261766 – tomcat mod_proxy setup (privileged ports workaround)

Bug 261766 - tomcat mod_proxy setup (privileged ports workaround)

Summary: tomcat mod_proxy setup (privileged ports workaround)

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Java (show other bugs)
Hardware:	All Linux

Importance:	High enhancement
Assignee:	Java team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2009-03-08 20:24 UTC by Trenton D. Adams
Modified:	2009-03-08 21:44 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Trenton D. Adams 2009-03-08 20:24:25 UTC

I was looking at the old bug http://bugs.gentoo.org/show_bug.cgi?id=75224 about setting up tomcat on privileged ports.

Instead of setting it up on privileged ports, why not do this by setting up server.xml to have a jvmRoute, and installing something in /etc/apache2/vhosts.d/ which does mod_proxy/ajp???  That way, tomcat does not have to be setup on privileged ports, as apache already is.

You could add a use flag "apache2" or "proxy", or something of the like to the tomcat package, and voila, it installs the appropriate conf in /etc/apache2/vhosts.d/

If you need help with that, let me know.

Reproducible: Always

Comment 1 Mike Weissman 2009-03-08 20:49:52 UTC

what's wrong with just using mod_jk with optional mod_proxy to fit your env?

Our mod_jk ebuild works right out of the box with our tomcat ebuilds.

mod_jk handles port 80/443 requests and sends them to the appropriate AJP connector.
 You can optional use mod_proxy to ProxyPass requests to different webapps or however you want to set it up, etc..

You only need to really specify and jvmRoute if you are planning on doing clustering via AJP, which mod_jk already supports, and the server.xml file already has commented examples of this. 

While you CAN run tomcat 5.x on port 80 i don't see why you would want to nor why our ebuild should suppor this.  Tomcat is good at serving Servlets (JSP Pages, etc..), but it's not as feature rich when it comes to dealing with static content like images or normal html pages or when using other server side languages like php, thus i feel that this is a waste of time. 

Mod_jk is production level software that can be used in robust J2EE environments.

-weisso

Comment 2 Trenton D. Adams 2009-03-08 21:02:16 UTC

FYI: mod_jk is deprecated I believe.  mod_proxy_ajp now supports everything, including load balancing.

I agree, running tomcat on a privileged port is a bad idea.

Anyhow, my point is having it setup automatically for the user.  It's really quick for newbies to figure out how it works if it is setup, and there is a small note upon ebuild emerge.

To avoid conflicts with apache URLs, the Gentoo apache conf could default to using "/webapp/" as the url path prefix.  Then you just proxy everything under /webapp/ to ajp://localhost:8009/.  But, I tried that, and it doesn't work because the tomcat docs do a redirect to /docs/.  So, I wonder if there is a way of convincing a tomcat context that it exists somewhere else, when being accessed via a proxy?  Or do we simply have to have one proxy for each context?

server.xml...

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
        proxyName="localhost" proxyPort="80" />
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">

/etc/apache2/vhosts.d/00_default_vhost.conf...
  <IfDefine PROXY>
    ProxyRequests On
    ProxyVia On

    <Proxy *>
      Order Deny,Allow
      Deny from all
      Allow from 127.0.0.1
    </Proxy>
    <Location /manager>
      ProxyPass ajp://localhost:8009/manager
      ProxyPassReverse ajp://localhost:8009/manager
    </Location>
    <Location /docs>
      ProxyPass ajp://localhost:8009/docs
      ProxyPassReverse ajp://localhost:8009/docs
    </Location>

  </IfDefine>

Comment 3 Trenton D. Adams 2009-03-08 21:08:26 UTC

Oops, ProxyRequests should be Off.

Comment 4 Mike Weissman 2009-03-08 21:36:07 UTC

(In reply to comment #2)
> FYI: mod_jk is deprecated I believe.  mod_proxy_ajp now supports everything,
> including load balancing.

mod_jk is NOT deprecated, it is still currently being developed. 

>Anyhow, my point is having it setup automatically for the user.  It's really
>quick for newbies to figure out how it works if it is setup, and there is a
>small note upon ebuild emerge.

  If it's a bad idea, which it is, then we don't want to support it NOR encourage it. Suggestions should be given to do things the proper way and best suited for Production level environments.

>To avoid conflicts with apache URLs, the Gentoo apache conf could default to
>using "/webapp/" as the url path prefix.  Then you just proxy everything under
>/webapp/ to ajp://localhost:8009/.  But, I tried that, and it doesn't work
>because the tomcat docs do a redirect to /docs/.  So, I wonder if there is a
>way of convincing a tomcat context that it exists somewhere else, when being
>accessed via a proxy?  Or do we simply have to have one proxy for each context?

 Your configuration issues with mod_proxy_ajp or mod_jk is not relevant to this bug. If you feel there is an issue with those Apache Mod's, Please open up a new bug with test case that shows an issue with the software.

   You should consult the documentation on mod_jk and mod_proxy to better understand how to forward a multiple proxy setup to different AJP connections.
 
thanks,
weisso

Comment 5 Alistair Bush (RETIRED) gentoo-dev

2009-03-08 21:42:34 UTC

WONTFIX, as outlined in the post above.

Comment 6 Trenton D. Adams 2009-03-08 21:44:30 UTC

WOW, you guys really do live up to the rumours.