logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: How to setup Apache 2.4 ssl offloading with Jboss 7.1
Author
prabhusc



Joined: 10 Jun 2015
Posts: 4
Location: USA, Boston

PostPosted: Wed 10 Jun '15 13:28    Post subject: How to setup Apache 2.4 ssl offloading with Jboss 7.1 Reply with quote

I am using Apache 2.4 and Jboss 7.1 on Windows server 2012 server.
requirement is to have SSL offload in place for communication between Apache to Jboss. Apache will be secured to handle client requests from Apache onwards all servers in trusted zone hence there is offload requirement.
if there is any step by step guidelines or notes would be helpful
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7364
Location: Germany, Next to Hamburg

PostPosted: Wed 10 Jun '15 16:50    Post subject: Reply with quote

You need a or b or c?

a)
internet <--SSL-->apache<--SSL-->JBoss

or

b)
internet <--SSL-->apache<--http-->JBoss

or
c)
internet <--SSL-->apache<--ajp-->JBoss
Back to top
prabhusc



Joined: 10 Jun 2015
Posts: 4
Location: USA, Boston

PostPosted: Wed 10 Jun '15 17:27    Post subject: Option B Reply with quote

Hi James
i am looking for option B
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7364
Location: Germany, Next to Hamburg

PostPosted: Wed 10 Jun '15 18:32    Post subject: Reply with quote

Basicly it is just

Code:

    <Location />
        ProxyPass http://JBoss:8080/
        ProxyPassReverse http://JBoss:8080/
    </Location>



A full vhost config https://gist.github.com/JBlond/550b1e5a9275eefe95ca

-- edit --

using ajp would be faster for the app

then it would be

<Location />
ProxyPass ajp://JBoss:8009/
ProxyPassReverse ajp://JBoss:8009/
</Location>
Back to top
prabhusc



Joined: 10 Jun 2015
Posts: 4
Location: USA, Boston

PostPosted: Wed 10 Jun '15 19:05    Post subject: Reply with quote

Hi james,

here is my vhost looks like
<VirtualHost *:443>
ServerName <<server name>>
SSLEngine on
ProxyPreserveHost On
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "${SRVROOT}/conf/ssl/cert.cer"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/mgclmsqa.key"
DocumentRoot "${SRVROOT}/htdocs"
<Location />
ProxyPass http://10.197.128.133:9080/ACS/servlet/ACS
ProxyPassReverse http://10.197.128.133:9080/ACS/servlet/ACS
</Location>
</VirtualHost>

and my Jboss standalone looks as below
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="https" password="*****" certificate-key-file="C:/Users/userit/jms.keystore" cipher-suite="TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>

i see the below error in developer tool
Mixed Content: The page at 'https://lmsqa.massgaming.com/MGC_Licensing/?caseid=VPQ000085#mgc_gks_application/application/mgc_download_forms' was loaded over HTTPS, but requested an insecure resource 'http://10.197.128.133:9080/ACS/servlet/ACS?command=read&version=2.3&docbaseā€¦31269&mime_type=application%2Fpdf&parallel_streaming=true&expire_delta=360'. This request has been blocked; the content must be served over HTTPS.
Back to top
prabhusc



Joined: 10 Jun 2015
Posts: 4
Location: USA, Boston

PostPosted: Wed 10 Jun '15 19:13    Post subject: Reply with quote

just to make it clear here is how my system architecture is
Apache -- tcserver
same Apache -- Jboss

SSL offloading is setup for tcserver, which seems to be fine and actual application is hosted in tcServer, at one point of time, there is feature where user is directed to Jboss to view content.

if i see error, initial tcServer application itself is loaded in HTTPS, having said that, main application is not offloaded.
and we are trying to access jboss application which http (offloading working fine) i believe

please let me know if my understanding is correct.
to enable Apache SSL offload for tcServer, do i need to make same thing which you suggested for Jboss?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7364
Location: Germany, Next to Hamburg

PostPosted: Thu 11 Jun '15 10:51    Post subject: Reply with quote

The first issue with the mixed content is caused by your application. It puts the requested hostname and or protocol into the source / html. Using ajp would avoid that.

So you can fix the application code with relative paths and try to use ajp instead of http.

I've no clue what tcserver is.
Back to top


Reply to topic   Topic: How to setup Apache 2.4 ssl offloading with Jboss 7.1 View previous topic :: View next topic
Post new topic   Forum Index -> Apache