MICHAIL MOUDATSOS
Yet another Apache - Tomcat - SSL question
22 February 2012 01:24

Rank: Regular Member
Posts: 110
Join Date: 4 October 2011

Hello all,

and sorry for asking something that has been asked in the past, but I can't find out what I'm doing wrong. There's a very strong possibility (actually close to '1') that my errors are from an Apache setup point of view. However, I'm turning to you since I'm not 100% sure and in order to provide a more recent post on the subject.

Goal: I'm trying to set up an Apache to work as a reverse proxy in front of the Liferay Tomcat bundle, in order to be able to allow only a limited set of requests, thus hiding some bugs and accessibility security issues of Liferay 6.0.6 CE. I'll use a self-signed certificate for this purpose. Note that I'm trying these on Windows OS. I would like to achieve this on a single machine (but I have also failed in a two-machine attempt).

Speculation: If I have understood correctly, there are (at least) two ways of doing this concerning SSL setup.
a) You set up your Apache to be able to listen to https (keypair and self-signed certificate and all), you terminate SSL on the Apache and then you set up Apache to speak with Tomcat in http.
b) You set up Apache to listen to https but you relay https requests to Tomcat. You set up Tomcat and Liferay to listen to and respond with https.

Process:
I haven't managed to perform a successful SSL termination on Apache yet. I haven't even figured out how you do that. Does this happen explicitly with a setup specifically for this purpose or does this happen implicitly if you proxy your requests to an http address?

In this guide, I assume they're trying to achieve the other way around, i.e., set up both Apache and Tomcat to understand SSL. So based on this guide I tried the following:

1) Tomcat
I've created a keystore file for tomcat using the java keytool. I provided file path and credentials to Tomcat in server.xml where I un-commented the appropriate Connector. I also changed the ROOT/WEB-INF/web.xml <transport-guarantee> attribute to 'confidential'.

2) Liferay
I've set all the properties that were similar to *.require.https to true and tried many combinations for # Web Server properties in the portal-ext.properties file. I managed to make Liferay work just fine over https.
Then I have to set up the features that imply that there's a web server in front of Liferay, in order to make Liferay generate proper URLs to fit your needs. So I declared the https port that my web server is using (default 443) (web.server.https.port) and the name of the web server (web.server.host) (in my case, the IP of the web server - this might be a gotcha, I don't know). Note that the corresponding http configuration worked for a plain http connection with the Apache (i.e. having an Apache listening to port 80 and proxying requests to Liferay at 8080).

3) Apache
Now, here comes the juicy part. I think I'll just give a sample of my httpd.conf. First of all I created a keypair using the openssl tool, I removed the passphrase from it due to Windows incompatibility, and I created the self-signed certificate using the resulting key. Then my configuration:

NameVirtualHost *:443
Listen 80
Listen 443

ProxyRequests Off

## didn't touch these -start
DocumentRoot "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
## didn't touch these -end

<VirtualHost *:443>
    ServerName https://10.0.0.101:443

    SSLProxyEngine On
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile C:\keystore\mycert.crt
    SSLCertificateKeyFile C:\keystore\key-nopassphrase.key

#    RewriteEngine On
#  I've commented those out to minimize debugging complexity, i.e. I allow any request to be proxied
#    RewriteRule ^ - [L,R=404]

    ProxyPass / https://10.0.0.100/
    ProxyPassReverse / https://10.0.0.100/

</VirtualHost>

# The rest of the file is left with defaults. There are some <IfModule> directives concerning mime, cgid, alias and log, so the only such directive I think might be interesting is
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>


I surely have some setup issues I can't really figure out, considering that https://localhost/index.html returns "It works!" (default Apache page in web root) but https://10.0.0.101/index.html does not, even with all proxy setup commented out (YES COMMENTED OUT, i.e. NO PROXYING). Note that the machine has more than one defined IP (caution - IPs, not actual network cards) but the topmost defined is 10.0.0.101. Also note that I've set up Tomcat to listen on port 443 on this particular attempt, that's why my proxy settings have the default port and not 8443 (I have also tried with 8443).

I have a feeling that my best bet is to try the other way around, i.e. terminate SSL on Apache but I don't really know how to do it.

As a bonus, here are some errors from the log:

[Wed Feb 22 10:35:12 2012] [notice] Parent: Received restart signal -- Restarting the server.
[Wed Feb 22 10:35:12 2012] [notice] Child 1144: Exit event signaled. Child process is ending.
[Wed Feb 22 11:16:22 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Feb 22 11:16:22 2012] [warn] Init: (10.0.0.101:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Feb 22 11:16:23 2012] [warn] Init: (10.0.0.101:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Feb 22 11:16:23 2012] [notice] Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8t configured -- resuming normal operations
[Wed Feb 22 11:16:23 2012] [notice] Server built: Jan 28 2012 11:16:39
[Wed Feb 22 11:16:23 2012] [notice] Parent: Created child process 3660
[Wed Feb 22 11:16:23 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Feb 22 11:16:23 2012] [warn] Init: (10.0.0.101:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Feb 22 11:16:24 2012] [warn] Init: (10.0.0.101:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Feb 22 11:16:24 2012] [notice] Child 3660: Child process is running
[Wed Feb 22 11:16:24 2012] [notice] Child 3660: Acquired the start mutex.
[Wed Feb 22 11:16:24 2012] [notice] Child 3660: Starting 64 worker threads.
[Wed Feb 22 11:16:24 2012] [notice] Child 3660: Starting thread to listen on port 443.
[Wed Feb 22 11:16:28 2012] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01


Any help would be appreciated.

P.S. (I'm still wiggling between the TLDR and "Give us more info about your problem" fears, so...)

MICHAIL MOUDATSOS
RE: Yet another Apache - Tomcat - SSL question
22 February 2012 05:20

Rank: Regular Member
Posts: 110
Join Date: 4 October 2011

OK guys,

For an Apache rookie's tired eyes, it was easy to slip.

The error log led me to the solution "Put SSLEngine On in your VirtualHost directive" and I thought I had; however, after some hours of searching and re-searching and checking default files (such as httpd-ssl.conf) I realized I had mixed up SSLEngine with SSLProxyEngine, and every time I read the first I was checking the second in my file, hence the error!

Now it works just fine, so add SSLEngine On above the SSLProxyEngine On and you're done!

At least this post can work as a summary of how to set up an Apache reverse proxy and Liferay with SSL!

If something needs elaboration in order to make this a better installation summary, please feel free to point it out!
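For readers using this thread as the installation summary the author suggests, here is the VirtualHost from the first post rewritten with the fix from the second post applied, plus the pieces the original goal asked for (an allowlist of proxied paths) and the two warnings from the posted log addressed. This is an added example, not the configuration from the original posts or from the Liferay project; it reuses the addresses and paths from the thread (10.0.0.101 for Apache, 10.0.0.100 for Tomcat, C:\keystore, the Apache2.2 install directory) and assumes Tomcat's plain HTTP connector on 8080 for option (a). The allowlisted URL prefixes are an assumption about Liferay's URL layout and must be adjusted to the real portal. The `\x16\x03\x01` in the log is the start of a TLS record (content type 0x16 = handshake, version 3.1 = TLS 1.0): a TLS ClientHello arrived on a listener that was speaking plain HTTP, which is what mod_ssl's "You configured HTTP(80) on the standard HTTPS(443) port!" warning was pointing at, and what `SSLEngine On` fixes.

```apache
# ---- Server config context (outside any <VirtualHost>) ----
# mod_rewrite, mod_proxy, mod_proxy_http, mod_ssl and mod_headers must be loaded.
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    # Silences "Session Cache is not configured [hint: SSLSessionCache]" from the log.
    # Path assumed to be the Apache2.2 install directory from the original post.
    SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
</IfModule>

Listen 80
Listen 443
NameVirtualHost *:443
# Reverse proxy only: never act as a forward (open) proxy.
ProxyRequests Off

# Plain-HTTP listener only redirects to HTTPS (assumption: all traffic should use TLS).
<VirtualHost *:80>
    ServerName 10.0.0.101
    RewriteEngine On
    RewriteRule ^/(.*)$ https://10.0.0.101/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName 10.0.0.101:443

    # The directive the original config lacked. Without it this vhost speaks
    # plain HTTP on 443, and a TLS ClientHello shows up in the error log as
    # "Invalid method in request \x16\x03\x01".
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder On
    SSLCertificateFile    "C:/keystore/mycert.crt"
    SSLCertificateKeyFile "C:/keystore/key-nopassphrase.key"

    # Allowlist: only "/" and the prefixes below are proxied; everything else is
    # answered with 404 by Apache and never reaches Tomcat. The prefix list is an
    # assumption for this example; adjust it to the portal's real URL layout.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/$
    RewriteCond %{REQUEST_URI} !^/(web|group|user|c|html|image|combo|api)(/|$)
    RewriteRule ^ - [R=404,L]

    # Pass the original Host header through and tell the backend the client used HTTPS.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Option (a): terminate TLS here, plain HTTP to Tomcat's 8080 connector (assumed port).
    ProxyPass        / http://10.0.0.100:8080/
    ProxyPassReverse / http://10.0.0.100:8080/

    # Option (b), what the thread ended up with: re-encrypt to Tomcat's HTTPS
    # connector. SSLProxyEngine On is then needed in addition to SSLEngine On.
    # By default mod_ssl does not verify the backend certificate (SSLProxyVerify
    # none), so the hop is encrypted but the backend is not authenticated; to
    # pin the self-signed Tomcat certificate, point SSLProxyCACertificateFile at it.
    # SSLProxyEngine On
    # SSLProxyVerify require
    # SSLProxyCACertificateFile "C:/keystore/tomcat-selfsigned.crt"
    # ProxyPass        / https://10.0.0.100/
    # ProxyPassReverse / https://10.0.0.100/
</VirtualHost>
```

With option (a), Tomcat itself never sees TLS, so its HTTP connector has to be told what the outside world sees: the standard connector attributes `proxyName="10.0.0.101"`, `proxyPort="443"`, `scheme="https"` and `secure="true"` make Tomcat build redirects and absolute URLs with the external scheme and port. On the Liferay side this pairs with the `web.server.host` and `web.server.https.port` properties the first post already set, plus `web.server.protocol=https` so the generated URLs use https even though the request reached Liferay over plain HTTP. Whichever option is used, the `RewriteRule ^ - [R=404,L]` line is what actually delivers the stated goal of exposing only a limited set of requests; leaving it commented out, as in the debugging config, proxies every path through to Liferay.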