On 7/25/2016 3:45 PM, Mark Eggers wrote:
> On 7/25/2016 12:42 PM, Mark Eggers wrote:
>> I'm going to do a bit of trimming here:
>>
>> On 7/25/2016 7:34 AM, Paul Roubekas wrote:
>>
>>>>>> #
>>>>>> # Add this before your first ProxyPass
>>>>>> # However, after your aliases
>>>>>> #
>>>>>>
>>>>>> ProxyPass "/bb" !
>>>>>> ProxyPass "/tt" !
>>>>> This works now. Thanks
>>>>>> #
>>>>>> # Also this would be a good idea to prevent TomEE manager access
>>>>>> #
>>>>>> ProxyPass "/manager" !
>>>>> I protect this page via IP address.
>>>>> <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="[redacted]" />
>>>>>> #
>>>>>> # Finally, to protect your one servlet
>>>>>> #
>>>>>> ProxyPass "/path-to-servlet" !
>>>>> I have done something wrong here. It is not working. See more details below.
>>>> Well this should block access to the servlet that you don't want to be visible via HTTP (only HTTPS).
>>>>
>>>>>> #
>>>>>> # Now add the proxypass
>>>>>> #
>>>>>> ProxyPass "/" "ajp://TomEE-host:8009/"
>>>>> ok
>>>>>> In your ssl.conf, you'll need to proxy the HTTPS-protected servlet
>>>>>>
>>>>>> #
>>>>>> # Protected servlet
>>>>>> #
>>>>>> ProxyPass "/path-to-servlet" "ajp://TomEE-host:8009/path-to-servlet"
>>>>> I did a find on my whole Fedora 23 server looking for ssl.conf. The file did not exist. I created one (ssl.conf) and put it in the same directory as httpd.conf. Now the https servlet returns a "Not Found The requested URL /DonateServlet was not found on this server."
>>>>> 1) Did I put the ssl.conf in the correct directory?
>>>>> 2) What else can I check?
>>>> If you want Apache HTTPD to serve HTTPS content (in addition to HTTP content), you'll need to install the mod_ssl RPM.
>>>>
>>>> 2.4.23-3.fc23.x86_64.rpm
>>>>
>>>> is the latest release I believe. I'm not sure - my laptop died and with it my Fedora install (time to get a new laptop).
>>>>
>>>> In that rpm, you'll find:
>>>>
>>>> /etc/httpd/conf.d/ssl.conf
>>>> /etc/httpd/conf.modules.d/00-ssl.conf
>>>> /usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
>>>> /usr/lib64/httpd/modules/mod_ssl.so
>>>> /usr/libexec/httpd-ssl-pass-dialog
>>>> /var/cache/httpd/ssl
>>>>
>>>> If Fedora and systemd haven't hacked things up too badly, you'll put proxypass statements (again, I use mod_jk, so I put in JkMount statements) in /etc/httpd/conf.d/ssl.conf.
>>>>
>>>> You'll be terminating SSL on Apache HTTPD, and sending AJP (not encrypted) traffic between Apache HTTPD and TomEE.
>>>>
>>>> Prevent the proxypass to your protected servlet (whatever the URL is) by using the exclamation point in httpd.conf. Add the required proxypass in ssl.conf, which is what Apache HTTPD uses in order to configure SSL.
>>> Not working. I am getting
>>>
>>> Not Found
>>>
>>> The requested URL /DonateServlet was not found on this server.
>>>
>>> ==== ssl.conf =====
>>>
>>> # Protected servlet
>>> ProxyPass "/DonateServlet" "ajp://localhost:8009/DonateServlet"
>>> ErrorLog "/var/log/myDomain.com-error_log"
>>> TransferLog "/var/log/myDomain.com-access_log"
>> You're right, the simple solution does not work. :-(
>>
>> At this point, the only way I know how to manage this is with ReWrite rules.
>>
>> These get pretty complicated, and I strongly suggest that you read the rewrite rule documentation before playing around with them.
>>
>> This is also pretty far afield from the Apache Tomcat mailing list. You might want to head on over to the Apache HTTPD mailing list for better answers.
>>
>> That being said, I hacked together something that works.
>>
>> In your httpd.conf file before the ProxyPass "/" statement:
>>
>> # Turn on the rewrite Engine
>> RewriteEngine on
>>
>> # Make sure you're not on HTTPS
>> RewriteCond %{HTTPS} !=on
>>
>> # Send the DonateServlet to HTTPS
>> RewriteRule ^/DonateServlet$ https://%{SERVER_NAME}/DonateServlet [R,L]
>>
>> # Send everything else to TomEE
>> ProxyPass "/" "ajp://localhost:8009/Protect"
>>
>> In your ssl.conf file in the VirtualHost portion:
>>
>> # Make sure the engine is on
>> RewriteEngine on
>>
>> # Make sure you're not on port 80
>> RewriteCond %{SERVER_PORT} !^80$
>>
>> # Rewrite everything except the URL you want in HTTPS
>> RewriteCond %{REQUEST_URI} !^/DonateServlet$
>> RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R,L]
>>
>> # Send the DonateServlet to TomEE
>> ProxyPass "/Protect/Dressed" "ajp://localhost:8009/DonateServlet"
>>
>> I'm sure people can come up with better rewrite rules, but this should work.
>>
>> . . . just my two cents
>> /mde/
>>
> Oops, that should have read:
>
> ProxyPass "/DonateServlet" "ajp://localhost:8009/DonateServlet"
>
> Copy-paste error from my test case . . .
> /mde/
>
Wow, that must have taken a lot of time. Thanks. Hope to return the favor some day. :-)
I will have to move to the httpd email list. The changes did get me closer, but there are still issues. Only so you don't think this is a solution for others, I am explaining what did and did not work with this change. This is not meant to be a complaint.

When going to the /DonateServlet page I get an exception from the browser that the system admin did not set up the site correctly. After accepting the exception the /DonateServlet does come up, but with all the styling from the CSSs missing. Just a white background.

This did fix the exposure of the TCP/IP port :8443 on the address line. This did fix the https protocol prefix sticking for the remainder of the browser session. https is only on the /DonateServlet page.
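As an added illustration (not a configuration from anyone in this thread), here is a complete httpd.conf/ssl.conf pair that puts the pieces discussed above together: the catch-all ProxyPass over AJP, the `!` exclusions placed before it, the redirect of the sensitive servlet to HTTPS, and the HTTPS-side proxy for that servlet. It also addresses the "white page" symptom: the ssl.conf rule quoted above bounces every request other than /DonateServlet back to http://, and that includes the stylesheet requests the HTTPS page makes, which a browser treats as mixed content and refuses to load. The server name, the TomEE address and port, the /DonateServlet and /static/ paths, and the certificate file paths are all assumptions or placeholders.

```apache
# ---- /etc/httpd/conf/httpd.conf : plain-HTTP VirtualHost (port 80) ----
# Assumed names: www.example.org, TomEE AJP connector on localhost:8009,
# protected servlet at /DonateServlet, app assets (CSS/JS) under /static/.
<VirtualHost *:80>
    ServerName www.example.org

    RewriteEngine on
    # Force the sensitive servlet onto HTTPS before any proxying happens.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/DonateServlet$ https://%{SERVER_NAME}/DonateServlet [R=301,L]

    # Exclusions must precede the catch-all ProxyPass: first match wins.
    # The protected servlet is never reachable over plain HTTP, and the
    # TomEE manager app is not exposed through the proxy at all.
    ProxyPass "/DonateServlet" !
    ProxyPass "/manager" !

    # Everything else goes to TomEE over AJP.  AJP is not encrypted, so keep
    # TomEE's AJP connector bound to the loopback address only.
    ProxyPass "/" "ajp://localhost:8009/"
</VirtualHost>

# ---- /etc/httpd/conf.d/ssl.conf : HTTPS VirtualHost (port 443, mod_ssl) ----
<VirtualHost _default_:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/PLACEHOLDER.crt     # placeholder
    SSLCertificateKeyFile /etc/pki/tls/private/PLACEHOLDER.key   # placeholder

    RewriteEngine on
    # Send pages other than the protected servlet back to HTTP, but NOT the
    # assets the HTTPS page itself needs: a stylesheet that gets redirected to
    # http:// is mixed content, the browser drops it, and the page renders
    # unstyled.
    RewriteCond %{REQUEST_URI} !^/DonateServlet$
    RewriteCond %{REQUEST_URI} !^/static/
    RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R,L]

    # Proxy the protected servlet and its assets to TomEE.
    ProxyPass "/DonateServlet" "ajp://localhost:8009/DonateServlet"
    ProxyPass "/static/"       "ajp://localhost:8009/static/"
</VirtualHost>
```

The browser warning about the site being set up incorrectly is the usual sign that the certificate presented on port 443 is not trusted, for example a self-signed one or one whose subject does not match the ServerName; checking the certificate with the browser's certificate viewer or `openssl s_client -connect www.example.org:443` (hostname assumed) shows which. If the application references its CSS under a path other than the assumed /static/, that path has to be excluded from the redirect and proxied in the same way. The simpler and safer design, where it is an option, is to serve the whole site over HTTPS and redirect all of port 80 to it, so there is no HTTPS-to-HTTP bounce and no mixed-content problem at all.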