Posted to users@tomcat.apache.org by attacus <at...@trtk.ru> on 2009/06/15 22:42:02 UTC

Apache mod_jk HTTPS problem

Recently I registered the domain for my application IP. Now I use Apache and
mod_jk as a front end for JBoss 4.2.2. I can access my application in three
ways: through localhost, IP and domain name. With HTTP everything works fine,
but requests for HTTPS pages are successful only if I use localhost or IP.
The domain name doesn't work. With the domain name, Apache searches for
static content instead of my dynamic JBoss-Tomcat-produced page, and finally
returns error 404. Please help me if you have any ideas where to dig.

 


RE: [OT] Apache mod_jk HTTPS problem

Posted by attacus <at...@trtk.ru>.
Thank you, Chris.
Customizing ServerName solved the problem.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, June 17, 2009 11:27 PM
To: Tomcat Users List
Subject: Re: [OT] Apache mod_jk HTTPS problem



Re: [OT] Apache mod_jk HTTPS problem

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Attacus,

On 6/16/2009 4:04 PM, attacus wrote:
> NameVirtualHost *:443

This ain't gonna work: SSL negotiation occurs /before/ the HTTP headers
are sent, meaning that the VirtualHost has already been chosen before
the "Server" header can be inspected. This will probably work with a
single VirtualHost on port 443, but it's not going to work if you add
others. Apache httpd will probably just choose the first one defined or
something.

> <VirtualHost *:443>
>         ServerName *:443

This is not correct, either. If you're using name-based VirtualHosts,
you need to bind a name to the VirtualHost: something like
"www.myserver.com". Again, see the note above about NameVirtualHost not
working for HTTPS.

>         ErrorLog "C:/tools/Apache2.2/logs/secure-channel-error.log" 

This would be a good place to look for startup errors or warnings.

>         JkMountFile conf/uriworkermap.properties

Is this the same JkMountFile you use for your (working) non-SSL VirtualHost?

>         SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Note that this is an overly-complicated Ciphers line... you're using ALL
and then customizing it by adding other ciphers. It's the equivalent of:

SSLCipherSuite ALL:-ADH
or even
SSLCipherSuite ALL:!ADH

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
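
Added example (not part of any message in this thread, and not code from Apache httpd or mod_jk): a small Python check for the points raised in the review above, namely a ServerName that is not a hostname, several SSL vhosts on one address, and weak cipher classes left in SSLCipherSuite. The function name, the WEAK_CLASSES list, the replacement cipher string and www.example.com are assumptions of this example.

```python
import re

# Assumption of this example: cipher classes a reviewer wants excluded outright.
WEAK_CLASSES = {"SSLv2", "EXP", "eNULL", "aNULL", "ADH", "LOW"}

def lint_ssl_vhosts(conf):
    """Return findings for the SSL-enabled <VirtualHost> blocks in httpd config text."""
    findings, per_addr = [], {}
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                                 conf, re.S | re.I):
        d = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                d[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
        if d.get("sslengine", "").lower() != "on":
            continue
        per_addr[addr] = per_addr.get(addr, 0) + 1
        name = d.get("servername", "")
        if not name or "*" in name:
            findings.append(f"{addr}: ServerName {name!r} is not a hostname")
        for tok in re.split(r"[:,\s]+", d.get("sslciphersuite", "")):
            # '!' and '-' remove suites; a bare or '+' token keeps them in the list
            if tok and tok[0] not in "!-" and tok.lstrip("+") in WEAK_CLASSES:
                findings.append(f"{addr}: SSLCipherSuite names {tok.lstrip('+')} without '!'")
    for addr, count in per_addr.items():
        if count > 1:
            findings.append(f"{addr}: {count} SSL vhosts share one address; "
                            "picking between them by name needs SNI")
    return findings

# Constructed input: the block posted in this thread, trimmed to the relevant lines.
POSTED = """
<VirtualHost *:443>
        ServerName *:443
        JkMountFile conf/uriworkermap.properties
        SSLEngine On
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
"""
# Constructed input: www.example.com and the cipher string are placeholders.
REVISED = POSTED.replace("ServerName *:443", "ServerName www.example.com").replace(
    "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL", "HIGH:!aNULL:!eNULL:!SSLv2:!EXP:!LOW")

if __name__ == "__main__":
    for finding in lint_ssl_vhosts(POSTED):
        print(finding)
```

The cipher check is a textual heuristic on the directive value; it does not expand the string the way OpenSSL does.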


RE: [OT] Apache mod_jk HTTPS problem

Posted by attacus <at...@trtk.ru>.
Christopher, you are right.
I feel like something is wrong here. I am not experienced in Apache
configuration. So please do not kick me hard. :)

#
# Use name-based virtual hosting.
#
NameVirtualHost *:443

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#

<VirtualHost *:443>
        ServerName *:443
        ErrorLog "C:/tools/Apache2.2/logs/secure-channel-error.log" 

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog "C:/tools/Apache2.2/logs/secure-channel-access-error.log" combined
        ServerSignature On

        JkMountFile conf/uriworkermap.properties

        SSLEngine On
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile "C:/tools/Apache2.2/conf/server.crt"
        SSLCertificateKeyFile "C:/tools/Apache2.2/conf/server.key"
        SSLCertificateChainFile "C:/tools/Apache2.2/conf/server.crt"

        SSLOptions -StdEnvVars +ExportCertData

</VirtualHost>

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Tuesday, June 16, 2009 7:07 PM
To: Tomcat Users List
Subject: Re: [OT] Apache mod_jk HTTPS problem



Re: [OT] Apache mod_jk HTTPS problem

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Attacus,

On 6/15/2009 4:42 PM, attacus wrote:
> In case with domain name Apache searches static content instead of my
> dynamic JBoss-Tomcat-produced page, and finally returns error 404.
> Please help me if you have any ideas where to dig.

Sounds like you don't have your httpd VirtualHost correct for handling
SSL. Feel free to post your VirtualHost configuration so we can take a look.

-chris