On Tue, Jun 16, 2015 at 4:06 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Larry,
>
> On 6/16/15 3:34 PM, Cohen, Laurence wrote:
> > On Tue, Jun 16, 2015 at 3:13 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Larry,
> >
> > BTW, you're doing great. Thanks for battling-through. See below.
> >
> > On 6/16/15 2:29 PM, Cohen, Laurence wrote:
> >>>> ******* nss.conf.testweb01 *******
> >>>>
> >>>> Listen 443
> >>>>
> >>>> AddType application/x-x509-ca-cert .crt
> >>>> AddType application/x-pkcs7-crl .crl
> >>>>
> >>>> NSSPassPhraseDialog file:/etc/httpd/.password.conf
> >>>> #NSSPassPhraseDialog builtin
> >>>>
> >>>> NSSPassPhraseHelper /usr/sbin/nss_pcache
> >>>>
> >>>> NSSSessionCacheSize 10000
> >>>> NSSSessionCacheTimeout 100
> >>>> NSSSession3CacheTimeout 86400
> >>>>
> >>>> NSSRandomSeed startup builtin
> >>>>
> >>>> <VirtualHost _default_:443>
> >>>>
> >>>> DocumentRoot "/var/www/docroot"
> >>>> NSSProxyCheckPeerCN Off
> >>>> NSSEngine on
> >>>> NSSProxyEngine on
> >>>> NSSEnforceValidCerts off
> >>>> NSSRenegotiation on
> >>>> NSSRequireSafeNegotiation on
> >>>>
> >>>> NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >>>>
> >>>> NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >>>>
> >>>> NSSProtocol TLSv1
> >>>> NSSNickname Server-Cert
> >>>> NSSCertificateDatabase /etc/httpd/alias
> >>>> NSSFIPS on
> >>>> NSSOCSP off
> >>>>
> >>>> ProxyPreserveHost On
> >>>>
> >>>> <Location /dse-help>
> >>>> #SSLRenegBufferSize 10486000
> >>>> NSSVerifyClient none
> >>>> NSSOptions +StdEnvVars
> >>>> ProxyPass https://testapp01:8007/dse-help
> >>>> ProxyPassReverse https://testapp01:8007/dse-help
> >>>> </Location>
> >
> > Okay, good: here's the real meat of the file (repeated over and
> > over, of course). The "Location" matches an incoming URL and then
> > the stuff between the <Location> and </Location> will be effective
> > for requests whose URLs match that pattern.
> >
> > So, for a request for /dse-help, the request is forwarded-over to
> > Tomcat on port 8007 using the https:// protocol. The
> > ProxyPassReverse will re-write response headers like Location and
> > Set-Cookie to make sure they point to the reverse proxy (httpd)
> > server instead of Tomcat (testapp01:8007).
> >
> > This is all you need to get things working. Since the above is
> > from the :443 VirtualHost, you just need to make sure that similar
> > configuration exists in the :80 VirtualHost configuration files.
> >
> >>>> # initialize the SSL headers to a blank value to avoid http
> >>>> # header forgeries
> >>>> RequestHeader set SSL_CLIENT_CERT ""
> >>>> RequestHeader set SSL_CIPHER ""
> >>>> RequestHeader set SSL_SESSION_ID ""
> >>>> RequestHeader set SSL_CIPHER_USEKEYSIZE ""
> >
> > I'm not entirely sure:
> >
> > a) How mod_nss expects to send the original HTTPS information to
> >    Tomcat
> > b) Whether or not Tomcat is configured to detect this information
> >    and make sure it's available to the container/web application
> > c) In what order the "StdEnvVars" and "RequestHeader set"
> >    operations take place.
> >
> > I would want to make sure you've got all that right so that the
> > following takes place:
> >
> > 1. Request comes in
> > 2. Request has HTTPS-related headers stripped
> > 3. Request has HTTPS-related headers added during proxying
> >
> > You might consider using "RequestHeader unset" instead of
> > "RequestHeader set ''". There's no reason to send-over a blank
> > string.
> >
> >>>> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> >>>> RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
> >>>> RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
> >>>> RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
> >
> > If you are going to be "setting" each of these with new values,
> > you may as well not bother to "unset" (or "set" them to "")
> > beforehand. I think it's just extra processing that wastes time and
> > doesn't accomplish anything. Of course, you'll want to verify that
> > I'm correct in that it doesn't matter if you remove the "unsets"
> > before the "sets", but I think you'll be okay.
> >
> >>>> ******* rewrite.conf.testweb01 *******
> >>>>
> >>>> #
> >>>> # rewrite.conf:
> >>>> # These rules handle all http:// protocol requests.
> >>>> #
> >>>> RewriteEngine on
> >>>>
> >>>> # General:
> >>>> # Disable HTTP TRACE on all requests.
> >>>> RewriteCond %{REQUEST_METHOD} ^TRACE
> >>>> RewriteRule .* - [F]
> >>>>
> >>>> # General:
> >>>> # Redirect requests to https, EXCEPT for the favicon, User-Defined URLs,
> >>>> # System-Defined URLs, DDMS, AOP.
> >>>> # https rewrite rules are found in ssl.conf.
> >>>> RewriteCond %{SERVER_PROTOCOL} !https
> >>>> RewriteCond %{REQUEST_URI} !^/favicon.ico
> >>>> RewriteCond %{REQUEST_URI} !^/mdr/ns
> >>>> RewriteCond %{REQUEST_URI} !^/mdr/irs
> >>>> RewriteCond %{REQUEST_URI} !^/mdr/documents
> >>>> RewriteCond %{REQUEST_URI} !^/dse/uriService
> >>>> RewriteCond %{REQUEST_URI} !^/dse/ns
> >>>> RewriteCond %{REQUEST_URI} !^/dse/irs
> >>>> RewriteCond %{REQUEST_URI} !^/dse/documents
> >>>> RewriteCond %{REQUEST_URI} !^/dse/downloads
> >>>>
> >>>> # query string containing wsdl (e.g. <somepath>/publish?wsdl), let it fetch as http
> >>>> RewriteCond %{QUERY_STRING} !wsdl
> >>>>
> >>>> RewriteRule ^/(.*)$ https://testweb01/$1 [last,redirect]
> >
> > Oh, man. This is awful.
> >
> > I'll bet the SSL-based configuration was re-written using
> > ProxyPass/ProxyPassReverse and then the mod_rewrite (that's what
> > all this stuff is) stuff was simply removed (or no longer
> > referenced from httpd.conf, probably).
> >
> > But it looks like the RewriteCond/RewriteRule stuff was actually
> > enabling your proxying (in the very ugliest way possible, I might
> > add), so you lost your :80 proxying.
> >
> > For the most part, you should be able to copy the <Location>
> > sections from your nss.conf into whatever file you would like to
> > include to set up your :80 VirtualHost, and that should be about
> > it. (Of course, you'll want to remove the NSSOptions and
> > NSSVerifyClient sections as well.)
> >
> > If you'd prefer to have a slightly cleaner configuration, you can
> > change this:
> >
> >>>> <Location /dse-help>
> >>>> #SSLRenegBufferSize 10486000
> >>>> NSSVerifyClient none
> >>>> NSSOptions +StdEnvVars
> >>>> ProxyPass https://testapp01:8007/dse-help
> >>>> ProxyPassReverse https://testapp01:8007/dse-help
> >>>> </Location>
> >
> > to this:
> >
> > ProxyPass /dse-help https://testapp01:8007/dse-help
> > ProxyPassReverse /dse-help https://testapp01:8007/dse-help
> >
> > , since you don't need additional configuration.
> >
> > I would be willing to bet that if you set NSSOptions and
> > NSSVerifyClient at the top-level, you wouldn't have to specify it
> > separately in all of those <Location> sections, and your
> > configuration would get even simpler, but I'm not aware of all of
> > the intricacies of your environment, so I wouldn't recommend you
> > make that change without someone watching who knows this
> > configuration very well.
> >
> > Hope that helps,
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >
> > Thank you Chris. Unfortunately much of what you are saying is over
> > my head. I'm a real newbie.
>
> Okay.
>
> > If you are saying I should set up another file for a :80 Virtual
> > Host, and include it from httpd.conf, can I just pretty much copy
> > what's in the :443 Virtual Host?
>
> I would first find the existing :80 VirtualHost and make sure that
> there is no conflicting configuration in there for what you are about
> to do.
>
> But then, yes, I think you can pretty much copy the <Location>
> sections from nss.conf into the :80 VirtualHost.
>
> Forget what I said about removing the NSSOptions and NSSVerifyClient
> directives, because I think you still need to make sure that you are
> communicating properly between httpd and Tomcat (over SSL). I wouldn't
> want to break that by removing those directives.
>
> -chris

Thank you Chris. I'm playing with it but it's still not working, and I
have to move on to something else now. Thanks for the help though.

Larry Cohen
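As a worked version of Chris's advice (added here; this is not Larry's file and not Apache or mod_nss project code): a :80 VirtualHost that proxies /dse-help in the shorter ProxyPass form, strips any client-supplied SSL_* headers with `unset` rather than a blank `set`, and keeps the NSS proxy side on so httpd still talks TLS to Tomcat. The `*:80` form and the ServerName line are assumptions; hostnames, port and path come from the thread.

```apache
# Constructed example of the :80 VirtualHost Chris describes.
<VirtualHost *:80>
    ServerName testweb01
    DocumentRoot "/var/www/docroot"

    # A plain-http client could send its own SSL_CLIENT_CERT, SSL_CIPHER,
    # etc. request headers. Drop them at the edge so Tomcat never sees
    # forged values; "unset" forwards nothing, where set "" forwards an
    # empty header the backend still has to interpret.
    RequestHeader unset SSL_CLIENT_CERT
    RequestHeader unset SSL_CIPHER
    RequestHeader unset SSL_SESSION_ID
    RequestHeader unset SSL_CIPHER_USEKEYSIZE

    # httpd -> Tomcat still runs over TLS, so the proxy-side mod_nss
    # directive the :443 vhost uses is needed here too.
    NSSProxyEngine on
    ProxyPreserveHost On

    # No <Location> block required once the path is given to ProxyPass;
    # ProxyPassReverse rewrites Location/Set-Cookie back to this host.
    ProxyPass        /dse-help https://testapp01:8007/dse-help
    ProxyPassReverse /dse-help https://testapp01:8007/dse-help
</VirtualHost>
```

The `RequestHeader set SSL_* "%{SSL_*}s"` lines belong only in the :443 VirtualHost, where NSSEngine populates those variables; on :80 there is nothing to copy from, only something to strip.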