-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Larry,
On 6/16/15 3:34 PM, Cohen, Laurence wrote: > On Tue, Jun 16, 2015 at 3:13 PM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > > Larry, > > BTW, you're doing great. Thanks for battling-through. See below. > > On 6/16/15 2:29 PM, Cohen, Laurence wrote: >>>> ******* nss.conf.testweb01 ******* >>>> >>>> Listen 443 >>>> >>>> AddType application/x-x509-ca-cert .crt AddType >>>> application/x-pkcs7-crl .crl >>>> >>>> NSSPassPhraseDialog file:/etc/httpd/.password.conf >>>> #NSSPassPhraseDialog builtin >>>> >>>> NSSPassPhraseHelper /usr/sbin/nss_pcache >>>> >>>> NSSSessionCacheSize 10000 NSSSessionCacheTimeout 100 >>>> NSSSession3CacheTimeout 86400 >>>> >>>> >>>> NSSRandomSeed startup builtin >>>> >>>> >>>> <VirtualHost _default_:443> >>>> >>>> DocumentRoot "/var/www/docroot" NSSProxyCheckPeerCN Off >>>> NSSEngine on NSSProxyEngine on NSSEnforceValidCerts off >>>> NSSRenegotiation on NSSRequireSafeNegotiation on >>>> >>>> NSSCipherSuite >>>> +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_nul l_m > >>>> d5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_12 > 8_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha, +r > > sa_aes_256_sha >>>> >>>> NSSProxyCipherSuite >>>> +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_nul l_m > >>>> d5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_12 > 8_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha, +r > > sa_aes_256_sha >>>> >>>> NSSProtocol TLSv1 NSSNickname Server-Cert >>>> NSSCertificateDatabase /etc/httpd/alias NSSFIPS on NSSOCSP >>>> off >>>> >>>> ProxyPreserveHost On >>>> >>>> >>>> <Location /dse-help> #SSLRenegBufferSize 10486000 >>>> NSSVerifyClient none NSSOptions +StdEnvVars ProxyPass >>>> https://testapp01:8007/dse-help >>>> <https://testapp01.novetta.com:8007/dse-help> >>>> ProxyPassReverse https://testapp01:8007/dse-help >>>> <https://testapp01.novetta.com:8007/dse-help> </Location> > > Okay, good: here's the real meat of the file (repeated over and > over, of course). The "Location" matches an incoming URL and then > the stuff between the <Location> and </Location> will be effective > for requests whose URLs match that pattern. > > So, for a request for /dse-help, the request is forwarded-over to > Tomcat on port 8007 using the https:// protocol. The > ProxyPassReverse will re-write response headers like Location and > Set-Cookie to make sure they point to the reverse proxy (httpd) > server instead of Tomcat (testapp01:8007). > > This is all you need to get things working. Since the above is > from the :443 VirtualHost, you just need to make sure that similar > configuration exists in the :80 VirtualHost configuration files. > >>>> # initialize the SSL headers to a blank value to avoid http >>>> header forgeries RequestHeader set SSL_CLIENT_CERT "" >>>> RequestHeader set SSL_CIPHER "" RequestHeader set >>>> SSL_SESSION_ID "" RequestHeader set SSL_CIPHER_USEKEYSIZE "" > > I'm not entirely sure: > > a) How mod_nss expects to send the original HTTPS information to > Tomcat b) Whether or not Tomcat is configured to detect this > information and make sure it's available to the container/web > application c) In what order the "StdEnvVars" and "RequestHeader > set" operations take place. > > I would want to make sure you've got all that right so tht the > following takes place: > > 1. Request comes in 2. Request has HTTPS-related headers stripped > 3. Request has HTTPS-related headers added during proxying > > You might consider using "RequestHeader unset" instead of > "RequestHeader set ''". There's no reason to send-over a blank > string. > >>>> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" >>>> RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s" RequestHeader >>>> set SSL_SESSION_ID "%{SSL_SESSION_ID}s" RequestHeader set >>>> SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s" > > If you are going to be "setting" each of these with new values, > you may as well not bother to "unset" (or "set" them to "") > beforehand. I think it's just extra processing that wastes time and > doesn't accomplish. Of course, you'll want to verify that I'm > correct in that it doesn't matter if you remove the "unsets" before > the "sets", but I think you'll be okay. >>>> ******* rewwrite.conf.testweb01 ******* >>>> >>>> # # rewrite.conf: # These rules handle all http:// protocol >>>> requests. # RewriteEngine on >>>> >>>> # General: # Disable HTTP TRACE on all requests. RewriteCond >>>> %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] >>>> >>>> # General: # Redirect requests to https, EXCEPT for the >>>> favicon, User-Defined URLs, System-Defined URLs, DDMS, AOP. # >>>> https rewrite rules are found in ssl.conf. RewriteCond >>>> %{SERVER_PROTOCOL} !https RewriteCond %{REQUEST_URI} >>>> !^/favicon.ico RewriteCond %{REQUEST_URI} !^/mdr/ns >>>> RewriteCond %{REQUEST_URI} !^/mdr/irs RewriteCond >>>> %{REQUEST_URI} !^/mdr/documents RewriteCond >>>> %{REQUEST_URI} !^/dse/uriService RewriteCond >>>> %{REQUEST_URI} !^/dse/ns RewriteCond %{REQUEST_URI} >>>> !^/dse/irs RewriteCond %{REQUEST_URI} !^/dse/documents >>>> RewriteCond %{REQUEST_URI} !^/dse/downloads >>>> >>>> # query string containing wsdl (e.g. >>>> <somepath>/publish?wsdl), let it fetch as http RewriteCond >>>> %{QUERY_STRING} !wsdl >>>> >>>> RewriteRule ^/(.*)$ https://testweb01/$1 >>>> <https://testweb01.novetta.com/$1> [last,redirect] > > Oh, man. This is awful. > > I'll bet the SSL-based configuration was re-written using > ProxyPass/ProxyPassReverse and then the mod_rewrite (that's what > all this stuff is) stuff was simply removed (or no longer > referenced from httpd.conf, probably). > > But it looks like the RewriteCond/RewriteRule stuff was actually > enabling your proxying (in the very ugliest way possible, I might > add), so you lost your :80 proxying. > > For the most part, you should be able to copy the <Location> > sections from your nss.conf into whatever file you would like to > include to set up your :80 VirtualHost, and that should be about > it. (Of course, you'll want to remove the NSSOptions and > NSSVerifyClient sections as well.) > > If you'd prefer to have a slightly cleaner configuration, you can > change this: > >>>> <Location /dse-help> #SSLRenegBufferSize 10486000 >>>> NSSVerifyClient none NSSOptions +StdEnvVars ProxyPass >>>> https://testapp01:8007/dse-help >>>> <https://testapp01.novetta.com:8007/dse-help> >>>> ProxyPassReverse https://testapp01:8007/dse-help >>>> <https://testapp01.novetta.com:8007/dse-help> </Location> > > to this: > > ProxyPass /dse-help https://testapp01:8007/dse-help > ProxyPassReverse /dse-help https://testapp01:8007/dse-help > > , since you don't need additional configuration. > > I would be willing to bet that if you set NSSOptions and > NSSVerifyClient at the top-level, you wouldn't have to specify it > separately in all of those <Location> sections, and your > configuration would get even simpler, but I'm not aware of all of > the intricacies of your environment, so I wouldn't recommend you > make that change without someone watching who knows this > configuration very well. > > Hope that helps, -chris >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > Thank you Chris. Unfortunately much of what you are saying is over > my head. I'm a real newbie. Okay. > If you are saying I should set up another file for a :80 Virtual > Host, and include it from httpd.conf, can I just pretty much copy > what's in the :443 Virtual Host? I would first find the existing :80 VirtualHost and make sure that there is no conflicting configuration in there for what you are about to do. But then, yes, I think you can pretty much copy the <Location> sections from nss.conf into the :80 VirtualHost. Forget what I said about removing the NSSOptions and NSSVerifyClient directives, because I think you still need to make sure that you are communicating properly between httpd and Tomcat (over SSL). I wouldn't want to break that by removing those directives. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVgIG5AAoJEBzwKT+lPKRYBAwQAJitZGirkCLwBoNvodNUeDwZ KOLaFuIln4OqYf/wKpNBn/Lio9KlT21KPvquy5WpCgJGu829T+z/lSqMMXgYlcZp JArOHlLQJwKZ6u5rZG+E2BacN5JM/uIWgbX8FUw7DIHkIUxmGyRcXXIzpG+v/Bcb ne+7aO0IbUlvVRxLoSQ8zUE0u2Xbvu7BLuzk0/RtRblUPwSJU3aHxS6DdZkVuyut qbARbmSw7bsbrd1mFBPpSTpTQ6mxOsUkeW0CS4P/yvMqvAcZHh2+uymfWyUhCyUp 5k2Qlf/Um8NYimlun8SO6ByA4bfcvBGDAgBB1L2eWajiImjOBI+neZNmQv4t1r90 5OeL2FvkfhPviukU56vRdKUmy9RzSRtHQkYKy9YZcPPWIZmKRkZSufGbCNNojXii 1LiV76W83tfPVhY5cEbO/dFU3M4ACmoynDEfodMeXkFNWNs+UEBNKNrjXZ1o38vH Xl42abh7JlVlyJmIeq9Sh/L0GaibvcOaJ/Ovus2FpghuLDunzd6Kxs2LH3+Z5HVu qV2nzSB2gKe48MFVwzh6kTqHxrpOuQocb6aBps3RpjSM2dD2FS/L5hOLf2AtWiwm cd/QeC3Be5SjgxJOmjxT8la6MuGJZ4AO05oODLqBu3EjspCWCzKefpLTrWV7MXnC 4IXbGlRviOsg7cuWXL+u =a8pl -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org