On Tue, Jun 16, 2015 at 3:13 PM, Christopher Schultz < ch...@christopherschultz.net> wrote:
> Larry,
>
> BTW, you're doing great. Thanks for battling-through. See below.
>
> On 6/16/15 2:29 PM, Cohen, Laurence wrote:
> > ******* nss.conf.testweb01 *******
> >
> > Listen 443
> >
> > AddType application/x-x509-ca-cert .crt
> > AddType application/x-pkcs7-crl .crl
> >
> > NSSPassPhraseDialog file:/etc/httpd/.password.conf
> > #NSSPassPhraseDialog builtin
> >
> > NSSPassPhraseHelper /usr/sbin/nss_pcache
> >
> > NSSSessionCacheSize 10000
> > NSSSessionCacheTimeout 100
> > NSSSession3CacheTimeout 86400
> >
> > NSSRandomSeed startup builtin
> >
> > <VirtualHost _default_:443>
> >
> > DocumentRoot "/var/www/docroot"
> > NSSProxyCheckPeerCN Off
> > NSSEngine on
> > NSSProxyEngine on
> > NSSEnforceValidCerts off
> > NSSRenegotiation on
> > NSSRequireSafeNegotiation on
> >
> > NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > NSSProtocol TLSv1
> > NSSNickname Server-Cert
> > NSSCertificateDatabase /etc/httpd/alias
> > NSSFIPS on
> > NSSOCSP off
> >
> > ProxyPreserveHost On
> >
> > <Location /dse-help>
> > #SSLRenegBufferSize 10486000
> > NSSVerifyClient none
> > NSSOptions +StdEnvVars
> > ProxyPass https://testapp01:8007/dse-help
> > ProxyPassReverse https://testapp01:8007/dse-help
> > </Location>
>
> Okay, good: here's the real meat of the file (repeated over and over,
> of course). The "Location" matches an incoming URL and then the stuff
> between the <Location> and </Location> will be effective for requests
> whose URLs match that pattern.
>
> So, for a request for /dse-help, the request is forwarded-over to
> Tomcat on port 8007 using the https:// protocol. The ProxyPassReverse
> will re-write response headers like Location and Set-Cookie to make
> sure they point to the reverse proxy (httpd) server instead of Tomcat
> (testapp01:8007).
>
> This is all you need to get things working. Since the above is from
> the :443 VirtualHost, you just need to make sure that similar
> configuration exists in the :80 VirtualHost configuration files.
>
> > # initialize the SSL headers to a blank value to avoid http header forgeries
> > RequestHeader set SSL_CLIENT_CERT ""
> > RequestHeader set SSL_CIPHER ""
> > RequestHeader set SSL_SESSION_ID ""
> > RequestHeader set SSL_CIPHER_USEKEYSIZE ""
>
> I'm not entirely sure:
>
> a) How mod_nss expects to send the original HTTPS information to Tomcat
> b) Whether or not Tomcat is configured to detect this information and
> make sure it's available to the container/web application
> c) In what order the "StdEnvVars" and "RequestHeader set" operations
> take place.
>
> I would want to make sure you've got all that right so that the
> following takes place:
>
> 1. Request comes in
> 2. Request has HTTPS-related headers stripped
> 3. Request has HTTPS-related headers added during proxying
>
> You might consider using "RequestHeader unset" instead of
> "RequestHeader set ''". There's no reason to send-over a blank string.
>
> > RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> > RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
> > RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
> > RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
>
> If you are going to be "setting" each of these with new values, you
> may as well not bother to "unset" (or "set" them to "") beforehand. I
> think it's just extra processing that wastes time and doesn't
> accomplish anything. Of course, you'll want to verify that I'm correct
> in that it doesn't matter if you remove the "unsets" before the "sets",
> but I think you'll be okay.
>
> > ******* rewrite.conf.testweb01 *******
> >
> > #
> > # rewrite.conf:
> > # These rules handle all http:// protocol requests.
> > #
> > RewriteEngine on
> >
> > # General:
> > # Disable HTTP TRACE on all requests.
> > RewriteCond %{REQUEST_METHOD} ^TRACE
> > RewriteRule .* - [F]
> >
> > # General:
> > # Redirect requests to https, EXCEPT for the favicon, User-Defined URLs, System-Defined URLs, DDMS, AOP.
> > # https rewrite rules are found in ssl.conf.
> > RewriteCond %{SERVER_PROTOCOL} !https
> > RewriteCond %{REQUEST_URI} !^/favicon.ico
> > RewriteCond %{REQUEST_URI} !^/mdr/ns
> > RewriteCond %{REQUEST_URI} !^/mdr/irs
> > RewriteCond %{REQUEST_URI} !^/mdr/documents
> > RewriteCond %{REQUEST_URI} !^/dse/uriService
> > RewriteCond %{REQUEST_URI} !^/dse/ns
> > RewriteCond %{REQUEST_URI} !^/dse/irs
> > RewriteCond %{REQUEST_URI} !^/dse/documents
> > RewriteCond %{REQUEST_URI} !^/dse/downloads
> >
> > # query string containing wsdl (e.g. <somepath>/publish?wsdl), let it fetch as http
> > RewriteCond %{QUERY_STRING} !wsdl
> >
> > RewriteRule ^/(.*)$ https://testweb01/$1 [last,redirect]
>
> Oh, man. This is awful.
>
> I'll bet the SSL-based configuration was re-written using
> ProxyPass/ProxyPassReverse and then the mod_rewrite (that's what all
> this stuff is) stuff was simply removed (or no longer referenced from
> httpd.conf, probably).
>
> But it looks like the RewriteCond/RewriteRule stuff was actually
> enabling your proxying (in the very ugliest way possible, I might
> add), so you lost your :80 proxying.
>
> For the most part, you should be able to copy the <Location> sections
> from your nss.conf into whatever file you would like to include to set
> up your :80 VirtualHost, and that should be about it. (Of course,
> you'll want to remove the NSSOptions and NSSVerifyClient sections as
> well.)
>
> If you'd prefer to have a slightly cleaner configuration, you can
> change this:
>
> > <Location /dse-help>
> > #SSLRenegBufferSize 10486000
> > NSSVerifyClient none
> > NSSOptions +StdEnvVars
> > ProxyPass https://testapp01:8007/dse-help
> > ProxyPassReverse https://testapp01:8007/dse-help
> > </Location>
>
> to this:
>
> ProxyPass /dse-help https://testapp01:8007/dse-help
> ProxyPassReverse /dse-help https://testapp01:8007/dse-help
>
> , since you don't need additional configuration.
>
> I would be willing to bet that if you set NSSOptions and
> NSSVerifyClient at the top-level, you wouldn't have to specify it
> separately in all of those <Location> sections, and your configuration
> would get even simpler, but I'm not aware of all of the intricacies of
> your environment, so I wouldn't recommend you make that change without
> someone watching who knows this configuration very well.
> Hope that helps,
> -chris

Thank you Chris. Unfortunately much of what you are saying is over my head. I'm a real newbie.

If you are saying I should set up another file for a :80 Virtual Host, and include it from httpd.conf, can I just pretty much copy what's in the :443 Virtual Host?

Thanks,
Larry Cohen
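The following is an added example, not part of Larry's or Chris's posts: a plaintext :80 VirtualHost of the kind Chris describes, built only from the hostnames and paths that appear in the thread. It folds three things from the discussion into one file: the shorter ProxyPass/ProxyPassReverse form without the NSSVerifyClient and NSSOptions lines, "RequestHeader unset" for the SSL_* headers (on :80 there is no TLS session, so any such header arriving from a client is forged and must not reach Tomcat), and the http-to-https redirect and TRACE block from rewrite.conf with its exception list. Assumptions, none of which the thread confirms: the file is saved as /etc/httpd/conf.d/plain.conf and included from httpd.conf, which already contains Listen 80; and mod_nss accepts NSSProxyEngine in a vhost that has no NSSEngine of its own, the way mod_ssl accepts SSLProxyEngine, since the backend is https://.

```apache
# /etc/httpd/conf.d/plain.conf  (assumed filename; "Listen 80" is assumed
# to be in httpd.conf already).  Added example, not the poster's config.

<VirtualHost _default_:80>
    DocumentRoot "/var/www/docroot"
    ProxyPreserveHost On

    # The backend is https://, so the proxy side of mod_nss is needed even
    # though this vhost itself is plaintext.  ASSUMPTION: mod_nss permits
    # this in a non-NSSEngine vhost, as mod_ssl does with SSLProxyEngine.
    NSSProxyEngine on
    # Copied from the :443 vhost.  Note that this disables checking the
    # backend certificate's CN against "testapp01"; keep it only if the
    # backend certificate really does not match.
    NSSProxyCheckPeerCN Off

    # Nothing on :80 has a TLS session, so there is no legitimate source
    # for these headers.  "unset" (Chris's suggestion) rather than set ""
    # so a client-supplied SSL_CLIENT_CERT is dropped, not forwarded blank.
    RequestHeader unset SSL_CLIENT_CERT
    RequestHeader unset SSL_CIPHER
    RequestHeader unset SSL_SESSION_ID
    RequestHeader unset SSL_CIPHER_USEKEYSIZE

    RewriteEngine on

    # Refuse TRACE, as rewrite.conf did.
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

    # Redirect to https except for the paths rewrite.conf exempted.  The old
    # "%{SERVER_PROTOCOL} !https" test is unnecessary here: nothing that
    # reaches a :80 vhost is https.  The target host is fixed (as in the
    # original) rather than taken from the client's Host header.
    RewriteCond %{REQUEST_URI} !^/favicon\.ico
    RewriteCond %{REQUEST_URI} !^/mdr/(ns|irs|documents)
    RewriteCond %{REQUEST_URI} !^/dse/(uriService|ns|irs|documents|downloads)
    RewriteCond %{QUERY_STRING} !wsdl
    RewriteRule ^/(.*)$ https://testweb01/$1 [L,R]

    # Proxy entries copied from the nss.conf <Location> blocks, in the short
    # form Chris suggested and without the NSS* lines.  Only /dse-help is
    # shown in the thread; each path in the exception list above needs its
    # own pair copied the same way.
    ProxyPass        /dse-help https://testapp01:8007/dse-help
    ProxyPassReverse /dse-help https://testapp01:8007/dse-help
</VirtualHost>
```

Two caveats worth checking before relying on this. First, mod_rewrite's URL translation runs before ProxyPass matching, so a request for /dse-help on :80 is redirected to https://testweb01/dse-help and reaches Tomcat through the :443 vhost; only the exempted paths are actually proxied from this vhost, and the thread does not show their ProxyPass targets. Second, the forgery protection on :443 comes from the "RequestHeader set SSL_* "%{...}s"" lines overwriting whatever the client sent; whether mod_nss populates those %{...}s lookups in the order Chris asks about in (c) is something to confirm by sending a request with a bogus SSL_CLIENT_CERT header and inspecting what Tomcat receives.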