Trouble configuring apache server to proxy an SSL connection

10,796

You don't need the 8443 HTTPS connector in Tomcat. Apache HTTPD should terminate the SSL connection, and speak plaintext to Tomcat, via ProxyPass / http://localhost:8080/MYSITE/. You just need a plaintext HTTP connector with port=8080, and address=127.0.0.1 so no outsiders can get at it.

Better still, don't have any HTTP connectors in Tomcat, just an AJP connector, address=127.0.0.1 still, and use mod_proxy_ajp in Apache.
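The layout the answer describes, written out as an added example (not the answerer's own config): Apache terminates TLS on 443 and forwards plaintext to a Tomcat connector that listens only on loopback. The 443 VirtualHost in the question never turns on SSLEngine, so Apache answers that port in plain HTTP, which is exactly what Firefox reports as ssl_error_rx_record_too_long and what the "no HTTP 0.9 request" warning in error.log reflects. The certificate paths, the hostname www.mysite.com and the /MYSITE/ context path are assumptions taken from the question.

```apache
# Added example. Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
# Apache owns the certificate; Tomcat never sees a TLS handshake.
<VirtualHost *:443>
    ServerName www.mysite.com

    # This is the directive missing from the question's 443 vhost. Without it
    # Apache speaks plaintext on 443 and browsers report a too-long SSL record.
    SSLEngine On
    # Assumed paths: point these at the certificate bought for the domain.
    SSLCertificateFile    /etc/ssl/certs/www.mysite.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.mysite.com.key

    ProxyRequests Off
    ProxyPreserveHost On
    # Let the application know the client-facing hop was HTTPS so redirects
    # and secure cookies are generated correctly.
    RequestHeader set X-Forwarded-Proto "https"

    # Plaintext hop to Tomcat on loopback. Because the backend is http://,
    # SSLProxyEngine is not needed and the 8443 connector can be removed.
    ProxyPass        / http://127.0.0.1:8080/MYSITE/
    ProxyPassReverse / http://127.0.0.1:8080/MYSITE/
    ProxyPassReverseCookiePath /MYSITE/ /
</VirtualHost>
```

On the Tomcat side the matching server.xml entry is a plain connector such as `<Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1" proxyName="www.mysite.com" proxyPort="443" scheme="https" secure="true" />`, where `address="127.0.0.1"` keeps the unencrypted port off the network and the proxy attributes make Tomcat build absolute URLs as https on 443.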


Author by vivri

Updated on June 04, 2022

Comments

  • vivri, almost 2 years

    I'm running an application on Tomcat7 with Apache Portable Runtime, I bought an SSL certificate and configured it correctly - when I try to connect through the ip:port combination, it connects fine but warns me the certificate is issued to the domain name, not the IP.

    The VPS I'm on doesn't have SELinux (and there's an issue installing), which is AFAIK required to have SSL be configured in apache, so I want to just route the requests to Tomcat, which does it on its end.

    I configured apache to proxy the connections, first with port 80 that works perfectly:

    NameVirtualHost www.mysite.com:80
    <VirtualHost www.mysite.com:80>
    ProxyPreserveHost On
    ProxyRequests Off
    ServerName http://www.mysite.com
    ServerAlias http://www.mysite.com
    ProxyPass / http://localhost:8180/MYSITE/
    ProxyPassReverse / http://localhost:8180/MYSITE/
    ProxyPassReverseCookiePath /MYSITE/ /
    </VirtualHost>
    

    And then with the SSL port that doesn't want to work for some reason:

    NameVirtualHost www.mysite.com:443
    <VirtualHost www.mysite.com:443>
            SSLProxyEngine On
            ProxyPreserveHost On
            ProxyRequests Off
            ServerName https://www.mysite.com
            ServerAlias https://www.mysite.com
            ProxyPass / https://localhost:8443/MYSITE/
            ProxyPassReverse / https://localhost:8443/MYSITE/
            ProxyPassReverseCookiePath /MYSITE/ /
            CacheDisable *
    </VirtualHost>
    

    EDIT: I added the

    RequestHeader set Front-End-Https "On"
    

    directive to the VirtualHost www.mysite.com:443, as per: http://www.gossamer-threads.com/lists/apache/users/396577

    Here is the Tomcat APR Connector as configured in Tomcat's server.xml:

    <Connector port="8443" maxHttpHeaderSize="16500"
                     maxThreads="150"
                     enableLookups="false" disableUploadTimeout="true"
                     acceptCount="100" scheme="https" secure="true"
                     SSLEnabled="true"
                     SSLCertificateFile="x509-cert-path"
                     SSLCertificateKeyFile="key-file-path"
     />
    

    There were no errors/warnings enabling the virtual hosts and restarting apache. When I try HTTPS, this is what I see in Firefox:

    SSL received a record that exceeded the maximum permissible length.
    
    (Error code: ssl_error_rx_record_too_long)
    

    And in Chromium:

    Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
    

    Apache's error.log shows this warning message:

    [warn] [client 216.58.38.90] proxy: no HTTP 0.9 request (with no host line) on incoming request and preserve host set forcing hostname to be www.mysite.com for uri /
    

    I've spent days trying to configure it, and would be very grateful if someone explained what's going on and how to fix it.

    Many thanks. Victor.