Develop Reference

Load Balancer Health Check After Applying AWS SSL certificates

I created a load balancer with autoscaling group. It was working really fine until i applied SSL certificates and redirected the traffic to HTTPS. The load balancer health check is http one and i cannot move that check over to https because the certificates are applied on load balancer. So the current stack is Rails 4.2 , operating system is ubuntu, http entertainer is nginx and i have 5 instances running on Load Balancer. So i created a redirect on nginx like below
if ($scheme = http) {
return 301 mydomain.com$request_uri;
}
Then i tried this
if ($request_uri != "/public/health.html" ) {
set $balancer P;
}
if ($scheme = http) {
set $balancer "${balancer}C";
}
if ($balancer = PC) {
return 303 mydomain.com$request_uri;
}
With these redirections my site went down and on browser i was having an error of multiple redirections. This issue is making me crazy. Kindly please help. Your help will be appreciated a lot. Thanks

I had the exact same problem with my tomcat server (instances) and apachae server (load balancer). I also was getting multiple redirects in browser. I did two things:
Changed Load balancer listeners:
Changed a little in apache config:
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:80>
<Proxy *>
Order deny,allow
Allow from all
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/$
Rewriterule ^(.*)$ https://www.example.com/ [L,R=301]
</Proxy>
RequestReadTimeout header=35 body=35
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
ErrorLog /var/log/httpd/elasticbeanstalk-error_log
</VirtualHost>
<VirtualHost *:443>
RequestReadTimeout header=35 body=35
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
SSLEngine on
SSLCertificateFile /path/where/cert/stored/2_example.com.crt
SSLCertificateKeyFile /path/where/cert/stored/private-key.pem
SSLCertificateChainFile /path/where/cert/stored/1_root_bundle.crt
ErrorLog /var/log/httpd/elasticbeanstalk-error_log
</VirtualHost>
I kept port 80 opened for health checks and 443 for site. This configuration might help you. Do let me know if you were able to solve your problem.

Very short and effective solution, that will work 100% on any AWS settings. Put this in your application controller.
before_filter :move_to_https if RAILS.env == "production"
def move_to_https
redirect_to request.url.gsub("http","https") unless request.url.include?("https")
end
This will convert any domain traffic to https and ip's will never be exposed via load balancer.

Something like this in your nginx configuration should work:
server {
listen 80;
server_name www.example.com;
location = /public/health.html {
return 200;
}
location / {
return 301 https://$http_host$request_uri;
}
}

Gerrit error log:"Unable to authenticate user by Authorization request header". what's going on?

I had install gerrit-v2.11 on ubuntu server v-12.04, using apache2 do Reverse Proxy. Here is my gerrit.config:
[gerrit]
basePath = git
canonicalWebUrl = http://192.168.26.47:8081
[database]
type = h2
database = db/ReviewDB
[index]
type = LUCENE
[auth]
type = HTTP
[sendemail]
smtpServer = smtp.exmail.qq.com
smtpServerPort = 465
smtpEncryption = ssl
smtpUser = gerrit#pisen.com.cn
smtpPass = PS1024mail
sslVerify = false
from=CodeReview<gerrit#pisen.com.cn>
[container]
user = mng
javaHome = /usr/lib/jvm/jdk1.8.0_65/jre
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = proxy-http://192.168.26.47:8081/
[cache]
directory = cache
[download]
command = checkout
command = cherry_pick
command = pull
command = format_patch
scheme = http
scheme = anon_http
scheme = anon_git
scheme = repo_download
scheme = ssh
and the apache2 default file:
<VirtualHost *:8080>
ServerName 192.168.26.47
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location /login/>
AuthType Basic
AuthName "Gerrit Code Review"
AuthBasicProvider file
AuthUserFile /adm-servers/gerrit/review_site/etc/passwords
Require valid-user
</Location>
AllowEncodedSlashes On
ProxyPass / http://192.168.26.47:8081/
ProxyPassReverse / http://127.0.0.1:8081/
Now it works. But, it takes very long time to login(about 1-2 min):
enter image description here
I checked the log file, there is one error:
[2016-03-18 09:51:24,268] INFO org.eclipse.jetty.server.ServerConnector : Started ServerConnector#5ced0537{HTTP/1.1}{192.168.26.47:8081}
[2016-03-18 09:51:24,268] INFO org.eclipse.jetty.server.Server : Started #13804ms
[2016-03-18 09:51:24,269] INFO com.google.gerrit.pgm.Daemon : Gerrit Code Review 2.11 ready
[2016-03-18 10:05:03,957] ERROR com.google.gerrit.httpd.auth.container.HttpLoginServlet : Unable to authenticate user by Authorization request header. Check container or server configuration.
I searched for this error information, and was told that the most probable reason was Gerrit and apache using the same port. Obviously, in my config file, this ports were not same as each other.
I also captured the packages:
enter image description here
The capture talk of that, the TCP connection colsed while login. And i doubt the error "Unable to authenticate user by Authorization request header" cause the connection to be colsed.
Any body know what's going on about "Unable to authenticate user by Authorization request header"?

I am Ok now,but not found the cause.
I will try a new environment to find it when I have the time.
Here is my config detail(init gerrit-2.12.war to '/usr/local/gerrit' ):
vim /etc/apache2/httpd.conf
<VirtualHost [My_IP]:80>
ServerName [My_IP]
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Proxy *:80>
Order deny,allow
Allow from all
</Proxy>
<Location '/login/'>
AuthType Basic
AuthName "YuhuiXU Gerrit Code Review"
Require valid-user
AuthBasicProvider file
AuthUserFile /usr/local/gerrit/etc/passwds
</Location>
AllowEncodedSlashes On
ProxyPass / http://[My_IP]:8081/
</VirtualHost>
vim /usr/local/gerrit/etc/gerrit.config
[gerrit]
basePath = git
canonicalWebUrl = http://test026:80/
[database]
type = mysql
hostname = localhost
database = reviewdb
username = gerrit
[index]
type = LUCENE
[auth]
type = HTTP
[receive]
enableSignedPush = false
[sendemail]
smtpServer = localhost
[container]
user = root
javaHome = /usr/lib/jvm/java-8-openjdk-amd64/jre
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = http://[My_IP]:8081/
[cache]
directory = cache
Hope this will help you.

Trying to run Faye websocket on Apache using a proxy

I'm trying to use Faye gem on thin server with Rails in a production environment but I cannot make it work. I'm using apache 2.4 and ws_tunnel also proxy modules are enabled. My setup is like below.
Apache configuration
<VirtualHost *:443>
ServerName mysite.example.com
ServerAlias mysite.example.com
DocumentRoot /var/www/html/mysite/current/public
SSLEngine on
SSLCertificateFile "/etc/httpd/conf/keys/ServerCertificate.cer"
SSLCertificateKeyFile "/etc/httpd/conf/keys/example.com.key"
SSLCertificateChainFile "/etc/httpd/conf/keys/CACertificate-1.cer"
RewriteEngine On
SSLProxyEngine On
ProxyRequests off
ProxyPreserveHost on
ProxyPass /faye !
ProxyPassReverse /faye !
ProxyPass / balancer://thinservers/
ProxyPassReverse / balancer://thinservers/
<Proxy *>
Require all granted
</Proxy>
<Location /faye>
ProxyPass ws://localhost:9292
ProxyPassReverse ws://localhost:9292
</Location>
RequestHeader set X_FORWARDED_PROTO 'https'
# Custom log file locations
ErrorLog /etc/httpd/logs/error-unilever.log
CustomLog /etc/httpd/logs/access-unilever.log combined
</VirtualHost>
Faye.ru file
require 'faye'
Faye::WebSocket.load_adapter('thin')
app = Faye::RackAdapter.new(:mount => '/faye', :timeout => 25)
run app
And I'm starting faye with the following command
rackup faye.ru -E production -s thin
This way I can reach the faye.js by typing the following url from the browser.
https://mysite.example.com/faye/faye.js
But When I type https://mysite.example.com/faye/ for example, I get the following result
Sure you're not looking for /faye ?<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
root#localhost to inform them of the time this error occurred,
and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
which is strange because I only get "Sure you're not looking for /faye ?" in the development.
I'm calling the Faye in application.js as
client = new Faye.Client("https://mysite.example.com/faye/faye")
And I get an error like
POST https://mysite.example.com/faye/faye 400 (Bad Request)
I also tried to use the wss protocol in the proxy settings and also giving my certificate paths to thin to start with SSL but nothing worked.
I assume this may be happening because of the proxy or the ws_tunnel module because when I run the following command from the shell in the server
curl http://localhost:9292
I get only "Sure you're not looking for /faye ?" message.
Does anyone came accross something like this?
I would appreciate if someone could help me.
Thanks in advance.

For those who's having the same issue, my advice is to no matter which version of Apache you are using, just change it to nginx without any hesitation. It's been very easy to configure and run it.
I'm using the below configuration for my app named example. After setting up nginx correctly, everything else worked quite well.
hope this helps someone
# app: example
# locally running on port 7000
upstream example {
server 127.0.0.1:7000;
server 127.0.0.1:7001;
}
# Faye is set to run on port 9292
upstream example_socket{
server 127.0.0.1:9292;
}
server {
# listen 80 if it's a non SSL site
listen 443;
server_name www.example.com;
location /faye {
proxy_pass http://example_socket;
# Including common configurations
include /etc/nginx/conf.d/proxy.conf;
include /etc/nginx/conf.d/proxy_socket.conf;
}
location / {
root /var/www/vhost/example/current/public;
proxy_pass http://example;
# Including common configurations
# can be found on Internet easily
include /etc/nginx/conf.d/proxy.conf;
}
}

Apache2 Configuration That Allows a Subdomain Point to an Machine:Port

I own the domain, "peterlee.com.cn", and I added an A Record in my domain control panel:
RR Destination IP TTL
rs.peterlee.com.cn 10.50.10.75 1 hour
I have an RoR (Ruby on Rails) project running on 10.50.10.75:9051, which means the user can visit my RoR application by http://10.50.10.75:9051
I want to let the user visit it by http://rs.peterlee.com.cn, so I added the following VirtualHost File/Site:
<VirtualHost *:80>
ServerName rs.peterlee.com.cn
DocumentRoot /usr/website/myapp/current/public
PassengerEnabled off
ProxyPass / http://127.0.0.1:9051/
ProxyPassReverse / http://127.0.0.1:9051/
RackEnv production
RailsEnv production
<IfModule mod_rewrite.c>
RewriteEngine On
# Redirect all requests to the maintenance page if present
RewriteCond %{REQUEST_URI} !\.(css|gif|jpg|png)$
RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ /system/maintenance.html [L]
</IfModule>
</VirtualHost>
After enabling the site and restarting the Apache2, I tried http://rs.peterlee.com.cn, it gives me the 500 Internal Server Error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, [no address given] and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Apache/2.2.22 (Ubuntu) Server at rs.peterlee.com.cn Port 80
Thanks.
Peter

I found the following warning in /var/log/apache2/error.log:
[Thu Jul 19 10:22:20 2012] [warn] proxy: No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Thu Jul 19 10:22:20 2012] [warn] proxy: No protocol handler was valid for the URL /favicon.ico. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
So I enable the following modules:
sudo a2enmod proxy proxy_balancer proxy_http
After restarting Apache2, it worked!
Thanks anyway.
BTW: I start the service using Passenger:
passenger start -a 127.0.0.1 -p 9051 -e production -d

How to password control access to all urls except one in apache 2

I want to password protect all urls on my beta site at the moment. Except one url because it is called by flash and flash can't handle basic auth properly it seems. So i want to disable basic auth for that one url. This is my config in apache. Apache is a proxy for tomcat but that should not matter right ?
<IfModule mod_proxy_ajp.c>
ProxyRequests On
ProxyVia On
<Location /uploader>
Order allow,deny
Allow from all
ProxyPass ajp://localhost:8050/uploader
ProxyPassReverse ajp://localhost:8050/uploader
</Location>
<Location />
Order allow,deny
Allow from all
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/apache2/passwd/site-access
Require valid-user
ProxyPass ajp://localhost:8050/
ProxyPassReverse ajp://localhost:8050/
</Location>
</IfModule>
SO my thinking is that if http://www.example.com/uploader is called then the first location config is should be matched and no auth is required.
This does not seem to work i always get asked for auth. Any ideas ?
regards
Peter Delahunty

Add Satisfy Any to the uploader location:
<Location /uploader>
Order allow,deny
Satisfy Any
Allow from all
ProxyPass ajp://localhost:8050/uploader
ProxyPassReverse ajp://localhost:8050/uploader
</Location>
This is documented in the Apache docs, but under the description of the Require directive.