Reverse SSL proxy for Apche Tomcat

lpwevers · 01-18-2017, 08:52 AM

Dear Experts,

I'm trying to access a Tomcat server via Apache 2.4, configured as a reverse proxy server. All communication should take place using HTTPS.

On the reverse proxy I've installed the proper certificates and setup the forwarding to the tomcat server. However, whenever I try to access it, I get the following error message:

Code:

HTTP Status 500 - None of SP's internal[https://digsvw164.xxxxx.local:8100/dispatcher] and external address[[https://sb1web.xxxxx.nl:8100/dispatcher]] haven't been found in value of the "x-forwarded-for" header [172.29.38.10]

Where 172.29.38.10 is the IP address of the machine I'm coming from. If I access the tomcat server directly all is fine.

My apache configuration for this host is:

Code:

<VirtualHost *:8100>
    ServerAdmin                support@xxxxx.nl
    ServerName                 sb1web.xxxxx.nl
    SSLEngine                  on
    SSLProtocol                all -SSLv2 -SSLv3
    SSLCipherSuite             ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
    SSLCertificateFile         /etc/apache2/ssl.crt/xxx_nl.crt
    SSLCertificateKeyFile      /etc/apache2/ssl.key/xxx_nl.key
    SSLCertificateChainFile    /etc/apache2/ssl.crt/xxx_nl.ca-bundle
    SSLProxyEngine             On
    SSLProxyVerify             none
    SSLProxyCheckPeerCN        off
    SSLProxyCheckPeerName      off
    SSLProxyCheckPeerExpire    off
    ProxyRequests              On
    ProxyPreserveHost          Off
    ProxyBadHeader             Ignore
    ProxyPass                  / https://172.29.38.164:8100/ retry=0 timeout=5 KeepAlive=on
    ProxyPassReverse           / https://172.29.38.164:8100/
</VirtualHost>

I also tried fiddling around with directives like

Code:

    RemoteIPHeader             X-Forwarded-For
    RemoteIPInternalProxy      172.29.38.0/24

in various forms, but all to no avail.

Any help would be greatly appriciated.

Coffee!!! · 01-20-2017, 09:55 AM

You're proxy configuration is incorrect (you only need 3 things for a reverse proxy to work, unless you have some really odd information passed in headers):

ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / https://websitename.nl/

I use this on my servers that host Tomcat based applications to secure the front end with Apache web server and it works like a charm.

lpwevers · 01-20-2017, 10:03 AM

Quote:

Originally Posted by Coffee!!!

You're proxy configuration is incorrect (you only need 3 things for a reverse proxy to work, unless you have some really odd information passed in headers):

ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / https://websitename.nl/

I use this on my servers that host Tomcat based applications to secure the front end with Apache web server and it works like a charm.

Hi,

Thanks for your suggestions. But I my case I also need the reverse proxy to take care of the certificate handling for me. That's basically the reset of the configuration in there. Also, I need the ServerName directive. The reverse proxy handles many more hosts, so I need it to determine to what host to send the request.

But I notice that you have

Code:

ProxyPreserveHost On

where I have it set to Off. I'll change that and see if it does the trick for me.

Guino · 03-18-2017, 03:22 AM

Hello lpwevers,

I notice that you try to publish SAP B1 Browser Access on Internet using Apache Reverse proxy.
I am currently trying to do the same thing and i have the same errors you mentionned.

Did you finally find a way to solve the issue ?

Guillaume

mkLnxAdm · 08-25-2022, 03:24 AM

Hello lpwevers,

I have a similar problem with SAP B1 just like Guino

Were you able to solve it and access the site correctly?

Kind regards
mkLnxAdm

elgrandeperro · 08-25-2022, 11:09 AM

I think it is checking the URL, so you need to pass it:

ProxyPassReverse / https://sb1web.xxxxx.nl:8100 and not

If you use Preserve, I think it will pass: https://sb1web.xxxxx.nl

could be wrong, it might work.

mkLnxAdm · 08-26-2022, 05:44 AM

So you suggest turning ProxyPreserveHost Off?

elgrandeperro · 08-26-2022, 08:27 AM

I would, and control from ProxyPassReverse.

Your app is checking for 2 names, I don't know the distinction between internal and external. Obviously by the naming of the internal it seems to be the way to call it locally.

https://digsvw164.xxxxx.local:8100 https://sb1web.xxxxx.nl:8100

Since Cert checking is off, either might work.

lpwevers · 08-28-2022, 03:02 AM

Quote:

Originally Posted by mkLnxAdm

Hello lpwevers,

I have a similar problem with SAP B1 just like Guino

Were you able to solve it and access the site correctly?

Kind regards
mkLnxAdm

Hi,

Well to be honest, I don't remember; it's been 5 years since I had this issue and we're not using SAP B1 anymore. I do however, very vaguely recall that the only option was to switch to ngnix instead of Apache.

Kind regards,
Louis

mkLnxAdm · 08-29-2022, 02:55 AM

Hello,

yeah 5 years is a long time but still thanks for your reply

I'll probably need to switch to nginx too because that's the proxy SAP recommends.

Kind regards,
mkLnxAdm

elgrandeperro · 08-29-2022, 07:38 AM

You can see how has more straightforward proxy "masquerading" directives in this link:

https://www.supereasy.com/how-to-con...-proxy-easily/

It is the same problem; you have to pass the right values to the proxied internal server.