RE: [OT] Apache mod_jk HTTPS problem
Thank you, Chris. Customizing ServerName solved the problem.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, June 17, 2009 11:27 PM
To: Tomcat Users List
Subject: Re: [OT] Apache mod_jk HTTPS problem

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Apache mod_jk HTTPS problem
Attacus,

On 6/16/2009 4:04 PM, attacus wrote:
> NameVirtualHost *:443

This ain't gonna work: SSL negotiation occurs /before/ the HTTP headers are sent, meaning that the VirtualHost has already been chosen before the Server header can be inspected. This will probably work with a single VirtualHost on port 443, but it's not going to work if you add others. Apache httpd will probably just choose the first one defined or something.

> <VirtualHost *:443>
> ServerName *:443

This is not correct, either. If you're using name-based VirtualHosts, you need to bind a name to the VirtualHost: something like www.myserver.com. Again, see the note above about NameVirtualHost not working for HTTPS.

> ErrorLog C:/tools/Apache2.2/logs/secure-channel-error.log

This would be a good place to look for startup errors or warnings.

> JkMountFile conf/uriworkermap.properties

Is this the same JkMountFile you use for your (working) non-SSL VirtualHost?

> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Note that this is an overly-complicated Ciphers line... you're using ALL and then customizing it by adding other ciphers. It's the equivalent of:

SSLCipherSuite ALL:-ADH

or even

SSLCipherSuite ALL:!ADH

-chris
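The two points raised in the reply above, applied to the posted block as an added example that is not part of the original thread. `www.myserver.com` is the placeholder name from the reply; the `SSLProtocol` and `SSLCipherSuite` values are this example's own choice, not something the thread prescribes.

```apache
# Added example, not from the thread. Paths and directives are the ones
# posted; only the lines marked "Posted:" have been changed.

# One certificate, one vhost on *:443: the case the reply expects to work.
<VirtualHost *:443>
    # Posted: ServerName *:443
    # A wildcard with a port is not a host name; bind a real name instead.
    ServerName www.myserver.com

    ErrorLog  C:/tools/Apache2.2/logs/secure-channel-error.log
    LogLevel  warn
    CustomLog C:/tools/Apache2.2/logs/secure-channel-access-error.log combined
    ServerSignature On

    # Assumed to be the same map file the working non-SSL vhost uses
    # (the question asked in the reply), so the same URIs reach Tomcat.
    JkMountFile conf/uriworkermap.properties

    SSLEngine On

    # Posted: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # Starting from ALL and removing only ADH keeps every LOW and EXP suite
    # the OpenSSL build offers. Start from HIGH and exclude the rest by name.
    SSLProtocol    all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!MD5

    SSLCertificateFile      C:/tools/Apache2.2/conf/server.crt
    SSLCertificateKeyFile   C:/tools/Apache2.2/conf/server.key
    SSLCertificateChainFile C:/tools/Apache2.2/conf/server.crt
    SSLOptions -StdEnvVars +ExportCertData
</VirtualHost>
```

Running `httpd -t` after the edit checks the syntax before the server is restarted; startup warnings still land in the ErrorLog named above.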
Re: [OT] Apache mod_jk HTTPS problem
Attacus,

On 6/15/2009 4:42 PM, attacus wrote:
> In case with domain name Apache searches static content instead of my
> dynamic JBoss-Tomcat-produced page, and finally returns error 404.
> Please help me if you have any ideas where to dig.

Sounds like you don't have your httpd VirtualHost correct for handling SSL. Feel free to post your VirtualHost configuration so we can take a look.

-chris
RE: [OT] Apache mod_jk HTTPS problem
Christopher, you're right. I feel like something is wrong here. I am not experienced in Apache configuration. So please do not kick me hard. :)

#
# Use name-based virtual hosting.
#
NameVirtualHost *:443

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any VirtualHost block.
#
<VirtualHost *:443>
    ServerName *:443
    ErrorLog C:/tools/Apache2.2/logs/secure-channel-error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog C:/tools/Apache2.2/logs/secure-channel-access-error.log combined
    ServerSignature On
    JkMountFile conf/uriworkermap.properties
    SSLEngine On
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile C:/tools/Apache2.2/conf/server.crt
    SSLCertificateKeyFile C:/tools/Apache2.2/conf/server.key
    SSLCertificateChainFile C:/tools/Apache2.2/conf/server.crt
    SSLOptions -StdEnvVars +ExportCertData
</VirtualHost>

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, June 16, 2009 7:07 PM
To: Tomcat Users List
Subject: Re: [OT] Apache mod_jk HTTPS problem