httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Herb Burnswell <>
Subject [users@httpd] mod_proxy - sticky sessions configuration help
Date Mon, 26 Feb 2018 19:50:42 GMT

I am setting up a frontend HTTPD load balancer to a backend Tomcat
application using mod_proxy.  I have not done so previously and am looking
for some guidance.  Here is a diagram of what it will look like:

|   Firewall Public   |
|      +------+   +-------+  +-------+      |
|      | httpd|   | httpd |  | httpd   |      |
|      |    1 |       |   2   |  |   3       |      |
|      +------+   +-------+  +-------+      |
|   Firewall Private   |
|    +--------+  +---------+  +--------+      |
|    | tomcat |  |tomcat   |  |tomcat|      |
|    |   1       |  |    2      |  |   3        |      |
|    +--------+  +---------+  +--------+      |

The HTTPD 1-3 servers are in a DMZ subnet and will proxy back to internal
Tomcat application on a different subnet.  I had this working without
sticky sessions (which are needed) but now when I try to set up the
configuration with sticky sessions I receive a 500 error in a browser.

Here is what I receive in the logs:

access_log: - - [26/Feb/2018:09:48:34 -0800] "GET /favicon.ico HTTP/1.1"
500 527 "" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186
Safari/537.36" "C1A3CF4AB2A4E8952C259E2F1B97A203.node1"


[Mon Feb 26 09:48:34.714703 2018] [proxy:warn] [pid 37884] [client] AH01144: No protocol handler was valid for the URL
/favicon.ico. If you are using a DSO version of mod_proxy, make sure the
proxy submodules are included in the configuration using LoadModule.,

I believe the favicon.ico 'error' is benign, but if it is I'd like to
supress it.  But I do receive a standard 500 error in the browser.

The 'login.jsp' is a redirect from the backend application.  If I go
directly to one of the application servers:

The page loads properly and gives the following URL in the browser:

Here is the complete httpd.conf file.  I only want the proxy to listen on
port 443.  This system will only function as a DMZ proxy to the backend
application.  Ideally the configuration is as minimal as possible with no
extra/unnecessary directives:

Listen 443 https

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied

ErrorLog        "logs/error_log"
TransferLog     "logs/access_log"
LogLevel        warn

<IfModule log_config_module>

        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\" \"%{JSESSIONID}C\"" combined
        LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>

        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\" %I %O" combinedio


        CustomLog "logs/access_log" combined


AddDefaultCharset UTF-8

<IfModule mime_magic_module>

    MIMEMagicFile conf/magic


SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

<VirtualHost _default_:443>


        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

        SSLCertificateFile /etc/pki/tls/certs/cert.crt

<Proxy balancer://mycluster>

        BalancerMember route=node1
        BalancerMember route=node2
        ProxySet lbmethod=bybusyness


SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

ProxyPass / balancer://mycluster stickysession=JSESSIONID
ProxyPassReverse / balancer://mycluster stickysession=JSESSIONID


Any guidance is greatly appreciated.  Thanks in advance..


View raw message