Our vBulletin migration is complete.
Welcome vBulletin users! All content and user information from the Micro Focus Forums (vBulletin) site has been migrated to this site. READ MORE.
stelgenkamp Absent Member.
Absent Member.
1008 views

Need help with vhost or reverseproxy setup

Hello.

I need help with creating either a vhost or reverseproxy setup for Filr

Setup : I have a machine which is running an apache webserver on server.mydomain.com
I have installed a Filr VA on the internal network on 192.168.168.13

Now I want to ask your help :
Can I create a vhost or Reverse proxy for setting up access on :
https://server.mydomain.com/filr/

How Can I do this?
Do I need other ports to be opened/forwarder in my firewall ?

Stephan
0 Likes
15 Replies
jrd
New Member.

Re: Need help with vhost or reverseproxy setup

On 29/04/2019 11:34, stelgenkamp wrote:
>
> Hello.
>
> I need help with creating either a vhost or reverseproxy setup for Filr
>
> Setup : I have a machine which is running an apache webserver on
> server.mydomain.com
> I have installed a Filr VA on the internal network on 192.168.168.13
>
> Now I want to ask your help :
> Can I create a vhost or Reverse proxy for setting up access on :
> https://server.mydomain.com/filr/
>
> How Can I do this?
> Do I need other ports to be opened/forwarder in my firewall ?
>
> Stephan
>
>

----------
Yes, you can do this easily. I have walked through this in presentation
"Hiding Tomcat behind Apache" which you may find on https://netlab1.net/
in the section titled Presentations of long term utility. That material
discusses creating a Apache web server proxy to enable use of people
friendly URLs to Filr and similar.
Thanks,
Joe D.
0 Likes
stelgenkamp Absent Member.
Absent Member.

Re: Need help with vhost or reverseproxy setup

Thank you for your help Joe.
But even after studying your documents, I still cannot get it to work.

For ajp to work I enabled the ajp in the filr config.
So here is my setup :
<Location /filr>
Options +FollowSymLinks
RewriteEngine On
RewriteRule (.*) https://%{HTTP_HOST}/ssf/a [QSA,R]
</Location>

<Location /ssf>
RewriteEngine On
Rewritecond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/%{REQUEST_URI} [QSA,R]

ProxyPass ajp://192.168.168.13:8009/ssf
ProxyPassReverse ajp://192.168.168.13:8009/ssf
</Location>

With 192.168.168.13 being the Filr adress on the internal network.

The rewrite works, to domain ssf/a however it says acces denied.
What could be wrong ?

You also mention the host name in the filr config.
in your documents you have entered : filr.jrdresearch.net
Do I enter : filr.server.mydomain.com? Or server.mydomain.com? Or server.mydomain.com/filr ?
0 Likes
stelgenkamp Absent Member.
Absent Member.

Re: Need help with vhost or reverseproxy setup

Also is the :
RewriteRule (.*) https://%{HTTP_HOST}/ssf/a [QSA,R]
Correct ?
Or should it be :
RewriteRule (.*) https://%{HTTP_HOST}/filr/ssf/a [QSA,R]
0 Likes
jrd
New Member.

Re: Need help with vhost or reverseproxy setup

The ajp pathway was for efficiency and convenience. In Apache one needs
to include proxy_ajp in the list of APACHE_MODULES= (located in
/etc/sysconfig/apache on SLES machines).
Then we can do some testing manually, by web browing Filr,
note the URL bar entries, and we emulate those entries in the Apache
conf file of interest. That's where the ssf variants were found.
As for the proxy line details, the [QSA,R] clause ends a line, nothing
after it. As my doc says, that handles query strings correctly.
My doc's use of DNS name filr.jrdresearch.net was an old valid one and
any real URL will do (filr in the host DNS name is of no importance
whatsoever, just my machinery). The active ingredient is the URI's /filr
term, which is picked up by the Apache <Location> clauses.
Another quick check is see if Filr is listening on port 8009.
Within Filr command netstat -nltp (numeric, listeners, tcp, print
program) will turn up the suspects.
That access denied part very likely comes from Filr's actions.
Your script is like mine (because I did cutting and pasting from a live
system). Thus some examination of Filr's Tomcat config file is in order.
With that examination one also observes what a browser's URL bar says if
we go directly to Filr (as discussed on slide 18 of my doc). If that
proves to be inconclusive then we can use https: rather than ajp: in the
proxy commands.
Btw, your message has some asterisk brackets which I presume are from
cutting and pasting rather than being in the active conf file.
Thanks,
Joe D.


On 29/04/2019 16:24, stelgenkamp wrote:
>
> Thank you for your help Joe.
> But even after studying your documents, I still cannot get it to work.
>
> For ajp to work I enabled the ajp in the filr config.
> So here is my setup :
> *<Location /filr>
> Options +FollowSymLinks
> RewriteEngine On
> RewriteRule (.*) https://%{HTTP_HOST}/ssf/a [QSA,R]
> </Location>
>
> <Location /ssf>
> RewriteEngine On
> Rewritecond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}/%{REQUEST_URI} [QSA,R]
>
> ProxyPass ajp://192.168.168.13:8009/ssf
> ProxyPassReverse ajp://192.168.168.13:8009/ssf
> </Location> *
> With 192.168.168.13 being the Filr adress on the internal network.
>
> The rewrite works, to domain ssf/a however it says acces denied.
> What could be wrong ?
>
> You also mention the host name in the filr config.
> in your documents you have entered : filr.jrdresearch.net
> Do I enter : filr.server.mydomain.com? Or server.mydomain.com? Or
> server.mydomain.com/filr ?
>
>


0 Likes
stelgenkamp Absent Member.
Absent Member.

Re: Need help with vhost or reverseproxy setup

Hello Joe,

Thanks for your help.
So first step is
Another quick check is see if Filr is listening on port 8009.
when i use 192.168.168.13:8009 it is not responding ( reinitialising)
Within Filr command netstat -nltp (numeric, listeners, tcp, print
program) will turn up the suspects.

8009 shows listen but again, not able to connect on this port.
observes what a browser's URL bar says if
we go directly to Filr

https://192.168.168.13:8443/ssf/a/c/p_name
your message has some asterisk
Yes the last 2 asteriks are not in the file.

So the http://server.mydomain.com/filr
Translates to https://server.mydomain.com/ssf/a
But cannot access further.
0 Likes
jrd
New Member.

Re: Need help with vhost or reverseproxy setup

On 30/04/2019 11:24, stelgenkamp wrote:
>
> Hello Joe,
>
> Thanks for your help.
> So first step is
> *Another quick check is see if Filr is listening on port 8009.*
> when i use 192.168.168.13:8009 it is not responding ( reinitialising)
> *Within Filr command netstat -nltp (numeric, listeners, tcp, print
> program) will turn up the suspects.*
> 8009 shows listen but again, not able to connect on this port.
> *observes what a browser's URL bar says if
> we go directly to Filr*
> https://192.168.168.13:8443/ssf/a/c/p_name
> *your message has some asterisk*
> Yes the last 2 asteriks are not in the file.
>
> So the http://server.mydomain.com/filr
> Translates to https://server.mydomain.com/ssf/a
> But cannot access further.
>
>

-------------
A likely guess is the firewall not being open for port 8009.
It is our fate to deal with tiny but vital details, one after another,
without visible end.
Thanks,
Joe D.
0 Likes
stelgenkamp Absent Member.
Absent Member.

Re: Need help with vhost or reverseproxy setup

It must be something like that, because also connecting straight to the Appliance :
https://192.168.168.13:8009/
I cannot connect : secure connection failed.
The firewall config says the port is open.
Any ideas ?
0 Likes
jrd
New Member.

Re: Need help with vhost or reverseproxy setup

On 01/05/2019 09:54, stelgenkamp wrote:
>
> It must be something like that, because also connecting straight to the
> Appliance :
> https://192.168.168.13:8009/
> I cannot connect : secure connection failed.
> The firewall config says the port is open.
> Any ideas ?
>
>

-----------
Well, some simple suggestions. First, turn off any firewall for a
moment to ensure that is not filtering. Filr has its own internal
version which we control via Filr's admin console on port 9443. The
second suggestion is to reflect upon just how matters are tested because
TCP port 8009 is tied to protocol ajp which is not telnet nor ssh nor
even http etc.
As a check, from a nearby Linux machine I gave command
telnet filr-box 8009
The screen remained blank, though the cursor moved along with my typing,
as expected when there is no telnet echo from the server side. However,
the TCP connection was made.
Thanks,
Joe D.
0 Likes
stelgenkamp Absent Member.
Absent Member.

Re: Need help with vhost or reverseproxy setup

Aha, that explains the connection. Please see my actions :
- In Filr's admin console, I can see the ports are open. There is no possiblity in the config to completely shutdown the firewall.
- I also did the telnet from the webserver box. it connects, so there should no problem there.
- I tried also connecting on the ios app ; it gives me the same error.
BUT : when it says unsecure connection it gives me the possibily to import the certificate of the webserver box, not of the filr box.
Is that correct ?
- On the filr config screen, the reverse proxy says it is not enabled ? Could that be the problem ?
0 Likes
jrd
New Member.

Re: Need help with vhost or reverseproxy setup

On 03/05/2019 15:44, stelgenkamp wrote:
>
> Aha, that explains the connection. Please see my actions :
> - In Filr's admin console, I can see the ports are open. There is no
> possiblity in the config to completely shutdown the firewall.
> - I also did the telnet from the webserver box. it connects, so there
> should no problem there.
> - I tried also connecting on the ios app ; it gives me the same error.
> BUT : when it says unsecure connection it gives me the possibily to
> import the certificate of the webserver box, not of the filr box.
> Is that correct ?
> - On the filr config screen, the reverse proxy says it is not enabled ?
> Could that be the problem ?
>
>

-------------
I suspect the missing reverse proxy is at the heart of this difficulty.
Creating a simple test one ought to provide an answer.
The Filr firewall seems to be buried deeply in the Java code, alas. We
can see its many rules by, as root on Filr, command
iptables -L -vn
and they are present even if the firewall is shown as down (at least
that occurs on Filr v4 here but I could check more thoroughly).
We are chipping away at nearly the last defenses thrown up by Filr.
Hopefully we won't have to tunnel beneath the castle walls.
Thanks,
Joe D.
0 Likes
stelgenkamp Absent Member.
Absent Member.

Re: Need help with vhost or reverseproxy setup

Chipping away at the last defenses ?
iptabled -L -vn shows it is accepting at all needed ports : 80, 8080, 44, 8443, 8009
I have fiddled around with the settings enabling/disabling port redirection
I have tried changing the ports of the port redirection.
Anything which could trigger the enabled reverse proxy.
Nothing.

Then I thought, well I most have broken something with all these settings.
I have reinstalled the entire Appliance.
Tried again, still nothing.
in the Configuration Summary:
Reverse Proxy : Enabled: false
Could this be a bug in the setup of the Appliance ? I am using version 4.0.0.155
Will send you a copy of the Configuration Summary.
Thank you so much for your help!
0 Likes
jrd
New Member.

Re: Need help with vhost or reverseproxy setup

On 04/05/2019 13:24, stelgenkamp wrote:
>
> Chipping away at the last defenses ?
> iptabled -L -vn shows it is accepting at all needed ports : 80, 8080,
> 44, 8443, 8009
> I have fiddled around with the settings enabling/disabling port
> redirection
> I have tried changing the ports of the port redirection.
> Anything which could trigger the enabled reverse proxy.
> Nothing.
>
> Then I thought, well I most have broken something with all these
> settings.
> I have reinstalled the entire Appliance.
> Tried again, still nothing.
> in the Configuration Summary:
> Reverse Proxy : Enabled: false
> Could this be a bug in the setup of the Appliance ? I am using version
> 4.0.0.155
> Will send you a copy of the Configuration Summary.
> Thank you so much for your help!
>
>

----------
If you contact me directly (email) then I can provide an old-ish
presentation about the subject which might have a useful hint or two.
Thanks,
Joe D.
jrd@netlab1.net

0 Likes
stelgenkamp Absent Member.
Absent Member.

Re: Need help with vhost or reverseproxy setup

Dear Joe,
I have found your presentation Hiding Tomcat behind Apache,
and gone through it. I am sure the Filr Application is not working properly.
The apache log on the proxy box is stating :
client denied by server configuration: proxy:ajp://192.168.168.13:8009/ssf/a

Have send you an email with my thoughts on this.
0 Likes
jrd
New Member.

Re: Need help with vhost or reverseproxy setup

On 05/05/2019 12:54, stelgenkamp wrote:
>
> Dear Joe,
> I have found your presentation Hiding Tomcat behind Apache,
> and gone through it. I am sure the Filr Application is not working
> properly.
> The apache log on the proxy box is stating :
> client denied by server configuration:
> proxy:ajp://192.168.168.13:8009/ssf/a
>
> Have send you an email with my thoughts on this.
>
>

----------
For the benefit of other readers, I found the supplied Filr
configuration to be duplicating the Apache proxy setup. That is, in
Filr's configuration the "network" configuration page has a proxy
section and there if one ticks the box to proxy (and thus use its port
mapping) then that conflicts with using an external Apache server doing
the same thing. So, don't let Filr get into the proxy business (don't
check that proxy box).
We shall see how this plays out over the next few days.
Thanks,
Joe D.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.