0

I'm configuring an Apache 2.2 front end to pass through specific apps to Tomcat via mod_proxy_ajp. Some of these apps, like the login/auth service, I want to enforce accepting HTTPS hits only.

My httpd-proxyajp.conf file has stanzas in it like this per app:

  ProxyPass /auth-1.0 ajp://localhost:8009/auth-1.0
  ProxyPassReverse /auth-1.0 ajp://localhost:8009/auth-1.0

  <Proxy /auth-1.0>
    Order Deny,Allow
    Allow from All
  </Proxy>

  <Proxy /auth-1.0/WEB-INF>
    Order Deny,Allow
    Deny from All
  </Proxy>

And I don't want to redirect http hits to them - it kinda defeats the purpose if someone writes a client that blindly passes their login credentials all the way to me in the clear and I just make them pass them encrypted a second time via a redirect. So I don't want to do the common solution,

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/auth-1.0 https://%{HTTP_HOST}%{REQUEST_URI}

I really want to throw an error instead.

Complication: Doing this on Amazon EC2 so can't use IP-based virtual hosts and can't use name-based because I'm using SSL. I'd prefer to do this without vhosting anyway; I need the apps to be served off the same DNS name.

Ernest Mueller
  • 1,189
  • 2
  • 12
  • 25

1 Answers1

0

I think I came up with something that does what I want, but would like critique. I've tested it and it seems to work for the most apparent use cases, but these can be tricky for fringe cases. Anyway, for any of these apps I want to be "https only" it throws a 403 Forbidden if you hit them via http, but works fine via https.

In httpd-proxyajp.conf:

RewriteEngine On
#
# Auth Service
#
  RewriteCond %{HTTPS} off
  RewriteRule ^/auth-1.0 - [F]
  ProxyPass /auth-1.0 ajp://localhost:8009/auth-1.0
...
#
# An Insecure Service, foo
#
  ProxyPass /foo-1.0 ajp://localhost:8009/foo-1.0
...
#
# Another Secure-only Service, bar
#
  RewriteCond %{HTTPS} off
  RewriteRule ^/bar-1.0 - [F]
  ProxyPass /bar-1.0 ajp://localhost:8009/bar-1.0
...
Ernest Mueller
  • 1,189
  • 2
  • 12
  • 25