6 Replies Latest reply on Mar 15, 2012 11:52 PM by Udo

    Apache + SSL + XE + GlassFish

    866756
      Can anyone provide insight into how to convert all http calls from apache as proxy to https that get routed to Glassfish hosting listener?

      Here's what I'd like to set up:
      Step 1: Convert/Route all calls to subdomain.domain.com hosted on Apache to https and
      Step 2: The calls then should point to Apex on different server

      Step 2 is already accomplished along with part of step 1 (thanks to all in this forum). Here's what I had added to partly accomplish in step 1 within vhosts section

      RewriteCond %{HTTPS} off
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

      Now I am wondering how do I let apache serve SSL and then point to Apex app? I will plan to add 443 proxyport on Glassfish JVM options.

      Thanks
      Raja
        • 1. Re: Apache + SSL + XE + GlassFish
          866756
          Does anyone have ideas on how to set up an HTTPS proxy on an existing HTTP Apache proxy?
          • 2. Re: Apache + SSL + XE + GlassFish
            Udo
            Hello Raja,

            sorry for the late response. I'm actually not a GlassFish expert, so I hoped somebody else might join in. I know that this kind of setup will work on Tomcat...
            Just to be sure we're talking about the same scenario, I'll "draw" a small request path for your scenario. Please correct me if I got it wrong:
            Client ---> <HTTPS> ---> Apache/Proxy ---> <AJP> ---> GlassFish/APEX Listener ---> <JDBC> ---> DB/APEX
            So the SSL-part will just be on the frontend towards client, the AJP-part shall not be replaced by HTTPS, right?
            In that case, the reverse proxy rules should be the same as in the HTTP scenario you've already configured successfully. You'll have to modify your rewrite rules to work on https:// as well (and change the http-rule to redirect to https:// instead of proxying), and you'll have to configure your GlassFish, as you've already indicated.
            "I will plan to add 443 proxyport on Glassfish JVM options."
            Right, you'll definitely have to do that. Note that you can't have both HTTP and HTTPS proxy port in the same JVM environment. As far as I know, GlassFish doesn't support adding these directives to a certain listener (whereas Tomcat allows you to do so for each connector...). So if you intend to have the HTTP option still available, you'll probably have to do that on a separate instance.
            Additionally, you'll probably also have to define the URL scheme for your listener. This would be done by setting the JVM option
            scheme=https
            Unfortunately, I currently don't have access to my testing environment. I'd have tested this myself otherwise.
            If this doesn't work, perhaps some GlassFish-related forum might be able to provide you more help on configuring an SSL proxy in front of that container. I assume this shouldn't be an unusual scenario, so there should be people who could provide the configuration steps... I'd be interested to know the solution, so please post your results here.

            Thanks,

            Udo
            • 3. Re: Apache + SSL + XE + GlassFish
              866756
              Udo -

              Your understanding of what I am attempting to accomplish is spot on. Also I only need to support HTTPS and don't need to support both HTTP and HTTPS. You had mentioned

              "You'll have to modify your rewrite rules to work on https:// as well (and change the http-rule to redirect to https:// instead of proxying), and you'll have to configure your GlassFish, as you've already indicated."

              I am a bit unclear on how to accomplish that. I am not sure if it's just changing from http to https. Based on my limited understanding the ports are different, and I attempted to change all calls from http to https on the Apache using the directive -


              RewriteCond %{HTTPS} off
              RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

              This made all calls go from port 80 to 443; however, the proxy is not picking them up to route them to <AJP> ---> GlassFish/APEX Listener ---> <JDBC> ---> DB/APEX

              I will check once again and add the scheme=https and report back any findings.

              Thanks again
              Raja
              • 4. Re: Apache + SSL + XE + GlassFish
                Udo
                Hello Raja,
                RewriteCond %{HTTPS} off
                RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
                This is a rather generic approach. Previously you also had
                RewriteRule ^/$ http://subdomain.domain.com/apex/ [R]
                ... which led to a redirect and hence a second request that fit your other (reverse proxy) rules. I'm not sure in which order you have the rewrite rules now, but your https rewrite is not doing the redirect to the /apex/ context, so I wonder which one would actually do it and if it is effective at the point it is needed...
                Could you please post the current state of your config section? I'm not sure I actually get all changes you've made from the last thread.

                Thanks,

                Udo
                • 5. Re: Apache + SSL + XE + GlassFish
                  866756
                  Udo -

                  Here's the current virtual hosts file contents.

                  <VirtualHost *:80>
                  ServerAdmin webmaster@domain.com
                  DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/sub.domain.com/"
                  ServerName sub.domain.com

                  ServerAlias www.sub.domain.com
                  #Alias /i "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/sub.domain.com/i"

                  RewriteEngine on

                  Redirect permanent / https://sub.domain.com/
                  RewriteCond %{HTTPS} off
                  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

                  RewriteRule ^/$ http://sub.domain.com/apex/ [R]
                  RewriteRule ^/apex/$ http://50.xx.xx.xx:8080/apex/f?p=xxx:1 [P]
                  RewriteRule ^/apex/(.*)$ http://50.xx.xx.xx:8080/apex/$1 [P]

                  <Location />
                  Order allow,deny
                  Allow from all
                  </Location>

                  <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/sub.domain.com/i">

                  Order allow,deny
                  Allow from all
                            
                  </Directory>
                  ErrorLog "logs/sub.domain.com-error.log"
                  CustomLog "logs/sub.domain.com-access.log" common
                  </VirtualHost>

                  Please let me know if you suspect anything that requires edit/change.

                  Thanks again,

                  Raja
                  • 6. Re: Apache + SSL + XE + GlassFish
                    Udo
                    Hello Raja,

                    your VirtualHost is for port 80 (HTTP) only. You need a second one for your SSL environment on port 443. This will also be one of the reasons why you don't see anything happening on the reverse proxy path. I wonder who is catching up on the SSL requests at the moment?!
                    Anyway, my next shot at your scenario would look as follows:
                    -----
                    VirtualHost for HTTP-Part
                    <VirtualHost *:80>
                    ServerAdmin webmaster@domain.com
                    DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/sub.domain.com/"
                    ServerName sub.domain.com
                    
                    ServerAlias www.sub.domain.com
                    
                    RewriteEngine On
                    RewriteCond %{HTTPS} off
                    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
                    
                    ErrorLog "logs/sub.domain.com-error.log"
                    CustomLog "logs/sub.domain.com-access.log" common
                    </VirtualHost>
                    -----
                    VirtualHost for HTTPS-Part
                    <VirtualHost *:443>
                    
                    # General setup for the virtual host, inherited from global configuration
                    DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/sub.domain.com/"
                    
                    ServerName sub.domain.com:443
                    ServerAlias www.sub.domain.com
                    
                    #   SSL Engine Switch:
                    #   Enable/Disable SSL for this virtual host.
                    SSLEngine on
                    
                    #   SSL Protocol support:
                    # List the enable protocol levels with which clients will be able to
                    # connect.  Disable SSLv2 access by default:
                    SSLProtocol all -SSLv2
                    
                    #   SSL Cipher Suite:
                    # List the ciphers that the client is permitted to negotiate.
                    # See the mod_ssl documentation for a complete list.
                    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
                    
                    #   Server Certificate:
                    # Point SSLCertificateFile at a PEM encoded certificate.  If
                    # the certificate is encrypted, then you will be prompted for a
                    # pass phrase.  Note that a kill -HUP will prompt again.  A new
                    # certificate can be generated using the genkey(1) command.
                    SSLCertificateFile /path/to/your/certs/sub.domain.com.crt
                    
                    #   Server Private Key:
                    #   If the key is not combined with the certificate, use this
                    #   directive to point at the key file.  Keep in mind that if
                    #   you've both a RSA and a DSA private key you can configure
                    #   both in parallel (to also allow the use of DSA ciphers, etc.)
                    SSLCertificateKeyFile /path/to/your/keys/sub.domain.com.key
                    
                    SetEnvIf User-Agent ".*MSIE.*" \
                             nokeepalive ssl-unclean-shutdown \
                             downgrade-1.0 force-response-1.0
                    
                    RewriteEngine On
                    # Sanity: If request doesn't match domain, rewrite to domain
                    RewriteCond %{HTTP_HOST}        !^sub\.domain\.com [NC]
                    RewriteCond %{HTTP_HOST}        !^$
                    RewriteRule ^(.*)               https://sub.domain.com/$1 [R,L]
                    
                    # Redirect / to /apex
                    RewriteRule ^/$ /apex/ [R]
                    # ... and push forward
                    RewriteRule ^/apex/$ http://50.xx.xx.xx:8080/apex/f?p=xxx:1 [P]
                    RewriteRule ^/apex/(.*)$ http://50.xx.xx.xx:8080/apex/$1 [P]
                    
                    <Location />
                    Order allow,deny
                    Allow from all
                    </Location>
                    
                    <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/sub.domain.com/i">
                    
                    Order allow,deny
                    Allow from all
                    
                    </Directory>
                    # Use separate log files for the SSL virtual host; note that LogLevel
                    # is not inherited from httpd.conf.
                    LogLevel warn
                    ErrorLog "logs/sub.domain.com-ssl-error.log"
                    CustomLog "logs/sub.domain.com-ssl-access.log" common
                    </VirtualHost>
                    -----
                    Summary of JVM directives
                    http.proxyHost=sub.domain.com
                    and http.proxyPort=443
                    scheme=https
                    -----
                    Note that I included several directives that concern the SSL basic configuration for that virtual host. These might not fit to your scenario. You'll usually find more information on these and other SSL-related directives in the example configuration shipped with mod_ssl (e.g. ssl.conf or even as part of your httpd.conf). Probably you already have a virtual host configured for SSL. If so, you could start from the point where the RewriteEngine is turned on.

                    One more thing: Your HTTP Host is configured to serve both www.sub.domain.com and sub.domain.com. SSL-Certificates might only be valid for a certain domain. I assumed you have a wildcard certificate for your sub.domain.com or at least one that also covers www.sub.domain.com. If that's not the case, you should change the redirect in your VirtualHost for HTTP to redirect to the actual HTTPS domain you want to use instead of using the hostname that the request came in for. Of course, you should also modify the configuration of the VirtualHost for SSL accordingly to just serve for that single domain name.

                    I hope this helps you get your scenario working with HTTPS as well.

                    -Udo
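
A small audit for the configuration problems this thread turns on: no TLS virtual host, proxy rules left in the port-80 host, an HTTPS redirect without [R,L], and the SSLv3 that "SSLProtocol all -SSLv2" leaves enabled on Apache 2.2. This is an added example, not code from the thread; the finding names, the abbreviated sample configs and backend.example are assumptions made for illustration.

```python
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
RULE_RE = re.compile(
    r"^[ \t]*RewriteRule[ \t]+(\S+)[ \t]+(\S+)(?:[ \t]+\[([^\]]*)\])?", re.M | re.I)

def audit(conf):
    """Return sorted finding codes (names are hypothetical) for a vhost file."""
    findings, tls_vhosts = set(), 0
    for _addr, body in VHOST_RE.findall(conf):
        body = re.sub(r"^[ \t]*#.*$", "", body, flags=re.M)  # drop comment lines
        tls = re.search(r"^[ \t]*SSLEngine[ \t]+on\b", body, re.M | re.I) is not None
        tls_vhosts += tls
        for _pattern, target, raw in RULE_RE.findall(body):
            # Short flag forms only ([R], [R=301], [L], [P]); long forms not handled.
            flags = {f.split("=")[0].strip().upper() for f in raw.split(",") if f.strip()}
            if "P" in flags and not tls:
                findings.add("proxy-rule-in-plain-http-vhost")
            if not tls and target.lower().startswith("https://") and not {"R", "L"} <= flags:
                findings.add("https-redirect-missing-R-or-L")
        proto = re.search(r"^[ \t]*SSLProtocol[ \t]+(.*)$", body, re.M | re.I)
        if tls and proto:
            tokens = proto.group(1).lower().split()
            # On Apache 2.2-era builds "all" includes SSLv3 unless it is removed.
            if "all" in tokens and "-sslv3" not in tokens:
                findings.add("sslv3-left-enabled")
    if not tls_vhosts:
        findings.add("no-tls-vhost")
    return sorted(findings)

# Constructed, abbreviated samples shaped like the two configs in the thread.
BEFORE = """<VirtualHost *:80>
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
RewriteRule ^/apex/(.*)$ http://backend.example:8080/apex/$1 [P]
</VirtualHost>"""
AFTER = """<VirtualHost *:80>
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
RewriteRule ^/$ /apex/ [R]
RewriteRule ^/apex/(.*)$ http://backend.example:8080/apex/$1 [P]
</VirtualHost>"""

if __name__ == "__main__":
    print(audit(BEFORE))
    print(audit(AFTER))
```

The second sample still reports sslv3-left-enabled; adding -SSLv3 to the SSLProtocol line clears it.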