Apache24 https reverse proxy to Domino5 not entirely working

 
pmailhot1



Joined: 26 Sep 2018
Posts: 2
Location: US, New York

Posted: Wed 26 Sep '18 19:22    Post subject: Apache24 https reverse proxy to Domino5 not entirely working

I have Apache24 https reverse proxy to Lotus Domino http. It works fine up to the login page for Domino. Once clients log in they are getting an http page instead of an https page. Once I type in "https://" in front of the URL everything works fine through all other requests. Any ideas why the login page does not reverse proxy back to an https page?

Paul

My httpd.conf file is below:

<VirtualHost *:443>

ServerName www.myserver.com:443

<Proxy *>

Order deny,allow
Allow from All

</Proxy>

ProxyRequests Off
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1/
ProxyPassReverse / http://l27.0.0.1/

RedirectMatch ^/$ https://www.myserver.com

SSLEngine on
SSLProxyEngine On
SSLCertificateFile c:\apache24\certs\wf03.cer
SSLCertificateKeyFile c:\apache24\certs\wf03.key

</VirtualHost>
mraddi



Joined: 27 Jun 2016
Posts: 84
Location: Schömberg, Baden-Württemberg, Germany

Posted: Wed 26 Sep '18 23:56

Hello Paul,

let me summarize in my words:
* you have a http-server (in this case Lotus Notes Domino) running on a server
* on the SAME server you have an apache listening to only port 443 proxying these requests to localhost:80
* I guess you are doing this to add more security (encryption) and it is hard (impossible?) to add https directly to Lotus Notes Domino?

One thing I noticed from your config-snippet is the "l" (lowercase L) instead of the "1" in the ProxyPassReverse IP-address 127.0.0.1.
Another thing is the RedirectMatch. Within the virtual host listening on port 443 you add a redirect from / to the same host (see ServerName) to https, which is this VirtualHost itself. This will result in a redirect-loop if a browser tries to access https://www.myserver.com/

Assuming my guesses above are (more or less) correct I would prefer a slightly different setup than you did:
* have Lotus Notes Domino listening on some other port different than 80 (maybe 8080?)
* remove the RedirectMatch from the *:443-VirtualHost
* reconfigure the ProxyPass and ProxyPassReverse to the Lotus Notes Domino listening on port 8080
* configure Apache to listen to port 80 and redirect these requests to https - so even users entering http://www.myserver.com are redirected to https
* establish firewall-rules to prevent port 8080 from being accessed from outside your server

With this configuration you have the apache in front of your Lotus Notes Domino and might do some blocking for unallowed paths/files/parameters/whatsoever without the need to do this within Lotus Notes Domino's webserver-config.
Additionally, you redirect users to https if they try to access the host unencrypted.

(Googled a little for Lotus Notes Domino - see https://www.ibm.com/support/knowledgecenter/en/SSKTMJ_9.0.1/admin/conf_settingupadominoserverasawebserver_t.html.) It seems to be possible to configure Lotus Notes Domino to listen to https itself. So why not go this way? It might avoid some trouble that may arise using the ProxyPass-configuration within your apache?

Hope it helps?

Best regards
Matthias
pmailhot1



Joined: 26 Sep 2018
Posts: 2
Location: US, New York

Posted: Fri 28 Sep '18 3:57    Post subject: A solution

Dear Matthias,

Thank you for your help and explanations. The R5 Domino application server I am running does not allow encryption later than SSLv3, so it is pretty much useless with any up-to-date browser.

I got things working today making some adjustments to my httpd.conf file, I believe, along the lines you suggested. I had not implemented the port 8080 suggestion you made. Can you explain the reasons that would be better than the configuration I am running? Thanks for your help. Conf file is below.

Regards,
Paul

Listen 80
Listen 443

<VirtualHost *:80>
ServerName www.myserver.com
Redirect / https://www.myserver.com/
</VirtualHost>

<VirtualHost *:443>
ServerName www.myserver.com:443

<Proxy *>
Order deny,allow
Allow from All
</Proxy>

ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1/
ProxyPassReverse / http://l27.0.0.1/

SSLEngine on
SSLProxyEngine On
SSLCertificateFile c:\apache24\certs\wf03.cer
SSLCertificateKeyFile c:\apache24\certs\wf03.key

</VirtualHost>
mraddi



Joined: 27 Jun 2016
Posts: 84
Location: Schömberg, Baden-Württemberg, Germany

Posted: Sat 29 Sep '18 20:40

Hello,

Only SSL3? That IS a reason for not using the Domino's https-encryption.

The simple reason for not using Domino's own http-server for listening to port 80 is that you have more possibilities with apache to work on unencrypted port 80 and redirect requests to encrypted port 443.
Another effect is that now you can easily split the apache-part and the Domino-part and put them on two different servers.

Within the config you have posted there is still the lowercase L within the ProxyPassReverse instead of the number 1.

If you want to increase security on port 443 you can deny SSL3, TLS1.0 and maybe TLS1.1, too. (if your clients can speak TLS1.2)

Best regards
Matthias
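
The two config mistakes pointed out in the replies above (a ProxyPassReverse backend that differs from the ProxyPass backend, and a redirect of / back onto the same https VirtualHost) can be caught mechanically. The following is an added example, not code from any post in this thread; the function names and finding labels are hypothetical, and the sample is the first posted config cut down to the directives the checks read.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the first config from the thread, reduced to what is checked.
SAMPLE_CONF = """\
<VirtualHost *:443>
ServerName www.myserver.com:443
ProxyPass / http://127.0.0.1/
ProxyPassReverse / http://l27.0.0.1/
RedirectMatch ^/$ https://www.myserver.com
SSLEngine on
</VirtualHost>
"""

def check_vhost(vhost, d):
    out = []
    # ProxyPassReverse rewrites only backend Location headers that begin with
    # its URL, so it must name the same backend as the ProxyPass for that path.
    for path, url in d["rev"].items():
        if d["pass"].get(path) != url:
            out.append((vhost, "reverse-mismatch", url))
    # A redirect whose target is this same TLS vhost, and whose target path
    # matches the rule again, sends the browser round in a loop.
    for kind, rule, target in d["redir"]:
        t = urlsplit(target)
        path = t.path or "/"
        again = re.search(rule, path) if kind == "redirectmatch" else path.startswith(rule)
        if d["ssl"] and t.scheme == "https" and t.hostname == d["name"] and again:
            out.append((vhost, "redirect-loop", target))
    return out

def lint(conf_text):
    fresh = lambda: {"pass": {}, "rev": {}, "redir": [], "name": None, "ssl": False}
    findings, vhost, d = [], None, fresh()
    for line in (l.strip() for l in conf_text.splitlines()):
        parts = line.split()
        key = parts[0].lower() if parts else ""
        if key == "<virtualhost":
            vhost, d = line[len("<VirtualHost"):].strip(" >"), fresh()
        elif key == "</virtualhost>":
            findings += check_vhost(vhost, d)
        elif key in ("proxypass", "proxypassreverse") and len(parts) >= 3:
            d["pass" if key == "proxypass" else "rev"][parts[1]] = parts[2].lower()
        elif key in ("redirect", "redirectmatch") and len(parts) >= 3:
            d["redir"].append((key, parts[-2], parts[-1]))
        elif key == "servername" and len(parts) >= 2:
            d["name"] = parts[1].lower().split(":")[0]
        elif key == "sslengine" and len(parts) >= 2:
            d["ssl"] = parts[1].lower() == "on"
    return findings
```

Run against the second posted config, only the reverse-mismatch finding remains, because the redirect there lives in the port 80 VirtualHost.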