******* nss.conf.testweb01 *******

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
NSSPassPhraseDialog file:/etc/httpd/.password.conf
#NSSPassPhraseDialog builtin
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin

<VirtualHost _default_:443>
DocumentRoot "/var/www/docroot"
NSSProxyCheckPeerCN Off
NSSEngine on
NSSProxyEngine on
NSSEnforceValidCerts off
NSSRenegotiation on
NSSRequireSafeNegotiation on
NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
NSSFIPS on
NSSOCSP off
ProxyPreserveHost On

<Location /dse-help>
    #SSLRenegBufferSize 10486000
    NSSVerifyClient none
    NSSOptions +StdEnvVars
    ProxyPass https://testapp01:8007/dse-help
    ProxyPassReverse https://testapp01:8007/dse-help
</Location>

<Location /dse/opensearch>
    NSSOptions +ExportCertData +StdEnvVars
    NSSVerifyClient require
    ProxyPass https://testapp01:8007/dse/opensearch
    ProxyPassReverse https://testapp01:8007/dse/opensearch
</Location>

<Location /dse/system_announcements/feed>
    NSSVerifyClient none
    NSSOptions +StdEnvVars
    ProxyPass https://testapp01:8007/dse/system_announcements/feed
    ProxyPassReverse https://testapp01:8007/dse/system_announcements/feed
</Location>

<Location /dse/feeds>
    NSSVerifyClient none
    NSSOptions +StdEnvVars
    ProxyPass https://testapp01:8007/dse/feeds
    ProxyPassReverse https://testapp01:8007/dse/feeds
</Location>

<Location /dse/web-services/publish?wsdl>
    NSSVerifyClient none
    NSSOptions +StdEnvVars
    ProxyPass https://testapp01:8007/dse/web-services/publish?wsdl
    ProxyPassReverse https://testapp01:8007/dse/web-services/publish?wsdl
</Location>

<Location /dse/web-services/emtopic?wsdl>
    NSSVerifyClient none
    NSSOptions +StdEnvVars
    ProxyPass https://testapp01:8007/dse/web-services/emtopic?wsdl
    ProxyPassReverse https://testapp01:8007/dse/web-services/emtopic?wsdl
</Location>

<Location /dse/web-services>
    NSSOptions +ExportCertData +StdEnvVars
    NSSVerifyClient require
    ProxyPass https://testapp01:8007/dse/web-services
    ProxyPassReverse https://testapp01:8007/dse/web-services
</Location>

<Location /dse>
    #SSLRenegBufferSize 52430000
    NSSVerifyClient optional
    NSSOptions +ExportCertData +StdEnvVars
    ProxyPass https://testapp01:8007/dse
    ProxyPassReverse https://testapp01:8007/dse
</Location>

<Location /juddiv3/services/security?wsdl>
    NSSVerifyClient none
    NSSOptions +StdEnvVars
    ProxyPass https://testapp01:8009/juddiv3/services/security?wsdl
    ProxyPassReverse https://testapp01:8007/juddiv3/services/security?wsdl
</Location>

<Location /juddiv3/services/inquiry?wsdl>
    NSSVerifyClient none
    NSSOptions +StdEnvVars
    ProxyPass https://testapp01:8009/juddiv3/services/inquiry?wsdl
    ProxyPassReverse https://testapp01:8009/juddiv3/services/inquiry?wsdl
</Location>

<Location /juddiv3/services/publish?wsdl>
    NSSVerifyClient none
    NSSOptions +StdEnvVars
    ProxyPass https://testapp01:8009/juddiv3/services/publish?wsdl
    ProxyPassReverse https://testapp01:8009/juddiv3/services/publish?wsdl
</Location>

<Location /juddiv3>
    #SSLRenegBufferSize 10486000
    NSSVerifyClient require
    NSSOptions +ExportCertData +StdEnvVars
    ProxyPass https://testapp01:8009/juddiv3
    ProxyPassReverse https://testapp01:8009/juddiv3
</Location>

<Location />
    #SSLRenegBufferSize 52430000
    NSSVerifyClient optional
    NSSOptions +ExportCertData +StdEnvVars
    ProxyPass https://testapp01:8007/dse
    ProxyPassReverse https://testapp01:8007/dse
</Location>

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    NSSOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    NSSOptions +StdEnvVars
</Directory>

# initialize the SSL headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_CERT ""
RequestHeader set SSL_CIPHER ""
RequestHeader set SSL_SESSION_ID ""
RequestHeader set SSL_CIPHER_USEKEYSIZE ""
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"

CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
LogLevel info
</VirtualHost>

******* rewrite.conf.testweb01 *******

#
# rewrite.conf:
# These rules handle all http:// protocol requests.
#
RewriteEngine on

# General:
# Disable HTTP TRACE on all requests.
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# General:
# Redirect requests to https, EXCEPT for the favicon, User-Defined URLs, System-Defined URLs, DDMS, AOP.
# https rewrite rules are found in ssl.conf.
RewriteCond %{SERVER_PROTOCOL} !https
RewriteCond %{REQUEST_URI} !^/favicon.ico
RewriteCond %{REQUEST_URI} !^/mdr/ns
RewriteCond %{REQUEST_URI} !^/mdr/irs
RewriteCond %{REQUEST_URI} !^/mdr/documents
RewriteCond %{REQUEST_URI} !^/dse/uriService
RewriteCond %{REQUEST_URI} !^/dse/ns
RewriteCond %{REQUEST_URI} !^/dse/irs
RewriteCond %{REQUEST_URI} !^/dse/documents
RewriteCond %{REQUEST_URI} !^/dse/downloads
# query string containing wsdl (e.g. <somepath>/publish?wsdl), let it fetch as http
RewriteCond %{QUERY_STRING} !wsdl
RewriteRule ^/(.*)$ https://testweb01/$1 [last,redirect]

# Redirect DSE 1.x URLs to new DSE 2.0 locations
RewriteRule ^/mdr/irs/(.*)$ http://testweb01/dse/irs/$1 [L,redirect]
RewriteRule ^/mdr/ns/(.*)$ http://testweb01/dse/ns/$1 [L,redirect]
RewriteRule ^/mdr/documents/(.*)$ http://testweb01/dse/documents/$1 [L,redirect]

# Redirect / to the DSE Homepage.
RewriteRule ^/$ https://testweb01/dse [L]

******* ssl.conf.prodweb01 *******

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
# For the moment, see <URL:http://www.modssl.org/docs/> for this info.
# The documents are still being prepared from material donated by the
# modssl project.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Until documentation is completed, please check http://www.modssl.org/
# for additional config examples and module docmentation. Directives
# and features of mod_ssl are largely unchanged from the mod_ssl project
# for Apache 1.3.
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# To allow connections to IPv6 addresses add "Listen [::]:443"
#
Listen 0.0.0.0:443

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache dbm:/var/cache/mod_ssl/scache(512000)
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/log/httpd/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
#httpd 2.0.63 does not like SSLCryptoDevice
#SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>
JkMountCopy On

#
# ssl.conf rewrite rules:
# These rules handle all https:// protocol requests.
#
RewriteEngine on

# Redirect DSE 1.x URLs to new DSE 2.0 locations
RewriteRule ^/mdr/mdwgDocuments.htm$ https://prodweb01/dse-help/en/Metadata_Working_Group [L,redirect]
RewriteRule ^/eads(.*)$ https://prodweb01/dse [L,redirect]
RewriteRule ^/mdr/details.htm(.*)$ https://prodweb01/dse/details$1 [L,redirect]
RewriteRule ^/mdr(.*)$ https://prodweb01/dse [L,redirect]
RewriteRule ^/ncp(.*)$ https://prodweb01/dse [L,redirect]
RewriteRule ^/sd(.*)$ https://prodweb01/dse [L,redirect]
RewriteRule ^/dse/homepage.htm$ https://prodweb01/dse [L,redirect]

# Redirect requests for OpenSearch
RewriteRule ^/opensearchdescription.xml$ https://prodweb01/dse/opensearch/opensearchdescription.xml [last,redirect]
RewriteRule ^/opensearch/$ https://prodweb01/dse/opensearch/$1 [last,redirect]

# Redirect requests for UDDI
RewriteRule ^/security(.*)$ https://prodweb01/juddiv3/services/security$1 [last,redirect]
RewriteRule ^/inquiry(.*)$ https://prodweb01/juddiv3/services/inquiry [L,redirect]
RewriteRule ^/publish(.*)$ https://prodweb01/juddiv3/services/publish [L,redirect]
RewriteRule ^/subscription(.*)$ https://prodweb01/juddiv3/services/subscription [L,redirect]

# Redirect / to the DSE Homepage.
RewriteRule ^/$ https://prodweb01/dse [last,redirect]

# General setup for the virtual host; inherited from global configuration.
# DocumentRoot "/var/www/html"
# ServerAdmin you@your.address
# ServerName new.host.name:443

# Use separate log files:
ErrorLog "|/usr/sbin/rotatelogs /var/log/httpd/ssl_error_log.%Y%m%d 86400 -300"
LogFormat "%h %{JSESSIONID}C %{SSL_CLIENT_S_DN_CN}e %t \"%r\" %>s %b %D"
TransferLog "|/usr/sbin/rotatelogs /var/log/httpd/ssl_access_log.%Y%m%d 86400 -300"

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLProtocol TLSv1
SSLCipherSuite AES256-SHA:AES128-SHA:DES-CBC3-SHA

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/dse-trusted.crt
SSLCADNRequestFile /etc/httpd/conf/ssl.crt/browser-accepting.crt

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
SSLVerifyClient none
SSLInsecureRenegotiation on

<Location /juddiv3>
    SSLVerifyClient require
    SSLVerifyDepth 5
    SSLRenegBufferSize 10486000
</Location>
<Location /juddiv3/>
    SSLVerifyClient require
    SSLVerifyDepth 5
    SSLRenegBufferSize 10486000
</Location>
<Location /dse>
    SSLVerifyClient optional
    SSLVerifyDepth 5
    SSLRenegBufferSize 52430000
</Location>
<Location /dse/>
    SSLVerifyClient optional
    SSLVerifyDepth 5
    SSLRenegBufferSize 52430000
</Location>
<Location /dse-help>
    SSLVerifyClient none
    SSLVerifyDepth 5
    SSLRenegBufferSize 10486000
</Location>
<Location /dse-help/>
    SSLVerifyClient none
    SSLVerifyDepth 5
    SSLRenegBufferSize 10486000
</Location>
<Location /dse/opensearch>
    SSLVerifyClient require
    SSLVerifyDepth 5
</Location>
<Location /dse/opensearch/>
    SSLVerifyClient require
    SSLVerifyDepth 5
</Location>
<Location /dse/web-services>
    SSLVerifyClient require
    SSLVerifyDepth 5
</Location>
<Location /dse/web-services/>
    SSLVerifyClient require
    SSLVerifyDepth 5
</Location>
<Location /dse/system_announcements/feed>
    SSLVerifyClient none
</Location>
<Location /dse/feeds>
    SSLVerifyClient none
</Location>
<Location /dse/web-services/publish?wsdl>
    SSLVerifyClient none
</Location>
<Location /dse/web-services/emtopic?wsdl>
    SSLVerifyClient none
</Location>
<Location /dse/web-services/juddiv3/services/security?wsdl>
    SSLVerifyClient none
</Location>
<Location /dse/web-services/juddiv3/services/inquiry?wsdl>
    SSLVerifyClient none
</Location>
<Location /dse/web-services/juddiv3/services/publish?wsdl>
    SSLVerifyClient none
</Location>

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
SSLOptions +ExportCertData +StdEnvVars
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

******* rewrite.conf.prodweb01 *******

#
# rewrite.conf:
# These rules handle all http:// protocol requests.
#
RewriteEngine on

# General:
# Disable HTTP TRACE on all requests.
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# General:
# Redirect requests to https, EXCEPT for the favicon, User-Defined URLs, System-Defined URLs, DDMS, AOP.
# https rewrite rules are found in ssl.conf.
RewriteCond %{SERVER_PROTOCOL} !https
RewriteCond %{REQUEST_URI} !^/favicon.ico
RewriteCond %{REQUEST_URI} !^/mdr/ns
RewriteCond %{REQUEST_URI} !^/mdr/irs
RewriteCond %{REQUEST_URI} !^/mdr/documents
RewriteCond %{REQUEST_URI} !^/dse/ns
RewriteCond %{REQUEST_URI} !^/dse/irs
RewriteCond %{REQUEST_URI} !^/dse/documents
# query string containing wsdl (e.g. <somepath>/publish?wsdl), let it fetch as http
RewriteCond %{QUERY_STRING} !wsdl
RewriteRule ^/(.*)$ https://prodweb01/$1 [last,redirect]

# Redirect DSE 1.x URLs to new DSE 2.0 locations
RewriteRule ^/mdr/irs/(.*)$ http://prodweb01/dse/irs/$1 [L,redirect]
RewriteRule ^/mdr/ns/(.*)$ http://prodweb01/dse/ns/$1 [L,redirect]
RewriteRule ^/mdr/documents/(.*)$ http://prodweb01/dse/documents/$1 [L,redirect]

# Redirect / to the DSE Homepage.
RewriteRule ^/$ https://prodweb01/dse [L]

On Tue, Jun 16, 2015 at 2:10 PM, Cohen, Laurence <lco...@novetta.com> wrote:

> Yeah, I'm going to have to figure this out. If I paste the text in the
> email it will be very long.
>
> On Tue, Jun 16, 2015 at 2:00 PM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
>
>> On 16 June 2015 19:54:40 CEST, "Cohen, Laurence" <lco...@novetta.com> wrote:
>> >On the old instance, represented in these files by prodweb01, ssl.conf and
>> >rewrite.conf were included from httpd.conf
>> >
>> >On the new instance represented by testweb01, nss.conf and rewrite.conf are
>> >included from httpd.conf, and ssl.conf is no longer used. You'll see that
>> >there was an attempt to move all of the RewriteRules from the ssl.conf in
>> >the old instance to ProxyPass statements in nss.conf. I'm assuming you are
>> >correct that something is not correct with these rules.
>>
>> Did you attach files to your mail? The mailing list strips most
>> attachments. You might be lucky attaching text files.
>>
>> Or you could strip out any comments and paste them inline. Or you put
>> them somewhere else and send a link to the files.
>>
>> Regards,
>> Felix
>>
>> >
>> >Thanks,
>> >
>> >Larry Cohen
>> >
>> >On Tue, Jun 16, 2015 at 1:36 PM, Cohen, Laurence <lco...@novetta.com> wrote:
>> >
>> >> I am most definitely confused. :-)
>> >>
>> >> I'm gathering and sanitizing configuration files now.
>> >>
>> >> Thanks,
>> >>
>> >> Larry
>> >>
>> >> On Tue, Jun 16, 2015 at 1:26 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> >>
>> >>> Laurence,
>> >>>
>> >>> On 6/16/15 1:02 PM, Cohen, Laurence wrote:
>> >>> > Thanks for everyone's response. To Andre' Warnier, yes. There are
>> >>> > many ProxyPass statements in nss.conf on the Apache webserver.
>> >>> > They appear to have taken the place of redirect statements in
>> >>> > ssl.conf, which is no longer in use.
>> >>>
>> >>> I think you may be confused. mod_nss looks like a replacement for
>> >>> mod_ssl, which means it's only being used for connections coming
>> >>> *into* the Apache httpd process -- probably from clients.
>> >>>
>> >>> Yes, mod_ssl is also used to handle HTTPS going *out* through
>> >>> mod_proxy, but you say that's working, right?
>> >>>
>> >>> mod_ssl doesn't have any "redirect" configuration. If you had
>> >>> "Redirect [something]" then it was using mod_alias, and that has
>> >>> nothing to do with either mod_nss (nee mod_ssl) or whatever module you
>> >>> are using to proxy from httpd to Tomcat (probably mod_proxy_http).
>> >>>
>> >>> > Your configuration assumption is correct, except that the users
>> >>> > will connect to the webserver on port 80 and port 443, and it is
>> >>> > invisible to them where they are going on the app server.
>> >>>
>> >>> Assuming that mod_nss can service mod_proxy_http just as mod_ssl was
>> >>> able to in the past, then you should have to change nothing in your
>> >>> configuration.
>> >>>
>> >>> My guess is that your ProxyPass directives for the :80 VirtualHost
>> >>> were somehow damaged in the switch-over.
>> >>>
>> >>> Can you show us the :443 configuration versus the :80 configuration in
>> >>> terms of ProxyPass and ProxyPassReverse directives?
>> >>>
>> >>> -chris
>> >>>
>> >>> ---------------------------------------------------------------------
>> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
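
Added example (not part of the original message or of the poster's configuration): a small Python check over an excerpt of the testweb01 nss.conf above. It flags <Location> paths that contain a query string (Apache matches <Location> on the URL path only and treats ? as a one-character wildcard) and ProxyPass/ProxyPassReverse pairs that point at different back ends, and it lists which blocks actually match a given request. The function names and finding labels are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the testweb01 nss.conf from this message (mail autolink residue removed).
SAMPLE_CONF = """\
<Location /dse/web-services/publish?wsdl>
NSSVerifyClient none
ProxyPass https://testapp01:8007/dse/web-services/publish?wsdl
ProxyPassReverse https://testapp01:8007/dse/web-services/publish?wsdl
</Location>
<Location /dse/web-services>
NSSVerifyClient require
ProxyPass https://testapp01:8007/dse/web-services
ProxyPassReverse https://testapp01:8007/dse/web-services
</Location>
<Location /juddiv3/services/security?wsdl>
NSSVerifyClient none
ProxyPass https://testapp01:8009/juddiv3/services/security?wsdl
ProxyPassReverse https://testapp01:8007/juddiv3/services/security?wsdl
</Location>
<Location />
NSSVerifyClient optional
ProxyPass https://testapp01:8007/dse
ProxyPassReverse https://testapp01:8007/dse
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)>(.*?)</Location>", re.S | re.I)


def parse_locations(conf):
    """Return [(location_path, {directive_lowercase: arguments})] in file order."""
    blocks = []
    for path, body in LOCATION_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, args = line.partition(" ")
                directives[name.lower()] = args.strip()
        blocks.append((path, directives))
    return blocks


def location_matches(loc, url_path):
    """Match a non-regex <Location> against a URL path (never the query string).
    '?' and '*' are wildcards that do not match '/'; otherwise it is a prefix
    match that stops at a path-segment boundary."""
    if "?" in loc or "*" in loc:
        pattern = "".join(
            "[^/]" if c == "?" else "[^/]*" if c == "*" else re.escape(c) for c in loc
        )
        return re.fullmatch(pattern, url_path) is not None
    if loc.endswith("/"):
        return url_path.startswith(loc)
    return url_path == loc or url_path.startswith(loc + "/")


def matching_locations(conf, request_url):
    """Blocks whose path matches the request, in file order (query string dropped)."""
    url_path = urlsplit(request_url).path
    return [(p, d) for p, d in parse_locations(conf) if location_matches(p, url_path)]


def lint(conf):
    """Return (location, finding) pairs for two migration mistakes."""
    findings = []
    for path, d in parse_locations(conf):
        if "?" in path:
            # The query string is not part of what <Location> is compared with.
            findings.append((path, "query-string-in-location"))
        if "proxypass" in d and "proxypassreverse" in d:
            fwd = urlsplit(d["proxypass"].split()[0])
            rev = urlsplit(d["proxypassreverse"].split()[0])
            if (fwd.scheme, fwd.netloc) != (rev.scheme, rev.netloc):
                findings.append((path, "proxypassreverse-backend-mismatch"))
    return findings


if __name__ == "__main__":
    for loc, issue in lint(SAMPLE_CONF):
        print(f"{issue}: <Location {loc}>")
    for loc, d in matching_locations(SAMPLE_CONF, "/dse/web-services/publish?wsdl"):
        print(f"matches <Location {loc}>: NSSVerifyClient {d.get('nssverifyclient')}")
```

For the request /dse/web-services/publish?wsdl the matching blocks are /dse/web-services and /, so the NSSVerifyClient none written in the ?wsdl block is never consulted for it.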