
I was asked to upgrade a server running Apache and Tomcat-6 on Debian Wheezy from HTTP to HTTPS. I have successfully obtained and installed SSL certificates on the Apache part and checked that they work (using two different SSL checkers).

Next, I have added the following block to /etc/apache2/sites-available/default-ssl:

<VirtualHost *:80>
    ServerName server.name
    Redirect permanent / https://server.name/
</VirtualHost>

and this to the end of the <VirtualHost _default_:443> block in the same file:

ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

On the Tomcat side, the /etc/tomcat6/server.xml file includes two active connectors:

<Connector port="8080" protocol="HTTP/1.1" 
           connectionTimeout="20000" 
           URIEncoding="UTF-8"
           redirectPort="8443" />

<Connector address="127.0.0.1" port="8009" protocol="AJP/1.3" redirectPort="8443" />

Now, when I go to https://server.name/app/main/login.jspx, I get an SSL connection, but it disappears after login.
If I go to https://server.name/app, I am immediately redirected to http://server.name/app/main/login.jspx (no SSL).
(And if I go to just https://server.name/, I end up on a redirect page defined in /var/lib/tomcat6/webapps/ROOT/index.html.)

What am I doing wrong? Do I need to use the AJP proxy instead?

Michal Kaut
  • Try adding `scheme="https" proxyName="server.name" proxyPort="443" secure="true"` in your http connector (8080). – Federico Sierra May 02 '16 at 12:58
  • @FedericoSierra Thanks. This helped for the case where I connect explicitly via https, i.e., it stays as https. But the redirect from http to https still does not work. – Michal Kaut May 02 '16 at 13:50
  • Try adding the redirect in `/etc/apache2/sites-available/000-default.conf` – Federico Sierra May 02 '16 at 14:13
  • @FedericoSierra Thanks, that did the trick :-). (I moved the `*:80`-related part (actually, only the `Redirect` line) from `/etc/apache2/sites-available/default-ssl` to `/etc/apache2/sites-available/default` and now it works.) If you post it as an answer, I will accept it. – Michal Kaut May 03 '16 at 06:47
  • One more thing: I guess I should now use iptables to drop all connections to 8080 from outside of localhost, correct? And should I drop also outgoing? – Michal Kaut May 03 '16 at 06:50
  • listen on localhost is okay – Federico Sierra May 03 '16 at 12:37

1 Answer

If this Connector is being used in a proxy configuration, configure proxyName, proxyPort.

<Connector port="8080" protocol="HTTP/1.1" 
           connectionTimeout="20000" 
           URIEncoding="UTF-8"
           redirectPort="8443"
           scheme="https" 
           proxyName="server.name" 
           proxyPort="443" 
           secure="true" />

You will also need to set the scheme and secure attributes to the values https and true respectively for an https proxy.

To redirect HTTP to HTTPS in Apache, try adding the directives to the default config /etc/apache2/sites-available/000-default.conf.

Federico Sierra