| Author |  | 
| prabhusc 
 
 
 Joined: 10 Jun 2015
 Posts: 4
 Location: USA, Boston
 
 | 
|  Posted: Wed 10 Jun '15 13:28    Post subject: How to setup Apache 2.4 ssl offloading with Jboss 7.1 |   |  
| 
 |  
| I am using Apache 2.4 and JBoss 7.1 on a Windows Server 2012 server. The requirement is to have SSL offload in place for communication between Apache and JBoss. Apache will be secured to handle client requests; from Apache onwards, all servers are in a trusted zone, hence the offload requirement.
 Any step-by-step guidelines or notes would be helpful.
 |  | 
| James Blond Moderator
 
  
 Joined: 19 Jan 2006
 Posts: 7442
 Location: EU, Germany, Next to Hamburg
 
 | 
|  Posted: Wed 10 Jun '15 16:50    Post subject: |   |  
| 
 |  
| You need a or b or c? 
 a)
 internet <--SSL-->apache<--SSL-->JBoss
 
 or
 
 b)
 internet <--SSL-->apache<--http-->JBoss
 
 or
 c)
 internet <--SSL-->apache<--ajp-->JBoss
 |  | 
| prabhusc 
 
 
 Joined: 10 Jun 2015
 Posts: 4
 Location: USA, Boston
 
 | 
|  Posted: Wed 10 Jun '15 17:27    Post subject: Option B |   |  
| 
 |  
| Hi James, I am looking for option B.
 |  | 
| James Blond Moderator
 
  
 Joined: 19 Jan 2006
 Posts: 7442
 Location: EU, Germany, Next to Hamburg
 
 |  | 
| prabhusc 
 
 
 Joined: 10 Jun 2015
 Posts: 4
 Location: USA, Boston
 
 | 
|  Posted: Wed 10 Jun '15 19:05    Post subject: |   |  
| 
 |  
| Hi James,
 here is what my vhost looks like:
 <VirtualHost *:443>
 ServerName <<server name>>
 SSLEngine on
 ProxyPreserveHost On
 SSLProxyEngine on
 SSLProxyVerify none
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLCertificateFile "${SRVROOT}/conf/ssl/cert.cer"
 SSLCertificateKeyFile "${SRVROOT}/conf/ssl/mgclmsqa.key"
 DocumentRoot "${SRVROOT}/htdocs"
 <Location />
 ProxyPass http://10.197.128.133:9080/ACS/servlet/ACS
 ProxyPassReverse http://10.197.128.133:9080/ACS/servlet/ACS
 </Location>
 </VirtualHost>
 
 and my JBoss standalone looks as below:
 <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
 <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
 <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
 <ssl name="https" password="*****" certificate-key-file="C:/Users/userit/jms.keystore" cipher-suite="TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
 </connector>
 <virtual-server name="default-host" enable-welcome-root="true">
 <alias name="localhost"/>
 <alias name="example.com"/>
 </virtual-server>
 </subsystem>
 
 I see the below error in the developer tools:
 Mixed Content: The page at 'https://lmsqa.massgaming.com/MGC_Licensing/?caseid=VPQ000085#mgc_gks_application/application/mgc_download_forms' was loaded over HTTPS, but requested an insecure resource 'http://10.197.128.133:9080/ACS/servlet/ACS?command=read&version=2.3&docbase…31269&mime_type=application%2Fpdf&parallel_streaming=true&expire_delta=360'. This request has been blocked; the content must be served over HTTPS.
 |  | 
| prabhusc 
 
 
 Joined: 10 Jun 2015
 Posts: 4
 Location: USA, Boston
 
 | 
|  Posted: Wed 10 Jun '15 19:13    Post subject: |   |  
| 
 |  
| Just to make it clear, here is how my system architecture is: Apache -- tcServer
 same Apache -- JBoss
 
 SSL offloading is set up for tcServer, which seems to be fine, and the actual application is hosted in tcServer. At one point, there is a feature where the user is directed to JBoss to view content.
 
 If I look at the error, the initial tcServer application itself is loaded in HTTPS; having said that, the main application is not offloaded.
 And we are trying to access the JBoss application, which is http (offloading working fine), I believe.
 
 Please let me know if my understanding is correct.
 To enable Apache SSL offload for tcServer, do I need to do the same thing which you suggested for JBoss?
 |  | 
| James Blond Moderator
 
  
 Joined: 19 Jan 2006
 Posts: 7442
 Location: EU, Germany, Next to Hamburg
 
 | 
|  Posted: Thu 11 Jun '15 10:51    Post subject: |   |  
| 
 |  
| The first issue with the mixed content is caused by your application. It puts the requested hostname and/or protocol into the source / HTML. Using ajp would avoid that. 
 So you can fix the application code with relative paths and try to use ajp instead of http.
 
 I've no clue what tcserver is.
 |  | 
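A check for the condition described in the last reply, as an added example that is not part of the original thread: this Python code scans a page's HTML for absolute http:// subresource URLs, which a browser blocks on an HTTPS page, and separately flags those that point at a private IP address, as in the error posted above. The names URL_ATTRS, is_private_host, Collector and find_mixed_content, and the sample HTML, are assumptions made for the illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "action", "data"}  # attributes the browser fetches


def is_private_host(host):
    """True when host is an IP literal in a private or loopback range."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a DNS name, not an IP literal
        return False


class Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # plain links are navigations, not subresource loads
            return
        for name, value in attrs:
            # Relative, protocol-relative and https URLs have a scheme other than "http".
            if name in URL_ATTRS and urlsplit(value or "").scheme == "http":
                host = urlsplit(value).hostname or ""
                kind = "backend-address" if is_private_host(host) else "insecure-scheme"
                self.findings.append((kind, tag, value))


def find_mixed_content(html):
    """Return (kind, tag, url) for each absolute http:// subresource reference."""
    collector = Collector()
    collector.feed(html)
    collector.close()
    return collector.findings


# Constructed sample page; hosts and paths are placeholders, not from the thread.
SAMPLE = """<html><body>
<iframe src="http://10.0.0.5:9080/docs/view?id=1"></iframe>
<img src="http://static.example.com/logo.png">
<script src="/js/app.js"></script>
<a href="http://www.example.com/help">help</a>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE):
        print(*finding)
```

A "backend-address" finding means the page hands clients an internal server address directly, so the request never passes through the SSL-terminating Apache at all.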