Hi, I have got myself confused about using mod_proxy and our recent addition of multiple IP addresses.
Originally we had one IP address on our server (corp-jiraweb) and we needed the mod_proxy / reverse proxy
mechanism to redirect sites configured in DNS like
jira.onlifehealth.com
bamboo.onlifehealth.com
etc
to Tomcat applications running on a single IP address (assigned to corp-jiraweb) using ports
so
jira.onlifehealth.com redirects to ajp://corp-jiraweb:8009/
confluence.onlifehealth.com redirects to ajp://corp-jiraweb:8019/
bamboo.onlifehealth.com redirects to http://corp-jiraweb:8084/
crucible.onlifehealth.com redirects to http://corp-jiraweb:8060/
corp-jiraweb was one particular IP address, 10.243.2.193.
The connectors in the Tomcat apps were set to listen on this single IP address but on different ports.
This all worked well except we had scenarios where the certificate being presented to the client browser
was the first one apache came across.
So we switched to dedicated IP addresses and changed each Tomcat application connector to listen on that address using
address="ipaddress" in the connector defi...
http://corp-jiraweb:8095/
ProxyPassReverse / http://corp-jiraweb:8095/
to
ProxyPass / http://10.243.3.11:8095/
ProxyPassReverse / http://10.243.3.11:8095/
Are we doing this correctly?
Are there any suggestions?
Could our setup contribute to any additional slowness?
# #########################################################
# onlifesites-mod_proxy.conf
# mod_proxy config for Onlife Jira and Confluence sites
#
# llyons
###########################################################
NameVirtualHost 10.243.2.193:80
<VirtualHost 10.243.2.193:80>
ServerName jira.onlifehealth.com
Redirect / https://jira.onlifehealth.com/
</VirtualHost>
<VirtualHost 10.243.3.9:80>
ServerName crucible.onlifehealth.com
Redirect / https://crucible.onlifehealth.com/
</VirtualHost>
<VirtualHost 10.243.3.8:80>
ServerName bamboo.onlifehealth.com
Redirect / https://bamboo.onlifehealth.com/
</VirtualHost>
<VirtualHost 10.243.3.10:80>
ServerName confluence.onlifehealth.com
Redirect / https://confluence.onlifehealth.com/
</VirtualHost>
NameVirtualHost 10.243.3.11:80
<VirtualHost 10.243.3.11:80>
ServerName crowd.onlifehealth.com
# Redirect / https://crowd.onlifehealth.com/
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://corp-jiraweb:8095/
ProxyPassReverse / http://corp-jiraweb:8095/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
NameVirtualHost 10.243.3.11:443
<VirtualHost 10.243.3.11:443>
ServerName crowd.onlifehealth.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine On
SSLCertificateFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/ssl/crowd.cert"
SSLCertificateKeyFile "C:/Program ...
http://corp-jiraweb:8095/
ProxyPassReverse / http://corp-jiraweb:8095/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
NameVirtualHost 10.243.3.10:443
<VirtualHost 10.243.3.10:443>
ServerName confluence.onlifehealth.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine On
SSLCertificateFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/ssl/confluence.cert"
SSLCertificateKeyFile "C...
http://corp-jiraweb:8060/
ProxyPassReverse / http://corp-jiraweb:8060/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
NameVirtualHost 10.243.3.8:443
<VirtualHost 10.243.3.8:443>
ServerName bamboo.onlifehealth.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine On
SSLCertificateFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/ssl/bamboo.cert"
SSLCertificateKeyFile "C:/Program ...
http://corp-jiraweb:8084/
ProxyPassReverse / http://corp-jiraweb:8084/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
So the question is: which is the correct way to install the suite onto different servers and get SSO working correctly,
like jira.mycompany.com, confluence.mycompany.com, etc.?
You are using IP-based virtual hosts, not name-based ones, each using SSL only on its IP. So you can safely get rid of all the NameVirtualHost directives. This should not be the problem here...
Ok, got back, first the explanation for the behavior:
Using VHOSTS with NAMES and SSL is a Bad Thing (TM). When the SSL is negotiated, the server needs to read the virtual hosts in order to look for configuration. To determine the correct VHOST, it must get the Host header from the request. But to do that, it has to decipher it! So the server bangs into some sort of logical loop; it will pick up the first certificate and therefore it will run like you saw.
Next, let's define slow. HTTPS is a slow protocol and may be very CPU intensive. Ensure you have enough threads. Is your CPU at 100%? I think that you should look on Apache forums for performance problems on Windows.
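The three configuration points that come up in this thread (several SSL vhosts on one address:port, NameVirtualHost on an address that serves a single vhost, and the port-80 vhost in the posted file that proxies with its Redirect commented out) can be checked mechanically. The following is an added example, not code from any poster or from Apache: a small Python audit run over a constructed config, where the function names, finding labels and sample hostnames/addresses are assumptions made here.

```python
from collections import defaultdict
# Constructed sample (not the poster's file); hostnames and addresses are placeholders.
SAMPLE = """\
NameVirtualHost *:443
<VirtualHost *:443>
ServerName jira.example.com
SSLEngine On
</VirtualHost>
<VirtualHost *:443>
ServerName bamboo.example.com
SSLEngine On
</VirtualHost>
NameVirtualHost 192.0.2.11:80
<VirtualHost 192.0.2.11:80>
ServerName crowd.example.com
# Redirect / https://crowd.example.com/
ProxyPass / http://192.0.2.11:8095/
</VirtualHost>
"""

def parse(text):
    named, vhosts, cur = [], [], None
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition(" ")
        if line.lower().startswith("<virtualhost"):
            cur = {"addr": value.rstrip(">").strip(), "d": defaultdict(list)}
            vhosts.append(cur)
        elif line.lower().startswith("</virtualhost"):
            cur = None
        elif cur is not None and not line.startswith("#"):
            cur["d"][key.lower()].append(value.strip())  # commented-out lines are skipped
        elif key.lower() == "namevirtualhost":
            named.append(value.strip())
    return named, vhosts

def audit(text):
    named, vhosts = parse(text)
    by_addr, findings = defaultdict(list), []
    for v in vhosts:
        by_addr[v["addr"]].append(v)
        # Port-80 vhost that proxies to the backend instead of redirecting to HTTPS.
        if v["addr"].endswith(":80") and v["d"]["proxypass"] and not v["d"]["redirect"]:
            findings.append(("http-proxied-without-redirect", v["addr"]))
    for addr, group in by_addr.items():
        # Without SNI, every TLS vhost on one address:port gets the first vhost's certificate.
        if sum("on" in map(str.lower, v["d"]["sslengine"]) for v in group) > 1:
            findings.append(("shared-ssl-address", addr))
    # One vhost per address is IP-based hosting; NameVirtualHost adds nothing there.
    findings += [("redundant-namevirtualhost", a) for a in named if len(by_addr[a]) < 2]
    return findings
```

`audit(SAMPLE)` reports all three findings; a layout with one SSL vhost per dedicated address and a plain redirect on port 80 reports none.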
... but you are on the right path, as far as I see.
Hi Radu,
When you say "Using VHOSTS with NAMES and SSL is a Bad Thing (TM)", what is the suggested approach? In earlier questions to this forum, most people said having Apache as the front end to the Tomcat apps and using mod_proxy is the best thing.
Are you saying there is a better approach or just using SSL is a bad thing? What do you suggest?
Lance, your first config was wrong; the one with NameVirtualHost *:443
You are on the right path (IMHO the config is good), but you have to dig deeper into it. Is it slow only from a remote host? Is it still slow only from the local machine?
Hi, first of all, a piece of advice: never put real configurations like this on the web. I know now that your machine is a Windows one, the IPs in your DMZ, ports, etc. I promise to get back to your question later.