Forum OpenACS Q&A: reverse proxy via apache...

Posted by David Kuczek on
I recently set up apache as a reverse proxy and everything seems to run okay. But there is one thing that isn't right: My Webalizer doesn't recognize sites/visits anymore while hits/kbytes are shown correctly.

Is the aolserver access file losing information for sites/visits while being proxied through apache? How can I fix this?

Thanks

Posted by Patrick Giagnocavo on
The bad news is that your access.log files will have only the IP address of the requesting Apache process, which is the same IP as your machine's.

The good news is that you can easily add a CustomLog entry in your Apache config file to put a logfile in your home directory or wherever you want it that does have the IPs of those visiting.

Posted by David Kuczek on
Hello Patrick,

Would I have to point webalizer to that new apache generated logfile and completely neglect access.log? What exactly would the CustomLog entry look like?

Thanks

Posted by russ m on
I don't know how far away we are from having AOLServer 4 as the recommended server for OpenACS, but nslog in AOLServer 4 now logs as the remote host whatever was in the X-Forwarded-For: header (if it exists) in order to handle this type of situation.
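
Logging the X-Forwarded-For value as the remote host is only reliable when the request really came through the proxy, because any client can send that header itself. The following is an added example, not part of the thread and not nslog's code, showing one way to pick the address to log; the trusted proxy networks are assumptions.

```python
import ipaddress

# Assumption: only these networks host reverse proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def _is_trusted(addr):
    """True if addr belongs to one of the configured proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address to write to the access log.

    peer       -- address of the TCP peer that connected to the backend
    xff_header -- raw X-Forwarded-For header value, or None if absent
    """
    try:
        peer_addr = ipaddress.ip_address(peer)
    except ValueError:
        return peer
    # A direct client controls the header completely, so ignore it.
    if not xff_header or not _is_trusted(peer_addr):
        return str(peer_addr)
    # Each proxy appends the address it received the request from, so walk
    # the list right to left and stop at the first hop that is not a proxy.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer_addr)  # malformed entry: fall back to the peer
        if not _is_trusted(addr):
            return str(addr)
    return str(peer_addr)  # every hop was a proxy: log the peer itself
```

Entries to the left of the first untrusted hop were supplied by the client and are never used.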
Posted by Andrew Piskorski on
My guess is not very far. People seem to keep slowly turning up one or two bugs in each AOLserver 4.0 beta, which are then quickly fixed. And some OpenACS folks have been using the 4.0 betas for a long time now and are satisfied with it. So my guess is once 4.0 final and a matching nsopenssl are released (not sure when that will happen, or if it already has), OpenACS will want to start recommending it. Maybe even start requiring AOLserver 4.0 as of OpenACS 5.0, I dunno.
Posted by C. R. Oldham on
One showstopper is nsopenssl, which does not work with 4.0 yet.  Scott Goodwin is working on it.
Posted by Peter Alberer on

We have tried both apache and Pound as ssl-reverse-proxy solutions for openacs. As far as the logging is concerned, if you use apache you only need to use the apache http log, which contains all the info you should need. With the following config file lines the log file should look like the aolserver access.log:

HostnameLookups Off
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/access_log combined

If you want to use apache you will probably need some rewrite rules for redirects coming from the backend server that would otherwise by-pass the proxy server. OpenACS uses returnredirect quite a lot and you need to deal with that.

Pound is another option. It is a small reverse-ssl-proxy that lets you load balance requests based on url matching, it checks the status of the backend-servers and it has (as far as I know) most of the proxy-features apache can offer. Pound also takes care of the X-Forwarded-for headers and keeps a combined log file for all requests.

Posted by Peter Alberer on
> One showstopper is nsopenssl, which does not work with 4.0 yet. Scott Goodwin is working on it

If you use an ssl-reverse-proxy, aolserver does not need ssl, as only the traffic between the user's browser and the reverse-proxy is via https. The proxy can connect to the backend server via http. Both apache and pound support that solution.

Posted by Brad Duell on
Posted by David Kuczek on
> If you want to use apache you will probably need some rewrite rules for redirects coming from the backend server that would otherwise by-pass the proxy server. OpenACS uses returnredirect quite a lot and you need to deal with that.

Hey Peter,

what do you mean with "rewrite rules"? Currently I have Apache running as a proxy server and everything but the visits problem "seems" okay...

Beginners Question: Where will I find the logfile that apache creates?

Thanks
Posted by David Kuczek on
Another thing: What are the pros and cons of apache, pound and squid... I only want to have virtual hosts running on my machine and aolserver's virtual hosts didn't really work...
Posted by Peter Alberer on
> Beginners Question: Where will I find the logfile that apache creates?

If you use a config file directive like the one mentioned above:
CustomLog logs/access_log combined
the logfile will be in APACHE_HOME/logs/access_log.

> what do you mean with "rewrite rules"?

When one of the backend servers returns an HTTP 302 status code, the proxy and/or the backend server has to take care of the server/protocol it sends the browser to. If you have a website like www.test.com with backends www1.test.com, www2.test.com, www3.test.com, all redirects should go to www.test.com and not directly to one of the backends. In addition, the redirects should use the right protocol (http/https). Using ad_returnredirect (which returns to the host in the http location header) instead of ns_returnredirect seems to take care of the correct host. But if you use an ssl-reverse-proxy that connects to the backend server via http, aolserver will return a redirect to http and could miss the proxy (if it just listens to https). The proxy can rewrite this to use the right protocol.

The relevant directive for apache is ProxyPassReverse; Pound will do this automatically, I think. I must admit I have not tried a lot of variations of apache functionalities (proxypass and url-rewriting can get rather complex) as we use pound for now.
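
The redirect handling described in the post above, as an added example that is not part of the thread and is a model of the rewrite rather than Apache's or Pound's implementation. The host names are the ones used in the post; the https-only public scheme and the set of redirect status codes are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Names from the post's example; the public site is assumed to be https-only.
PUBLIC_SCHEME = "https"
PUBLIC_HOST = "www.test.com"
BACKEND_HOSTS = {"www1.test.com", "www2.test.com", "www3.test.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def rewrite_location(location):
    """Rewrite a backend Location value so the browser returns via the proxy."""
    parts = urlsplit(location)
    if not parts.netloc:
        # Relative redirect: the browser resolves it against the proxy URL.
        return location
    host = (parts.hostname or "").lower()  # hostname drops any backend port
    wrong_host = host in BACKEND_HOSTS
    wrong_scheme = host == PUBLIC_HOST and parts.scheme != PUBLIC_SCHEME
    if wrong_host or wrong_scheme:
        return urlunsplit((PUBLIC_SCHEME, PUBLIC_HOST, parts.path or "/",
                           parts.query, parts.fragment))
    # Redirect to some other site: not ours to rewrite.
    return location


def rewrite_response(status, headers):
    """Return a copy of the response headers with Location fixed on redirects."""
    if status in REDIRECT_STATUSES and "Location" in headers:
        return dict(headers, Location=rewrite_location(headers["Location"]))
    return dict(headers)
```

Redirects that point at hosts outside the configured set are passed through unchanged, so the rewrite cannot turn an external redirect into one that appears to come from the public site.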