Re: Proxy GlassFish through Apache using mod_proxy_http

93 views
Skip to first unread message

Christophe CLEVA

unread,
Dec 17, 2013, 10:52:37 AM12/17/13
to icatproje...@googlegroups.com
Dear all,

We are trying to setup ICAT and TopCAT behind Apache with a
configuration very similar to what Rolf described (thanks Rolf, it saved
us a lot of time): Apache listening on wwws.esrf.fr (port 443) and
redirecting the /icat/ urls to Glassfish on another machine serving ICAT
and TOPCAT in https mode (port 8181).

We are using a very similar Apache configuration (see below), but while
we can use the ICAT web service without any problem, accessing TOPCAT
using the external address leads to serialisation exceptions in
Glassfish (see below and attached file for the full log). If we use the
internal address and bypass Apache everything works fine.

I was wondering whether some of you already saw this error, and if
someone had a solution to offer ?

Rolf, could you share the versions you are using and confirm TOPCAT is
working on your setup ?

Exception in server.log:
"WebModule[]Exception while dispatching incoming RPC call
com.google.gwt.user.client.rpc.SerializationException: Type
'uk.ac.stfc.topcat.core.gwt.module.TFacility' was not assignable to
'com.google.gwt.user.client.rpc.IsSerializable' and did not have a
custom field serializer.For security purposes, this type will not be
serialized."

I noticed that the TFacility class has a "serialVersionUID = 1L", which
is the same for all other classes in the
uk.ac.stfc.topcat.core.gwt.module package, do you think it could be a
problem ?

Our software stack:
Apache 2.2.21
Glassfish 4.0 (b89)
JDK 1.7.0_45
ICAT 4.2.5
Topcat 1.9.0

---------------------------- Apache Conf ----------------------------

SSLProxyEngine On

ProxyPass /icat/ https://ovm-icat-sandbox.esrf.fr:8181/
<Location /icat/>
ProxyPassReverse https://ovm-icat-sandbox.esrf.fr:8181/
ProxyPassReverseCookieDomain ovm-icat-sandbox.esrf.fr wwws.esrf.fr
ProxyPassReverseCookiePath / /icat/
</Location>

<Location /icat/ICATService/>
AddOutputFilterByType SUBSTITUTE text/xml
Substitute
"s|https://ovm-icat-sandbox\.esrf\.fr:8181/|https://wwws.esrf.fr/icat/|q"
</Location>

-------------------------- End Apache Conf --------------------------

Thanks in advance.
Regards,
Christophe

On 22/11/2013 15:06, Rolf Krahl wrote:
> Dear all,
>
> as promised in yesterday's telco I want to share my configuration for
> proxying connections to ICAT through Apache using mod_proxy_http (as
> opposed to mod_jk).
>
> To get this working, you need to enable the modules mod_proxy_http,
> mod_proxy, and mod_substitute. Then, place the configuration sniplet
> below somewhere inside your <VirtualHost _default_:443> section in the
> Apache config.
>
> This example assumes that your Apache is listening on www.example.org
> and your GlassFish is serving ICAT and TopCAT on icat.example.org:8181.
> You may have both on the same machine.
>
> It furthermore assumes that ICAT and TopCAT are deployed on https, so
> even the local connection between Apache and GlassFish is encrypted.
> This is certainly a waste of resources, as each connection gets
> encrypted and decrypted twice. But it's somewhat easier to deploy it
> this way. This might be worth to be reconsidered when going into
> production.
>
> ---------------------------- Apache Conf ----------------------------
>
> SSLProxyEngine on
>
> # ICAT
> <LocationMatch "^/((ICATService|ICATCompatService)/.*)$">
> ProxyPassMatch https://icat.example.org:8181/$1
> AddOutputFilterByType SUBSTITUTE text/xml
> Substitute "s|https://icat\.example\.org:8181/|https://www.example.org/|q"
> </LocationMatch>
>
> # TopCAT
> <LocationMatch "^/((TOPCATWeb|topcatweb|ExtGWT).*)$">
> ProxyPassMatch https://icat.example.org:8181/$1
> </LocationMatch>
>
> ProxyPassReverse / https://icat.example.org:8181/
>
> -------------------------- End Apache Conf --------------------------
>
> Let me add some comments: the configuration for TopCAT is pretty much
> straight forward. Each URL matching the regular expression
> "^/((TOPCATWeb|topcatweb|ExtGWT).*)$" belongs to TopCAT and is thus
> forwarded to GlassFish. The "$1" in ProxyPassMatch will be substituted
> by the matching string, which is the location here. That is wy it is
> important to formulate the regexp such that full location string
> matches, e.g. you need the ".*" inside the parentheses and the
> termination of the regexp by "$".
>
> The ProxyPassReverse will make sure that all references of
> "https://icat.example.org:8181/" in the headers of the reply from
> GlassFish will be replaced by the original server name of the Apache.
> This will make local redirects using "Location" et.al. work.
>
> For the ICAT, we need not only to manipulate the headers, but also the
> content in the reply. The Substitute directive replaces all
> occurrences of URLs to GlassFish by the corresponding URL to the Apache
> in the body of the reply. The AddOutputFilterByType directive applies
> this filter to all XML content served by GlassFish. This is needed
> because the ICAT WSDL contains a reference to the XSD in a separate XML
> document and from the client's point of view this reference must be
> diverted to Apache.
>
> You might add access rules inside the LocationMatch sections, to allow
> for instance access to TopCAT from everywhere but to ICAT only from
> some selected IP addresses.
>

glassfish_log.odt

christophe.cleva

unread,
Dec 17, 2013, 3:40:17 PM12/17/13
to icatproje...@googlegroups.com
I have additional information regarding this issue, there is also in the server.log the following lines:

[2013-12-16T17:27:00.953+0100] [glassfish 4.0] [INFO] [] [javax.enterprise.web] [tid: _ThreadID=33 _ThreadName=http-listener-2(2)] [timeMillis: 1387211220953] [levelValue: 800] [[
  WebModule[null] ServletContext.log():UtilityService: ERROR: The serialization policy file '/icat/topcatweb/24E129A9FC5707FA755C9DD2E662A2E4.gwt.rpc' was not found; did you forget to include it in this deployment?]]

[2013-12-16T17:27:00.954+0100] [glassfish 4.0] [INFO] [] [javax.enterprise.web] [tid: _ThreadID=33 _ThreadName=http-listener-2(2)] [timeMillis: 1387211220954] [levelValue: 800] [[
  WebModule[null] ServletContext.log():UtilityService: WARNING: Failed to get the SerializationPolicy '24E129A9FC5707FA755C9DD2E662A2E4' for module 'https://wwws.esrf.fr/icat/topcatweb/'; a legacy, 1.3.3 compatible, serialization policy will be used.  You may experience SerializationExceptions as a result.]]

It seems this is a common problem with GWT behind a reverse proxy. Please see the following pages for details about it:

http://stackoverflow.com/questions/1517290/problem-with-gwt-behind-a-reverse-proxy-either-nginx-or-apache
http://stackoverflow.com/questions/7610969/what-is-the-effect-of-reverse-proxy-on-a-gwt-application
http://code.google.com/p/google-web-toolkit/issues/detail?id=4817
http://www.mograblog.com/2013/04/gwt-and-reverse-proxy-is-no-go.html

I am trying to find a workaround that does no require to modify the code, but so far to no avail.

Regards,
Christophe

Rolf Krahl

unread,
Dec 18, 2013, 8:44:22 AM12/18/13
to icatproje...@googlegroups.com
Christophe,

Am Dienstag, 17. Dezember 2013, 11:52:37 schrieb Christophe CLEVA:
>
> Rolf, could you share the versions you are using and confirm TOPCAT is
> working on your setup ?

Yes, TopCAT is working fine in my setup. My software stack:
Apache 2.2.16
GlassFish 3.1.2.2
openjdk-6-jdk 6b27-1.12.6
ICAT 4.2.5
TopCAT 1.9.0

The whole thing is running on a Debian 6.0 Squeeze using the
distributions dafault versions of the packages as far as possible.
This is the reason why i'm still using JDK 6 and thus am stuck to ICAT
4.2.5 on this installation at the moment. Early next year I want to
upgrade the whole thing to the current Debian stable (7.0 Wheezy) with
JDK 7 so that I can also upgrade to ICAT 4.3.*.


Concerning your problems with the proxying, the main difference that I
can spot between your configuration and mine is that you are using a
Location container, while I did it in a LocationMatch.

Indeed, Location seem to be more natural at first glance and I tried
it also at first. But I didn't get it working. Unfortunately I
didn't thoroughly document what configuration I tried and what the
problems were. But I remember that I had problems with TopCAT and the
proxy. My suspicion was that parameters in the query string were not
passed through properly and I even vaguely remember that there was
some note about this in the Apache documentation on Location. Anyway,
I switched to LocationMatch for this reason and then it worked.

Obviously, if you use LocationMatch, it is crucial to catch the whole
query string including all parameters with the parantheses in the
regular expression and you need to pass it to GlassFish in the
ProxyPassMatch.

HTH
Rolf

--
Rolf Krahl <rolf....@helmholtz-berlin.de>
Helmholtz-Zentrum Berlin für Materialien und Energie (HZB)
Albert-Einstein-Str. 15, 12489 Berlin
Tel.: +49 30 8062 12122
signature.asc
Reply all
Reply to author
Forward
0 new messages