
I have a load balancer with 3 web servers (a, b and c) behind it, all running Apache on RHEL 8. What I am trying to do is relatively simple - I want to get the Apache server-status for the boxes behind the load balancer, via http://loadbalancer/a/server-status, http://loadbalancer/b/server-status etc.

Server-status works fine when accessing these boxes directly using http://ipofbox:8000/server-status

In my httpd.conf for the load balancer I have the following lines.

    <VirtualHost *:80>
        ProxyRequests off

        #Start Proxy balancer block and define cluster
        <Proxy balancer://thecluster>
            BalancerMember http://172.31.19.205:8080
            BalancerMember http://172.31.28.85:8080 loadfactor=3
            BalancerMember http://172.31.28.49:8080
            #weighted traffic byte count balancing
            ProxySet lbmethod=bytraffic nofailover=off
        </Proxy>

        ProxyPass /worksa http://172.31.19.205:8080
        ProxyPass /worksb http://172.31.28.85:8080
        ProxyPass /worksc http://172.31.28.49:8080

        ProxyPass /a http://172.31.19.205:8000
        ProxyPass /b http://172.31.28.85:8000
        ProxyPass /c http://172.31.28.49:8000

        #pass through any other proxy requests
        ProxyPass / balancer://thecluster/

        #route traffic back through the cluster and act as a load balancer, ensure headers generated from any workers are modified to point to the load balancer, masking the backend web servers
        #ProxyPassReverse / balancer://thecluster/

        #balancer-manager GUI via port 80
        <Location /balancer-manager>
            SetHandler balancer-manager
        </Location>

        #don't pass requests to the BM through to the cluster
        ProxyPass /balancer-manager !

        <Location "/~Alice">
            AuthType Digest
            AuthName "private"
            AuthDigestDomain "/~Alice"
            AuthDigestProvider file
            AuthUserFile "/etc/httpd-auth/digest_passwords_file2"
            Require valid-user
        </Location>

        <Location "/~Bob">
            AuthType Digest
            AuthName "private"
            AuthDigestDomain "/~Bob"
            AuthDigestProvider file
            AuthUserFile "/etc/httpd-auth/digest_passwords_file2"
            Require valid-user
        </Location>
    </VirtualHost>

    <VirtualHost *:8000>
        ProxyRequests off

        #server-info GUI via port 8000
        <Location /server-info>
            SetHandler server-info
        </Location>

        #server-status GUI via port 8000
        <Location /server-status>
            SetHandler server-status
        </Location>

        <Location "/server-info">
            AuthType Digest
            AuthName "realm"
            AuthDigestDomain "/server-info"
            AuthDigestProvider file
            AuthUserFile /etc/httpd-auth/digest_passwords_file
            Require valid-user
        </Location>

        <Location "/server-status">
            AuthType Digest
            AuthName "realm"
            AuthDigestDomain "/server-status"
            AuthDigestProvider file
            AuthUserFile /etc/httpd-auth/digest_passwords_file
            Require valid-user
        </Location>
    </VirtualHost>

EDIT: it seems to be getting through now, but this time I'm getting a 400 bad request. The error log on the backend server serving the request reads:

[auth_digest:error] [pid 9105:tid 139830629422848] [client ***.***.***.***:50720] AH01786: uri mismatch - </a/server-info/> does not match request-uri </server-info/> 

It seems when digest authentication is enabled, it fails when accessing from the load balancer. On worksa I have the following:


    <VirtualHost *:8000>
        #balancer-manager GUI via port 8000
        <Location /balancer-manager>
            SetHandler balancer-manager
        </Location>

        #Req 4.b
        <Location "/server-info">
            SetHandler server-info
            AuthType Digest
            AuthName "realm"
            AuthDigestDomain "/server-info"
            AuthDigestProvider file
            AuthUserFile /etc/httpd-auth/digest_passwords_file
            Require valid-user
        </Location>

        # Req 4.a, Req 4.b
        <Location "/server-status">
            SetHandler server-status
            AuthType Digest
            AuthName "realm"
            AuthDigestDomain "/server-status"
            AuthDigestProvider file
            AuthUserFile /etc/httpd-auth/digest_passwords_file
            Require valid-user
        </Location>
    </VirtualHost>

Secondly, when trying to access http://loadbalancer/worksa/index.html I get a 403 Forbidden; the access log of worksa says the following:

(13)Permission denied: file permissions deny server access: /var/www/html/index.html. 

I've used chmod 0644 on index.html and it doesn't seem to help.

In summary, http://loadbalancer/a/server-info asks for credentials then returns 400 bad request, and http://loadbalancer/a/index.html returns 403 forbidden.

Many thanks.


1 Answer


Move the specific ProxyPass directives before the balancer ProxyPass which then matches everything else with /. And remove the trailing slashes.

Here's the first vhost:

    <VirtualHost *:80>
        ProxyRequests off

        #Start Proxy balancer block and define cluster
        <Proxy balancer://thecluster>
            BalancerMember http://172.31.27.155:8080
            BalancerMember http://172.31.21.185:8080 loadfactor=3
            BalancerMember http://172.31.28.201:8080
            #weighted traffic byte count balancing
            ProxySet lbmethod=bytraffic nofailover=off
        </Proxy>

        ProxyPass /worksa http://172.31.27.155:8080
        ProxyPass /worksb http://172.31.21.185:8080
        ProxyPass /worksc http://172.31.28.201:8080

        # pass through balancer member
        ProxyPass /a http://172.31.27.155:8000
        ProxyPass /b http://172.31.21.185:8000
        ProxyPass /c http://172.31.28.201:8000

        # pass through any other proxy requests
        ProxyPass / balancer://thecluster/

        #route traffic back through the cluster and act as a load balancer, ensure headers generated from$
        #ProxyPassReverse / balancer://thecluster/
    </VirtualHost>

You might need to tweak access control on the backend to prevent a "403 Forbidden":

    <Location /server-status>
        SetHandler server-status
        # limit to ip addresses, hosts or whatever you need
        Require ip 172.31
    </Location>

  • Hi, thanks very much for looking at my request, but I'm still getting the same error message. Also, when I try to enter loadbalancer/worksa/index.html I get a 403 forbidden - the access log of worksa says file permissions are the issue - (13)Permission denied: [client 172.31.28.124:33218] AH00132: file permissions deny server access: /var/www/html/index.html. Commented Apr 22, 2021 at 8:16
  • Check if SELinux is enabled and remove authentication to keep it simple for testing. You can enable it later. Commented Apr 22, 2021 at 9:35
  • I fixed the 403 forbidden - it was WinSCP - when I create .html files through that program for some reason it does not handle permissions as it says it does. Still have the same issue with the server-config however. I have disabled SELinux on all boxes, thanks. Commented Apr 22, 2021 at 10:15
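
The AH01786 error quoted in the question can be reproduced on paper. The following Python model is an added example, not code from the thread or from Apache: it computes an RFC 2617 digest response and shows why a backend rejects a request whose path was changed by `ProxyPass /a http://backend:8000`. The credentials, nonce and the helpers `proxy_pass` and `backend_check` are constructed for illustration, and the path-preserving mapping in the third scenario is a hypothetical variant, not the poster's configuration.

```python
import hashlib

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617, qop=auth: the request URI is hashed into HA2.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def client_header(uri, user="alice", realm="realm", password="constructed-pw",
                  nonce="constructed-nonce"):
    # Fields a browser sends in "Authorization: Digest" for GET <uri>.
    nc, cnonce = "00000001", "constructed-cnonce"
    resp = digest_response(user, realm, password, "GET", uri, nonce, nc, cnonce)
    return {"username": user, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "response": resp}

def proxy_pass(path, prefix, target_path=""):
    # Models "ProxyPass <prefix> http://backend:8000<target_path>".
    assert path.startswith(prefix)
    return target_path + path[len(prefix):]

def backend_check(auth, request_uri, password="constructed-pw"):
    # Simplified model of the two checks relevant here, not Apache's code.
    if auth["uri"] != request_uri:
        return 400, (f"uri mismatch - <{auth['uri']}> does not match "
                     f"request-uri <{request_uri}>")
    expected = digest_response(auth["username"], auth["realm"], password, "GET",
                               auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
    return (200, "ok") if expected == auth["response"] else (401, "bad response")

def scenarios():
    auth = client_header("/a/server-info/")
    # The mapping from the question: /a/server-info/ reaches the backend as /server-info/.
    stripped = backend_check(auth, proxy_pass("/a/server-info/", "/a"))
    # A proxy that only rewrote the header's uri field would still fail the hash.
    rewritten = backend_check(dict(auth, uri="/server-info/"), "/server-info/")
    # Hypothetical path-preserving mapping: backend serves the same /a/... path.
    preserved = backend_check(auth, proxy_pass("/a/server-info/", "/a", "/a"))
    # Direct access to the backend, as in http://ipofbox:8000/server-info/.
    direct = backend_check(client_header("/server-info/"), "/server-info/")
    return stripped, rewritten, preserved, direct

if __name__ == "__main__":
    for name, result in zip(("stripped", "rewritten", "preserved", "direct"), scenarios()):
        print(name, result)
```

Because the URI is part of the hashed response, the proxy cannot repair the header without knowing the password; digest authentication only validates when the path the client signed is the path the authenticating server sees.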
