I'm configuring an Apache 2.2 front end to pass through specific apps to Tomcat via mod_proxy_ajp. Some of these apps, like the login/auth service, I want to enforce accepting HTTPS hits only.
My httpd-proxyajp.conf file has stanzas in it like this per app:

    ProxyPass /auth-1.0 ajp://localhost:8009/auth-1.0
    ProxyPassReverse /auth-1.0 ajp://localhost:8009/auth-1.0
    <Proxy /auth-1.0>
        Order Deny,Allow
        Allow from All
    </Proxy>
    <Proxy /auth-1.0/WEB-INF>
        Order Deny,Allow
        Deny from All
    </Proxy>

And I don't want to redirect http hits to them - it kinda defeats the purpose if someone writes a client that blindly passes their login credentials all the way to me in the clear and I just make them pass them encrypted a second time via a redirect. So I don't want to do the common solution,

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/auth-1.0 https://%{HTTP_HOST}%{REQUEST_URI}

I really want to throw an error instead.
Complication: Doing this on Amazon EC2 so can't use IP-based virtual hosts and can't use name-based because I'm using SSL. I'd prefer to do this without vhosting anyway; I need the apps to be served off the same DNS name.
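
The redirect from the question next to two ways of rejecting plaintext requests outright, as an added example that is not part of the original post. It assumes mod_rewrite and mod_ssl are loaded and that TLS terminates on this Apache instance, so `%{HTTPS}` reflects the client's connection.

```apache
# Added example (not from the original post). Assumption: TLS terminates on
# this Apache instance, so %{HTTPS} describes the client connection itself.

# Before: the redirect quoted in the question. By the time the client sees
# the redirect, its first plaintext request has already carried the credentials.
#   RewriteEngine On
#   RewriteCond %{HTTPS} off
#   RewriteRule ^/auth-1.0 https://%{HTTP_HOST}%{REQUEST_URI}

# After, option 1: same condition, but "-" (no substitution) with the F flag
# answers 403 Forbidden instead of redirecting.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/auth-1\.0 - [F]

# After, option 2: mod_ssl's SSLRequireSSL denies any request for this path
# that did not arrive over SSL/TLS. No virtual host is needed for either option.
<Location /auth-1.0>
    SSLRequireSSL
</Location>
```

Either option alone is enough. Neither stops a client from sending credentials in the clear on its first request; the 403 only ensures such a client fails visibly instead of appearing to work.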