SSL setup with apache in front of tomcat

apache-2.2 ssl mod-rewrite virtualhost tomcat

i m trying to setup Apache with SSl and proxy SSL requests to my tomcat instance. I think i made the SSL work but theres still a error that shows up:

Bad Gateway

The proxy server received an invalid response from an upstream server.

* SSL Virtualhost *

LoadModule ssl_module modules/mod_ssl.so

Listen 443
<VirtualHost _default_:443>
SSLEngine On
SSLProxyEngine On
DocumentRoot "/var/apache-tomcat-7.0.34/webapps/Learn2Gether/"

SSLCertificateFile /etc/pki/tls/learn2gether/cert-6090205098829887.pem
SSLCertificateKeyFile /etc/pki/tls/learn2gether/private_key_unlocked.pem
SSLCertificateChainFile /etc/pki/tls/learn2gether/rubca-chain.pem


BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

ServerName www.learn2gether.rubel.rub.de
ServerAlias learn2gether.rubel.rub.de

#RewriteRule ^\/$ /Learn2Gether/index.html [PT]
##RewriteRule ^/(.*)$ /$1 [PT]

ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://localhost:8443/
ProxyPassReverse / https://localhost:8443/

</VirtualHost>
~

HTTP VH redirect to HTTPS

NameVirtualHost *:80

<VirtualHost _default_:80>
   ServerName www.learn2gether.rubel.rub.de
   ServerAlias learn2gether.rubel.ruhr-uni-bochum.de
RewriteEngine on
# DocumentRoot "/var/apache-tomcat-7.0.34/webapps/Learn2Gether/"
RewriteCond %{HTTP_HOST} !^learn2gether.rubel.ruhr-uni-bochum\.de [NC]
RewriteRule ^/(.*)$ http://learn2gether.rubel.ruhr-uni-bochum.de/$1 [R=301,L]

RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}$1 [L]

#RewriteRule ^\/$ /Learn2Gether/index.html [PT]
#RewriteRule ^/(.*)$ /$1 [PT]

#ProxyPass / https://localhost:8443/
#ProxyPassReverse / https://localhost:8443/
</VirtualHost>

Tomcats apache connector

    <Connector port="8443"
  protocol="HTTP/1.1"
   connectionTimeout="20000"
    compression="on"
     compressionMinSize="32"
      noCompressionUserAgents="gozilla, traviata"
       compressableMimeType="text/html,text/xml,text/javascript,application/x-javascript,text/css"
        redirectPort="8443"
         URIEncoding="UTF-8"
          proxyPort="443"
           proxyName="learn2gether.rubel.ruhr-uni-bochum.de"
            scheme="https"
             secure="true"
/>

When proxying http or https to https you need to configure apache as an ssl client. When apache talks to your Tomcat server it functions as a web client after all. However Apache will usually not function as an SSL client out of the box.

Firstly I would suggest that you first consider if you really need this, why you are doing this. The common practice when Tomcat and Apache live on the same server is to have Tomcat just serve plain http (or ajp) and offload ssl to the Apache server. There is usually no need to have ssl between the apache and tomcat server. Not having ssl on the tomcat server is going to save you a lot of trouble.

All you need to do is for example define a HTTP connector on port 8080 in your tomcat instance, and redirect all requests there from within your apache SSL virtual host:

<VirtualHost _default_:443>
SSLEngine On

SSLCertificateFile /etc/pki/tls/learn2gether/cert-6090205098829887.pem
SSLCertificateKeyFile /etc/pki/tls/learn2gether/private_key_unlocked.pem
SSLCertificateChainFile /etc/pki/tls/learn2gether/rubca-chain.pem


BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

ServerName www.learn2gether.rubel.rub.de
ServerAlias learn2gether.rubel.rub.de

ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

</VirtualHost>

But if you still decide you do need ssl to ssl proxying you will need to add more changes. Apache needs to be able to function as an SSL client, as well as SSL server. When Apache talks to another server using https it is after all taking the role of client. This is not that easy, and there are a lot of problems you can run in to. You will need to add this:

# turn on SSL proxying.
SSLProxyEngine On

# to tell Apache where to find CA certificates to check server certificates with:
# (You can choose yourself where you put these certificates)
SSLProxyCACertificatePath /path/to/ca/certificates.

Then in this path you need to put the CA certificat used to sign the certificat used by the server you communicate with. If you use a "self signed" certificate you will need to put it in this dir.

Once you've done that you need to run "c_rehash" in that directory. c_rehash is part of a standard openssl distribution. c_rehash creates hashed aliases in this dir. Apache needs these.

In order to test if everything is there you can do the following:

 openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443

if the connenction succeeds you'll get a prompt where you can type in a request. Just try something. 

 GET /

and see if you get something. If this test is succesfull apache should work too.

You can now add the ReWriteRule or Proxy statements to forward the connections to your https server.

Related

Redirect loop using cloudflare's Flexible ssl
VPS Administration for the Absolute Beginner
How should someone create an encrypted password for /etc/shadow?
Kernel Tuning with Privileged Docker Container
Is it possible to use etckeeper with a single shared git repository?
Isolating Apache virtualhosts from the rest of the system
Test-driven development for infrastructure deployments?
simple postfix configuration - forward all incoming email to single address
How to deploy applications (in .tar.gz) with Puppet?
The same IP on multiple interfaces
Get list of DHCP clients with KVM+libvirt?
Hacking prevention, forensics, auditing and counter measures