Configure Apache reverse proxy to an AWS ALB on port 443 - amazon-web-services

I've set up an Apache reverse proxy (which receives traffic from the outside world via a firewall) with the configuration below:
<VirtualHost *:443>
    ServerName xyz.example.com
    ProxyRequests Off
    ProxyPass / https://internal-voyager-dev-1960104633.us-east-1.elb.amazonaws.com/
    ProxyPassReverse / https://internal-voyager-dev-1960104633.us-east-1.elb.amazonaws.com/
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLEngine on
    SSLOptions +StrictRequire
    SSLProtocol All -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
    ...
</VirtualHost>
This reverse proxy is pointing to an AWS ALB on listener port 443. The ALB then processes the request based on the rule where HOST(xyz.example.com) is mapped to a target group. But this is not working; I am getting a 502 Bad Gateway error.
If I make config changes like pointing the reverse proxy to http://alb-cname and using listener port 80 of the AWS ALB, then I am able to bring up the application, but as we use a Rails application we get the error saying "HTTP Origin header didn't match request.base_url".
I'd appreciate any ideas as to how I can solve this issue.
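An added example (not from the original post) of how the front-end vhost can be written so that the ALB's host-based rule sees the client's original Host header, the Rails app sees the original scheme, and the ALB's certificate chain is still verified. It assumes the same ELB hostname as above, that mod_proxy_http, mod_headers and mod_ssl are loaded, and that the certificate and CA bundle paths shown exist.

```apache
<VirtualHost *:443>
    ServerName xyz.example.com
    SSLEngine on
    # Assumed paths; the original post elides its own certificate lines.
    SSLCertificateFile    /etc/apache2/ssl/xyz.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/xyz.example.com.key
    SSLProtocol All -SSLv3 -SSLv2 -TLSv1 -TLSv1.1

    ProxyRequests Off
    # Pass the client's Host header to the ALB unchanged. Without this,
    # Apache rewrites Host to the ELB DNS name, so an ALB rule keyed on
    # host-header = xyz.example.com never matches.
    ProxyPreserveHost On
    # mod_proxy adds X-Forwarded-For/Host/Server but not X-Forwarded-Proto;
    # Rack (and so Rails' request.base_url) reads the scheme from it.
    RequestHeader set X-Forwarded-Proto "https"

    SSLProxyEngine on
    # Verify the ALB's certificate chain against a CA bundle (assumed path)
    # instead of accepting any certificate.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    SSLProxyCheckPeerExpire on
    # The ALB presents the certificate issued for xyz.example.com, not for
    # its *.elb.amazonaws.com DNS name, so the hostname check stays off;
    # chain verification above still rejects untrusted issuers.
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off

    ProxyPass        / https://internal-voyager-dev-1960104633.us-east-1.elb.amazonaws.com/
    ProxyPassReverse / https://internal-voyager-dev-1960104633.us-east-1.elb.amazonaws.com/
</VirtualHost>
```

Check the effect with `apachectl -t` and then a request through the proxy: the ALB access log should show the target group chosen by the xyz.example.com rule rather than the default action.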

Related

NGINX on AWS EC2 to forward HTTPS to HTTP://localhost

I have some Docker containers deployed on AWS EC2 that listen on HTTP.
My idea is to use nginx as a reverse proxy to pass traffic from HTTPS to http://localhost.
Each container listens on a specific HTTP port. The EC2 instance will accept traffic just on http:80 and http:443, and I will use the subdomain to choose the right port.
So I should have:
https://backend.my_ec2instance.com --> http://localhost:4000
https://frontend.my_ec2instance.com --> http://localhost:5000
I've got my free TLS certificate from Let's Encrypt (it's just one file containing the public and private keys) and put it in
/etc/nginx/ssl/letsencrypt.pem
Then I configured nginx this way:
sudo nano /etc/nginx/sites-enabled/custom.conf
and wrote
server {
    listen 443 ssl;
    server_name backend.my_ec2instance;
    # Certificate
    ssl_certificate letsencrypt.pem;
    # Private Key
    ssl_certificate_key letsencrypt.pem;
    # Forward
    location / {
        proxy_pass http://localhost:4000;
    }
}
server {
    listen 443 ssl;
    server_name frontend.my_ec2instance;
    # Certificate
    ssl_certificate letsencrypt.pem;
    # Private Key
    ssl_certificate_key letsencrypt.pem;
    # Forward
    location / {
        proxy_pass http://localhost:5000;
    }
}
then
sudo ln -s /etc/nginx/sites-available/custom.conf /etc/nginx/sites-enbled/
Anyway, if I open my browser on https://backend.my_ec2instance it's not reachable.
http://localhost:80, instead, correctly shows the nginx page.
HTTPS default port is port 443. HTTP default port is port 80. So this: https://localhost:80 makes no sense. You are trying to use the HTTPS protocol on an HTTP port.
In either case, I don't understand why you are entering localhost in your web browser at all. You should be trying to open https://frontend.my_ec2instance.com in your web browser. The localhost address in your web browser would refer to your local laptop, not an EC2 server.
Per the discussion in the comments you also need to include your custom Nginx config in the base configuration file.

Configure Ratchet and EC2 and AWS Load Balancer throws WebSocket connection to 'wss://chat.domain.com:8080/' failed

I have built a WebSocket server on an Ubuntu 20.04 (LAMP) stack using Ratchet.
I followed this article https://www.twilio.com/blog/create-php-websocket-server-build-real-time-even-driven-application to build the WebSocket server.
I followed this article, "Does an Application Load Balancer support WebSockets?", to configure my web server.
Configured Security Group - Inbound rules TCP 8080
Configured Load Balancer
Created Target Group (TCP) for port 8080
Enabled Stickiness (1 hour)
SSL is configured and created in AWS Certificate Manager
Apache configuration:
<VirtualHost *:80>
    ServerName chat.domain.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/websites/chat.domain.com/public
    <Directory /var/www/websites/chat.domain.com/public/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/chat.domain.com/error.log
    CustomLog ${APACHE_LOG_DIR}/chat.domain.com/access.log combined
</VirtualHost>
<VirtualHost *:443>
    ServerName chat.domain.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/websites/chat.domain.com/public
    <Directory /var/www/websites/chat.domain.com/public/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    ProxyPass / https://chat.domain.com:8080/
    ProxyPassReverse / https://chat.domain.com:8080/
    <Location "/">
        ProxyPass "wss://chat.domain.com:8080/"
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/chat.domain.com/error.log
    CustomLog ${APACHE_LOG_DIR}/chat.domain.com/access.log combined
</VirtualHost>
Everything is in place and running, but I get
WebSocket connection to 'wss://chat.domain.com:8080/' failed:
Here is my Chrome inspect.
I have even tried opening traffic to ALL ports (inbound) just to check the security group, but I am still getting the same error.
I suspect the problem is in configuring the Load Balancer, Security Group and Target Group?
Any help or suggestion?
Finally I found the solution. Port 8080 should have been added to the firewall, and I had to create a new target group for port 8080, then create a load balancer with port HTTP:8080 pointing to that target group.

Running Jenkins and Spring-boot on single EC2 instance

I have a Spring Boot application running on an EC2 instance, and it's publicly accessible from an Elastic IP, say 123.456.78.90, with the help of the Apache httpd server. I have given the following virtual host entry in httpd.conf:
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyRequests Off
    ServerName 123.456.78.90
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
Now, I have installed Jenkins on the same EC2 instance and want it to be accessible from my Elastic IP 123.456.78.90, but maybe by specifying a different port like 9090, so that when I enter 123.456.78.90:9090 it takes me to Jenkins, but when I enter 123.456.78.90 it takes me to my Spring Boot application. I am not sure what the best way to configure it is. For setting up Jenkins I tried the following virtual host entry in my httpd.conf file, but it's not working.
<VirtualHost *:9090>
    ProxyPreserveHost On
    ProxyRequests Off
    ServerName 123.456.78.90:9090
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
I would appreciate it if I were pointed in the right direction.
UPDATE: I have the simple rule for directing the inbound traffic over HTTP.
Why not just use the port directly in Jenkins, i.e. 8080, instead of routing it through Apache?
Anyway, I think the problem is due to the lack of a Listen directive in Apache for port 9090.
See https://httpd.apache.org/docs/2.4/bind.html
Have you tried following the manual at https://wiki.jenkins-ci.org/display/JENKINS/Installing+Jenkins+on+Ubuntu, the "Setting up an Apache Proxy for port 80 -> 8080" section? I think if you just change the 80 to 9090 the manual might work for you.
Also, if you are using EC2, you may have to do some security configuration in your AWS console about which ports can be accessed from the outside network.

Can't log into WSO2 Carbon behind load balancer

I have a WSO2IS 5.0.0 instance running on a VM behind a load balancer. The load balancer listens for HTTPS on port 443, handles all SSL and forwards plain HTTP to the VM on port 80.
I have configured the WSO2IS instance to have only one HTTP connector on port 80 in catalina-server.xml, and configured all the URLs I can find in the config to point to the load balancer using HTTPS.
I can visit the carbon webapp via the load balancer on 443 fine. However when I successfully log in, the webapp returns a redirect to HTTP on port 80, NOT to HTTPS on port 443 as it should. This makes it impossible to use the carbon webapp.
If I change proxyPort in the HTTP connector in catalina-server.xml, it does then return a redirect to port 443 - but the URL is plain HTTP, not HTTPS, so it still fails.
How can I tell carbon to send a redirect to HTTPS even though tomcat itself is listening via HTTP?
Thanks in advance!
You can use the proxy port in this scenario.
You can configure tomcat/catalina-server.xml as below with 2 connectors. The HTTP URL will redirect to the HTTPS URL anyway. Do you mean the management console as the webapp?
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9763"
           proxyPort="80"
           bindOnInit="false"
           maxHttpHeaderSize="8192"
           acceptorThreadCount="2"
           maxThreads="250"
           minSpareThreads="50"
           disableUploadTimeout="false"
           connectionUploadTimeout="120000"
           maxKeepAliveRequests="200"
           acceptCount="200"
           server="WSO2 Carbon Server"
           compression="on"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
           URIEncoding="UTF-8"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           proxyPort="443"
           bindOnInit="false"
           sslProtocol="TLS"
           maxHttpHeaderSize="8192"
           acceptorThreadCount="2"
           maxThreads="250"
           minSpareThreads="50"
           disableUploadTimeout="false"
           enableLookups="false"
           connectionUploadTimeout="120000"
           maxKeepAliveRequests="200"
           acceptCount="200"
           server="WSO2 Carbon Server"
           clientAuth="false"
           compression="on"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
           URIEncoding="UTF-8"/>
You should have the mapping to your load balancer in your /etc/hosts file as:
is.50.com
In your load balancer you should have the configuration below, e.g. for apache2:
<VirtualHost *:443>
    ServerName is.50.com
    ServerAlias is.50.com
    ProxyPreserveHost On
    SSLEngine On
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    # stickysession is a ProxyPass option, not a directive of its own
    ProxyPass / https://<carbonIP>:<port>/ stickysession=JSESSIONID
    ProxyPassReverse / https://<carbonIP>:<port>/
</VirtualHost>
Then your access URL will be as below:
https://is.50.com/carbon
or
http://is.50.com/carbon, which will redirect to HTTPS.

AWS ELB not populating x-forwarded-for header

We are using Amazon Elastic Load Balancer and have 2 Apache servers behind it.
However, we are not able to get the X-Forwarded headers on the application side.
I read a similar post, but could not find a solution in it:
Amazon Elastic load balancer is not populating x-forwarded-proto header
This is how the ELB listeners are configured (load balancer protocol/port, instance protocol/port, cipher, SSL certificate):
HTTP 80 -> HTTP 80, N/A, N/A
TCP 443 -> TCP 443, N/A, N/A
Should changing the 443 port to HTTPS (Secure HTTP) instead of TCP populate the headers?
The other option is SSL (Secure TCP).
If this works, I would also like to know why and what makes the difference.
Amazon now supports using a TCP header to pass the source along, as discussed in this article.
Apache does not at this time support proxy protocol natively. If you read the comments there are source patches to allow Apache to handle it, or you could switch to nginx.
I had the same request.
I have an AWS Load Balancer pointing to a web server on port 80.
All the HTTPS requests are resolved using an AWS SSL certificate, but my client also asked me to redirect all the port 80 requests to HTTPS.
I'm using an Apache server, so I needed to add the following lines to the virtual host config file (httpd.conf):
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]
Then I restarted the Apache service and voilà!
Below is the virtual host config; you will need to do the same for your subdomains, for example www.yourdomain.com.
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]
    ServerAdmin webmaster@yourdomain.com
    DocumentRoot "/apache2/htdocs/YourDomainFolderWeb"
    ServerName yourdomain.com
    ErrorLog "logs/yourdomain.com-error_log"
    CustomLog "logs/yourdomain.com-access_log" common
</VirtualHost>
Hope it works.
More info at:
https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/
Best
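An added example (not from the question or either answer) of an Apache vhost behind an ELB HTTPS listener. Only the HTTP and HTTPS listeners add X-Forwarded-For and X-Forwarded-Proto; a TCP:443 listener passes the bytes through untouched. Those headers are only trustworthy when the TCP peer is the load balancer, so mod_remoteip is told which address range to believe. The 10.0.0.0/16 ELB subnet, the /health check path, the 203.0.113.0/24 admin range and the log paths are assumptions.

```apache
# mod_remoteip: replace the client address with the last address in
# X-Forwarded-For that is not itself a trusted proxy, but only when the
# request arrives from the ELB's subnet (assumed 10.0.0.0/16). A client that
# reaches the instance directly and forges the header is ignored.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/16

# %a is the address mod_remoteip derived; %{c}a is the ELB node's own address.
LogFormat "%a (via %{c}a) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" elb_combined

<VirtualHost *:80>
    ServerName yourdomain.com
    DocumentRoot "/apache2/htdocs/YourDomainFolderWeb"
    ErrorLog "logs/yourdomain.com-error_log"
    CustomLog "logs/yourdomain.com-access_log" elb_combined

    # X-Forwarded-Proto is set by the TLS-terminating listener; redirect
    # anything that did not arrive over HTTPS at the ELB.
    RewriteEngine On
    # The ELB health check (assumed at /health, probed over plain HTTP) must
    # receive a 200, not a 301, or the instance is marked unhealthy.
    RewriteCond %{REQUEST_URI} !^/health$
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]

    # Because mod_remoteip rewrote the client address, IP-based access
    # control now applies to the real client rather than to the ELB node.
    # 203.0.113.0/24 is an assumed admin range (documentation prefix).
    <Location "/admin">
        Require ip 203.0.113.0/24
    </Location>
</VirtualHost>
```

Leaving RemoteIPInternalProxy out (or listing 0.0.0.0/0) would let any direct connection pick its own logged and access-controlled address simply by sending an X-Forwarded-For header.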