
Apache web server on port 443 and Tomcat on port 8080: redirect not working


My Apache web server runs on port 443 with HTTPS. I wish to run Tomcat on port 8080 because there is no need for additional encryption: Tomcat is on the same machine, so I don't need port 8443. But when I forward traffic from 443 to 8080 via iptables, I get an error: This site can't provide a secure connection

ERR_SSL_PROTOCOL_ERROR

What configurations do I need in tomcat server.xml and apache.conf to make this work?

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />

    <!-- A "Connector" using the shared thread pool. It listens on the same
         port 8080 as the connector above, so only one of the two can be
         enabled at a time; it is left commented out here. -->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->

    <!-- I've tried this before when I thought I needed SSL for Tomcat. I think it's irrelevant now -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

In httpd.conf:

    <VirtualHost *:80>
        ServerAdmin root@localhost
        DocumentRoot "/var/www/html"
        DirectoryIndex index.html
        ServerName mydomain.zone
        ErrorLog "/var/log/httpd/mydomain.zone.error_log"
        CustomLog "/var/log/httpd/mydomain.zone.access_log" common
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =mydomain.zone
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>
    Include /etc/httpd/conf/httpd-le-ssl.conf

EDIT: I have tried, as suggested, with ProxyPass "/" "http://mydomain.zone:8080/" and ProxyPassReverse "/" "http://mydomain.zone:8080/". Still the same issue.

I wondered whether there was some iptables rule that I had added before, but it doesn't seem so. These are the currently active iptables rules:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_trusted
-N FWDI_trusted_allow
-N FWDI_trusted_deny
-N FWDI_trusted_log
-N FWDO_trusted
-N FWDO_trusted_allow
-N FWDO_trusted_deny
-N FWDO_trusted_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_trusted
-N IN_trusted_allow
-N IN_trusted_deny
-N IN_trusted_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i eth0 -g FWDI_trusted
-A FORWARD_IN_ZONES -g FWDI_trusted
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_trusted
-A FORWARD_OUT_ZONES -g FWDO_trusted
-A FWDI_trusted -j FWDI_trusted_log
-A FWDI_trusted -j FWDI_trusted_deny
-A FWDI_trusted -j FWDI_trusted_allow
-A FWDI_trusted -j ACCEPT
-A FWDO_trusted -j FWDO_trusted_log
-A FWDO_trusted -j FWDO_trusted_deny
-A FWDO_trusted -j FWDO_trusted_allow
-A FWDO_trusted -j ACCEPT
-A INPUT_ZONES -i eth0 -g IN_trusted
-A INPUT_ZONES -g IN_trusted
-A IN_trusted -j IN_trusted_log
-A IN_trusted -j IN_trusted_deny
-A IN_trusted -j IN_trusted_allow
-A IN_trusted -j ACCEPT
Answer:

Use ProxyPass instead of iptables for port forwarding.

LosmiNCL:
I have deleted my iptables rule and inserted: `ProxyPass / http://www.mydomain.zone:8080` `ProxyPassReverse / http://www.mydomain.zone:8080`. Now I get the error: Service Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later. (Tomcat is running, I checked, and Apache is restarted.) Can you give me a more detailed answer?
Damn devil:
`ProxyPass "/" "http://www.example.com/"` `ProxyPassReverse "/" "http://www.example.com/"`
Answer:

ProxyPass "/" "http://www.example.com/" ProxyPassReverse "/" "http://www.example.com/"

Modify your ProxyPass as mentioned above.

Juan Salvador:
I got it working in Ubuntu, but in CentOS Stream 9 I feel very lost.
LosmiNCL:
I wrote this in conf/httpd.conf. It's not working. Maybe I should write it in conf/httpd-le-ssl.conf or in conf.d/ssl.conf?
Damn devil:
**ProxyPass "/" "https://www.example.com/" ProxyPassReverse "/" "https://www.example.com/"** Use this, since it is a secure connection port you are trying to access, i.e. use https instead of http.