Hi Just,

Thank you for this nice workaround. Will give it a try. TNX!

 

-----Original Message-----
From: Hannes Just [mailto:hannes.j...@auconet.com] 
Sent: Wednesday 10 March 2010 17:11
To: spectrum
Subject: RE: [spectrum] JAVA, JNPL & JNLP descriptors - OC via SSL
offloader / reverse proxy

Hi Erwin,

I use Apache 2.2.14 for that purpose, as it nicely handles HTTP/1.1,
DEFLATE compression, in-memory caching and SSL/TLS encryption. That way,
the Tomcat application server still serves plain-text HTTP, whereas
Apache does the encryption, compression and caching.

As I haven't found an elegant way to configure JnlpDownloadServlet (this
is the module that evaluates and replaces the dreaded $$codebase stuff),
and documentation on that subject is rather rare, I configured Apache's
mod_substitute to rewrite the protocol part in the JNLP file. Be aware
that mod_substitute may not be included or activated in a default
installation. If you set up Apache's mod_proxy_http reverse handling
correctly, the proper hostname of the reverse proxy will be included in
the HTTP Request Headers to the Tomcat backend, so JnlpDownloadServlet
at least inserts the correct hostname.

This is my proxy.conf file which gets loaded from the base httpd.conf.
It enables proxying, compression and caching:

--- snip ---
# compress traffic to client, nice speed-up on slow links
<IfModule mod_deflate.c>
  DeflateCompressionLevel 9
  SetOutputFilter DEFLATE
  SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
  Header append Vary User-Agent env=!dont-vary
</IfModule>

<IfModule mod_proxy.c>
  ProxyRequests Off
  # this setting enables JnlpDownloadServlet to insert the correct hostname in $$codebase
  ProxyPreserveHost On
  ProxyVia Off
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  # work-around for the stupid http-equiv="refresh" in /index.html
  RedirectPermanent / /spectrum/

  <Location /spectrum/>
    # yes, talk IPv6 to the local tomcat backend, somewhat lighter on resources
    ProxyPass http://[::1]:8080/spectrum/
    ProxyPassReverse http://[::1]:8080/spectrum/
  </Location>

  # cache static resources, so Tomcat only needs to serve them once
  <IfModule mod_cache.c>
    <IfModule mod_mem_cache.c>
      CacheEnable mem /
      # total in-memory cache in KiB
      MCacheSize 262144
      MCacheMaxObjectCount 1024
      MCacheMinObjectSize 1
      # max object size in Bytes
      MCacheMaxObjectSize 134217728
    </IfModule>
  </IfModule>
</IfModule>
--- snap ---

Here are the most important parts from my ssl.conf, which is also read
by my httpd.conf:

--- snip ---
LoadModule ssl_module modules/mod_ssl.so
LoadModule substitute_module modules/mod_substitute.so

Listen 443

RequestHeader set X-Forwarded-SSL on
RequestHeader set X-Forwarded-Proto https

# when serving a oneclick.jnlp file, replace codebase="http: with codebase="https: in its body
<ProxyMatch "oneclick\.jnlp$">
        SetOutputFilter SUBSTITUTE;DEFLATE
        Substitute s/codebase="http:/codebase="https:/i
</ProxyMatch>

--- snap ---

Don't forget to supply the CA certificate(s) and server certificate and
private keyfile via the SSLCertificate* options to Apache.

Furthermore, depending on your Apache installation, you may need to set
up some things in httpd.conf. Especially take a look at:

--- snip ---
# Enable HTTP connection re-use
KeepAlive On
# Optionally, disable plain-text HTTP for clients
#Listen 80
UseCanonicalName On
--- snap ---

Don't forget to import the CA certificate(s) to the client keystore,
otherwise you get "connection refused" errors. Maybe take a look at
tools like http://sourceforge.net/projects/ssltools/ or
http://yellowcat1.free.fr/keytool_iui.html.

I hope that helps.

Cheers,
Hannes
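
A check for the rewrite described in the message above, as an added example that is not part of the original thread: it applies the same substitution as the `Substitute` rule to a JNLP body and lists every `codebase`/`href` a client would still fetch outside HTTPS on the proxy's hostname. The sample JNLP, the hostname `oc.example.test`, the address `10.0.0.5` and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of a JNLP body as a backend might emit it (not real output).
SAMPLE_BACKEND_JNLP = """<jnlp spec="1.0+" codebase="http://oc.example.test/spectrum/" href="oneclick.jnlp">
  <information><title>OneClick</title></information>
  <resources>
    <jar href="lib/console.jar"/>
    <extension name="Library" href="http://10.0.0.5:8080/spectrum/lib/library.jnlp"/>
  </resources>
</jnlp>"""

def substitute_like_proxy(body):
    """Same rewrite as: Substitute s/codebase="http:/codebase="https:/i"""
    return re.sub(r'codebase="http:', 'codebase="https:', body, flags=re.I)

def audit_jnlp(body, public_host):
    """Return (tag, attribute, url, reason) for each absolute URL that is
    not https or does not point at the reverse proxy's public hostname."""
    findings = []
    for elem in ET.fromstring(body).iter():
        for attr in ("codebase", "href"):
            value = elem.get(attr)
            if not value:
                continue
            parts = urlsplit(value)
            if not parts.scheme:
                continue  # relative URL, resolved against codebase by the client
            if parts.scheme.lower() != "https":
                findings.append((elem.tag, attr, value, "not https"))
            elif (parts.hostname or "").lower() != public_host.lower():
                findings.append((elem.tag, attr, value, "unexpected host"))
    return findings

if __name__ == "__main__":
    rewritten = substitute_like_proxy(SAMPLE_BACKEND_JNLP)
    for finding in audit_jnlp(rewritten, "oc.example.test"):
        print(finding)
```

Run against the descriptor actually served through the proxy, an empty result means the client will not be sent to a plain-HTTP or internal URL; anything listed is an attribute the `codebase` substitution does not cover.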

-----Original Message-----
From: De Munter, Erwin [mailto:erwin.de_mun...@siemens.com] 
Sent: Friday, March 05, 2010 3:13 PM
To: spectrum
Subject: RE:[spectrum] JAVA, JNPL & JNLP descriptors - OC via SSL
offloader / reverse proxy

 

Hello List,


For a certain case I am trying to make OC available via an SSL offloader /
reverse proxy:

Spectrum OC Server 80 INTERNAL - Reverse Proxy, URL rewrite - EXTERNAL Client 443


Opening of the default Spectrum web page is OK, as well as installation
of the Java client.
Rewriting of the URL is OK.
But opening One Click will fail, because the internal URL is used in the
oneclick.jnlp file.

When changing the URL in the JNLP file manually, it goes a bit deeper,
but when looking in the Java console, the JNLP Application and Library
all have the internal URL used.


Does anyone have experience with modifying something at the level of the OC
Tomcat server? Or can anyone point me in a direction?



Best regards,


De Munter Erwin




---
To unsubscribe from spectrum, send email to lists...@unc.edu with the
body: unsubscribe spectrum hannes.j...@auconet.com


