I have a test server set up with Apache 1.3.27, Tomcat 4.1.27, and mod_jk2. It's all running on RH Linux ES 2.1.

Apache is set up on ports 80 & 443. The port 80 config has only the basics defined, then has a mod_rewrite rule to send *ALL* traffic to the same URL but via https. It also has mod_jk2 set up to forward all .jsp & .do requests to Tomcat. Tomcat is listening on ports 8080 and 8009.

All seems to work fine, but there's a hole. If I go to http://qa-wap1, I am properly redirected to https://qa-wap1. As I log in, follow links, etc., I stay on the secure URL. However, if I get into a secure URL... say https://qa-wap1/submitProfile.jsp and change the URL in my browser to http://qa-wap1:80/submitProfile.jsp and refresh the browser, the entire page (content and images, both) reloads and looks perfect. The obvious problem is that I just circumvented the secure URL concept. There's a hole somewhere that I haven't been able to plug. This occurs with multiple browsers.

Interestingly, I have an almost identical setup using Apache 1.3.26 and Resin via mod_caucho. The mod_rewrite rule is the same, but if I try to substitute the URL as mentioned above, it immediately puts me back on the secure URL as it should.

I'm including all the relevant portions of the config files below...

httpd.conf:

    <VirtualHost qa-wap1:80>
        ServerName qa-wap1
        ServerAlias qa-wap1.sd.mydomain.com
        ServerAdmin [EMAIL PROTECTED]
        ErrorLog /var/log/httpd/qa-wap1_error_log
        TransferLog /var/log/httpd/qa-wap1_access_log
        CustomLog /var/log/httpd/qa-wap1_referer_log referer
        CustomLog /var/log/httpd/qa-wap1_agent_log agent
        #
        RewriteEngine on
        RewriteLogLevel 0
        RewriteRule ^(.*) https://qa-wap1$1 [R=301]
    </VirtualHost>

    <VirtualHost qa-wap1:443>
        ServerName qa-wap1
        ServerAlias qa-wap1.sd.genvault.com
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /usr/tomcat/webapps/Genvault
        ErrorLog /var/log/httpd/qa-wap1_ssl_error_log
        TransferLog /var/log/httpd/qa-wap1_ssl_access_log
        CustomLog /var/log/httpd/qa-wap1_ssl_referer_log referer
        CustomLog /var/log/httpd/qa-wap1_ssl_agent_log agent
        DirectoryIndex index.htm
        # SSL Options
        SSLEngine on
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/httpd/certs/qa-wap1.crt
        SSLCertificateKeyFile /etc/httpd/certs/qa-wap1.key
        # End SSL Options
    </VirtualHost>

    # Load mod_jk2
    LoadModule jk2_module modules/mod_jk2.so
    AddModule mod_jk2.c

workers2.properties:

    #[logger.apache13]
    #level=DEBUG

    [shm]
    file=/var/log/httpd/shm.file
    size=1048576

    [workerEnv:]
    info=Global server options
    timing=1
    debug=0

    [channel.socket:localhost:8009]
    port=8009
    host=127.0.0.1

    # define the worker
    [ajp13:localhost:8009]
    channel=channel.socket.localhost:8009

    # Uri mapping
    [uri:/*.jsp]
    worker=ajp13:localhost:8009

    [uri:/*.do]
    worker=ajp13:localhost:8009

    [uri:/servlet/*]
    worker=ajp13:localhost:8009

    [uri:/services/*]
    worker=ajp13:localhost:8009

server.xml (snip - this is what correlates to the workers2.properties file for mapping to tomcat):

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
               port="8009"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"
               minProcessors="5"
               maxProcessors="75"
               acceptCount="10"
               debug="0"/>

jk2.properties:

    ## THIS FILE MAY BE OVERRIDDEN AT RUNTIME. MAKE SURE TOMCAT IS STOPPED
    ## WHEN YOU EDIT THE FILE.
    ## COMMENTS WILL BE _LOST_
    ## DOCUMENTATION OF THE FORMAT IN JkMain javadoc.

    # Set the desired handler list
    # handler.list=apr,request,channelJni
    #
    # Override the default port for the socketChannel
    # channelSocket.port=8019
    # Default:
    # channelUnix.file=${jkHome}/work/jk2.socket
    # Just to check if the config is working
    # shm.file=${jkHome}/work/jk2.shm

    # In order to enable jni use any channelJni directive
    # channelJni.disabled = 0
    # And one of the following directives:

    # apr.jniModeSo=/opt/apache2/modules/mod_jk2.so
    # If set to inprocess the mod_jk2 will Register natives itself
    # This will enable the starting of the Tomcat from mod_jk2
    # apr.jniModeSo=inprocess

    handler.list=request,container,channelSocket

    channelSocket.port=8009
    channelSocket.address=127.0.0.1
    channelSocket.maxPort=port+10

Most interestingly, I decided to circumvent the problem by setting a different DocumentRoot for the port 80 vhost, having only a single index.html in the folder and having it do an immediate refresh to the secure URL (https://qa-wap1), plus I removed the rewrite rules. I would think that in doing this, if I change the URL to http://qa-wap1:80/submitProfile.jsp, I should get a 404 error since the file submitProfile.jsp would not exist in the DocumentRoot for the port 80 config in this test. Unfortunately, I got the same results as above... the page loaded perfectly on the non-secure URL, except for the images.

And since I know someone will ask, when I change the URL (https://qa-wap1/submitProfile.jsp) to http://qa-wap1:80/submitProfile.jsp and refresh the browser, yes, the lock icon goes away. So it's not a client caching issue.

--
Andrew Davis, Founder
SoCalLinuxSolutions
[EMAIL PROTECTED]
760-525-4689

SoCalLinuxSolutions.com
Linux Consultation & Integration Services
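As an added example (not from the original post or its Apache and Tomcat configs), a small Python checker for exactly the gap described: it sends a plain-HTTP GET without following redirects and flags any 200 on a path that should have been bounced to https. The host qa-wap1 and the .jsp/.do paths come from the post; the sample responses are constructed, and `probe` is only needed against a live server.

```python
"""Audit plain-HTTP responses for the redirect-to-HTTPS bypass in the post:
a correct port-80 answer redirects to the same path on https; a 200 leaks."""
import http.client
from urllib.parse import urlsplit, urlunsplit

def canonical(url):
    """Lower-case scheme and host, drop a default port, keep path and query."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return urlunsplit((p.scheme.lower(), netloc, p.path, p.query, ""))

def expected_https(url):
    """The https URL a port-80 request for `url` should be redirected to."""
    p = urlsplit(canonical(url))
    return urlunsplit(("https", p.netloc, p.path, p.query, ""))

def classify(url, status, headers):
    """'ok', 'leak' (content served in the clear), 'bad-redirect' or 'other'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        loc = hdrs.get("location", "")
        return "ok" if canonical(loc) == expected_https(url) else "bad-redirect"
    return "leak" if status == 200 else "other"

def probe(url, timeout=5):
    """One GET over plain HTTP, redirects not followed; returns the verdict."""
    p = urlsplit(url)
    conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    target = (p.path or "/") + (f"?{p.query}" if p.query else "")
    conn.request("GET", target, headers={"Host": p.netloc})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return classify(url, resp.status, dict(resp.getheaders()))

# Constructed sample responses standing in for live probes of the test server:
# the root redirects correctly, the .jsp is served in the clear (the hole),
# and a .do redirects but back to plain http.
SAMPLES = [
    ("http://qa-wap1/", 301, {"Location": "https://qa-wap1/"}),
    ("http://qa-wap1:80/submitProfile.jsp", 200, {"Content-Type": "text/html"}),
    ("http://qa-wap1/login.do", 302, {"Location": "http://qa-wap1/login.do"}),
]

def audit(samples=SAMPLES):
    """Map each sampled URL to its verdict; any 'leak' means the hole is open."""
    return {url: classify(url, st, h) for url, st, h in samples}

if __name__ == "__main__":
    print(audit())
```

Replace `SAMPLES` with `probe(url)` calls over the paths that mod_jk2 forwards (/*.jsp, /*.do, /servlet/*, /services/*) to test the real vhost, since those are the mappings that bypass the redirect in the setup above.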

