Apache Server configuration support - SSL Reverse Proxy to non-SSL WebLogic server gets redirected to http (non-SSL)

mike.gillan@gmail.com

2005-01-13, 5:57 pm

Hello,

I'm trying to use Apache as a secure reverse proxy in front of WebLogic
in order to encrypt the data between the client and server. The traffic
flow should look like this:

Client <---SSL---> Apache <---HTTP---> WebLogic

So the client makes the request to https://securesite.domain.com,
Apache handles the SSL handshake and properly forwards the request to
WebLogic, at http://appserver.domain.com:port. Unfortunately as soon as
the request makes it to WebLogic, a "302 Moved Temporarily" response is
returned, with a Location header "Location:
http://appserver.domain.com:port/index.jsp" (This is just the web app
sending the client to the welcome page.) I have a rewrite rule that
correctly translates "appserver.domain.com:port" to
"securesite.domain.com", but the problem is the final destination that
is sent to the client is http://securesite.domain.com/index.jsp
(Non-SSL). Since there is nothing listening on port 80, this breaks.

Here is the config file I'm using (directories abbreviated with ...,
but they are actually real directories):
#------------------------------------------------------------------------
# securesite.domain.com
# Description: Shared intranet development environment
# - Listens on port 443 (SSL)
# - Handles secure traffic for the shared intranet
#------------------------------------------------------------------------

Listen <IPaddress>:443
<VirtualHost <IPaddress>:443>
ServerName securesite.domain.com
ServerAdmin admin@email.com
DocumentRoot /apps/apache2/...
RewriteEngine On


#---------------------------------------------------------------------
# Infrastructure Component: SSL Configuration
# Owner: WHS - Mike Gillan
# URI Pattern(s): N/A

#---------------------------------------------------------------------
SSLEngine on
SSLProtocol SSLv3
SSLCipherSuite HIGH:+MEDIUM
SSLCACertificateFile /apps/apache2/.../root.cer
SSLCertificateFile /apps/apache2/.../securesite.crt
SSLCertificateKeyFile /apps/apache2/.../securesite.key
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

#--- End SSL Configuration ---


#---------------------------------------------------------------------
# Application: Secure WebLogic Reverse Proxy
# Owner: ***
# URI Pattern(s): /application

#---------------------------------------------------------------------

RewriteRule ^/application(.*) http://appserver.domain.com:port$1 [P,NC]
ProxyPassReverse /application http://appserver.domain.com:port

#--- End SWRP ---

</VirtualHost>
#--- End securesite.domain.com ------------------------------------------


I could setup a proxy there to rewrite ^/(.*) to https, but this breaks
the SSL security as requests (particularly POST requests) will first be
sent in clear HTTP before being rewritten to HTTPS...

Does anyone know how I can get that destination location to be HTTPS
instead of HTTP? I'm at a loss! Thanks very much in advance for any
help!!!

Mike Gillan
mike.gillan@gmail.com

ge0rge

2005-01-14, 2:49 am

<mike.gillan@gmail.com> wrote ...
snip
>...but the problem is the final destination that
> is sent to the client is http://securesite.domain.com/index.jsp
> (Non-SSL). Since there is nothing listening on port 80, this breaks.

....
> #---------------------------------------------------------------------
>
> RewriteRule ^/application(.*) http://appserver.domain.com:port$1 [P,NC]
> ProxyPassReverse /application http://appserver.domain.com:port
>
> #--- End SWRP ---
>
> </VirtualHost>
> #--- End securesite.domain.com ------------------------------------------
>
>
> I could setup a proxy there to rewrite ^/(.*) to https, but this breaks
> the SSL security as requests (particularly POST requests) will first be
> sent in clear HTTP before being rewritten to HTTPS...


On the right track (almost)

>
> Does anyone know how I can get that destination location to be HTTPS
> instead of HTTP? I'm at a loss! Thanks very much in advance for any
> help!!!


You need another virtual host section that is listening on port 80 and when
requests are received on apache port 80, you have a rewrite rule that sends
a redirect to the client ... requesting the original request to be sent
back to apache again but to its https port. Something like this -
> Listen <IPaddress>:80
> <VirtualHost <IPaddress>:80>

....
RewriteRule ^/(.*) https://securesite.domain.com/$1 [R,NC]
....
> </VirtualHost>


I haven't checked for syntactical correctness but basically this ensures
that apache will only accept https requests. All http traffic is redirected
back as https... but there is no defence if after the form is received, the
person fills in his credit card details and password and decides to change
the protocol from https to http deliberately (don't ask me why she'd do
that).

--
"Every man has his price. Mine is $3.95."


mike.gillan@gmail.com

2005-01-14, 5:54 pm

Hi ge0rge... you're right! Thanks very much... I was thinking that they
would be redirected to an http page and then be posting in a non-secure
way, but I didn't think the whole thing through. Now that I think about
it, I realize the transaction would go like this:
1. Client requests https://securesite.com/
2. WebLogic redirects to http://securesite.com/index.jsp
3. Client requests http://securesite.com/index.jsp
4. Apache on port 80 catches the request, and redirects the client to
https://securesite.com/index.jsp
5. Client requests and gets this page, then posts to it over SSL

Thanks very much, I'll try that right now and (although I'm sure it
will...) I'll let you know if it works!

Sincerely,
Mike Gillan
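
Added example (not part of any post in this thread): a small Python auditor that walks a redirect chain like the one in steps 1-5 above and reports each hop that crosses the network in cleartext. The response table and the `constructed_fetch` stand-in are constructed for illustration; a real check would pass an HTTP client in as the same `fetch` argument.

```python
from urllib.parse import urljoin, urlsplit

# Constructed model of the deployment in the thread: WebLogic's 302 reaches the
# client as an http:// Location, and the port-80 vhost bounces it back to https.
CONSTRUCTED_RESPONSES = {
    "https://securesite.domain.com/": (302, "http://securesite.domain.com/index.jsp"),
    "http://securesite.domain.com/index.jsp": (302, "https://securesite.domain.com/index.jsp"),
    "https://securesite.domain.com/index.jsp": (200, None),
}

def constructed_fetch(method, url):
    """Stand-in for a real HTTP client; returns (status, Location or None)."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))

def audit_redirects(method, url, fetch, max_hops=10):
    """Follow redirects from url; report every hop that is sent in cleartext."""
    hops, findings = [], []
    for _ in range(max_hops):
        scheme = urlsplit(url).scheme
        hops.append((method, url))
        if scheme != "https":
            what = "request body" if method == "POST" else "URL, headers and cookies"
            findings.append(f"cleartext {method} {url}: {what} exposed before any redirect")
        status, location = fetch(method, url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        target = urljoin(url, location)  # Location may be relative
        if scheme == "https" and urlsplit(target).scheme != "https":
            findings.append(f"downgrade: {url} redirects to {target}")
        # Browsers replay the body only on 307/308; in practice a POST that
        # receives 301/302/303 is retried as a GET.
        if status not in (307, 308):
            method = "GET"
        url = target
    return hops, findings
```

For a GET to https://securesite.domain.com/ this reports the downgrade at step 2 and the cleartext request at step 3. A POST sent straight to the http:// URL is reported as exposing its body, because the port-80 redirect only answers after the request has already arrived.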

laydown

2005-02-11, 2:33 pm

I use this and it works great.
Drop the re-write and use these two lines

ProxyPass /path1/ http://internalserverip:7777/application1/

ProxyPassReverse /path1/ http://internalserverip:7777/application1/

Only problem is there must be a trailing slash when the user connects or it won't find the documents.

dewrich

2005-03-25, 12:53 am

quote:
Originally posted by ge0rge
<mike.gillan@gmail.com> wrote ...
snip
>...but the problem is the final destination that
> is sent to the client is http://securesite.domain.com/index.jsp
> (Non-SSL). Since there is nothing listening on port 80, this breaks.

......
> #---------------------------------------------------------------------
>
> RewriteRule ^/application(.*) http://appserver.domain.com:port$1 [P,NC]
> ProxyPassReverse /application http://appserver.domain.com:port
>
> #--- End SWRP ---
>
> </VirtualHost>
> #--- End securesite.domain.com ------------------------------------------
>
>
> I could setup a proxy there to rewrite ^/(.*) to https, but this breaks
> the SSL security as requests (particularly POST requests) will first be
> sent in clear HTTP before being rewritten to HTTPS...


On the right track (almost)

>
> Does anyone know how I can get that destination location to be HTTPS
> instead of HTTP? I'm at a loss! Thanks very much in advance for any
> help!!!


You need another virtual host section that is listening on port 80 and when
requests are received on apache port 80, you have a rewrite rule that sends
a redirect to the client ... requesting the original request to be sent
back to apache again but to its https port. Something like this -
> Listen <IPaddress>:80
> <VirtualHost <IPaddress>:80>

......
RewriteRule ^/(.*) https://securesite.domain.com/$1 [R,NC]
......
> </VirtualHost>


I haven't checked for syntactical correctness but basically this ensures
that apache will only accept https requests. All http traffic is redirected
back as https... but there is no defence if after the form is received, the
person fills in his credit card details and password and decides to change
the protocol from https to http deliberately (don't ask me why she'd do
that).

--
"Every man has his price. Mine is $3.95."


-----------------
Hi I found this a very useful thread of help, but my question is how would I configure this setup for Tomcat
WITHOUT having to use the ApacheToTomcat Connector mod_jk.

Thanks in advance,

-Dewayne