Dear all,
We are trying to setup ICAT and TopCAT behind Apache with a
configuration very similar to what Rolf described (thanks Rolf, it saved
us a lot of time): Apache listening on
wwws.esrf.fr (port 443) and
redirecting the /icat/ urls to Glassfish on another machine serving ICAT
and TOPCAT in https mode (port 8181).
We are using a very similar Apache configuration (see below), but while
we can use the ICAT web service without any problem, accessing TOPCAT
using the external address leads to serialisation exceptions in
Glassfish (see below and attached file for the full log). If we use the
internal address and bypass Apache everything works fine.
I was wondering whether some of you already saw this error, and if
someone had a solution to offer ?
Rolf, could you share the versions you are using and confirm TOPCAT is
working on your setup ?
Exception in server.log:
"WebModule[]Exception while dispatching incoming RPC call
com.google.gwt.user.client.rpc.SerializationException: Type
'uk.ac.stfc.topcat.core.gwt.module.TFacility' was not assignable to
'com.google.gwt.user.client.rpc.IsSerializable' and did not have a
custom field serializer.For security purposes, this type will not be
serialized."
I noticed that the TFacility class has a "serialVersionUID = 1L", which
is the same for all other classes in the
uk.ac.stfc.topcat.core.gwt.module package, do you think it could be a
problem ?
Our software stack:
Apache 2.2.21
Glassfish 4.0 (b89)
JDK 1.7.0_45
ICAT 4.2.5
Topcat 1.9.0
---------------------------- Apache Conf ----------------------------
SSLProxyEngine On
ProxyPass /icat/
https://ovm-icat-sandbox.esrf.fr:8181/
<Location /icat/>
ProxyPassReverse
https://ovm-icat-sandbox.esrf.fr:8181/
ProxyPassReverseCookieDomain
ovm-icat-sandbox.esrf.fr wwws.esrf.fr
ProxyPassReverseCookiePath / /icat/
</Location>
<Location /icat/ICATService/>
AddOutputFilterByType SUBSTITUTE text/xml
Substitute
"s|
https://ovm-icat-sandbox\.esrf\.fr:8181/|
https://wwws.esrf.fr/icat/|q"
</Location>
-------------------------- End Apache Conf --------------------------
Thanks in advance.
Regards,
Christophe
On 22/11/2013 15:06, Rolf Krahl wrote:
> Dear all,
>
> as promised in yesterday's telco I want to share my configuration for
> proxying connections to ICAT through Apache using mod_proxy_http (as
> opposed to mod_jk).
>
> To get this working, you need to enable the modules mod_proxy_http,
> mod_proxy, and mod_substitute. Then, place the configuration sniplet
> below somewhere inside your <VirtualHost _default_:443> section in the
> Apache config.
>
> This example assumes that your Apache is listening on
www.example.org
> and your GlassFish is serving ICAT and TopCAT on
icat.example.org:8181.
> You may have both on the same machine.
>
> It furthermore assumes that ICAT and TopCAT are deployed on https, so
> even the local connection between Apache and GlassFish is encrypted.
> This is certainly a waste of resources, as each connection gets
> encrypted and decrypted twice. But it's somewhat easier to deploy it
> this way. This might be worth to be reconsidered when going into
> production.
>
> ---------------------------- Apache Conf ----------------------------
>
> SSLProxyEngine on
>
> # ICAT
> <LocationMatch "^/((ICATService|ICATCompatService)/.*)$">
> ProxyPassMatch
https://icat.example.org:8181/$1
> AddOutputFilterByType SUBSTITUTE text/xml
> Substitute "s|
https://icat\.example\.org:8181/|
https://www.example.org/|q"
> </LocationMatch>
>
> # TopCAT
> <LocationMatch "^/((TOPCATWeb|topcatweb|ExtGWT).*)$">
> ProxyPassMatch
https://icat.example.org:8181/$1
> </LocationMatch>
>
> ProxyPassReverse /
https://icat.example.org:8181/
>
> -------------------------- End Apache Conf --------------------------
>
> Let me add some comments: the configuration for TopCAT is pretty much
> straight forward. Each URL matching the regular expression
> "^/((TOPCATWeb|topcatweb|ExtGWT).*)$" belongs to TopCAT and is thus
> forwarded to GlassFish. The "$1" in ProxyPassMatch will be substituted
> by the matching string, which is the location here. That is wy it is
> important to formulate the regexp such that full location string
> matches, e.g. you need the ".*" inside the parentheses and the
> termination of the regexp by "$".
>
> The ProxyPassReverse will make sure that all references of
> "
https://icat.example.org:8181/" in the headers of the reply from
> GlassFish will be replaced by the original server name of the Apache.
> This will make local redirects using "Location"
et.al. work.
>
> For the ICAT, we need not only to manipulate the headers, but also the
> content in the reply. The Substitute directive replaces all
> occurrences of URLs to GlassFish by the corresponding URL to the Apache
> in the body of the reply. The AddOutputFilterByType directive applies
> this filter to all XML content served by GlassFish. This is needed
> because the ICAT WSDL contains a reference to the XSD in a separate XML
> document and from the client's point of view this reference must be
> diverted to Apache.
>
> You might add access rules inside the LocationMatch sections, to allow
> for instance access to TopCAT from everywhere but to ICAT only from
> some selected IP addresses.
>