HTTPD proxypass ssl to http

Question

Essentially I am having httpd reroute http requests to a certain location subdomain.domain.com/folder to Tomcat (http://localhost:8080/app/). This works fine using the ProxyPass and ProxyPassReverse functionality. When doing this with https however, my Tomcat instance is complaining that it does not know how to deal with the secure connection. Basically I am trying to have requests that come in on https://subdomain.domain.com/folder to be decrypted by apache and then sent over to http://localhost:8080/app/ . The relevant virtual host I have set up is this:

I hope that is clear. If you need more clarification, I can provide it.

<VirtualHost *:443>

        #  General setup for the virtual host                                                                                                                                                  
        DocumentRoot "/srv/www/docroot/"
        ServerName subdomain.domain.com
        #ServerAdmin webmaster@example.com                                                                                                                                                     
        ErrorLog /var/log/apache2/mydomain-ssl-error_log
        TransferLog /var/log/apache2/mydomain-ssl-access_log

        #   SSL Engine Switch:                                                                                                                                                                 
        #   Enable/Disable SSL for this virtual host.                                                                                                                                          
        SSLEngine on

    SSLCertificateFile /etc/apache2/certs/my-cert.crt
        SSLCertificateKeyFile /etc/apache2/certs/my-key.key
        SSLCertificateChainFile /etc/apache2/certs/DigiCertCA.crt

    #   Turn on proxy engine so urls can be forwarded                                                                                                                                      
        SSLProxyEngine on

    #   URLs to forward                                                                                                                                                                    
        <Location /folder>
          ProxyPass http://localhost:8080/app/
          ProxyPassReverse http://localhost:8080/app/
        </Location>

    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:                                                                                                                         
        SSLProtocol all -SSLv2 -SSLv3\

Tomcat config:

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreFile="/usr/share/apache-tomcat-7.0.27/.keystore" keystorePass="Kurusawa701"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

score 1 · Accepted Answer · edited Apr 13 '17 at 12:14

1

You don't provide the error message or a description of the Connection setup on the Tomcat side, so I'm guessing here:

Tomcat may think (incorrectly) it is providing the security. Reconfigure as described here.
EDIT: OP does not want Tomcat doing SSL, so this option deprecated...balancer approach
Leverage AJP instead: Apache page

Personally, I use AJP with Tomcat because it works better for my brain, or maybe I just have trouble with Java setups.

edited Apr 13 '17 at 12:14

Community

1

answered Jul 23 '12 at 19:37

khoxsey

725
4
9

Sorry if it was not clear. I do not want Tomcat to deal with any encryption. I want apache to send the unencrypted message to Tomcat and then encrypt it on the way back to the client. Is this not possible with mod_proxy? – thatidiotguy Jul 23 '12 at 20:07
Not wanting Tomcat doing SSL is clear. The specific error message, and your Tomcat config, are not specified. – khoxsey Jul 23 '12 at 20:11
Is that enough? Or do you need engine or another directive? – thatidiotguy Jul 23 '12 at 20:35
That is enough information to show that you are configured with `secure="true"`, so Tomcat thinks it is handling SSL. Try reconfiguring Tomcat's `server.xml` as described in the first link I provided. – khoxsey Jul 23 '12 at 20:39

score 0 · Answer 2 · answered Aug 01 '12 at 00:52

Get rid of the 2nd Tomcat connector on port 8443 altogether. Change the redirectPort in the other one to 443. Get rid of the SSLProxyEngine directive, or turn it off. At present you are (a) able to receive HTTPS in Tomcat, which you don't want, and (b) sending HTTPS from Apache, because of the SSLProxyEngine, which you also don't want.

You will have great trouble redirecting /folder to /app, because the Tomcat web apps will generate internal self-referencing URLs starting with /app. There are various solutions such as ProxyPassReverse and mod_proxy_http, but in my opinion the cure is worse than the disease. Make them the same, e.g. /app /app, then you can get rid of ProxyPassReverse as well. Try to make your Apache completely transparent in terms of URLs, which may mean adjusting the names of the Tomcat web apps.

HTTPD proxypass ssl to http

2 Answers2