From: Jon Brule
To: users@httpd.apache.org
Date: Mon, 19 Mar 2007 13:00:06 -0400
Subject: [users@httpd] Re: Reverse Proxy - How to disable HTTP access?

Sigh... Relief...

After some digging and playing, I figured out that I needed to do the proxy change in the mod_ssl configuration file (/etc/httpd/conf.d/ssl.conf) and not in the main configuration file (/etc/httpd/conf/httpd.conf). As a result, I am configuring the reverse proxy under the default SSL virtual host using the following syntax:

         <VirtualHost _default_:443>
             SSLEngine on
             .
             .
             .
             SSLProxyEngine on
             ProxyPass /timesheet http://localhost:8080/system
             ProxyPassReverse /timesheet http://localhost:8080/system
         </VirtualHost>

Doing this enables the proxy only for the SSL virtual host, which is exactly what I wanted to do!!!

Also, it seems that I may use genkey(1) to update the server certificate...

Hope this info helps someone else too...

Thanks,
Jon Brule

At 11:04 AM 3/19/2007, Jon Brule wrote:
> Good Morning,
>
> First, I must apologize and confess to being a reverted newbie... Years ago (pre 2000), I worked with the Apache web server, but I find myself suffering from C.R.S. syndrome...
>
> I have set up a reverse proxy for an internal HTTP Tomcat web service on a default configuration for Apache 2.2 web server. My additional configuration is as follows (system / host names changed to protect the guilty):
>
>         #
>         # Reverse Proxy Server: Backend system on Tomcat server
>         #
>         <IfModule mod_proxy.c>
>         ProxyRequests Off
>
>         <Proxy http://internet.com/system/*>
>             Order deny,allow
>             Deny from all
>         </Proxy>
>
>         ProxyPass /timesheet http://localhost:8080/system
>         ProxyPassReverse /timesheet http://localhost:8080/system
>         </IfModule>
>
> The reverse proxy works fine when I attempt to go to the http://internet.com/system URL. I also discovered that SSL is available by default on my installation (Apache was installed via RedHat Fedora Core 6) using a default SSL localhost self-signed certificate. This means that the application is also available through the https://internet.com/system URL.
>
> My chief question (one for which I am still combing the archives) is how do I disable the proxy configuration for the HTTP URL? I want only to proxy the system's access when the HTTPS protocol is used to connect to Apache. Can I do it with this type of configuration, or do I need to think about a virtual host?
>
> Also, I assume the following to be an FAQ: How does one change the default localhost self-signed certificate to a custom one (self-signed or official)? Is this strictly done with OpenSSL work, or does it require some Apache configuration as well? Again, looking through the archives for this one too...
>
> Any info would be greatly appreciated...
>
> Thanks,
> Jon Brule

Regards,
Jon
_________________
Jon R. Brule
Paramount Computing Associates
585-231-2037 / 8*221-2037 (Xerox Office)
585-345-9622 (PCA Main Number)
585-721-3554 (Mobile)
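
An added example, not part of the original message: a small Python check that reports which ProxyPass mappings in an httpd configuration sit outside an SSL-enabled virtual host, the situation described in the original question. The sample configuration is constructed from the two layouts in the thread; the function names are hypothetical, and the check reads one file's text without following Include directives.

```python
import re

# Constructed sample mirroring the two layouts in the thread: a ProxyPass in the
# main server config (httpd.conf) and one inside the SSL virtual host (ssl.conf).
SAMPLE_CONF = """\
ProxyRequests Off
<IfModule mod_proxy.c>
    ProxyPass /timesheet http://localhost:8080/system
    ProxyPassReverse /timesheet http://localhost:8080/system
</IfModule>
<VirtualHost _default_:443>
    SSLEngine on
    ProxyPass /timesheet http://localhost:8080/system
    ProxyPassReverse /timesheet http://localhost:8080/system
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+([^>]*)>", re.I)
CLOSE = re.compile(r"</VirtualHost>", re.I)

def audit_proxypass(conf_text):
    """Return (line_no, scope, path, tls) for each ProxyPass directive.

    scope is "global" or the <VirtualHost> address; tls is True only when the
    enclosing virtual host contains "SSLEngine on" (before or after the mapping).
    """
    found, vhost, ssl_vhosts = [], None, set()
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            vhost = (no, m.group(1).strip())   # key each vhost by its opening line
        elif CLOSE.match(line):
            vhost = None
        else:
            parts = line.split()
            name = parts[0].lower()
            if name == "sslengine" and vhost and [p.lower() for p in parts[1:2]] == ["on"]:
                ssl_vhosts.add(vhost)
            elif name == "proxypass" and len(parts) >= 3 and parts[2] != "!":
                found.append((no, vhost, parts[1]))
    return [(no, vh[1] if vh else "global", path, vh in ssl_vhosts)
            for no, vh, path in found]

def plaintext_exposed(conf_text):
    """ProxyPass mappings that are not confined to an SSL-enabled virtual host."""
    return [r for r in audit_proxypass(conf_text) if not r[3]]
```

Running `plaintext_exposed` over the combined text of httpd.conf and ssl.conf lists any mapping still defined at main-server level or in a non-SSL virtual host.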