This repository has been archived by the owner on Sep 1, 2022. It is now read-only.

how to tell tomcat to use web proxy? #267

Closed
JohnLCaron opened this issue Oct 30, 2015 · 5 comments

Comments

@JohnLCaron
Collaborator

Date: Fri, 2 Oct 2015 14:59:00 +0100
From: Alan Iwi [email protected] (ESGF)

Appears to be actually a tomcat problem? but maybe we can help him out anyway?

We do have this page:

http://www.unidata.ucar.edu/software/thredds/v5.0/tds/reference/TomcatBehindProxyServer.html

from Jenn, a long time ago.

ESGF was using TDS 4.3, not sure what version of Tomcat. Upon upgrading to Tomcat 8, the proxy thing stopped working.

From Alan:

Do any of you have a setup where you are compelled to make outgoing http
connections via a proxy (that must be configured explicitly in clients
rather than with transparent redirect in your firewall)?

I am having difficulty in telling tomcat to use our site proxy. It needs
to do this when talking to the attribute service at PCMDI for CMIP5 data,
and despite my attempts to configure the proxy, it is trying to talk
directly (and inevitably failing).

I set the following environment variables (via /etc/esg.env):

<<<<<
http_proxy=http://wwwcache.rl.ac.uk:8080/
https_proxy=http://wwwcache.rl.ac.uk:8080/
no_proxy=127.0.0.1,ceda.ac.uk,rl.ac.uk,localhost
JAVA_OPTS="-Dhttp.proxyHost=wwwcache.rl.ac.uk -Dhttp.proxyPort=8080
-Dhttps.proxyHost=wwwcache.rl.ac.uk -Dhttps.proxyPort=8080
-Dhttp.nonProxyHosts=127.0.0.1|localhost|rl.ac.uk|ceda.ac.uk"

The JAVA_OPTS is based on various online references - search e.g. for
"java -Dhttp.proxyPort" to see the sort of stuff I found.

On client request to download a data file, following openid
authentication, I end up with a process trying to talk to PCMDI but failing
because outgoing ports 80 and 443 not via the proxy are blocked at our
site-wide outgoing firewall:

Here is the connection status (from 'lsof'):

<<<<<
jsvc 27172 tomcat 97r IPv4 4822177
0t0 TCP 130.246.142.220:60254->198.128.245.159:443 (SYN_SENT)

Here 130... is our server, 198... is pcmdi9.llnl.gov, and SYN_SENT means
that it has initiated the handshake procedure for setting up a TCP
connection but has yet to see any reply.

Eventually and unsurprisingly:

<<<<<
[INFO] org.apache.commons.httpclient.HttpMethodDirector: I/O exception
(java.net.ConnectException) caught when processing request: Connection
timed out

Here is the command line for the process (from 'ps'), confirming that the
flags in JAVA_OPTS indeed materialise on the command line.

<<<<<
jsvc.exec -Djava.awt.headless=true
-Dcom.sun.enterprise.server.ss.ASQuickStartup=false
-Dcatalina.home=/usr/local/tomcat -Dtds.content.root.path=/esg/content
-Djava.util.prefs.userRoot=/esg/content/thredds/javaUtilPrefs -pidfile
/var/run/tomcat-jsvc.pid -cp
/usr/local/apache-tomcat-8.0.26/bin/bootstrap.jar:/usr/local/apache-tomcat-8.0.26/bin/tomcat-juli.jar:/usr/local/apache-tomcat-8.0.26/bin/commons-daemon.jar
-outfile /usr/local/tomcat/logs/catalina.out -errfile
/usr/local/tomcat/logs/catalina.err -user tomcat -Xmx2048m -server
-Xms1024m -XX:MaxPermSize=512m -Dhttp.proxyHost=wwwcache.rl.ac.uk
-Dhttp.proxyPort=8080 -Dhttps.proxyHost=wwwcache.rl.ac.uk
-Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts=127.0.0.1|localhost|rl.ac.uk|
ceda.ac.uk -Dsun.security.ssl.allowUnsafeRenegotiation=false
org.apache.catalina.startup.Bootstrap

and looking at the process environment ('e' flag on 'ps') confirms that
the variables set above (including http_proxy etc) are all still present.

I am pretty sure I didn't previously have to do any more than what I have
already done here.

What have I missed please?

Thanks,
Alan

@cofinoa
Contributor

cofinoa commented Oct 30, 2015

Jenn's web page refers to a reverse proxy.

But Alan's problem is an HTTP proxy configuration to access the internet, which requires a web client to configure a proxy server to access the internet.

I guess that Alan's problem relates to the fact that the application is using a different Java HTTP library than the java.net one, which is the one the instructions correspond to.

Antonio

@JohnLCaron
Collaborator Author

looks like not in TDS

@DennisHeimbigner
Copy link
Contributor

It appears that starting with some version of apache httpclient 4.x,
apache httpclient library will ignore the proxy -D flags unless you tell it otherwise
(see http://stackoverflow.com/questions/30630330/what-java-properties-to-pass-to-a-java-app-to-authenticate-with-a-http-proxy near the bottom).
So, try adding this flag: -Djava.net.useSystemProxies=true
and see if that helps.
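
A diagnostic sketch for the point raised in the comments above, added here and not part of the original thread or of the TDS code: it asks the JVM's default `java.net.ProxySelector` which proxy `java.net` would pick under the `-D` flags quoted in the issue. The class name `ProxyCheck` and the host `example.ceda.ac.uk` are assumptions made for illustration.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

public class ProxyCheck {
    // Set a system property only when it was not already passed as a -D flag.
    static void setIfAbsent(String key, String value) {
        if (System.getProperty(key) == null) {
            System.setProperty(key, value);
        }
    }

    // Ask the JVM-wide selector what java.net would use for this URL.
    static String proxyFor(String url) {
        List<Proxy> proxies = ProxySelector.getDefault().select(URI.create(url));
        Proxy first = proxies.get(0); // the returned list is never empty by contract
        if (first.type() == Proxy.Type.DIRECT) {
            return "DIRECT";
        }
        InetSocketAddress addr = (InetSocketAddress) first.address();
        return first.type() + " " + addr.getHostString() + ":" + addr.getPort();
    }

    public static void main(String[] args) {
        // Values copied from the JAVA_OPTS quoted in the issue.
        setIfAbsent("http.proxyHost", "wwwcache.rl.ac.uk");
        setIfAbsent("http.proxyPort", "8080");
        setIfAbsent("https.proxyHost", "wwwcache.rl.ac.uk");
        setIfAbsent("https.proxyPort", "8080");
        setIfAbsent("http.nonProxyHosts", "127.0.0.1|localhost|rl.ac.uk|ceda.ac.uk");

        String[] urls = {
            "https://pcmdi9.llnl.gov/",      // remote host named in the issue
            "http://localhost:8080/thredds", // listed in nonProxyHosts
            "http://example.ceda.ac.uk/"     // constructed host: tests how a bare domain entry matches
        };
        for (String url : urls) {
            System.out.println(url + " -> " + proxyFor(url));
        }
    }
}
```

Run it with the same JAVA_OPTS as the Tomcat process. If it reports the proxy for the PCMDI URL while `lsof` still shows a direct connection in SYN_SENT, the HTTP client library inside the webapp is not consulting the JVM proxy settings.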

@DennisHeimbigner
Contributor

I have not heard back; did the suggested fix work?

@DennisHeimbigner
Contributor

Since there is no response, I am closing this issue.
