0

I have Apache 2.2.3 and JBoss 5.1 installed on my server. In Apache I have 2 apps in PHP+MySQL, and in JBoss I have Liferay Portal as the root app (/). I used mod_proxy to reach the JBoss app:

<VirtualHost server_ip:80>
ServerName intranet.mycompany.com
ProxyPreserveHost On
ProxyPass / balancer://jbosscluster/
ProxyPassReverse / http://server_ip:8080
</VirtualHost>

But now I have to enable HTTPS only on intranet.mycompany.com, and I don't know where to configure SSL: in Apache, JBoss, or both. I tried in JBoss in server.xml, generating a self-signed certificate with keytool, but Apache doesn't forward to https://server_ip:8443.

I will appreciate your help.

2 Answers

1

If everything is on the same server, all you need to do is set up SSL in Apache - you make sure mod_ssl is installed and pretty much use the default config style to make it run. The Apache <=> JBoss communication will happen internally on the same server as usual and be unencrypted.

Given a standard Linux (CentOS, e.g.) box with the mod_ssl package installed:

# SSL Basics
LoadModule ssl_module modules/mod_ssl.so
Listen 443
NameVirtualHost *:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
  # ...config stuff...
  ServerName intranet.mycompany.com
  ProxyPreserveHost On
  ProxyPass / balancer://jbosscluster/
  ProxyPassReverse / http://127.0.0.1:8080

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /path/to/server.pem
  SSLCertificateKeyFile /path/to/server.pem

  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>

  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  # ...more config stuff...
</VirtualHost>

The file server.pem contains both the unencrypted server key and the server cert returned from the upstream authority.

/usr/bin/openssl genrsa -des3 1024 > server.key.encrypted
/usr/bin/openssl rsa -in server.key.encrypted -out server.key

/usr/bin/openssl req -new -key server.key -out server.csr

cat server.key > server.pem
cat server.crt >> server.pem

That's the basic idea -- server.crt is the file given back to you from Thawte, etc. after you gave them the server.csr file (and money).

  • Thanks for the answer. I will try to configure SSL in Apache then. –  Jan 29 '10 at 01:14
  • Hi, I configured SSL in Apache, and there are no messages in the SSL error log, but the explorer never gets the page: 'an error occurred: the connection to the server was reset while the page was loaded.' So what could be the problem? –  Jan 29 '10 at 16:27
0

troyengel's answer will give you HTTPS access through your Apache configuration, but if I understood your question correctly, you need intranet.mycompany.com to be accessible via HTTPS only and not by HTTP?

If that's the case I would modify your existing VirtualHost declaration to be something along the lines of:

<VirtualHost server_ip:80>
    ServerName intranet.mycompany.com

    RewriteEngine On

    RewriteCond %{HTTPS} !=on
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</VirtualHost>

This is in addition to troyengel's SSL VirtualHost configuration. This should then redirect anything going to http://intranet.mycompany.com -> https://intranet.mycompany.com, automatically keeping the requested URI.

Jeremy Bouse
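The two answers combined into one configuration, as an added example that is not taken from either answer: a port-80 virtual host that only redirects, and a TLS virtual host that terminates HTTPS and proxies to JBoss over loopback, with the protocol and cipher settings tightened. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded (newer than the question's 2.2.3); the file paths and the direct 127.0.0.1:8080 backend are placeholders.

```apache
# Added example; paths and the backend address are placeholders (assumptions).
# Assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
Listen 443

# Plain HTTP: serve no content, redirect every request to HTTPS.
# In a vhost bound only to port 80, mod_alias's Redirect is sufficient;
# no RewriteCond on %{HTTPS} is needed.
<VirtualHost *:80>
    ServerName intranet.mycompany.com
    Redirect permanent / https://intranet.mycompany.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName intranet.mycompany.com

    SSLEngine on
    # Weak form seen earlier on this page: "SSLProtocol all -SSLv2" still
    # permits SSLv3 and TLS 1.0 wherever the build supports them, and the
    # cipher list "ALL:...:+LOW" leaves LOW-strength and RC4 suites enabled.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # Certificate and private key kept in separate files; the key file should
    # be readable by root only and hold an RSA key of at least 2048 bits
    # (the genrsa command earlier on this page generates 1024 bits).
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Ask browsers to use HTTPS only for this host for the next year.
    Header always set Strict-Transport-Security "max-age=31536000"

    # TLS ends at Apache; Apache <=> JBoss stays unencrypted on loopback.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    # Tells the backend the original request was HTTPS, if it is
    # configured to read this header.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Run `apachectl configtest` before reloading to catch syntax errors and missing modules.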