Using Apache as proxy results in occasional 403

Hi, I’m trying to configure Apache in order to serve as a proxy for my VAADIN (version 7.3.6) application that’s deployed on a Tomcat server.

The configuration seemed to work just fine at first. I can log in and use the app. However, after a few clicks within the application, VAADIN comes up with a notification:
“UIDL could not be read from server. Check servlets mapping. Error code: 403”.

After this message appears and I try to reload the page (hitting F5 in the browser), I can’t access the webapp at all anymore, resulting in a 403 error. When I wait for a few seconds and reload the entire page again (F5), I can access the webapp again. A few clicks after a successful login result in the same situation over and over again.

When the error appears, the following lines are found in the Apache error log:

  1. (When still in the application)
    client denied by server configuration: proxy:, referrer:

  2. (After hitting F5 and the page is denied completely)
    client denied by server configuration: proxy:

The Apache configuration is as follows (the site is supposed to be served as HTTPS only):

<VirtualHost *:80>
  HostnameLookups Off
  UseCanonicalName Off

  ProxyRequests Off

  Redirect /VAADIN/
  Redirect /UIDL/
  Redirect /
</VirtualHost>

<VirtualHost _default_:443>
  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile ...
  SSLCertificateKeyFile ...

  SSLProtocol all -SSLv2
  SSLHonorCipherOrder On
  SSLCipherSuite ...
  SetEnv no-gzip

  ProxyRequests Off

  ProxyPass /VAADIN/
  ProxyPass /UIDL/
  ProxyPass /

  ProxyPreserveHost on
  ProxyPassReverseCookiePath / /

  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
</VirtualHost>


Buddy, what about using mod_jk instead?


Well, I also tried using mod_proxy_ajp…
Using AJP I get the same problem; the log file looks as follows:
client denied by server configuration: proxy:ajp://, referrer:

I had the same problem with an HTTP to HTTPS rewrite rule (occasional = many requests, for example resizing a browser window with a v-leaflet map). I had to deactivate mod-evasive (DoS/DDoS prevention):

a2dismod mod-evasive
service apache2 restart

Changing the configuration for mod-evasive could also help…
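
Added example (not part of the thread, and not mod_evasive's own code): a simplified Python model of how a per-URI limit like the one set by mod_evasive's DOSPageCount, DOSPageInterval and DOSBlockingPeriod directives can turn a burst of /UIDL/ requests into a 403 that also hits the next page reload and then clears after a quiet period. The class name, the counting details, the threshold values and the traffic are constructed assumptions.

```python
# Added example: simplified model of a mod_evasive-style per-URI hit counter
# for one client IP. Counting details and thresholds are assumptions.

class EvasiveModel:
    def __init__(self, page_count=2, page_interval=1.0, blocking_period=10.0):
        self.page_count = page_count            # DOSPageCount
        self.page_interval = page_interval      # DOSPageInterval (seconds)
        self.blocking_period = blocking_period  # DOSBlockingPeriod (seconds)
        self.hits = {}          # uri -> (time of last hit, hit count)
        self.blocked_at = None  # time of the most recent denied request

    def request(self, t, uri):
        """Return the HTTP status the client would see at time t (seconds)."""
        if self.blocked_at is not None:
            if t - self.blocked_at < self.blocking_period:
                self.blocked_at = t  # every denied request re-arms the block
                return 403
            self.blocked_at = None
        if uri not in self.hits:
            self.hits[uri] = (t, 0)
            return 200
        last, count = self.hits[uri]
        status = 200
        if t - last < self.page_interval and count >= self.page_count:
            status, self.blocked_at = 403, t  # too many hits on one URI
        elif t - last >= self.page_interval:
            count = 0                         # quiet period: count from zero
        self.hits[uri] = (t, count + 1)
        return status


def replay(model, events):
    """Feed (time, uri) pairs to the model and collect the status codes."""
    return [model.request(t, uri) for t, uri in events]


# Constructed traffic: a burst of UI requests, then two page reloads.
EVENTS = [(0.0, "/UIDL/"), (0.1, "/UIDL/"), (0.2, "/UIDL/"), (0.3, "/UIDL/"),
          (0.4, "/UIDL/"), (0.5, "/UIDL/"), (3.0, "/"), (14.0, "/")]

if __name__ == "__main__":
    print("strict: ", replay(EvasiveModel(), EVENTS))
    print("relaxed:", replay(EvasiveModel(page_count=20), EVENTS))
```

With the strict thresholds the burst is cut off, the reload at 3 s is denied as well, and the reload at 14 s succeeds; with the higher per-URI threshold every request is served.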