On 7/25/2016 3:45 PM, Mark Eggers wrote:
> On 7/25/2016 12:42 PM, Mark Eggers wrote:
>> I'm going to do a bit of trimming here:
>>
>> On 7/25/2016 7:34 AM, Paul Roubekas wrote:
>>
>>>>>> #
>>>>>> # Add this before your first ProxyPass
>>>>>> # However, after your aliases
>>>>>> #
>>>>>>
>>>>>> ProxyPass "/bb" !
>>>>>> ProxyPass "/tt" !
>>>>> This works now.  Thanks
>>>>>> #
>>>>>> # Also this would be a good idea to prevent TomEE manager access
>>>>>> #
>>>>>> ProxyPass "/manager" !
>>>>> I protect this page via IP address.
>>>>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>>>>        allow="[redacted]" />
>>>>>> #
>>>>>> # Finally, to protect your one servlet
>>>>>> #
>>>>>> ProxyPass "/path-to-servlet" !
>>>>> I have done something wrong here. It is not working.  See more
>>>>> details below.
>>>> Well this should block access to the servlet that you don't want to
>>>> be visible via HTTP (only HTTPS).
>>>>
>>>>>> #
>>>>>> # Now add the proxypass
>>>>>> #
>>>>>> ProxyPass "/" "ajp://TomEE-host:8009/"
>>>>> ok
>>>>>> In your ssl.conf, you'll need to proxy the HTTPS-protected
>>>>>> servlet
>>>>>>
>>>>>> #
>>>>>> # Protected servlet
>>>>>> #
>>>>>> ProxyPass "/path-to-servlet" "ajp://TomEE-host:8009/path-to-servlet"
>>>>> I did a find on my whole Fedora 23 server looking for ssl.conf.
>>>>> The file did not exist.  I created one(ssl.conf) and put it in
>>>>> the same directory as httpd.conf.  Now the https servlet returns
>>>>> a "Not Found The requested URL /DonateServlet was not found on
>>>>> this server." 1) Did I put the ssl.conf in the correct
>>>>> directory? 2) What else can I check?
>>>> If you want Apache HTTPD to serve HTTPS content (in addition to
>>>> HTTP content), you'll need to install the mod_ssl RPM.
>>>>
>>>> 2.4.23-3.fc23.x86_64.rpm
>>>>
>>>> is the latest release I believe. I'm not sure - my laptop died and
>>>> with it my Fedora install (time to get a new laptop).
>>>>
>>>> In that rpm, you'll find:
>>>>
>>>> /etc/httpd/conf.d/ssl.conf
>>>> /etc/httpd/conf.modules.d/00-ssl.conf
>>>> /usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
>>>> /usr/lib64/httpd/modules/mod_ssl.so
>>>> /usr/libexec/httpd-ssl-pass-dialog
>>>> /var/cache/httpd/ssl
>>>>
>>>> If Fedora and systemd haven't hacked things up too badly, you'll
>>>> put proxypass statements (again, I use mod_jk, so I put in JkMount 
>>>> statements) in /etc/httpd/conf.d/ssl.conf.
>>>>
>>>> You'll be terminating SSL on Apache HTTPD, and sending AJP (not 
>>>> encrypted) traffic between Apache HTTPD and TomEE.
>>>>
>>>> Prevent the proxypass to your protected servlet (whatever the URL
>>>> is) by using the exclamation point in httpd.conf. Add the required
>>>> proxypass in ssl.conf, which is what Apache HTTPD uses in order to
>>>> configure SSL.
>>> Not working.  I am getting
>>>
>>> Not Found
>>>
>>> The requested URL /DonateServlet was not found on this server.
>>>
>>> ==== ssl.conf =====
>>>
>>> # Protected servlet
>>> ProxyPass "/DonateServlet" "ajp://localhost:8009/DonateServlet"
>>> ErrorLog "/var/log/myDomain.com-error_log"
>>> TransferLog "/var/log/myDomain.com-access_log"
>> You're right, the simple solution does not work. :-(
>>
>> At this point, the only way I know how to manage this is with rewrite rules.
>>
>> These get pretty complicated, and I strongly suggest that you read the
>> rewrite rule documentation before playing around with them.
>>
>> This is also pretty far afield from the Apache Tomcat mailing list. You
>> might want to head on over to the Apache HTTPD mailing list for better
>> answers.
>>
>> That being said, I hacked together something that works.
>>
>> In your httpd.conf file before the ProxyPass "/" statement:
>>
>> # Turn on the rewrite Engine
>> RewriteEngine on
>>
>> # Make sure you're not on HTTPS
>> RewriteCond %{HTTPS} !=on
>>
>> # Send the DonateServlet to HTTPS
>> RewriteRule ^/DonateServlet$ https://%{SERVER_NAME}/DonateServlet [R,L]
>>
>> # Send everything else to TomEE
>> ProxyPass "/" "ajp://localhost:8009/Protect"
>>
>> In your ssl.conf file in the VirtualHost portion:
>>
>> # Make sure the engine is on
>> RewriteEngine on
>>
>> # Make sure you're not on port 80
>> RewriteCond %{SERVER_PORT} !^80$
>>
>> # Rewrite everything except the URL you want in HTTPS
>> RewriteCond %{REQUEST_URI} !^/DonateServlet$
>> RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R,L]
>>
>> # Send the DonateServlet to TomEE
>> ProxyPass "/Protect/Dressed" "ajp://localhost:8009/DonateServlet"
>>
>> I'm sure people can come up with better rewrite rules, but this should work.
>>
>> . . . just my two cents
>> /mde/
>>
> Oops, that should have read:
>
> ProxyPass "/DonateServlet" "ajp://localhost:8009/DonateServlet"
>
> Copy-paste error from my test case . . .
> /mde/
>
Wow that must have taken a lot of time.  Thanks.  Hope to return the
favor some day. :-)

I will have to move to the httpd email list.
The changes did get me closer, but there are still issues.  Only so you
don't think this is a solution for others, I am explaining what did and
did not work with this change.
This is not meant to be a complaint.
When going to the /DonateServlet page I get an exception from the
browser that the system admin did not set up the site correctly.
After accepting the exception the /DonateServlet does come up, but with
all the styling from the CSSs missing.  Just a white background.
This did fix the exposure of the TCP/IP port :8443 on the address line.
This did fix the https protocol prefix sticking for the remainder of the
browser session.  https is only on the /DonateServlet page.


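The two-virtual-host layout worked out in this thread, gathered into one place as an added example (this is not configuration posted by either participant, and the host name, certificate paths and static-file extensions are assumptions). It applies the ProxyPass correction from the follow-up, keeps the manager excluded from the proxy in both virtual hosts, and adds one change that is consistent with the unstyled page reported above: the catch-all rule in ssl.conf also redirects the stylesheet and script requests made by the HTTPS page back to http://, and browsers refuse to load such mixed content, so static files are left on HTTPS.

```apache
# ---- /etc/httpd/conf/httpd.conf: the plain-HTTP virtual host ----
# Added example; ServerName, certificate paths and the asset
# extensions below are assumptions, not values from the thread.
<VirtualHost *:80>
    ServerName www.myDomain.com

    # Never let the reverse proxy reach the manager application.
    ProxyPass "/manager" !

    RewriteEngine on
    # mod_rewrite runs before the ProxyPass mapping, so this redirect
    # fires before the request can be proxied over plain HTTP.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/DonateServlet$ https://%{SERVER_NAME}/DonateServlet [R,L]

    # Defence in depth: whatever the rewrite rules do, the sensitive
    # servlet is never proxied from this virtual host.
    ProxyPass "/DonateServlet" !
    ProxyPass "/" "ajp://localhost:8009/"
</VirtualHost>

# ---- /etc/httpd/conf.d/ssl.conf (from the mod_ssl package) ----
# Goes inside the virtual host that file already defines.
<VirtualHost _default_:443>
    ServerName www.myDomain.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/myDomain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/myDomain.com.key

    ProxyPass "/manager" !

    RewriteEngine on
    # Send ordinary pages back to HTTP, but keep the servlet and the
    # static files its page references on HTTPS: a stylesheet that is
    # redirected to http:// from an https:// page is mixed content and
    # the browser drops it, which leaves the page unstyled.
    RewriteCond %{REQUEST_URI} !^/DonateServlet$
    RewriteCond %{REQUEST_URI} !\.(css|js|png|jpg|gif|ico)$ [NC]
    RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R,L]

    # Only the servlet and its assets get this far; everything else was
    # redirected above.
    ProxyPass "/" "ajp://localhost:8009/"
</VirtualHost>
```

Two points this configuration cannot fix. The browser warning on the HTTPS page is about certificate trust (a self-signed certificate or a name that does not match the ServerName) and no proxy or rewrite rule changes it. And, as noted earlier in the thread, AJP between Apache HTTPD and TomEE is not encrypted, so the AJP connector should not be reachable from anywhere but the proxy; when both run on the same host, bind it to loopback in TomEE's server.xml with `address="127.0.0.1"` on the port 8009 Connector and keep 8009 closed on the firewall.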