Is the config file correct? Is there a better way?
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
3:45 p.m.
Hello,
does anyone know if I can setup Tomcat directly. Since there is no
other content on that server, I actually do not need the Apache-Server.
I guess all I have to do is: make tomcat listen on port 443. Make it
accept ssl-connections and make the wiki the default application.
But I have never done that, so if someone has experience in that field
it would be nice if he7she could share them with me.
Thanks a lot,
Stephanie
Quoting Sergiu Dumitriu <sergiu(a)xwiki.com>om>:
On 04/18/2011 01:28 PM, lists(a)yhmail.de wrote:
Hello again,
we are running a tomcat-server "behind" an apache-server. In order to
redirect the request we use the following configuration:
<VirtualHost *:80>
ServerName www.my-domain.de
ServerAlias my-domain.de
Redirect permanent / https://www.my-domain.de/
</VirtualHost>
<VirtualHost *:443>
ServerName www.my-domain.de
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/apache2/ssl/my-domain.crt
SSLCertificateKeyFile /etc/apache2/ssl/my-domain.key
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
Redirect / /xwikiv2/
ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
ProxyPreserveHost On
</VirtualHost>
So all communication should be encrypted and the user should
immediately be redirected to the wiki.
With these settings we encounter a strange behaviour. For example the
Blog refuses to create a new category (see: [xwiki-users] Server not
responding when creating a new Blog-Category). If I point my browser
directly to my-domain.de:8080 I can create categories.
Is the config file correct? Is there a better way?
I think this is caused by the fact that the container (Tomcat) doesn't
know the connection is secure (HTTPS) and tries to generate absolute
URLs pointing to http instead of https. I don't know how to forward the
information that the connection is secure from httpd to tomcat, but this
could be a good starting point into fixing the problem.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
3:52 p.m.
Hey,
thanks it works now. At least I do not get any errors at the moment.
Could you explain to me what the difference is? (HTTP vs. ajp) When proxying?
@Everybody: Thank you for your help.
Cheers,
Chris
Quoting "Kevin P. Foote" <kpfoote(a)iup.edu>du>:
Stephanie -
I use mod_jk for other reasons.. but mod_proxy_ajp is similar.. there is no
reason why this should not work ..
Make some changes though..
In your httpd conf where you have your virtual host defined
change ServerName to the full address
ServerName https://www.my-domain.de
Dont proxy to tomcat via http... use tomcat in ajp mode ..
disable port :8080 and server xwiki over :8009 only to local host via
your <tomcat location>/conf/server.xml file. (usually all you need to do
is comment the 8080 stuff and uncomment the 8009.
your proxy string will look something like this then..
ProxyPass /xwikiv2 ajp://localhost:8009/<xwiki instance>
------
thanks
kevin.foote
On Mon, 18 Apr 2011, lists(a)yhmail.de wrote:
-> Hello again,
->
-> we are running a tomcat-server "behind" an apache-server. In order to
-> redirect the request we use the following configuration:
->
-> <VirtualHost *:80>
-> ServerName www.my-domain.de
-> ServerAlias my-domain.de
-> Redirect permanent / https://www.my-domain.de/
-> </VirtualHost>
->
-> <VirtualHost *:443>
-> ServerName www.my-domain.de
->
-> SSLEngine On
-> SSLProxyEngine On
->
-> SSLCertificateFile /etc/apache2/ssl/my-domain.crt
-> SSLCertificateKeyFile /etc/apache2/ssl/my-domain.key
->
-> <Proxy *>
-> Order allow,deny
-> Allow from all
-> </Proxy>
->
->
-> Redirect / /xwikiv2/
->
-> ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
-> ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
-> ProxyPreserveHost On
-> </VirtualHost>
->
-> So all communication should be encrypted and the user should
-> immediately be redirected to the wiki.
->
-> With these settings we encounter a strange behaviour. For example the
-> Blog refuses to create a new category (see: [xwiki-users] Server not
-> responding when creating a new Blog-Category). If I point my browser
-> directly to my-domain.de:8080 I can create categories.
->
-> Is the config file correct? Is there a better way?
->
-> Cheers,
-> Stephanie
->
->
-> _______________________________________________
-> users mailing list
-> users(a)xwiki.org
-> http://lists.xwiki.org/mailman/listinfo/users
->
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
3:56 p.m.
Stephanie..
OK from your last post looks like some confusion.. so here goes:
o Stop tomcat.
o Backup your <tomcat location>/conf/server.xml file replace it with this
one ...
---- SERVER.XML 8< ----
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="8009"
address="127.0.0.1"
URIEncoding="UTF-8"
protocol="AJP/1.3"
enableLookups="false"
request.tomcatAuthentication="false"
redirectPort="8443"
scheme="https"
proxyPort="443"/>
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps"
xmlValidation="false"
xmlNamespaceAware="false"/>
</Engine>
</Service>
</Server>
---- >8 END SERVER.XML ----
o start tomcat verify localhost is listening on 8009
o Inside your httpd conf where you have your virtual hosts defined..
replace
-OUT- ServerName www.my-domain.de
+IN+ ServerName https://www.my-domain.de
-OUT- ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
+IN+ ProxyPass /xwikiv2 ajp://localhost:8009/xwikiv2
o restart httpd
------
thanks
kevin.foote
On Mon, 18 Apr 2011, Kevin P. Foote wrote:
->
-> Stephanie -
->
-> I use mod_jk for other reasons.. but mod_proxy_ajp is similar.. there is no
-> reason why this should not work ..
->
-> Make some changes though..
->
-> In your httpd conf where you have your virtual host defined
->
-> change ServerName to the full address
->
-> ServerName https://www.my-domain.de
->
-> Dont proxy to tomcat via http... use tomcat in ajp mode ..
-> disable port :8080 and server xwiki over :8009 only to local host via
-> your <tomcat location>/conf/server.xml file. (usually all you need to do
-> is comment the 8080 stuff and uncomment the 8009.
->
-> your proxy string will look something like this then..
->
-> ProxyPass /xwikiv2 ajp://localhost:8009/<xwiki instance>
->
->
-> ------
-> thanks
-> kevin.foote
->
-> On Mon, 18 Apr 2011, lists(a)yhmail.de wrote:
->
-> -> Hello again,
-> ->
-> -> we are running a tomcat-server "behind" an apache-server. In order
to
-> -> redirect the request we use the following configuration:
-> ->
-> -> <VirtualHost *:80>
-> -> ServerName www.my-domain.de
-> -> ServerAlias my-domain.de
-> -> Redirect permanent / https://www.my-domain.de/
-> -> </VirtualHost>
-> ->
-> -> <VirtualHost *:443>
-> -> ServerName www.my-domain.de
-> ->
-> -> SSLEngine On
-> -> SSLProxyEngine On
-> ->
-> -> SSLCertificateFile /etc/apache2/ssl/my-domain.crt
-> -> SSLCertificateKeyFile /etc/apache2/ssl/my-domain.key
-> ->
-> -> <Proxy *>
-> -> Order allow,deny
-> -> Allow from all
-> -> </Proxy>
-> ->
-> ->
-> -> Redirect / /xwikiv2/
-> ->
-> -> ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
-> -> ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
-> -> ProxyPreserveHost On
-> -> </VirtualHost>
-> ->
-> -> So all communication should be encrypted and the user should
-> -> immediately be redirected to the wiki.
-> ->
-> -> With these settings we encounter a strange behaviour. For example the
-> -> Blog refuses to create a new category (see: [xwiki-users] Server not
-> -> responding when creating a new Blog-Category). If I point my browser
-> -> directly to my-domain.de:8080 I can create categories.
-> ->
-> -> Is the config file correct? Is there a better way?
-> ->
-> -> Cheers,
-> -> Stephanie
-> ->
-> ->
-> -> _______________________________________________
-> -> users mailing list
-> -> users(a)xwiki.org
-> -> http://lists.xwiki.org/mailman/listinfo/users
-> ->
-> _______________________________________________
-> users mailing list
-> users(a)xwiki.org
-> http://lists.xwiki.org/mailman/listinfo/users
->
4:04 p.m.
Hey Kevin,
thanks it works now.
What I do not understand, though is, why the apache-proxy (or xwiki)
handles http request different to ajp requests. But maybe I just need
to switch my brain on but right now it makes no sense to me...
Thanks,
Stephanie
Quoting "Kevin P. Foote" <kpfoote(a)iup.edu>du>:
Stephanie..
OK from your last post looks like some confusion.. so here goes:
o Stop tomcat.
o Backup your <tomcat location>/conf/server.xml file replace it with this
one ...
---- SERVER.XML 8< ----
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="8009"
address="127.0.0.1"
URIEncoding="UTF-8"
protocol="AJP/1.3"
enableLookups="false"
request.tomcatAuthentication="false"
redirectPort="8443"
scheme="https"
proxyPort="443"/>
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps"
xmlValidation="false"
xmlNamespaceAware="false"/>
</Engine>
</Service>
</Server>
---- >8 END SERVER.XML ----
o start tomcat verify localhost is listening on 8009
o Inside your httpd conf where you have your virtual hosts defined..
replace
-OUT- ServerName www.my-domain.de
+IN+ ServerName https://www.my-domain.de
-OUT- ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
+IN+ ProxyPass /xwikiv2 ajp://localhost:8009/xwikiv2
o restart httpd
------
thanks
kevin.foote
On Mon, 18 Apr 2011, Kevin P. Foote wrote:
->
-> Stephanie -
->
-> I use mod_jk for other reasons.. but mod_proxy_ajp is similar..
there is no
-> reason why this should not work ..
->
-> Make some changes though..
->
-> In your httpd conf where you have your virtual host defined
->
-> change ServerName to the full address
->
-> ServerName https://www.my-domain.de
->
-> Dont proxy to tomcat via http... use tomcat in ajp mode ..
-> disable port :8080 and server xwiki over :8009 only to local host via
-> your <tomcat location>/conf/server.xml file. (usually all you need to do
-> is comment the 8080 stuff and uncomment the 8009.
->
-> your proxy string will look something like this then..
->
-> ProxyPass /xwikiv2 ajp://localhost:8009/<xwiki instance>
->
->
-> ------
-> thanks
-> kevin.foote
->
-> On Mon, 18 Apr 2011, lists(a)yhmail.de wrote:
->
-> -> Hello again,
-> ->
-> -> we are running a tomcat-server "behind" an apache-server. In order
to
-> -> redirect the request we use the following configuration:
-> ->
-> -> <VirtualHost *:80>
-> -> ServerName www.my-domain.de
-> -> ServerAlias my-domain.de
-> -> Redirect permanent / https://www.my-domain.de/
-> -> </VirtualHost>
-> ->
-> -> <VirtualHost *:443>
-> -> ServerName www.my-domain.de
-> ->
-> -> SSLEngine On
-> -> SSLProxyEngine On
-> ->
-> -> SSLCertificateFile /etc/apache2/ssl/my-domain.crt
-> -> SSLCertificateKeyFile /etc/apache2/ssl/my-domain.key
-> ->
-> -> <Proxy *>
-> -> Order allow,deny
-> -> Allow from all
-> -> </Proxy>
-> ->
-> ->
-> -> Redirect / /xwikiv2/
-> ->
-> -> ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
-> -> ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
-> -> ProxyPreserveHost On
-> -> </VirtualHost>
-> ->
-> -> So all communication should be encrypted and the user should
-> -> immediately be redirected to the wiki.
-> ->
-> -> With these settings we encounter a strange behaviour. For example the
-> -> Blog refuses to create a new category (see: [xwiki-users] Server not
-> -> responding when creating a new Blog-Category). If I point my browser
-> -> directly to my-domain.de:8080 I can create categories.
-> ->
-> -> Is the config file correct? Is there a better way?
-> ->
-> -> Cheers,
-> -> Stephanie
-> ->
-> ->
-> -> _______________________________________________
-> -> users mailing list
-> -> users(a)xwiki.org
-> -> http://lists.xwiki.org/mailman/listinfo/users
-> ->
-> _______________________________________________
-> users mailing list
-> users(a)xwiki.org
-> http://lists.xwiki.org/mailman/listinfo/users
->
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
4:11 p.m.
Web server talks binary to ajp .. rather than text (http). Purely
performance.. There is no magic in the setup and xwiki is not doing
anything it would not do if served straight from tomcat.
Since you've eliminated the 8080 port and your only listing on 127.0.0.1 now your
less prone to that attack vector.. (your webserver is talking locally to
tomcat and tomcat is only listening locally for connections)
------
thanks
kevin.foote
On Mon, 18 Apr 2011, lists(a)yhmail.de wrote:
-> Hey Kevin,
->
-> thanks it works now.
-> What I do not understand, though is, why the apache-proxy (or xwiki)
-> handles http request different to ajp requests. But maybe I just need
-> to switch my brain on but right now it makes no sense to me...
->
-> Thanks,
-> Stephanie
->
->
->
-> Quoting "Kevin P. Foote" <kpfoote(a)iup.edu>du>:
->
-> >
-> > Stephanie..
-> >
-> > OK from your last post looks like some confusion.. so here goes:
-> >
-> > o Stop tomcat.
-> >
-> > o Backup your <tomcat location>/conf/server.xml file replace it with
this
-> > one ...
-> >
-> >
-> > ---- SERVER.XML 8< ----
-> > <?xml version="1.0" encoding="UTF-8"?>
-> >
-> > <Server port="8005" shutdown="SHUTDOWN">
-> >
-> > <Service name="Catalina">
-> >
-> > <Connector port="8009"
-> > address="127.0.0.1"
-> > URIEncoding="UTF-8"
-> > protocol="AJP/1.3"
-> > enableLookups="false"
-> > request.tomcatAuthentication="false"
-> > redirectPort="8443"
-> > scheme="https"
-> > proxyPort="443"/>
-> >
-> > <Engine name="Catalina" defaultHost="localhost">
-> > <Host name="localhost" appBase="webapps"
xmlValidation="false"
-> > xmlNamespaceAware="false"/>
-> > </Engine>
-> >
-> > </Service>
-> > </Server>
-> > ---- >8 END SERVER.XML ----
-> >
-> > o start tomcat verify localhost is listening on 8009
-> >
-> > o Inside your httpd conf where you have your virtual hosts defined..
-> > replace
-> >
-> > -OUT- ServerName www.my-domain.de
-> > +IN+ ServerName https://www.my-domain.de
-> >
-> > -OUT- ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
-> > +IN+ ProxyPass /xwikiv2 ajp://localhost:8009/xwikiv2
-> >
-> > o restart httpd
-> >
-> >
-> >
-> >
-> >
-> >
-> > ------
-> > thanks
-> > kevin.foote
-> >
-> > On Mon, 18 Apr 2011, Kevin P. Foote wrote:
-> >
-> > ->
-> > -> Stephanie -
-> > ->
-> > -> I use mod_jk for other reasons.. but mod_proxy_ajp is similar..
-> > there is no
-> > -> reason why this should not work ..
-> > ->
-> > -> Make some changes though..
-> > ->
-> > -> In your httpd conf where you have your virtual host defined
-> > ->
-> > -> change ServerName to the full address
-> > ->
-> > -> ServerName https://www.my-domain.de
-> > ->
-> > -> Dont proxy to tomcat via http... use tomcat in ajp mode ..
-> > -> disable port :8080 and server xwiki over :8009 only to local host via
-> > -> your <tomcat location>/conf/server.xml file. (usually all you need
to do
-> > -> is comment the 8080 stuff and uncomment the 8009.
-> > ->
-> > -> your proxy string will look something like this then..
-> > ->
-> > -> ProxyPass /xwikiv2 ajp://localhost:8009/<xwiki instance>
-> > ->
-> > ->
-> > -> ------
-> > -> thanks
-> > -> kevin.foote
-> > ->
-> > -> On Mon, 18 Apr 2011, lists(a)yhmail.de wrote:
-> > ->
-> > -> -> Hello again,
-> > -> ->
-> > -> -> we are running a tomcat-server "behind" an apache-server.
In order to
-> > -> -> redirect the request we use the following configuration:
-> > -> ->
-> > -> -> <VirtualHost *:80>
-> > -> -> ServerName www.my-domain.de
-> > -> -> ServerAlias my-domain.de
-> > -> -> Redirect permanent / https://www.my-domain.de/
-> > -> -> </VirtualHost>
-> > -> ->
-> > -> -> <VirtualHost *:443>
-> > -> -> ServerName www.my-domain.de
-> > -> ->
-> > -> -> SSLEngine On
-> > -> -> SSLProxyEngine On
-> > -> ->
-> > -> -> SSLCertificateFile /etc/apache2/ssl/my-domain.crt
-> > -> -> SSLCertificateKeyFile /etc/apache2/ssl/my-domain.key
-> > -> ->
-> > -> -> <Proxy *>
-> > -> -> Order allow,deny
-> > -> -> Allow from all
-> > -> -> </Proxy>
-> > -> ->
-> > -> ->
-> > -> -> Redirect / /xwikiv2/
-> > -> ->
-> > -> -> ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
-> > -> -> ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
-> > -> -> ProxyPreserveHost On
-> > -> -> </VirtualHost>
-> > -> ->
-> > -> -> So all communication should be encrypted and the user should
-> > -> -> immediately be redirected to the wiki.
-> > -> ->
-> > -> -> With these settings we encounter a strange behaviour. For example
the
-> > -> -> Blog refuses to create a new category (see: [xwiki-users] Server
not
-> > -> -> responding when creating a new Blog-Category). If I point my
browser
-> > -> -> directly to my-domain.de:8080 I can create categories.
-> > -> ->
-> > -> -> Is the config file correct? Is there a better way?
-> > -> ->
-> > -> -> Cheers,
-> > -> -> Stephanie
-> > -> ->
-> > -> ->
-> > -> -> _______________________________________________
-> > -> -> users mailing list
-> > -> -> users(a)xwiki.org
-> > -> -> http://lists.xwiki.org/mailman/listinfo/users
-> > -> ->
-> > -> _______________________________________________
-> > -> users mailing list
-> > -> users(a)xwiki.org
-> > -> http://lists.xwiki.org/mailman/listinfo/users
-> > ->
-> > _______________________________________________
-> > users mailing list
-> > users(a)xwiki.org
-> > http://lists.xwiki.org/mailman/listinfo/users
-> >
->
->
-> _______________________________________________
-> users mailing list
-> users(a)xwiki.org
-> http://lists.xwiki.org/mailman/listinfo/users
->
19 Apr
19 Apr
12:08 a.m.
On 04/18/2011 03:52 PM, lists(a)yhmail.de wrote:
Hey,
thanks it works now. At least I do not get any errors at the moment.
Could you explain to me what the difference is? (HTTP vs. ajp) When proxying?
ajp is a direct connection between httpd and tomcat, which basically
lets Tomcat take care of a request on behalf of httpd. The request
details are kept in place, including the hostname, the port, whether the
connection is secure (SSL/https) or not...
HTTP proxying means that httpd clones the initial client request as a
new http request to the Tomcat server. Thus, unless specifically
configured to try and pass some details from the initial request, Tomcat
will just see this as an ordinary request done to "localhost" on port 8080.
ProxyPass, ProxyPassReverse and ProxyPreserveHost try to keep the same
hostname (www.my-domain.de instead of localhost), but don't keep the
fact that HTTPS was used.
The problem with the blog is that unlike most parts of the wiki,
absolute URLs are used when creating a new category. This means that a
full URL, trying to match the requested URL, is computed. Now, since
Tomcat/XWiki doesn't really know the original URL, the generated URL
will be most likely wrong, pointing to the wrong host and port.
@Everybody: Thank you for your help.
Cheers,
Chris
Quoting "Kevin P. Foote"<kpfoote(a)iup.edu>iup.edu>:
>
> Stephanie -
>
> I use mod_jk for other reasons.. but mod_proxy_ajp is similar.. there is no
> reason why this should not work ..
>
> Make some changes though..
>
> In your httpd conf where you have your virtual host defined
>
> change ServerName to the full address
>
> ServerName https://www.my-domain.de
>
> Dont proxy to tomcat via http... use tomcat in ajp mode ..
> disable port :8080 and server xwiki over :8009 only to local host via
> your<tomcat location>/conf/server.xml file. (usually all you need to do
> is comment the 8080 stuff and uncomment the 8009.
>
> your proxy string will look something like this then..
>
> ProxyPass /xwikiv2 ajp://localhost:8009/<xwiki instance>
>
>
> ------
> thanks
> kevin.foote
>
> On Mon, 18 Apr 2011, lists(a)yhmail.de wrote:
>
> -> Hello again,
> ->
> -> we are running a tomcat-server "behind" an apache-server. In order
to
> -> redirect the request we use the following configuration:
> ->
> -> <VirtualHost *:80>
> -> ServerName www.my-domain.de
> -> ServerAlias my-domain.de
> -> Redirect permanent / https://www.my-domain.de/
> -> </VirtualHost>
> ->
> -> <VirtualHost *:443>
> -> ServerName www.my-domain.de
> ->
> -> SSLEngine On
> -> SSLProxyEngine On
> ->
> -> SSLCertificateFile /etc/apache2/ssl/my-domain.crt
> -> SSLCertificateKeyFile /etc/apache2/ssl/my-domain.key
> ->
> -> <Proxy *>
> -> Order allow,deny
> -> Allow from all
> -> </Proxy>
> ->
> ->
> -> Redirect / /xwikiv2/
> ->
> -> ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
> -> ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
> -> ProxyPreserveHost On
> -> </VirtualHost>
> ->
> -> So all communication should be encrypted and the user should
> -> immediately be redirected to the wiki.
> ->
> -> With these settings we encounter a strange behaviour. For example the
> -> Blog refuses to create a new category (see: [xwiki-users] Server not
> -> responding when creating a new Blog-Category). If I point my browser
> -> directly to my-domain.de:8080 I can create categories.
> ->
> -> Is the config file correct? Is there a better way?
> ->
> -> Cheers,
> -> Stephanie
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
9:09 a.m.
Am 19.04.2011 00:08, schrieb Sergiu Dumitriu:
On 04/18/2011 03:52 PM, lists(a)yhmail.de wrote:
Thanks for the backgrounder !
Hey,
thanks it works now. At least I do not get any errors at the moment.
Could you explain to me what the difference is? (HTTP vs. ajp) When proxying?
ajp
is a direct connection between httpd and tomcat, which basically
lets Tomcat take care of a request on behalf of httpd. The request
details are kept in place, including the hostname, the port, whether the
connection is secure (SSL/https) or not...
HTTP proxying means that httpd clones the initial client request as a
new http request to the Tomcat server. Thus, unless specifically
configured to try and pass some details from the initial request, Tomcat
will just see this as an ordinary request done to "localhost" on port 8080.
ProxyPass, ProxyPassReverse and ProxyPreserveHost try to keep the same
hostname (www.my-domain.de instead of localhost), but don't keep the
fact that HTTPS was used. The problem with the blog is that unlike most parts of
the wiki,
absolute URLs are used when creating a new category. This means that a
full URL, trying to match the requested URL, is computed. Now, since
Tomcat/XWiki doesn't really know the original URL, the generated URL
will be most likely wrong, pointing to the wrong host and port.
Couldn't that / shouldn't that be changed so that its possible to
reliably operate
XWiki with all of its features behind a httpd ?
I think a lot of people are doing that (including me). Never tried
blogging though ....
Are other parts of XWiki also affected by this 'wrong' computation of
the url ?
kind regards
Andreas
@Everybody:
Thank you for your help.
Cheers,
Chris
Quoting "Kevin P. Foote"<kpfoote(a)iup.edu>iup.edu>:
> Stephanie -
>
> I use mod_jk for other reasons.. but mod_proxy_ajp is similar.. there is no
> reason why this should not work ..
>
> Make some changes though..
>
> In your httpd conf where you have your virtual host defined
>
> change ServerName to the full address
>
> ServerName https://www.my-domain.de
>
> Dont proxy to tomcat via http... use tomcat in ajp mode ..
> disable port :8080 and server xwiki over :8009 only to local host via
> your<tomcat location>/conf/server.xml file. (usually all you need to do
> is comment the 8080 stuff and uncomment the 8009.
>
> your proxy string will look something like this then..
>
> ProxyPass /xwikiv2 ajp://localhost:8009/<xwiki instance>
>
>
> ------
> thanks
> kevin.foote
>
> On Mon, 18 Apr 2011, lists(a)yhmail.de wrote:
>
> -> Hello again,
> ->
> -> we are running a tomcat-server "behind" an apache-server. In order
to
> -> redirect the request we use the following configuration:
> ->
> -> <VirtualHost *:80>
> -> ServerName www.my-domain.de
> -> ServerAlias my-domain.de
> -> Redirect permanent / https://www.my-domain.de/
> -> </VirtualHost>
> ->
> -> <VirtualHost *:443>
> -> ServerName www.my-domain.de
> ->
> -> SSLEngine On
> -> SSLProxyEngine On
> ->
> -> SSLCertificateFile /etc/apache2/ssl/my-domain.crt
> -> SSLCertificateKeyFile /etc/apache2/ssl/my-domain.key
> ->
> -> <Proxy *>
> -> Order allow,deny
> -> Allow from all
> -> </Proxy>
> ->
> ->
> -> Redirect / /xwikiv2/
> ->
> -> ProxyPass /xwikiv2 http://localhost:8080/xwikiv2
> -> ProxyPassReverse /xwikiv2 http://localhost:8080/xwikiv2
> -> ProxyPreserveHost On
> -> </VirtualHost>
> ->
> -> So all communication should be encrypted and the user should
> -> immediately be redirected to the wiki.
> ->
> -> With these settings we encounter a strange behaviour. For example the
> -> Blog refuses to create a new category (see: [xwiki-users] Server not
> -> responding when creating a new Blog-Category). If I point my browser
> -> directly to my-domain.de:8080 I can create categories.
> ->
> -> Is the config file correct? Is there a better way?
> ->
> -> Cheers,
> -> Stephanie
3:41 p.m.
On 04/19/2011 09:09 AM, Andreas Hahn wrote:
Am 19.04.2011 00:08, schrieb Sergiu Dumitriu:
It does work, if the configuration is correct.
On 04/18/2011 03:52 PM, lists(a)yhmail.de wrote:
Thanks for the backgrounder !
Hey,
thanks it works now. At least I do not get any errors at the moment.
Could you explain to me what the difference is? (HTTP vs. ajp) When proxying?
ajp
is a direct connection between httpd and tomcat, which basically
lets Tomcat take care of a request on behalf of httpd. The request
details are kept in place, including the hostname, the port, whether the
connection is secure (SSL/https) or not...
HTTP proxying means that httpd clones the initial client request as a
new http request to the Tomcat server. Thus, unless specifically
configured to try and pass some details from the initial request, Tomcat
will just see this as an ordinary request done to "localhost" on port 8080.
ProxyPass, ProxyPassReverse and ProxyPreserveHost try to keep the same
hostname (www.my-domain.de instead of localhost), but don't keep the
fact that HTTPS was used. The problem with the blog is that unlike most
parts of the wiki,
absolute URLs are used when creating a new category. This means that a
full URL, trying to match the requested URL, is computed. Now, since
Tomcat/XWiki doesn't really know the original URL, the generated URL
will be most likely wrong, pointing to the wrong host and port.
Couldn't that / shouldn't that be changed so that its possible to
reliably operate
XWiki with all of its features behind a httpd ? I think a lot of people are doing that (including me).
Never tried
blogging though ....
Are other parts of XWiki also affected by this 'wrong' computation of
the url ?
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
4:50 p.m.
Am 19.04.2011 15:41, schrieb Sergiu Dumitriu:
On 04/19/2011 09:09 AM, Andreas Hahn wrote:
I see. I just checked with my installation that Blog works ok. If I
understand correctly
that has to do with the fact that I'm just using simple HTTP proxying
(and not HTTPS,
in this case ajp should be used).
Am 19.04.2011 00:08, schrieb Sergiu Dumitriu:
It does work, if the configuration
is correct. On 04/18/2011 03:52 PM, lists(a)yhmail.de wrote:
Thanks for the backgrounder !
Hey,
thanks it works now. At least I do not get any errors at the moment.
Could you explain to me what the difference is? (HTTP vs. ajp) When proxying?
ajp
is a direct connection between httpd and tomcat, which basically
lets Tomcat take care of a request on behalf of httpd. The request
details are kept in place, including the hostname, the port, whether the
connection is secure (SSL/https) or not...
HTTP proxying means that httpd clones the initial client request as a
new http request to the Tomcat server. Thus, unless specifically
configured to try and pass some details from the initial request, Tomcat
will just see this as an ordinary request done to "localhost" on port 8080.
ProxyPass, ProxyPassReverse and ProxyPreserveHost try to keep the same
hostname (www.my-domain.de instead of localhost), but don't keep the
fact that HTTPS was used. The problem with the blog is that unlike most
parts of the wiki,
absolute URLs are used when creating a new category. This means that a
full URL, trying to match the requested URL, is computed. Now, since
Tomcat/XWiki doesn't really know the original URL, the generated URL
will be most likely wrong, pointing to the wrong host and port.
Couldn't that
/ shouldn't that be changed so that its possible to
reliably operate
XWiki with all of its features behind a httpd ? I think a lot
of people are doing that (including me). Never tried
blogging though ....
Are other parts of XWiki also affected by this 'wrong' computation of
the url ?
5:07 p.m.
Andreas
If your intercepting with anything (httpd,nginx,lighttpd), thus proxying, you should use
ajp.
Its simply faster..
------
thanks
kevin.foote
On Tue, 19 Apr 2011, Andreas Hahn wrote:
-> Am 19.04.2011 15:41, schrieb Sergiu Dumitriu:
-> > On 04/19/2011 09:09 AM, Andreas Hahn wrote:
-> >> Am 19.04.2011 00:08, schrieb Sergiu Dumitriu:
-> >>> On 04/18/2011 03:52 PM, lists(a)yhmail.de wrote:
-> >>>> Hey,
-> >>>>
-> >>>> thanks it works now. At least I do not get any errors at the
moment.
-> >>>> Could you explain to me what the difference is? (HTTP vs. ajp) When
proxying?
-> >>> ajp is a direct connection between httpd and tomcat, which basically
-> >>> lets Tomcat take care of a request on behalf of httpd. The request
-> >>> details are kept in place, including the hostname, the port, whether
the
-> >>> connection is secure (SSL/https) or not...
-> >>>
-> >>> HTTP proxying means that httpd clones the initial client request as a
-> >>> new http request to the Tomcat server. Thus, unless specifically
-> >>> configured to try and pass some details from the initial request,
Tomcat
-> >>> will just see this as an ordinary request done to "localhost"
on port 8080.
-> >>>
-> >>> ProxyPass, ProxyPassReverse and ProxyPreserveHost try to keep the same
-> >>> hostname (www.my-domain.de instead of localhost), but don't keep
the
-> >>> fact that HTTPS was used.
-> >> Thanks for the backgrounder !
-> >>
-> >>> The problem with the blog is that unlike most parts of the wiki,
-> >>> absolute URLs are used when creating a new category. This means that a
-> >>> full URL, trying to match the requested URL, is computed. Now, since
-> >>> Tomcat/XWiki doesn't really know the original URL, the generated
URL
-> >>> will be most likely wrong, pointing to the wrong host and port.
-> >> Couldn't that / shouldn't that be changed so that its possible to
-> >> reliably operate
-> >> XWiki with all of its features behind a httpd ?
-> > It does work, if the configuration is correct.
->
-> I see. I just checked with my installation that Blog works ok. If I
-> understand correctly
-> that has to do with the fact that I'm just using simple HTTP proxying
-> (and not HTTPS,
-> in this case ajp should be used).
->
->
-> >> I think a lot of people are doing that (including me). Never tried
-> >> blogging though ....
-> >> Are other parts of XWiki also affected by this 'wrong' computation
of
-> >> the url ?
-> >>
-> >
->
-> _______________________________________________
-> users mailing list
-> users(a)xwiki.org
-> http://lists.xwiki.org/mailman/listinfo/users
->
5:51 p.m.
Am 19.04.2011 17:07, schrieb Kevin P. Foote:
Andreas
If your intercepting with anything (httpd,nginx,lighttpd), thus proxying, you should use
ajp.
Its simply faster..
thanks Kevin, I'll check that out soon ...
------
thanks
kevin.foote
On Tue, 19 Apr 2011, Andreas Hahn wrote:
-> Am 19.04.2011 15:41, schrieb Sergiu Dumitriu:
-> > On 04/19/2011 09:09 AM, Andreas Hahn wrote:
-> >> Am 19.04.2011 00:08, schrieb Sergiu Dumitriu:
-> >>> On 04/18/2011 03:52 PM, lists(a)yhmail.de wrote:
-> >>>> Hey,
-> >>>>
-> >>>> thanks it works now. At least I do not get any errors at the
moment.
-> >>>> Could you explain to me what the difference is? (HTTP vs. ajp)
When proxying?
-> >>> ajp is a direct connection between httpd and tomcat, which
basically
-> >>> lets Tomcat take care of a request on behalf of httpd. The request
-> >>> details are kept in place, including the hostname, the port, whether
the
-> >>> connection is secure (SSL/https) or not...
-> >>>
-> >>> HTTP proxying means that httpd clones the initial client request as
a
-> >>> new http request to the Tomcat server. Thus, unless specifically
-> >>> configured to try and pass some details from the initial request,
Tomcat
-> >>> will just see this as an ordinary request done to
"localhost" on port 8080.
-> >>>
-> >>> ProxyPass, ProxyPassReverse and ProxyPreserveHost try to keep the
same
-> >>> hostname (www.my-domain.de instead of localhost), but don't keep
the
-> >>> fact that HTTPS was used.
-> >> Thanks for the backgrounder !
-> >>
-> >>> The problem with the blog is that unlike most parts of the wiki,
-> >>> absolute URLs are used when creating a new category. This means that
a
-> >>> full URL, trying to match the requested URL, is computed. Now,
since
-> >>> Tomcat/XWiki doesn't really know the original URL, the generated
URL
-> >>> will be most likely wrong, pointing to the wrong host and port.
-> >> Couldn't that / shouldn't that be changed so that its possible
to
-> >> reliably operate
-> >> XWiki with all of its features behind a httpd ?
-> > It does work, if the configuration is correct.
->
-> I see. I just checked with my installation that Blog works ok. If I
-> understand correctly
-> that has to do with the fact that I'm just using simple HTTP proxying
-> (and not HTTPS,
-> in this case ajp should be used).
->
->
-> >> I think a lot of people are doing that (including me). Never tried
-> >> blogging though ....
-> >> Are other parts of XWiki also affected by this 'wrong'
computation of
-> >> the url ?
-> >>
-> >
->
-> _______________________________________________
-> users mailing list
-> users(a)xwiki.org
-> http://lists.xwiki.org/mailman/listinfo/users
->
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
4996
days inactive
4997
days old
16 comments
6 participants
participants (6)
-
Andreas Hahn -
Guillaume Fenollar -
Kevin P. Foote -
lists@yhmail.de -
Paul Libbrecht -
Sergiu Dumitriu