[Deploying Sakai] Proxying through Apache

Adams, David da1 at vt.edu
Tue Jun 23 07:07:16 PDT 2009


On each of our app servers we run Tomcat behind httpd using mod_proxy.
(We load balance the servers behind a BIG-IP, but that doesn't change
the configuration meaningfully.) I prefer mod_proxy because the httpd
config is a lot simpler, but honestly Tomcat and Sakai are designed to
use mod_jk for connectivity. Mod_proxy still works, though. Here's our
config.

Tomcat runs on 8080 and only listens for connections on the loopback
interface. Here's the *entire* Tomcat server.xml:
-----
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" enableLookups="false" URIEncoding="UTF-8"
               proxyName="scholar.vt.edu" proxyPort="443"
               scheme="https" address="localhost"
               maxThreads="150" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
-----
We don't have Tomcat running the SSL for us. But, there are some
important settings in there. proxyName and proxyPort in particular have
to be set to the correct public values. 'address="localhost"' binds us
to only accept locally sourced connections. And here's the key to
working with Sakai using mod_proxy on httpd without enabling SSL on
Tomcat: 'scheme="https"', but *not* 'secure="true"'.

If you've found the docs about "force.url.secure=443" etc, ignore those,
that only fixes a couple of things. Sakai is very flaky about writing
self-referent URLs (that's partially, but not all, Tomcat's fault). But
if you set scheme="https" and set your serverUrl property in
sakai.properties, everything should work.

Then, we have httpd listening with SSL on port 8043 and handling a few
rewrites and request logging. But here's the essential httpd config that
you could just drop at the end of the default config and it should work:
-----
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
-----
If you need to exclude any paths from the proxy (i.e. stuff you want
hosted by Apache) you can just include a line like this *before* the
ProxyPass line above:

ProxyPass /apachehostedpath !

Then if you set serverUrl in your sakai.properties to whatever the real
endpoint is:
-----
serverUrl=https://scholar.vt.edu
-----

If you still have trouble, I suggest breaking it down into each part of
the puzzle and making sure you can make each piece work independently of
the others and in each possible pairing. Then if you can identify the
pieces that are giving you trouble, we can probably provide more
focussed advice.

David Adams
Director of Systems Integration and Support
Virginia Tech Learning Technologies


> -----Original Message-----
> From: production-bounces at collab.sakaiproject.org [mailto:production-
> bounces at collab.sakaiproject.org] On Behalf Of Paul Gibbs
> Sent: Tuesday, June 23, 2009 9:30 AM
> To: production at collab.sakaiproject.org
> Subject: [Deploying Sakai] Proxying through Apache
> 
> Does anyone have any advice on configuring Sakai with Apache? I have
> had a hard time getting the resources I've found online to work for me.
> 
> Ultimately, what I'd like to do is run Apache as a front-end for Sakai
> on the same machine and have users log in via 443. Is this how most of
> you are currently set up?
> 
> Thank you!
> 
> Paul Gibbs
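
A consistency check for the setup described in the message above, as an added example that is not part of the original post and not Sakai or Tomcat code: it flags a Connector that is not bound to loopback, or whose proxyName, proxyPort or scheme disagrees with serverUrl. The function names and the DRIFTED_XML sample are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}
# Connector from the post's server.xml, reduced to the attributes checked here.
POSTED_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" address="localhost" proxyName="scholar.vt.edu"
             proxyPort="443" scheme="https" />
</Service></Server>"""
# Constructed counter-example: no address, httpd's internal port, no scheme.
DRIFTED_XML = """<Server><Service name="Catalina">
  <Connector port="8080" proxyName="scholar.vt.edu" proxyPort="8043" />
</Service></Server>"""
POSTED_PROPS = "serverUrl=https://scholar.vt.edu\n"

def is_loopback(address):
    """True only if the Connector address restricts Tomcat to local clients."""
    if address is None or address == "localhost":
        return address == "localhost"  # attribute absent: all interfaces
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:  # some other hostname; not provably loopback
        return False

def server_url(properties_text):
    """Return the serverUrl value from sakai.properties text, or ''."""
    pairs = (line.partition("=") for line in properties_text.splitlines())
    return next((v.strip() for k, sep, v in pairs if sep and k.strip() == "serverUrl"), "")

def check_proxy_config(server_xml, properties_text):
    """List mismatches between each Connector and the public serverUrl."""
    url = urlsplit(server_url(properties_text))
    if url.scheme not in DEFAULT_PORTS or not url.hostname:
        return ["serverUrl is missing or not an absolute http(s) URL"]
    public_port = str(url.port or DEFAULT_PORTS[url.scheme])
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        if not is_loopback(conn.get("address")):
            findings.append(f"Connector {port}: not bound to loopback, clients can bypass httpd")
        expected = (("proxyName", "", url.hostname), ("proxyPort", "", public_port),
                    ("scheme", "http", url.scheme))  # Tomcat's scheme default is http
        for attr, default, want in expected:
            got = conn.get(attr, default)
            if got.lower() != want:
                findings.append(f"Connector {port}: {attr}={got!r}, serverUrl implies {want!r}")
    return findings

if __name__ == "__main__":
    print(check_proxy_config(DRIFTED_XML, POSTED_PROPS))
```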


