Ssl – How to configure Apache to act as an SSL proxy to an application server

apache-2.2httpsPROXYsslweb-server

I have one physical server that runs:

an Apache (httpd) server
another web server (let's say Tomcat for sake of argument) on port 1234

Can I configure the Apache server to act as a proxy for SSL traffic, while keeping the application server blissfully unaware of SSL?

What I imagine is:

Traffic to http://myserevr.com/app is redirected to https://myserver.com/app
Traffic to https://myserver.com/app is proxied to the application server.
My SSL certificate is only installed on the Apache server, not on the Application server
Other traffic to the Apache server (http://myserver.com/anotherapp) is served directly from the Apache server

What's the best setup to achieve this? (On Ubuntu, if that matters)

Best Answer

If Tomcat runs on the standart ports (8080 - HTTP, 8009 - AJP) add this to yours Apache configuration:

<VirtualHost _default_:443>
    .......
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Location /app>
        ProxyPass        ajp://localhost:8009/app
        ProxyPassReverse ajp://localhost:8009/app
    </Location>

    #<Location /app>
    #    ProxyPass        http://localhost:8080/app
    #    ProxyPassReverse http://localhost:8080/app
    #</Location>

    <Location "/app/WEB-INF/">
        deny from all
    </Location>    
   ..........
</VirtualHost>

<VirtualHost *:80>
   ...........
    RewriteEngine On
    RewriteRule ^/app$  https://%{HTTP_HOST}%{REQUEST_URI} [R]
   ...........
</VirtualHost>

Related Solutions

Apache – Configuring VirtualHost with Mod-Proxy and SSL

At last I found a way to make it work. First I tried Dave Cheney suggestion, so I installed an other certificate for the apache server redirected to Tomcat non SSL port (so the proxy was redirecting to http://localhost:8080/). Unfortunately it did not fully work as in the web browser the https was transformed to http immediately upon connection. So I reverted to using https://localhost:8443/ and the final touch to make it work was to add again SSLProxyEngine.

Here is the resulting VirtualHost configuration:

<VirtualHost 1.2.3.4:443>
    ServerName host.domain.org

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLEngine on
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/certificate.crt
    SSLCertificateKeyFile /etc/apache2/ssl/certificate.key

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>

Ssl – Restrict Apache to only allow access using SSL for some directories

The SSLRequireSSL directive is what you're looking for.

Inside your <VirtualHost>, or at the top level if you're not using virtual hosts:

<Directory /topsecret>
  SSLRequireSSL
</Directory>

Or in .htaccess:

SSLRequireSSL

Best Answer

Related Solutions

Apache – Configuring VirtualHost with Mod-Proxy and SSL

Ssl – Restrict Apache to only allow access using SSL for some directories

Related Topic