On 29/06/17 18:40, TED SPRADLEY wrote:
> I've worked on this for three days and at this point am not sure where to
> begin debugging. 
> 
> I don't know if this is a SSL Cert issue, an Apache Reverse Proxy issue, a
> Tomcat Connector issue or a Tomcat import of the SSL Cert issue.
> 
> Any feedback is much appreciated.

<snip/>

> Configuration files content:
> 
> -- begin virtualhost.conf
> <VirtualHost *:80>
>   ServerName www.example.com
>   ServerAlias example.com *.example.com
>   ProxyRequests off
>   ProxyPreserveHost on
>   ProxyPass / http://example.com:8081/
>   ProxyPassReverse / http://example.com:8081/
>   ProxyPass         /somecontext  http://example.com:8081/somecontext
>   ProxyPassReverse  /somecontext  http://example.com:8081/somecontext

The above two lines are unnecessary. The previous ProxyPass proxies all
content to Tomcat.

> </VirtualHost>
> 
> <VirtualHost *:80>
>   ServerName www.exampledefaultdomain.com
>   ServerAlias exampledefaultdomain.com *.exampledefaultdomain.com
> </VirtualHost>
> 
> <VirtualHost *:443>
>   ServerName www.example.com
>   ServerAlias example.com *.example.com
>   ProxyRequests off
>   ProxyPreserveHost on
>   CustomLog "/etc/httpd/logs/examplessl.log" "%h %l %u %t \"%r\" %>s %b"
>   ErrorLog "/etc/httpd/logs/examplessl_error.log"
>   SSLEngine on
>   SSLProxyEngine on
>   SSLCertificateFile /path/to/certs/example.com.crt
>   SSLCertificateKeyFile /path/to/keys/example.key
>   SSLCertificateChainFile /path/to/certs/ca_bundle.crt
>   ProxyPass / http://example.com:8443/
>   ProxyPassReverse / http://example.com:8443/
>   ProxyPass         /somecontext  http://example.com:8443/somecontext
>   ProxyPassReverse  /somecontext  http://example.com:8443/somecontext

The above two lines are unnecessary. The previous ProxyPass proxies all
content to Tomcat.

And here appears to be the problem.

If you are proxying to a secure port on Tomcat then the scheme needs to
be https, not http. i.e.:

ProxyPass        / https://example.com:8443/
ProxyPassReverse / https://example.com:8443/

Well done for proxying http and https separately. Many users proxy them
to the same Tomcat connector and create a bunch of security issues
(which can be avoided with very careful configuration but that often
gets overlooked).

> </VirtualHost>
> -- end virtualhost.conf
> 
> -- begin ssl.conf -
> <VirtualHost _default_:443>
>   ErrorLog logs/ssl_error_log
>   TransferLog logs/ssl_access_log
>   LogLevel warn
>   SSLEngine on
>   SSLProtocol all -SSLv2
>   SSLCertificateFile /path/to/certs/example.com.crt
>   SSLCertificateKeyFile /path/to/keys/example.key
>   SSLCACertificateFile /path/to/certs/ca_bundle.crt
> </VirtualHost>
> -- end ssl.conf -
> 
> -- begin Tomcat server.xml Connector:
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
>                 maxThreads="150"
>                 SSLEnabled="true"
>                 scheme="https"
>                 secure="true"
>                 proxyName="www.example.com"
>                 proxyPort="443"
>                 keystoreFile="conf/.keystore"
>                 clientAuth="false"
>                 sslProtocol="TLS"
>                 xpoweredBy="false"
>                 server="Apache TomEE" />
> -- end Tomcat server.xml Connector:

That looks OK on the face of it.

It would have been nice to see the config for the 8001 connector but
that doesn't appear to be relevant to the problem at this point.

Mark
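As an added check (not part of Mark's reply, and not Tomcat or httpd project code), here is a small Python lint that cross-references the httpd ProxyPass targets against the Tomcat connectors and reports exactly the mismatch spotted above: a connector with SSLEnabled="true" being reached over http://, or an https:// target in a vhost that lacks SSLProxyEngine on. The config excerpts are constructed samples modelled on the thread, and the 8081 connector definition is an assumption since it was not shown.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpts modelled on the thread's configs (not the poster's real files).
# The 8081 connector is assumed: its definition was not shown in the thread.
HTTPD_CONF = """
<VirtualHost *:80>
  ProxyPass / http://example.com:8081/
  ProxyPassReverse / http://example.com:8081/
</VirtualHost>
<VirtualHost *:443>
  SSLEngine on
  SSLProxyEngine on
  ProxyPass / http://example.com:8443/
  ProxyPassReverse / http://example.com:8443/
</VirtualHost>
"""
SERVER_XML = """
<Connector port="8081" protocol="HTTP/1.1" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true" />
"""

def tls_connector_ports(server_xml):
    """Ports of Tomcat connectors that terminate TLS themselves (SSLEnabled="true")."""
    ports = set()
    for attrs in re.findall(r"<Connector\b([^>]*?)/?>", server_xml, re.S):
        port = re.search(r'\bport="(\d+)"', attrs)
        if port and re.search(r'\bSSLEnabled="true"', attrs, re.I):
            ports.add(int(port.group(1)))
    return ports

def scheme_mismatches(httpd_conf, server_xml):
    """Return (vhost, directive, target, problem) for ProxyPass/ProxyPassReverse targets
    that use http:// against a TLS connector, or https:// without SSLProxyEngine on."""
    tls_ports = tls_connector_ports(server_xml)
    findings = []
    for vhost, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", httpd_conf, re.S):
        ssl_proxy = re.search(r"^\s*SSLProxyEngine\s+on\b", body, re.M | re.I) is not None
        directives = re.findall(r"^\s*(ProxyPassReverse|ProxyPass)\s+(\S+)\s+(\S+)", body, re.M)
        for directive, _path, target in directives:
            url = urlsplit(target)
            if url.scheme == "http" and url.port in tls_ports:
                findings.append((vhost, directive, target, "TLS connector reached over http://"))
            elif url.scheme == "https" and not ssl_proxy:
                findings.append((vhost, directive, target, "https:// target but SSLProxyEngine is not on"))
    return findings

if __name__ == "__main__":
    for finding in scheme_mismatches(HTTPD_CONF, SERVER_XML):
        print(*finding)
```

Run against the sample it reports only the two :443 directives; switching them to https:// (as Mark suggests) clears the report.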
