
The requirement: We recently upgraded our site (internal to company) to https. However, many teams have asked us to extend http support for 30 more days. This is to enable non-tech users to update their bookmarks, information to percolate, etc.

The setup: Apache 2.x Webserver reverse proxying request to Apache Tomcat 8 server.

Apache configuration: To support http, the config below was used.

```apache
<VirtualHost *:80>
  ServerName localhost:80
  ProxyPass         /appName http://localhost:8080/appName
  ProxyPassReverse  /appName http://localhost:8080/appName
</VirtualHost>
```

To support https,

```apache
<VirtualHost *:443>
  SSLEngine on
  SSLProxyEngine on
  ServerName domainname.com:443
  SSLCertificateFile "${SRVROOT}/conf/ssl/cerSan.pem"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/certSan.key"
  DocumentRoot "${SRVROOT}/htdocs"
  # DocumentRoot access handled globally in httpd.conf
  CustomLog "${SRVROOT}/logs/ssl_request.log" \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  <Directory "${SRVROOT}/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride AuthConfig Limit FileInfo
    Require all granted
  </Directory>
  ProxyPass         /appName http://localhost:8080/appName
  ProxyPassReverse  /appName http://localhost:8080/appName
</VirtualHost>
```

Tomcat configuration:

```xml
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" address="127.0.0.1"
           redirectPort="8443" />
```

The problem: Whenever the application does a

```java
((HttpServletResponse) response).sendRedirect("/appName/pages/login.jsp");
```

during login, etc., the application switches back to http. I understand this works as per the spec.

What happens:

http://domainname.com ==> http://domainname.com/appName

https://domainname.com ==> http://domainname.com/appName

https://domainname.com/appName ==> https://domainname.com/appName

I tried an approach given in this answer by adding an additional Tomcat connector and reverse proxying to that port. In this case an additional context gets added and a 404 request is returned.

https://domainname.com/appName ==> https://domainname.com/appName/appName

I then tried removing the context in the Apache config.

```apache
ProxyPass         / http://localhost:8080/appName
ProxyPassReverse  / http://localhost:8080/appName
```

This resulted in

https://domainname.com ==> tomcat default landing page

I also read a few other blog posts and they suggest rewriting the code. The application team needs a week to fix this in code, due to other priorities.

Is there a way to handle this with server-level config in the meantime? What additional/different config can help us achieve the requirement?

George
  • Couldn't you use a [`Redirect` statement](https://httpd.apache.org/docs/2.4/mod/mod_alias.html#redirect) to move the old bookmarks to `https` rather than trying to reverse proxy both `http` and `https`? – Richard Smith May 17 '19 at 14:45
  • The app server (Tomcat) is running in HTTP only. So the redirect (from the code) problem will still remain. I was checking, if this can be avoided. – George May 19 '19 at 16:21
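
One server-level way to keep Tomcat-generated redirects on https, shown here as an added example that is not part of the original post or its comments: a second loopback-only connector that tells Tomcat the client-facing scheme, host and port. Port 8081 is an assumed free port; `scheme`, `secure`, `proxyName` and `proxyPort` are standard Tomcat HTTP connector attributes.

```xml
<!-- Tomcat conf/server.xml (added example; port 8081 is an assumed free port) -->

<!-- Existing connector: keeps serving the port-80 VirtualHost during the
     30-day grace period. Requests arriving here are reported to the
     application as plain http. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" address="127.0.0.1"
           redirectPort="8443" />

<!-- Connector used only by the port-443 VirtualHost. It still speaks plain
     HTTP on loopback, but scheme/secure/proxyName/proxyPort make
     request.getScheme(), isSecure(), getServerName() and getServerPort()
     return the values the browser used, so absolute URLs built by
     sendRedirect() start with https://domainname.com/.
     address must stay 127.0.0.1: any client able to reach this port directly
     would be treated as if it had arrived over TLS. -->
<Connector port="8081" protocol="HTTP/1.1"
           connectionTimeout="20000" address="127.0.0.1"
           scheme="https" secure="true"
           proxyName="domainname.com" proxyPort="443" />

<!-- Apache side, inside <VirtualHost *:443> only. The path stays /appName on
     both sides of each directive; only the backend port changes:

       ProxyPass         /appName http://localhost:8081/appName
       ProxyPassReverse  /appName http://localhost:8081/appName
-->
```

Checking the `Location` header of a login redirect through each VirtualHost shows which scheme Tomcat is emitting on that path.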
