I find Apache 2.2 and Reverse Proxy a very powerful tool. I use it all the time when setting up Shibboleth SP to secure all kinds of different applications. SpringSource is going to have a webinar on the “Secrets of Apache 2.2 Reverse Proxy”. I am very interested in seeing what new tips and tricks I might learn. Go and register for this FREE Webinar today.

Secrets of Apache 2.2 Reverse Proxy

The Apache Web Server has always been heavily used in reverse proxy environments. With the release of Apache 2.2, the capabilities of Apache as a reverse proxy has significantly enhanced. Apache now natively supports load balancing, failover detection and recovery, increased RFC compliance and the ability to proxy the AJP protocol.

Join Jim Jagielski, Chief Open Source Officer and Principal Software Engineer at SpringSource, for a webinar that will provide an overview of these new capabilities and introduce you to the advanced features of installing and configuring Apache as a robust, high-availability web server and reverse proxy, for HTTP and Tomcat servers.

Attend this webinar if you:

* Use Apache as a front-end to Tomcat
* Need load-balancing at the web tier
* Need to protect your business logic assets

This webinar is offered in two different time zones. Register for a session for clicking on the appropriate time below:
When: Tuesday, May 19, 2009
European Audiences 3:00 PM Central European Time
North American Audiences 11:00am Pacific/2:00pm Eastern

Speaker: Jim Jagielski
Chief Open Source Officer and Principal Software Engineer
SpringSource

Technical Level: Intermediate Technical Level

I don’t know if you have come across the all but wonderful Apache HTTP “502 Proxy Error”, but if you have you know it is a pain to diagnose. I just ran across this problem the other week. After much research, I found out that there are all kinds of little things that can cause this to happen. Everything from a application taking to long to respond to firewall and load balancer issues.

In my case we had a lot of things to look at. We were front ending a Glassfish cluster with a Apache HTTP server doing a proxy passthrough connection. The traffic between the HTTP server and the Glassfish cluster is being handled by a load balancer and passing through a firewall. What I discovered was that Glassfish would close a connection from the Proxy Server but the Proxy Server would see the connections as still being open. The next request would try to aquire, what it thought was a open connection, and would fail with this error.

To fix this issue I added the disablereuse and retry attributes to the ProxyPass connection. Here is a example of them being used. You need to set disableresue to On and retry to 0.

ProxyPass /example http://backend.example.com disableresue=On retry=0

I set retry to 0 so that that there is no wait in retrying a request. According to the Apache HTTP Documentation the disableresue should only be used in rare occasions where the connection is randomly dropped.

copied from the apache documentation

This parameter should be used when you want to force mod_proxy to immediately close a connection to the backend after being used, and thus, disable its persistent connection and pool for that backend. This helps in various situations where a firewall between Apache and the backend server (regardless of protocol) tends to silently drop connections or when backends themselves may be under round- robin DNS. To disable connection pooling reuse, set this property value to On.

Now that I have added these attributes I have not gotten the 502 Proxy Error once.

Phish is getting ready to start there new tour run this Friday at Hampton Colosseum. Since I easily got shut out for all three nights of that run, I am going to have to sit at home and wait for the downloads, so I can experience the magic of Phish for myself. This led me to find Mr. Miner's Phish Thoughts blog.

As I was looking through his blog, it appears that he is going to have the shows posted on the web for download within a hour after each show. Now of course he says that it might take more than a hour, but this should draw a ton of people to his site. In the facts section his response to the possiable huge traffic that he is expecting is this.

3. Isn’t the download link going to crater?
The files will be hosted on Amazon S3, so it shouldn’t.

There will also be a torrent (hosted by Amazon) that should be really fast if there are hundreds (perhaps thousands!?) of you grabbing it.

Well I know that I will be online checking to see if he has gotten the shows posted yet. This should also be a great test to see how efficient the download will be. I have been very interested in Amazon’s S3 service, and am very curious how things will pan out.

I will have to thank the administrator of “Mr. Miner's Phish Thoughts” site. He is doing a great thing by appeasing to my sense of impatience. He is also going above and beyond what could be expected of any taper. Now all I can do is hope and pray that Amazon can handle this type of bandwidth. I would expect that he is going to draw some amazing traffic after the show is done.

Also remember to go and sign up for free Soundboard Downloads provided by Phish's on LivePhish.com .

Today I setup my first IIS 6 web server with a Shibboleth SP . Now I have setup many instances of the Shibboleth SP in the Apache HTTP server and have had hardly any issues at all. This is not the case with IIS. The installation and setup of the filter in the Web Server went very smoothly. All of my issues came when configuring the shibboleth2.xml file.

What I discovered as my main issue was that IIS 6 seems to convert all url requests to be all lowercase. The information I was given by my client was mixed case. This created a issue where the http://localhost/Shibboleth.sso/Status page was showing that Shibboleth was setup correctly but the pages were not being secured correctly. To fix my issue I changed all mixed case domain names like Sp.Example.org to sp.example.org for both the ISAPI Site name and the Request Mapper Host name.

After I did that everything was working correctly. So if you are having issues with your site security working with Shibboleth and IIS then you might want to check the domain name entries. It appears that IIS is very sensitive to case sensitivity.

I have secured Wordpress sites with Shibboleth using the Wordpress HTTP Authentication Plugin . This seems to work ok, but now there is a better option. Thanks to Will Norris , who had created a new Wordpress Shibboleth Plugin .

This plugin is very nice written. Will seems to be leveraging the login link in Wordpress with Shibboleth Lazy Initialization. This makes for a very clean login procedure. I have done the same type of login method in Joomla, and the users have been very pleased. He also has created some nice ways to process the attributes from shibboleth and map them to Wordpress roles. This can all be done in the configuration of the plugin.

Keep in mind that you still need to setup the Apache Shibboleth SP, but that is a trivial task indeed.

If you would like to see a live demo of the plugin in action, you can checkout the video here or view it below.