SSL setup with apache in front of tomcat
I'm trying to set up Apache with SSL and proxy SSL requests to my Tomcat instance. I think I made the SSL work, but there's still an error that shows up:
Bad Gateway The proxy server received an invalid response from an upstream server.
SSL Virtualhost
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost _default_:443>
    SSLEngine On
    SSLProxyEngine On
    DocumentRoot "/var/apache-tomcat-7.0.34/webapps/Learn2Gether/"
    SSLCertificateFile /etc/pki/tls/learn2gether/cert-6090205098829887.pem
    SSLCertificateKeyFile /etc/pki/tls/learn2gether/private_key_unlocked.pem
    SSLCertificateChainFile /etc/pki/tls/learn2gether/rubca-chain.pem
    BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    ServerName www.learn2gether.rubel.rub.de
    ServerAlias learn2gether.rubel.rub.de
    #RewriteRule ^\/$ /Learn2Gether/index.html [PT]
    ##RewriteRule ^/(.*)$ /$1 [PT]
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
HTTP VH redirect to HTTPS
NameVirtualHost *:80
<VirtualHost _default_:80>
    ServerName www.learn2gether.rubel.rub.de
    ServerAlias learn2gether.rubel.ruhr-uni-bochum.de
    RewriteEngine on
    # DocumentRoot "/var/apache-tomcat-7.0.34/webapps/Learn2Gether/"
    RewriteCond %{HTTP_HOST} !^learn2gether.rubel.ruhr-uni-bochum\.de [NC]
    RewriteRule ^/(.*)$ http://learn2gether.rubel.ruhr-uni-bochum.de/$1 [R=301,L]
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}$1 [L]
    #RewriteRule ^\/$ /Learn2Gether/index.html [PT]
    #RewriteRule ^/(.*)$ /$1 [PT]
    #ProxyPass / https://localhost:8443/
    #ProxyPassReverse / https://localhost:8443/
</VirtualHost>
Tomcat's Apache connector
<Connector port="8443"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           compression="on"
           compressionMinSize="32"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/javascript,application/x-javascript,text/css"
           redirectPort="8443"
           URIEncoding="UTF-8"
           proxyPort="443"
           proxyName="learn2gether.rubel.ruhr-uni-bochum.de"
           scheme="https"
           secure="true"
/>
When proxying HTTP or HTTPS to HTTPS, you need to configure Apache as an SSL client. When Apache talks to your Tomcat server it functions as a web client, after all. However, Apache will usually not function as an SSL client out of the box.
Firstly, I would suggest that you consider whether you really need this and why you are doing this. The common practice when Tomcat and Apache live on the same server is to have Tomcat just serve plain HTTP (or AJP) and offload SSL to the Apache server. There is usually no need to have SSL between the Apache and Tomcat server. Not having SSL on the Tomcat server is going to save you a lot of trouble.
All you need to do is, for example, define an HTTP connector on port 8080 in your Tomcat instance, and redirect all requests there from within your Apache SSL virtual host:
<VirtualHost _default_:443>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/learn2gether/cert-6090205098829887.pem
    SSLCertificateKeyFile /etc/pki/tls/learn2gether/private_key_unlocked.pem
    SSLCertificateChainFile /etc/pki/tls/learn2gether/rubca-chain.pem
    BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    ServerName www.learn2gether.rubel.rub.de
    ServerAlias learn2gether.rubel.rub.de
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
But if you still decide you do need SSL-to-SSL proxying, you will need to add more changes. Apache needs to be able to function as an SSL client as well as an SSL server. When Apache talks to another server using HTTPS, it is after all taking the role of client. This is not that easy, and there are a lot of problems you can run into. You will need to add this:
# Turn on SSL proxying.
SSLProxyEngine On
# Tell Apache where to find the CA certificates to check server certificates with
# (you can choose yourself where you put these certificates).
SSLProxyCACertificatePath /path/to/ca/certificates
Then in this path you need to put the CA certificate used to sign the certificate used by the server you communicate with. If you use a "self-signed" certificate, you will need to put it in this dir.
Once you've done that, you need to run "c_rehash" in that directory. c_rehash is part of a standard OpenSSL distribution. c_rehash creates hashed aliases in this dir. Apache needs these.
In order to test if everything is there, you can do the following:
openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443
If the connection succeeds, you'll get a prompt where you can type in a request. Just try something:
GET /
and see if you get something. If this test is successful, Apache should work too.
You can now add the RewriteRule or Proxy statements to forward the connections to your HTTPS server.
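The CApath and c_rehash behaviour the answer relies on, reproduced against a loopback stand-in for the Tomcat HTTPS connector. This is an added example, not code from the answer or from Apache; it assumes the openssl CLI (1.1.1 or newer) is on PATH, uses Python's ssl module in place of mod_proxy, and works on a constructed self-signed certificate rather than the site's real one.

```python
import contextlib, os, shutil, socket, ssl, subprocess, tempfile, threading

def make_self_signed(host="localhost"):
    # Constructed, throwaway self-signed cert/key for the fake Tomcat, made with the openssl CLI.
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "tomcat.pem"), os.path.join(d, "tomcat.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", f"/CN={host}", "-addext", f"subjectAltName=DNS:{host}",
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def rehash_one(cert, ca_dir):
    # What c_rehash does per file: a <subject_hash>.0 link, the only kind of name OpenSSL opens in a CApath.
    h = subprocess.run(["openssl", "x509", "-noout", "-subject_hash", "-in", cert],
                       check=True, capture_output=True, text=True).stdout.strip()
    os.symlink(os.path.abspath(cert), os.path.join(ca_dir, h + ".0"))

def start_upstream(cert, key):
    # Loopback TLS server on an ephemeral port, playing the role of https://localhost:8443.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    lsock = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, _ = lsock.accept()
            # A client that rejects our certificate aborts the handshake here; that is expected.
            with contextlib.suppress(ssl.SSLError, OSError), ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(64)                 # swallow the probe request, then close
    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1]

def upstream_verifies(port, ca_dir, host="localhost"):
    # Connect the way mod_proxy does with SSLProxyEngine On; False is where Apache answers 502 Bad Gateway.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and hostname check are on by default
    ctx.load_verify_locations(capath=ca_dir)        # the SSLProxyCACertificatePath directory
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
             ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
        return True
    except ssl.SSLError:
        return False

def demo():
    cert, key = make_self_signed()
    port = start_upstream(cert, key)
    ca_dir = tempfile.mkdtemp()                                # empty CApath to start with
    shutil.copy(cert, os.path.join(ca_dir, "tomcat-ca.pem"))   # cert present, but under an un-hashed name
    before = upstream_verifies(port, ca_dir)                   # False: Apache would see an invalid response
    rehash_one(cert, ca_dir)                                   # the c_rehash step the answer insists on
    return before, upstream_verifies(port, ca_dir)             # (False, True)
```

Dropping the certificate into the directory is not enough; only the hashed name makes OpenSSL (and therefore mod_ssl) find it.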