Error setting apache server for SSL proxy connection

I run the application on Tomcat 7 with the Apache Portable Runtime. I bought an SSL certificate and configured it correctly: when I connect via the ip:port combination, it connects normally, but the browser warns me that the certificate is issued for a domain name, not an IP.

There is no SELinux on the VPS where the application is installed (and there is a problem installing it), which AFAIK is required to configure SSL in Apache, so I just want to redirect requests to Tomcat, which handles SSL on its end.

I configured apache for proxy connections, first with port 80, which works fine:

    NameVirtualHost www.mysite.com:80
    <VirtualHost www.mysite.com:80>
        ProxyPreserveHost On
        ProxyRequests Off
        ServerName http://www.mysite.com
        ServerAlias http://www.mysite.com
        ProxyPass / http://localhost:8180/MYSITE/
        ProxyPassReverse / http://localhost:8180/MYSITE/
        ProxyPassReverseCookiePath /MYSITE/ /
    </VirtualHost>

And then for the SSL port, which does not want to work for whatever reason:

    NameVirtualHost www.mysite.com:443
    <VirtualHost www.mysite.com:443>
        SSLProxyEngine On
        ProxyPreserveHost On
        ProxyRequests Off
        ServerName https://www.mysite.com
        ServerAlias https://www.mysite.com
        ProxyPass / https://localhost:8443/MYSITE/
        ProxyPassReverse / https://localhost:8443/MYSITE/
        ProxyPassReverseCookiePath /MYSITE/ /
        CacheDisable *
    </VirtualHost>

EDIT: I added

    RequestHeader set Front-End-Https "On"

to the www.mysite.com:443 VirtualHost directive, according to: http://www.gossamer-threads.com/lists/apache/users/396577

Here is the Tomcat APR connector, as configured in Tomcat's server.xml:

    <Connector port="8443"
               maxHttpHeaderSize="16500"
               maxThreads="150"
               enableLookups="false"
               disableUploadTimeout="true"
               acceptCount="100"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               SSLCertificateFile="x509-cert-path"
               SSLCertificateKeyFile="key-file-path" />

There were no errors or warnings about the virtual hosts when restarting Apache. When I try https, this is what I see in Firefox:

 SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long) 

And in Chromium:

 Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error. 

Apache error.log shows this warning:

 [warn] [client 216.58.38.90] proxy: no HTTP 0.9 request (with no host line) on incoming request and preserve host set forcing hostname to be www.mysite.com for uri / 

I spent days trying to tune it, and would be very grateful if someone explained what was happening and how to fix it.

Many thanks. Victor.

1 answer

You do not need the 8443 HTTPS connector in Tomcat. Apache HTTPD should terminate the SSL connection and speak plaintext to Tomcat through ProxyPass / http://localhost:8080/MYSITE/. You just need a plaintext HTTP connector with port=8080 and address=127.0.0.1, so no outsider can reach it.

Even better, have no HTTP connectors in Tomcat at all, only an AJP connector on address=127.0.0.1, and use mod_proxy_ajp in Apache.

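Putting the answer together, as an added example that is not from the original question or answer: an Apache vhost that terminates TLS itself and proxies in clear to Tomcat on the loopback interface. The certificate paths, the 8080 backend port and the use of mod_ssl plus mod_headers are assumptions.

```apache
# Added example (not from the original post): TLS ends in Apache,
# the hop to Tomcat is plaintext HTTP on 127.0.0.1 only.
# Certificate paths and the backend port are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName www.mysite.com

    # This is what the original 443 vhost lacked. Without SSLEngine On,
    # Apache answers a TLS ClientHello with plain HTTP, which is exactly
    # the "no HTTP 0.9 request" warning in error.log and the
    # ssl_error_rx_record_too_long / ERR_SSL_PROTOCOL_ERROR in browsers.
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/www.mysite.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.mysite.com.key

    ProxyRequests Off
    ProxyPreserveHost On
    # Plaintext backend: SSLProxyEngine is not needed for an http:// target.
    ProxyPass        / http://127.0.0.1:8080/MYSITE/
    ProxyPassReverse / http://127.0.0.1:8080/MYSITE/
    ProxyPassReverseCookiePath /MYSITE/ /

    # Let the application know the client arrived over HTTPS, so it
    # builds https:// redirects and can mark session cookies Secure.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Optional: send port 80 clients to HTTPS instead of proxying in clear.
<VirtualHost *:80>
    ServerName www.mysite.com
    Redirect permanent / https://www.mysite.com/
</VirtualHost>
```

On the Tomcat side the matching server.xml connector is a plain one bound to loopback, e.g. `<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1" proxyName="www.mysite.com" proxyPort="443" scheme="https" secure="true" />`, so that Tomcat generates https://www.mysite.com URLs in its own redirects. `openssl s_client -connect www.mysite.com:443 -servername www.mysite.com` should then show a completed handshake with the purchased certificate instead of a protocol error.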

Source: https://habr.com/ru/post/1495768/
