I have a front server with Apache 2.4.23 deployed + OpenSSL 1.0.2j.
Then I have another server with Tomcat 7 installed.
The idea is that Apache has a VHOST on *:443, which uses ProxyPass to send the request via AJP to the Tomcat server according to specific URLs.
That's my vhosts.conf file (it has the SSL configuration, as I don't want to use the httpd-ssl.conf file, because I'd have to change many things in it), according to this site:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
```apache
##################################################################################################################
# VHOSTS HTTP
# redirect all HTTP to HTTPS (optional)
<VirtualHost *:80>
ServerAlias *
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
##################################################################################################################
# VHOSTS HTTPS
Listen 443
# modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:c:/ap24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache "shmcb:c:/ap24/logs/ocsp(128000)"
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "conf/xin.foo.com/xin.crt"
SSLCertificateChainFile "conf/xin.foo.com/bundle.crt"
SSLCertificateKeyFile "conf/xin.foo.com/xin.key"
# Uncomment the following directive when using client certificate authentication
#SSLCACertificateFile /path/to/ca_certs_for_client_authentication
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /bar ajp://X.X.X.X:XXXX/bar/
ProxyPass /bar/ ajp://X.X.X.X:XXXX/bar/bar.html
</VirtualHost>
```
Now, as you can see, I have 2 ProxyPasses depending on what the URL looks like. That's because I have an "admin"/backend zone and a user zone. The first ProxyPass is for the Admin Zone, and the second one for the User zone.
Now, for those sites I need these URLs:
ADMIN: https://xin.foo.com/bar/bar
USER: https://xin.foo.com/bar/bar?app=personal
I'm using the Apache server in a "local" context right now, which means I don't yet have a TLD subdomain pointing at the Apache server's public IP. So, on my local machine in the office, I've edited my "hosts" file in "windows/system32/drivers/etc" and added the line:
xin.foo.com Y.Y.Y.Y (which is the IP address of the Apache front server).
This way I can emulate from my machine what public access from the internet will be.
Having said all that, now comes the thing:
Internet users will access through https://xin.foo.com. That's it.
I want "https://xin.foo.com" to go directly to the USER zone.
And something like https://xin.foo.com/admin to go to the ADMIN backend zone.
Then, I guess there are 2 things to take into account here:
- AJP ProxyPasses
- The possibility of mod_rewrite'ing first with parameters or something, to force the already configured ProxyPasses to work? Because the application mounted on the Tomcat server expects some parameters (?app=personal) to show the user zone, and no params = admin zone.
Maybe I have to delete the ProxyPasses and do some mod_proxy_ajp for it?
What would be the right way to do it, and how? I would appreciate the final recipe, as mod_rewrite and ProxyPass are not my speciality... And I'm convinced that even those 2 ProxyPasses are wrong, but that's what they gave me.
EDIT ACCORDING TO COMMENTS:
To summarize, everything is working properly right now, but I need to write the URLs as explained before to access the proper zones. What I want is to change the behaviour of the server according to what is logical, and let the simple TLD URL go to the user zone, and "/admin" to the backend zone. I've added a rewrite from http to https which works OK. Now I've thought that I can add a rewrite which says:
"IF https://xin.foo.com THEN https://xin.foo.com/bar/bar?app=personal"
and
"IF https://xin.foo.com/admin THEN https://xin.foo.com/bar/bar"
With that, I guess the AJP ProxyPasses should still be working normally. And what would be A+ grade would be to not modify the URL in the browser, so people keep seeing "https://xin.foo.com" for the real and "hidden" "https://xin.foo.com/bar/bar?app=personal".
Thank you all so much, and kind regards.
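One way to get the mapping the question describes while keeping the public URL unchanged in the browser, as an added example that is not the asker's own config: the two "IF ... THEN ..." rules become RewriteRule directives with the [P] (proxy) flag, which hand the request to mod_proxy_ajp internally instead of sending a redirect, while a single prefix ProxyPass keeps the application's own /bar/... links working. The AJP address and the office IP range are placeholders, and the /admin IP restriction is an assumption about what the backend zone should allow, not something the question states.

```apache
# Added example: goes inside the existing <VirtualHost *:443>, after the SSL
# and HSTS directives. X.X.X.X:XXXX is the Tomcat AJP address placeholder.
RewriteEngine On
# Never act as an open forward proxy; only the explicit mappings below proxy.
ProxyRequests Off
ProxyPreserveHost On

# USER zone: https://xin.foo.com/  ->  Tomcat /bar/bar?app=personal
# [P] proxies internally, so the browser keeps showing https://xin.foo.com/
# (no [QSA], so any query string a visitor adds is replaced by app=personal).
RewriteRule ^/?$ ajp://X.X.X.X:XXXX/bar/bar?app=personal [P,L]

# ADMIN zone: https://xin.foo.com/admin  ->  Tomcat /bar/bar (no parameter)
RewriteRule ^/admin/?$ ajp://X.X.X.X:XXXX/bar/bar [P,L]

# The application's own links, forms and static files still live under /bar,
# so one ordinary prefix mapping is enough (/bar also covers /bar/...).
ProxyPass /bar ajp://X.X.X.X:XXXX/bar

# Assumption: the backend zone is only for the office. Apache evaluates this
# access check before proxying, so other clients get a 403 and never reach
# Tomcat through the /admin alias. Replace the range with your own.
<Location /admin>
    Require ip 192.0.2.0/24
</Location>
```

Because the application still answers on /bar/bar without the parameter, the restriction above only protects the /admin alias; restricting the real /bar/bar path (or the application's own login) is needed if the admin zone must be unreachable from outside.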