Apache connection issues on Centos 7


#1

Recently installed Lucee on Blueonyx 5209 (Centos 7) connected to apache and all was fine. One day about a week later cfm pages started being rendered as text (showing cfm code) and lucee admin was returning 404. After some investigation I discovered lucee was up and running on port 8888. Not through Apache on 80.

What’s going on? This is a major bug and security issue.


#2

more than likely your /etc/httpd/conf/httpd.conf was replaced by a new file or overwritten.

With luck you have a httpd.conf.bak file.

Open that up and at the end of that file you should have something near the bottom that starts with IfModule mod_proxy.c

Copy that and all contents below it to the end of the file to your httpd.conf file
restart apache.


#3

Hi Terry,

That was one of the things I checked. I do have a conf.bak but I think it was created when lucee was installed as it does NOT contain mod_proxy.c or load mod_cfml.so

here is what’s in that section of my current httpd.conf

Any thoughts are much appreciated, I’m at a loss.

ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1$2
ProxyPassMatch ^/(.+\.cfchart)(/.*)?$ http://127.0.0.1:8888/$1$2
ProxyPassMatch ^/(.+\.cfml)(/.*)?$ http://127.0.0.1:8888/$1$2
# optional mappings
#ProxyPassMatch ^/flex2gateway/(.*)$ http://127.0.0.1:8888/flex2gateway/$1
#ProxyPassMatch ^/messagebroker/(.*)$ http://127.0.0.1:8888/messagebroker/$1
#ProxyPassMatch ^/flashservices/gateway(.*)$ http://127.0.0.1:8888/flashservices/gateway$1
#ProxyPassMatch ^/openamf/gateway/(.*)$ http://127.0.0.1:8888/openamf/gateway/$1
#ProxyPassMatch ^/rest/(.*)$ http://127.0.0.1:8888/rest/$1
ProxyPassReverse / http://127.0.0.1:8888/

LoadModule modcfml_module modules/mod_cfml.so
CFMLHandlers ".cfm .cfc .cfml"
ModCFML_SharedKey "4b9e064d11cd47bd016c2d720e4f0c91390461b8949d968bf59b7fa143906681"
LogHeaders false
LogHandlers false
LogAliases false
VDirHeader false

Include conf.modules.d/*.conf
Include /etc/httpd/conf/vhosts/site1
Include /etc/httpd/conf/vhosts/site2
Include /etc/httpd/conf/vhosts/site3
Include /etc/httpd/conf/vhosts/preview


#4

if it is truly a centos rpm, then mod proxy is part of the httpd compile since centos 4

run a
httpd -M 2>&1 | grep proxy

You should get something like

proxy_module (shared)
proxy_ajp_module (shared)
proxy_balancer_module (shared)
proxy_connect_module (shared)
proxy_express_module (shared)
proxy_fcgi_module (shared)
proxy_fdpass_module (shared)
proxy_ftp_module (shared)
proxy_http_module (shared)
proxy_scgi_module (shared)
proxy_wstunnel_module (shared)

I would then go check the /etc/httpd/conf.modules.d/00-proxy.conf

you should have

# This file configures all the proxy modules:

LoadModule proxy_module modules/mod_proxy.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so

if you do not, then i would back up your httpd.conf file to /root then do a reinstall of httpd.

yum reinstall httpd httpd-devel


#5

Everything is just as you listed.


#6

make sure the permissions on the directory /var/www/html are in the same group as you are running lucee.

try a

chown -R apache.apache /var/www/html

additionally, check to see what SELINUX is set to
run
sestatus

if it comes back as enforcing, disable it temporarily with
setenforce 0


#7

I’m running lucee as tomcat, could that be the problem? otherwise, group is tomcat and selinux is disabled.

I always ran ColdFusion as nobody without any problems. Tried that with lucee and this issue was why I switched to tomcat… however, after a week of running fine - same issue.


#8

Adobe ColdFusion is a bit more forgiving when it comes to configuration errors.

If you are running Lucee or Coldfusion via Apache, then the user and group running Lucee or Coldfusion must have read and execute permissions to the directories in question.

If you are running Lucee as a WAR, then the permissions would just be with Tomcat and the directories it is installed.

for testing, restart lucee as root and see if that clears up the issue.

i


#9

It does not. When I try to view the lucee admin on port 80 I get this error:
The requested URL /lucee/admin/server.cfm was not found on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

She’s up and running on 8888.

Completely ignoring apache.


#10

Something in your configuration is off.

Take a look at the catalina.out file.


#11

I’ve never heard of a Blueonyx 5209, but this might be an Apache “order of execution” problem. Your proxy config is correct, but it sounds like Apache is simply ignoring that config and instead using the default request handler which is to display files as plain text. Perhaps an auto-update ran or something like that which borked your previously working config.

One thing you could try is to take the proxy config and add it directly to the virtual host config for your sites. This will hopefully move your proxy config “higher up the chain” so that it might get executed before the default handler picks it up. Do you have anything surrounding your proxy config? Like an <IfModule> or something like that? That might also be preventing it from being used.

There might also be something in the apache error logs that could point you in the right direction. Worth a look anyway.

Whatever the reason, Apache is the problem in that your proxy config is being ignored, so that’s what needs to be addressed. You and Terry were on the absolute right track there, just needs more digging.

Hope this helps.
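Added example, not part of the original post and not code from Lucee or BlueOnyx: one way an `<IfModule>` wrapper can cause a proxy block to be ignored is ordering, because Apache evaluates the guard when it reads that line, so a block placed ahead of the `LoadModule` (or the `Include` that carries it) is dropped without any error. The checker below walks constructed sample config text; the function name, the sample strings and the `.so` to `.c` name mapping are assumptions made for the illustration.

```python
import re

def skipped_proxy_rules(main_conf, includes):
    """List ProxyPass* lines dropped because their <IfModule> guard was
    read before the module was loaded. `includes` maps an Include argument
    to the text it pulls in (assumption: the caller read those files)."""
    loaded, stack, skipped = set(), [], []

    def walk(text):
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = re.match(r"<IfModule\s+(!?)(\S+?)>", line, re.I)
            if m:  # block is active only if the test holds right now
                stack.append((m.group(2) in loaded) != bool(m.group(1)))
                continue
            if line.lower().startswith("</ifmodule"):
                stack.pop()
                continue
            parts = line.split(None, 1)
            word, rest = parts[0].lower(), parts[1] if len(parts) > 1 else ""
            active = all(stack)
            if word == "loadmodule" and active:
                ident, path = rest.split()
                loaded.add(ident)  # identifier form, e.g. proxy_module
                # conventional source name, e.g. mod_proxy.so -> mod_proxy.c
                loaded.add(re.sub(r"\.so$", ".c", path.rsplit("/", 1)[-1]))
            elif word in ("include", "includeoptional") and active:
                walk(includes.get(rest, ""))
            elif word.startswith("proxypass") and not active:
                skipped.append(line)

    walk(main_conf)
    return skipped

# Constructed sample files, not the poster's real configuration.
MODULES = "LoadModule proxy_module modules/mod_proxy.so\n"
PROXY_BLOCK = r"""<IfModule mod_proxy.c>
    ProxyPreserveHost On
    ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1$2
    ProxyPassReverse / http://127.0.0.1:8888/
</IfModule>
"""
INCLUDE = "Include conf.modules.d/*.conf\n"
INCLUDED = {"conf.modules.d/*.conf": MODULES}
BROKEN = PROXY_BLOCK + INCLUDE   # guard is read before mod_proxy loads
FIXED = INCLUDE + PROXY_BLOCK    # modules load first, so the block applies
```

When the skipped list is non-empty, `.cfm` requests fall through to Apache's default file handling while Tomcat keeps answering on 8888, which is the exposure described at the top of the thread.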


#12

Jordan,

Thanks for the suggestion, when i get time I’ll try moving the proxy config.

Other things came up that have kept me from working on this, but, I do need to get it working if possible.


#13

Still trying to solve this problem. Nothing in Apache error logs, there is this error in the lucee exceptions.log:

“ERROR”,“http-nio-8888-exec-8”,“08/05/2017”,“21:30:02”,"",";class redefinition failed: attempted to change superclass or interfaces;lucee.runtime.exp.NativeException: class redefinition failed: attempted to change superclass or interfaces


#14

What user do you have Apache and lucee running as?

for simplicity i usually keep them in the same username and group.

This is what I have for a lucee box running 7.x

<IfModule mod_proxy.c>
        ProxyPreserveHost On
        ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1$2
        ProxyPassMatch ^/(.+\.cfchart)(/.*)?$ http://127.0.0.1:8888/$1$2
        ProxyPassMatch ^/(.+\.cfml)(/.*)?$ http://127.0.0.1:8888/$1$2
        # optional mappings
        #ProxyPassMatch ^/flex2gateway/(.*)$ http://127.0.0.1:8888/flex2gateway/$1
        #ProxyPassMatch ^/messagebroker/(.*)$ http://127.0.0.1:8888/messagebroker/$1
        #ProxyPassMatch ^/flashservices/gateway(.*)$ http://127.0.0.1:8888/flashservices/gateway$1
        #ProxyPassMatch ^/openamf/gateway/(.*)$ http://127.0.0.1:8888/openamf/gateway/$1
        #ProxyPassMatch ^/rest/(.*)$ http://127.0.0.1:8888/rest/$1
        ProxyPassReverse / http://127.0.0.1:8888/
</IfModule>

#15

apache is running as apache.
I’ve tried both ‘nobody’ and ‘tomcat’ for lucee. nobody worked for about a week. tomcat for almost a month. Both stopped serving on 80 for no apparent reason (why is what I’m trying to figure out). My apache conf never changed. I seriously doubt it is an apache issue.


#16

So, I re-read this thread and I’m not sure where I got the notion earlier that Apache was returning content in plain text. I am sorry for my misdiagnosis there.

Your 403 errors may be related to this:
http://utdream.org/post.cfm/apache-2-4-403-forbidden-ah01630-client-denied-by-server-configuration

If that’s not it, then I’m on board with what Terry was alluding to earlier, that this is a permission issue with the Tomcat user. The user that you’re running Tomcat as needs read access to your CFM templates, and write access to the “WEB-INF” directory.

After assigning permissions, you can ‘su’ to a user account (assuming it has a shell) and see if you can navigate to the web site directory as that user in order to be sure that user can read and access those files. System users don’t typically have shells though, so it’d be a good idea to remove the shell once you’re done testing it for security reasons.

Hope this helps!


#17

Jordan,

Thanks for the reply. If I hit the pages on port 8888 they display fine and CF works as it should. If it was a permissions problem wouldn’t it not work on any port?

It may well be permissions related in that tomcat isn’t serving through apache… for some reason tomcat can’t use the mod_proxy and I don’t know enough about tomcat to even know where to look. The error I posted above shows up in both the lucee application and error logs. Also lucee cAny help on what it means is much appreciated.


#18

Hi Jim,

Yep. If you can hit it on port 8888 and have everything working as it should then it’s not an issue with Tomcat. Good call.

mod_proxy actually has nothing at all to do with Tomcat directly. It just means Apache will pull the site through port 8888 in the same way your browser does when you hit port 8888 directly. (See how your mod_proxy config points to port 8888 too?) If it’s the mod_proxy part that’s not working, then you know the problem is with Apache.

I checked up on the BlueOnyx thing, and it looks like a hosting control panel of sorts. I’m surprised I’ve not heard of it until now. (http://www.blueonyx.it/) I’ve worked with several control-panels in my time, and many of them require specific kinds of configurations in order for custom configs like those used with Lucee to stay permanent. For example, cPanel requires Apache configs in a config file that’s unique to each user. Without that unique config, your Apache configs will get overwritten each time a new patch comes along. Could something like that be the reason your specific users only work for a short period of time?

Maybe try something other than BlueOnyx (I like VirtualMin - also free and OSS) and see if that clears up the majority of your issues?


#19

Centos runs Apache as user “apache” in group “apache”.

If Apache doesn’t have permissions to access the lucee application, then you will get an error.

Try either adding your tomcat user for Lucee to the apache group, or running tomcat as the same user as apache is running. Restart the services.


#20

Terry, Jordan,

BlueOnyx has its own java and tomcat server. I left the BO tomcat disabled and it initially worked… but, I’m beginning to wonder if maybe there could be some kind of conflict with the two versions? (shouldn’t be ports - BO tomcat isn’t running)

Would it be possible to configure lucee to use the BO Java and tomcat? And if so, where do I start?