Apache Proxy to Tomcat

I am using Apache Tomcat 8.5.4 with JasperReports Server 6.3.0. When I access the server using http://localhost:8080/jasperserver everything works great.

In my httpd.conf file for Apache 2.4, I have

<VirtualHost *:80>
  ProxyPass        /jasperserver http://localhost:8080/jasperserver
  ProxyPassReverse /jasperserver http://localhost:8080/jasperserver
</VirtualHost>

I also have some other webapps on the Tomcat server, and the proxy for them works perfectly.

When I go to http://localhost/jasperserver (without the port), the login page displays without problem. However, as soon as I log in, everything goes crazy. It appears that the browser will try to reload the page indefinitely. The url switches back and forth between /jasperserver and /jasperserver/whatever_page_it_is_supposed_to_load.

Anyone have any explanation for this behavior or have any ideas on how to fix it?

EDIT:

It appears from the logs that this has to do with the cross-site request forgery (CSRF) prevention, but I'm still not sure how to solve it.

ict-programmer

3 Answers:

To some degree, this can be solved by simply adding ProxyPreserveHost On to the VirtualHost like

<VirtualHost *:80>
  ProxyPreserveHost On
  ProxyPass        /jasperserver http://localhost:8080/jasperserver
  ProxyPassReverse /jasperserver http://localhost:8080/jasperserver
</VirtualHost>

I say "to some degree" because although everything behaves correctly from the user's perspective, I am still seeing an error in the logs with:

[SECURITY FAILURE context=Unknown_context, key=image, type(AlphaNumUnderscore)=^[\p{L}\p{M}\p{N}\p{Pc}]*$, input=img_0_0_24.png, maxLength=100, isBlackList=false]

I'm not sure what that is about, but at least it seems to display correctly.

EDIT:

My next step was to use SSL for Apache so that the VirtualHost is *:443. When using the same proxy settings, I now get an infinite loop again. Help!

EDIT 2:

The issue is apparently caused by CSRFGuard where the request is coming from https://domain.com/jasperserver but after the proxy it is http://domain.com/jasperserver. For now, in /WEB-INF/csrf/jrs.csrfguard.properties, I just set "org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = false" and that fixes the problem. However, I don't know that that is the best long term solution, so I am certainly open to more suggestions. There is probably something with how the request is forwarded that would fix this.

ict-programmer

I'm hoping you find the solution, because I'm seeing the same thing.
 
My HTTPS site is on port 443 on the same hostname as JasperReports Server on port 8080.
 
Here's my config:
 
RedirectMatch permanent ^/jasperserver(/.*)?$ https://example.com/path/to/jasper$1
 
<Location "/path/to/jasper">
  ProxyPassReverseCookiePath /jasperserver /path/to/jasper
</Location>
 
I needed RedirectMatch and ProxyPassReverseCookiePath because my reverse proxy is on a different path from the Tomcat app.

sbw

I had a similar issue.

The page was infinitely reloading on every post request.

And logs were telling me 

potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:1**.***.***.143, method:POST, uri:/jrs/flow.html, error:required token is missing from the request)

Found out that CSRF token was missing.

The proxy server didn't allow underscores in csrf tokens.

I am using Nginx and have to set it to

underscores_in_headers on;

Hopefully it will help you

Shownofear1
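
An added example, not part of any post above and not JasperReports Server or CSRFGuard code: a small Python model of the two failures the answers describe, namely the URL the proxied app rebuilds behind Apache compared with the browser's Referer, and a proxy that drops header names containing underscores. The comparison on scheme, host and port, the `trust_forwarded_proto` switch and the header name `EXAMPLE_CSRF_TOKEN` are assumptions of this model.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS[p.scheme])

def backend_request_url(browser_url, backend="http://localhost:8080",
                        preserve_host=False, trust_forwarded_proto=False):
    """URL the proxied app rebuilds for a request the browser sent to browser_url."""
    b, t = urlsplit(browser_url), urlsplit(backend)
    # Without ProxyPreserveHost the backend's own host:port arrives as Host.
    host = b.netloc if preserve_host else t.netloc
    # The proxy-to-Tomcat hop is plain HTTP; the original scheme is only seen
    # if the backend trusts a forwarded-scheme header (assumption of this model).
    scheme = b.scheme if trust_forwarded_proto else t.scheme
    return f"{scheme}://{host}{b.path}"

def referer_mismatch(referer, request_url):
    """Origin components on which the Referer and the rebuilt URL disagree."""
    pairs = zip(("scheme", "host", "port"), origin(referer), origin(request_url))
    return [name for name, a, b in pairs if a != b]

def forwarded_headers(headers, underscores_in_headers=False):
    """Headers that survive a proxy that ignores names containing '_'."""
    return {k: v for k, v in headers.items()
            if underscores_in_headers or "_" not in k}

if __name__ == "__main__":
    referer = "https://domain.com/jasperserver/login.html"  # sent by the browser
    post = "https://domain.com/jasperserver/flow.html"      # constructed request
    for opts in ({}, {"preserve_host": True},
                 {"preserve_host": True, "trust_forwarded_proto": True}):
        seen = backend_request_url(post, **opts)
        print(opts, seen, referer_mismatch(referer, seen))
    # Constructed headers; the token header name is a placeholder.
    sample = {"Cookie": "JSESSIONID=constructed", "EXAMPLE_CSRF_TOKEN": "constructed"}
    print(sorted(forwarded_headers(sample)))
    print(sorted(forwarded_headers(sample, underscores_in_headers=True)))
```

An empty mismatch list is the state in which a referer-domain check can stay enabled; any remaining entry names the component the proxy configuration still rewrites.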