SSL – Trouble configuring Apache server to proxy an SSL connection

Tags: apache-2.2, mod-proxy, mod-ssl, ssl, virtualhost

I'm running an application on Tomcat7 with Apache Portable Runtime, I bought an SSL certificate and configured it correctly – when I try to connect through the ip:port combination, it connects fine but warns me the certificate is issued to the domain name, not the IP.

The VPS I'm on doesn't have SELinux (and there's an issue installing it), which is AFAIK required to have SSL be configured in Apache, so I want to just route the requests to Tomcat, which does it on its end.

I configured apache to proxy the connections, first with port 80 that works perfectly:

NameVirtualHost www.mysite.com:80
<VirtualHost www.mysite.com:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName http://www.mysite.com
ServerAlias http://www.mysite.com
ProxyPass / http://localhost:8180/MYSITE/
ProxyPassReverse / http://localhost:8180/MYSITE/
ProxyPassReverseCookiePath /MYSITE/ /
</VirtualHost>

And then with the SSL port that doesn't want to work for some reason:

NameVirtualHost www.mysite.com:443
<VirtualHost www.mysite.com:443>
        SSLProxyEngine On
        ProxyPreserveHost On
        ProxyRequests Off
        ServerName https://www.mysite.com
        ServerAlias https://www.mysite.com
        ProxyPass / https://localhost:8443/MYSITE/
        ProxyPassReverse / https://localhost:8443/MYSITE/
        ProxyPassReverseCookiePath /MYSITE/ /
        CacheDisable *
</VirtualHost>

EDIT:
I added the

RequestHeader set Front-End-Https "On"

directive to the VirtualHost www.mysite.com:443, as per: http://www.gossamer-threads.com/lists/apache/users/396577

Here is the Tomcat APR Connector as configured in Tomcat's server.xml –

<Connector port="8443" maxHttpHeaderSize="16500"
                 maxThreads="150"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" scheme="https" secure="true"
                 SSLEnabled="true"
                 SSLCertificateFile="x509-cert-path"
                 SSLCertificateKeyFile="key-file-path"
 />

There were no errors/warnings enabling the virtual hosts and restarting Apache. When I try HTTPS, this is what I see in Firefox:

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

And in Chromium:

Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

Apache's error.log shows this warning message:

[warn] [client 216.58.38.90] proxy: no HTTP 0.9 request (with no host line) on incoming request and preserve host set forcing hostname to be www.mysite.com for uri /

I've spent days trying to configure it, and would be very grateful if someone explained what's going on and how to fix it.

Many thanks. Victor.

Best Answer

The error you're getting is probably due to the fact that your client (Firefox) is trying to use SSL, but your Apache virtual host does not have SSL enabled.

In order for your clients to be able to communicate via SSL with your front-end proxy, you're going to need to do SSL on the front-end, not in Tomcat. You gain absolutely nothing by using SSL between Apache and Tomcat.

In your <VirtualHost> block, you're going to need at least:

SSLEngine On
SSLCertificateFile ...
SSLCertificateKeyFile ...

Also, note that SELinux has absolutely nothing to do with SSL, other than the fact that a misconfigured SELinux environment could prevent Apache from being able to read the necessary SSL certificates.

If you're not using Apache for anything other than a simple proxy and you're really not comfortable with Apache configuration, you could in theory get rid of it and just have Tomcat listen on port 443 (by modifying the appropriate Connector block).
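The following is an added example of the layout the answer describes, not configuration from the original post: Apache 2.2 terminates TLS itself on port 443 and proxies to Tomcat over plain HTTP on the loopback interface, so the browser's ClientHello is answered with a TLS handshake instead of the plaintext HTTP response that produces ssl_error_rx_record_too_long. It assumes Tomcat's plain HTTP connector listens on localhost:8180 with the application under /MYSITE, as in the question; the certificate paths are placeholders and must match the files the CA issued.

```apache
# Added example, not part of the original post. Apache 2.2 front end that
# terminates TLS and reverse-proxies to Tomcat over plain HTTP.
# Assumed: Tomcat HTTP connector on 127.0.0.1:8180, app context /MYSITE,
# certificate and key at the placeholder paths below.

NameVirtualHost *:80
NameVirtualHost *:443

# Port 80 only redirects, so session cookies and logins never travel in clear.
<VirtualHost *:80>
    ServerName www.mysite.com
    Redirect permanent / https://www.mysite.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.mysite.com

    # TLS is handled here: these three directives are what the 443 vhost in
    # the question was missing. Without SSLEngine On, Apache answers the TLS
    # handshake with plaintext HTTP and the browser reports a record-too-long
    # or protocol error.
    SSLEngine On
    SSLCertificateFile      /etc/ssl/certs/www.mysite.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.mysite.com.key
    # Uncomment if the CA supplied an intermediate chain file.
    #SSLCertificateChainFile /etc/ssl/certs/www.mysite.com.chain.crt
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # Reverse proxy to Tomcat over plain HTTP on loopback. The backend URL is
    # http://, so SSLProxyEngine is not needed and Tomcat's SSL connector can go.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8180/MYSITE/
    ProxyPassReverse / http://localhost:8180/MYSITE/
    ProxyPassReverseCookiePath /MYSITE/ /

    # mod_proxy adds X-Forwarded-For/Host/Server itself but not the scheme;
    # Tomcat needs this to build https:// redirects and report isSecure().
    RequestHeader set X-Forwarded-Proto "https"

    # Ask browsers to stay on HTTPS for a year once they have seen the site.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Check the syntax with `apachectl -t` before restarting, then confirm the handshake from outside with `openssl s_client -connect www.mysite.com:443 -servername www.mysite.com`, which should print the certificate chain rather than an HTTP error page. On the Tomcat side, bind the 8180 connector to `address="127.0.0.1"` so the plaintext backend is reachable only through the proxy, and add `<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" />` inside the `<Host>` in server.xml so Tomcat honours the forwarded scheme; once that is in place the 8443 APR connector from the question is no longer needed.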