8 posts categorized "mod_proxy"


Basic Mod_jk and Mod_proxy_ajp Configuration

Let's say you don't feel like compiling mod-jk yourself and you can't find a binary of mod_jk compiled against your platform. Or maybe you just simply don't want to use mod_jk. If you're using apache 2.2, you can use mod_proxy_ajp in place of mod_jk in order to talk to your tomcat servers as it is already "built-in" to apache.

If you're running apache 2.2 and tomcat 5.5 or 6.0 locally, this post is for you. I'll create a base configuration that includes everything you would need to talk to a local tomcat instance using mod_proxy_ajp while also providing you with the basic mod_jk equivalent configuration for comparison.

mod_proxy_ajp configuration

The first thing you are going to want to make sure you add are the correct shared modules to the apache httpd.conf. It is also important to stress that when proxying requests to a back end server, you are configuring apache to work in reverse-proxy mode for these types of requests. The following items will get you off and running communicating to your local tomcat/jboss/geronimo/jetty-hosted webapp.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

ProxyRequests Off

ProxyPass /webapp ajp://localhost:8009/webapp
ProxyPassReverse /webapp ajp://localhost:8009/webapp

<Proxy /webapp>
Order Deny,Allow
Allow from All

<Proxy /webapp/WEB-INF>
Order Deny,Allow
Deny from All

The first two lines are self-explanatory and load the modules that provide proxy and proxy-with-ajp support. The third line enables reverse proxy mode--don't ask me why it is worded this way because it is a common question that everyone asks and the documentation on httpd.apache.org doesn't really provide a reason why. The next two lines are required but seem a bit redundant--again, don't ask me why both are needed. One would assume that since this is a reverse proxy, only ProxyPassReverse would really be needed but both appear to be necessary. The next blocks of code are standard blocks--one allowing All access to the newly mounted webapp and the other denying access to WEB-INF. In 13 lines, we have created a basic mod_proxy_ajp mount to a tomcat instance running on localhost with the added bonus of only needing to add it all in the one httpd.conf configuration file.

Corresponding mod_jk entries reside in two different files, httpd.conf and workers.properties. Although you can place all of these entries in httpd.conf using mod_jk-specific directives, I don't know anyone who actually does it.

mod_jk configuration

Changes to http.conf:

LoadModule jk_module modules/mod_kl.so

JkWorkersFiles conf/workers.properties

JkLogFile logs/mod_jk.log <!although this should be piped to rotatelogs -->
JkLogLevel info
JkMount /webapp ajp13

<Location /webapp>
Order Deny,Allow
Allow from All

<Location /webapp/WEB-INF>
Order Deny,Allow
Deny from All

and the changes necessary to workers.properties

 # Define 1 real worker using ajp13

# Set properties for worker1 (ajp13)


Two files and 17 lines (excluding the 2 comment lines in workers.properties) to achieve the same affect that 13 lines in a mod_proxy_ajp configuration provides.


The X-Forwarded-For Header

Most mainstream proxy servers support what is known as the X-Forwarded-For header, which is a custom header that gets inserted into the HTTP request by the proxy so that the Client IP Address can be read by the target web/app server. The Wikipedia article describes it much better than I could--this article focuses on how to set things up on your BigIP or your apache server so that this useful IP address can get passed along to your upstream server.

For all intents and purpsoses, the BigIP is a reverse proxy--a high end, load-balancing, application delivery proxy, but nevertheless, it is a proxy. By default, requests sent to it are natted to a load-balanced node. By default, the web server does not see the IP address of the end-user--it sees the IP address of the bigip. This makes setting up things like IP Address Restrictions or Geo-Location services difficult because all your users will look like they are coming from the same place inside your network.
mod_proxy load-balancing requests to an upstream application server puts the apache httpd server in reverse proxy mode for that particular web app as well--so for those web applications that need to see the client ip address for reasons similar to the above, then they are out of luck as well.

Enabling the X-Forwarded-For Header in the BigIP

The X-Forwarded-For header is enabled and disabled from within the HTTP profile in the 9.x version of the BigIP software. If you are using the base http profile in your VIPs (or if you are using an HTTP profile that uses the base http profile as a "parent profile") and you have not modified the base http profile, then this option is disabled by default. Enabling is simply a matter of selecting "Enabled" from the dropdown labeled "XForwarded-for" and you are all set!

Ok....you aren't really all set. All this does is configure VIPs that utilize this particular profile to insert the X-Forwarded-For header in requests that will be routed to a particular web server. If the web server doesn't know what to do with this header, it will cheerfully ignore it. F5 also developed an isapi plug-in for IIS that will write the IP address of the client into the web server's log in place of the BigIPs address. For apache web servers, you will need to modify the LogFormat directive so that you drop the %h (client ip) field and replace it with the %{X-Forwarded-For}i field.

Enabling the X-Forwarded-For Header in mod_proxy

Now that you are passing the client IP address to your web server, what if you want to pass the client IP address along to your application servers as well? Well, if you're using mod_proxy_http (or mod_proxy_balancer with workers that are using mod_proxy_http), then you don't really need to do anything. The documentation on the apache site implies that mod_proxy automatically forwards three headers (X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server).


Useful Offsite Trinket - Using Apache Virtual Hosts and ProxyPass Together

Found this useful trinket off of dzone today for setting up mod_proxy within a virtual host.