Author |
|
prabhusc
Joined: 10 Jun 2015 Posts: 4 Location: USA, Boston
|
Posted: Wed 10 Jun '15 13:28 Post subject: How to setup Apache 2.4 ssl offloading with Jboss 7.1 |
|
|
I am using Apache 2.4 and JBoss 7.1 on a Windows Server 2012 server.
The requirement is to have SSL offload in place for communication between Apache and JBoss. Apache will be secured to handle client requests; from Apache onwards, all servers are in the trusted zone, hence the offload requirement.
If there are any step-by-step guidelines or notes, that would be helpful. |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7364 Location: Germany, Next to Hamburg
|
Posted: Wed 10 Jun '15 16:50 Post subject: |
|
|
You need a or b or c?
a)
internet <--SSL-->apache<--SSL-->JBoss
or
b)
internet <--SSL-->apache<--http-->JBoss
or
c)
internet <--SSL-->apache<--ajp-->JBoss |
|
|
prabhusc
Joined: 10 Jun 2015 Posts: 4 Location: USA, Boston
|
Posted: Wed 10 Jun '15 17:27 Post subject: Option B |
|
|
Hi James,
I am looking for option B. |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7364 Location: Germany, Next to Hamburg
|
|
|
prabhusc
Joined: 10 Jun 2015 Posts: 4 Location: USA, Boston
|
Posted: Wed 10 Jun '15 19:05 Post subject: |
|
|
Hi James,
Here is what my vhost looks like:

<VirtualHost *:443>
    ServerName <<server name>>
    SSLEngine on
    ProxyPreserveHost On
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "${SRVROOT}/conf/ssl/cert.cer"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/mgclmsqa.key"
    DocumentRoot "${SRVROOT}/htdocs"
    <Location />
        ProxyPass http://10.197.128.133:9080/ACS/servlet/ACS
        ProxyPassReverse http://10.197.128.133:9080/ACS/servlet/ACS
    </Location>
</VirtualHost>

And my JBoss standalone looks as below:

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https" password="*****" certificate-key-file="C:/Users/userit/jms.keystore" cipher-suite="TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>

I see the below error in the developer tools:

Mixed Content: The page at 'https://lmsqa.massgaming.com/MGC_Licensing/?caseid=VPQ000085#mgc_gks_application/application/mgc_download_forms' was loaded over HTTPS, but requested an insecure resource 'http://10.197.128.133:9080/ACS/servlet/ACS?command=read&version=2.3&docbase…31269&mime_type=application%2Fpdf&parallel_streaming=true&expire_delta=360'. This request has been blocked; the content must be served over HTTPS. |
|
|
prabhusc
Joined: 10 Jun 2015 Posts: 4 Location: USA, Boston
|
Posted: Wed 10 Jun '15 19:13 Post subject: |
|
|
Just to make it clear, here is how my system architecture is:
Apache -- tcServer
same Apache -- JBoss
SSL offloading is set up for tcServer, which seems to be fine, and the actual application is hosted in tcServer. At one point there is a feature where the user is directed to JBoss to view content.
If I see the error, the initial tcServer application itself is loaded in HTTPS; having said that, the main application is not offloaded.
And we are trying to access the JBoss application, which is http (offloading working fine), I believe.
Please let me know if my understanding is correct.
To enable Apache SSL offload for tcServer, do I need to do the same thing which you suggested for JBoss? |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7364 Location: Germany, Next to Hamburg
|
Posted: Thu 11 Jun '15 10:51 Post subject: |
|
|
The first issue with the mixed content is caused by your application. It puts the requested hostname and/or protocol into the source / HTML. Using ajp would avoid that.
So you can fix the application code with relative paths and try to use ajp instead of http.
I've no clue what tcserver is. |
|
|
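The AJP suggestion from the last reply, written out as a vhost. This is an added example, not configuration posted by either participant: the www.example.com name, the /ACS/ path prefix, AJP port 8009 and the SSLProtocol / SSLCipherSuite values are assumptions, and it presumes mod_proxy_ajp is loaded and an AJP connector is enabled on the JBoss side.

```apache
# Added example, not either poster's configuration.
# Assumed: the www.example.com name, the /ACS/ path prefix, AJP port 8009,
# and the SSLProtocol / SSLCipherSuite values.
<VirtualHost *:443>
    ServerName www.example.com

    # TLS ends at Apache; this is the offload.
    SSLEngine on
    SSLCertificateFile    "${SRVROOT}/conf/ssl/cert.cer"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/mgclmsqa.key"

    # The posted cipher string started from ALL, which admits LOW, export-grade
    # and RC4 suites where the OpenSSL build still ships them.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    # The SSLProxy* lines are dropped: the hop to JBoss is not TLS, so they had
    # no effect, and they would disable all peer checks if it ever became https.
    ProxyPreserveHost On

    # mod_proxy_ajp passes the client-facing scheme, host and port to the
    # backend, so URLs the container builds from the request come out as https.
    ProxyPass        /ACS/ ajp://10.197.128.133:8009/ACS/
    ProxyPassReverse /ACS/ ajp://10.197.128.133:8009/ACS/
</VirtualHost>
```

Links that the application writes into its pages as absolute backend addresses still have to be changed to relative paths, as the reply above says; the proxy configuration does not rewrite page content.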