Tomcat – Apache SSL reverse proxy to an embedded Tomcat

apache-2.2 mod-proxy mod-ssl tomcat

I'm trying to put in place a reverse proxy for an application that is running an embedded Tomcat server over SSL. The application needs to run over SSL on port 9002, so I have no way of "disabling SSL" for this app. The current setup schema looks like this:

[192.168.0.10:443 - Apache with mod_proxy] --> [192.168.0.10:9002 - Tomcat App]

After googling on how to make such a setup (and testing) I came across this:

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/861137

Which led me to my current configuration (to try to emulate the --secure-protocol=sslv3 option of wget)

/etc/apache2/sites-enabled/default-ssl:

<VirtualHost _default_:443>

    # Inbound side: terminate TLS from browsers with the default self-signed cert
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Outbound side: re-encrypt to the backend, restricted to SSLv3 only
    SSLProxyEngine On
    SSLProxyProtocol SSLv3
    SSLProxyCipherSuite SSLv3
    ProxyPass /test/ https://192.168.0.10:9002/
    ProxyPassReverse /test/ https://192.168.0.10:9002/

    LogLevel debug
    ErrorLog /var/log/apache2/error-ssl.log
    CustomLog /var/log/apache2/access-ssl.log combined
</VirtualHost>

The thing is that the error log is showing error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

Complete request log:

[Wed Mar 13 20:05:57 2013] [debug] mod_proxy.c(1020): Running scheme https handler (attempt 0)
[Wed Mar 13 20:05:57 2013] [debug] mod_proxy_http.c(1973): proxy: HTTP: serving URL https://192.168.0.10:9002/
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2011): proxy: HTTPS: has acquired connection for (192.168.0.10)
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2067): proxy: connecting https://192.168.0.10:9002/ to 192.168.0.10:9002
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2193): proxy: connected / to 192.168.0.10:9002
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2444): proxy: HTTPS: fam 2 socket created to connect to 192.168.0.10
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2576): proxy: HTTPS: connection complete to 192.168.0.10:9002 (192.168.0.10)
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] Connection to child 0 established (server demo1agrubu01.demo.lab:443)
[Wed Mar 13 20:05:57 2013] [info] Seeding PRNG with 656 bytes of entropy
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/connect initialization
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: unknown state
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1897): OpenSSL: read 7/7 bytes from BIO#7f122800a100 [mem: 7f1230018f60] (BIO dump follows)
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1869): | 0000: 15 03 01 00 02 02 50                             ......P          |
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in unknown state
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] SSL Proxy connect failed
[Wed Mar 13 20:05:57 2013] [info] SSL Library Error: 336032002 error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] Connection closed to child 0 with abortive shutdown (server example1.domain.tld:443)
[Wed Mar 13 20:05:57 2013] [error] (502)Unknown error 502: proxy: pass request body failed to 172.31.4.13:9002 (192.168.0.10)
[Wed Mar 13 20:05:57 2013] [error] [client 192.168.0.10] proxy: Error during SSL Handshake with remote server returned by /dsfe/
[Wed Mar 13 20:05:57 2013] [error] proxy: pass request body failed to 192.168.0.10:9002 (172.31.4.13) from 172.31.4.13 ()
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2029): proxy: HTTPS: has released connection for (172.31.4.13)
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] Connection closed to child 6 with standard shutdown (server example1.domain.tld:443)

If I do a

wget --secure-protocol=sslv3 --no-check-certificate https://192.168.0.10:9002/ 

it works perfectly, but from Apache it is not working.

I'm on an Ubuntu Server with the latest updates running apache2 with mod_proxy and mod_ssl enabled:

~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.2 LTS"

~# dpkg -s apache2
...
Version: 2.2.22-1ubuntu1.2
...

~# dpkg -s openssl
...
Version: 1.0.1-4ubuntu5.7
...

Hope that someone can help.
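The seven bytes in the BIO dump above (15 03 01 00 02 02 50) are the only thing the backend sent before mod_ssl gave up, and they can be decoded by hand. The following is an added example, not part of the question or the answer: it parses that dump line with the TLS record and alert layouts from RFC 5246 (sections 6.2.1 and 7.2) and compares the record's version with the protocol set the question's config allows for the proxy side (SSLProxyProtocol SSLv3). The function and constant names are my own; the dump line is copied from the log as the sample input.

```python
import re
import struct

# Sample input, copied from the mod_ssl debug log in the question (constructed
# for this example; the trailing ASCII column is what mod_ssl prints).
BIO_DUMP_LINE = "| 0000: 15 03 01 00 02 02 50                             ......P          |"

# Outbound protocol set implied by "SSLProxyProtocol SSLv3" in the vhost above.
PROXY_PROTOCOLS = {"SSLv3"}

# Record-layer ContentType values (RFC 5246 section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# ProtocolVersion {major, minor} as carried in the record header.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values (RFC 5246 section 7.2, subset).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 86: "inappropriate_fallback",
}

# "0000: 15 03 01 ..." -> the run of two-digit hex bytes after the offset.
_DUMP_RE = re.compile(r"[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})")


def hexdump_to_bytes(line):
    """Extract the raw bytes from one mod_ssl 'BIO dump' log line."""
    m = _DUMP_RE.search(line)
    if not m:
        raise ValueError("not a mod_ssl BIO dump line: %r" % line)
    return bytes.fromhex(m.group(1))


def parse_record(data):
    """Decode a TLS record header and, for an alert record, its 2-byte body."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes, got %d" % len(data))
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record claims %d body bytes, only %d present" % (length, len(body)))
    rec = {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
        "length": length,
    }
    if ctype == 21:
        if length != 2:
            raise ValueError("alert body must be exactly 2 bytes, got %d" % length)
        rec["alert_level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return rec


def explain(rec, proxy_protocols):
    """Relate the decoded record to the protocols the proxy was allowed to speak."""
    if rec["content_type"] != "alert":
        return "backend sent a %s record (%s), not an alert" % (rec["content_type"], rec["version"])
    msg = "backend sent a %s %s alert in a %s record" % (
        rec["alert_level"], rec["alert_description"], rec["version"])
    if rec["version"] not in proxy_protocols:
        msg += "; %s is not in the proxy's allowed set %s" % (
            rec["version"], sorted(proxy_protocols))
    return msg


if __name__ == "__main__":
    record = parse_record(hexdump_to_bytes(BIO_DUMP_LINE))
    print(record)
    print(explain(record, PROXY_PROTOCOLS))
```

Run against the log line it reports that the backend answered with a fatal internal_error alert in a TLS 1.0 record, while the proxy had been limited to SSLv3; that version mismatch is the "unsupported protocol" mod_ssl logged, and it is a different exchange from the one wget completed, so the two clients are not sending the same ClientHello.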

Best Answer

It sounds like you may want to try to edit the server.xml for your Tomcat application, and where the Connector port is defined, add something like:

proxyName="mysite.example.com" proxyPort="443" scheme="https" secure="true"