Posted to users@httpd.apache.org by Andy Ee <an...@sysatwork.com> on 2009/08/28 09:16:04 UTC
[users@httpd] Apache 2.2.11 with Reverse Proxy(HTTPS not consistent)
Dear All,
I have a web-server installed with Apache 2.2.11 (with reverse proxy
enabled) and a back-end server that is running Tomcat and hosting some JSP
web applications.
The external users are supposed to communicate with the JSP web applications
in HTTPS via the Apache reverse proxy, which establishes an HTTP session to
Tomcat.
The flow is as below:
External users --> HTTPS --> Apache Reverse proxy --> HTTP --> Tomcat (jsp web apps)
My IE browser is able to establish an HTTPS session to the web application
without a problem. There is a username/password authentication form and I am
able to log in as well. Here's the problem. Whenever I log in, the
HTTPS session breaks and becomes HTTP. I can still browse around the site
and do functions on the HTTP session.
Is there anybody who experiences this as well? How do I keep the HTTPS going
and consistent?
I have checked the processes of the authentication and logging in, where the
web application will parse an action-servlet.xml file to determine the
redirection URL. Is there any issue with reverse proxy doing rewrites on XML
files?
Thank you.
Here is my SSL + Reverse Proxy config for Apache2:
# =================================================
# SSL/TLS settings
# =================================================
NameVirtualHost 192.168.0.20:443
Listen 443
SSLProtocol -all +TLSv1 +SSLv3
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shmcb:/usr/local/apache2/logs/ssl_scache(512000)
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600
SSLPassPhraseDialog builtin
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLCryptoDevice pkcs11
SSLOptions +StrictRequire
# ================================================
# HOSTED SITES
# ================================================
<VirtualHost 192.168.0.20:443>
ServerAdmin admin@test.com
DocumentRoot /www/
ServerName abc.test.com
ServerAlias abc.test.com
Userdir disabled
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /usr/local/apache2/conf/certs/abc.test.com.crt
SSLCertificateKeyFile /usr/local/apache2/conf/certs/abc.test.com.pem
ProxyHTMLLogVerbose On
LogLevel Debug
ProxyRequests Off
ProxyPreserveHost On
ProxyHTMLExtended On
RewriteEngine on
RewriteRule ^/sg/test/project$ $1/sg/test/project/ [R]
ProxyPass /sg/test/project/ http://192.168.1.60:8080/sg/test/project/
ProxyHTMLURLmap http://192.168.1.60:8080/sg/test/project/ /sg/test/project/
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
<Location /sg/test/project/>
ProxyPassReverse /
AddOutputFilter xmlns .xhtml
Include /usr/local/apache2/conf/proxy_html.conf
SetOutputFilter proxy-html
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
RequestHeader unset Accept-Encoding
</Location>
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
ErrorLog logs/sg_test-error_log
CustomLog logs/sg_test-access_log combined
</VirtualHost>
Best Regards,
Andy Ee
Re: [users@httpd] Apache 2.2.11 with Reverse Proxy(HTTPS not consistent)
Posted by Krist van Besien <kr...@gmail.com>.
On Fri, Aug 28, 2009 at 9:16 AM, Andy Ee<an...@sysatwork.com> wrote:
> My IE browser is able to establish an HTTPS session to the web application
> without a problem. There is a username/password authentication form and I am
> able to log in as well. Here's the problem. Whenever I log in, the
> HTTPS session breaks and becomes HTTP. I can still browse around the site
> and do functions on the HTTP session.
This is probably caused by your Tomcat application. Many web
applications send a "redirect" after a user logs in, and if the
application doesn't know it has to send an https redirect it will send
an http redirect.
There are several things you can do:
1) Configure your Tomcat application so that it sends https redirects
back. Often an application has a parameter with something like "base
url" or something like that. This should be set to the external url.
This is the best solution.
2) Use a ProxyPassReverse statement to rewrite redirects as they come
from the Tomcat server and are passed on to your users.
3) Use a rewrite rule to redirect incoming http requests to https.
1) is the best, 2) is also ok. 3) is a kludge.
A good way to debug problems like that is to use a proper browser like
Firefox, together with Firefox extensions like Firebug and
LiveHTTPHeaders.
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
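
Options 2 and 3 from the reply above, written out as an added example against the posted configuration (not part of the original thread). The backend address, path and hostname are taken from the poster's config; the port-80 virtual host is an assumption.

```apache
# Added example, not from the thread.

# Option 2: rewrite the Location header of redirects coming from Tomcat.
# The posted "ProxyPassReverse /" inside <Location> does not match an
# absolute http://... Location header, so the login redirect reaches
# the browser unchanged and the session drops to plain HTTP.
<Location /sg/test/project/>
    # Redirects that name the backend address directly
    ProxyPassReverse http://192.168.1.60:8080/sg/test/project/
    # With ProxyPreserveHost On, Tomcat sees "Host: abc.test.com" and
    # builds redirects from that name with its own scheme (http)
    ProxyPassReverse http://abc.test.com/sg/test/project/
</Location>

# Option 3: send any plain-HTTP request back to HTTPS.
# Assumption: a port-80 virtual host for the same name (needs Listen 80).
# The first request still crosses the network unencrypted, which is why
# the reply ranks this below options 1 and 2.
<VirtualHost 192.168.0.20:80>
    ServerName abc.test.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://abc.test.com/$1 [R=301,L]
</VirtualHost>
```

After reloading, log in again and check the Location header of the post-login response: it should start with https://abc.test.com/.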