Larry,

BTW, you're doing great. Thanks for battling through. See below.

On 6/16/15 2:29 PM, Cohen, Laurence wrote:
> ******* nss.conf.testweb01 *******
>
> Listen 443
>
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
>
> NSSPassPhraseDialog file:/etc/httpd/.password.conf
> #NSSPassPhraseDialog builtin
>
> NSSPassPhraseHelper /usr/sbin/nss_pcache
>
> NSSSessionCacheSize 10000
> NSSSessionCacheTimeout 100
> NSSSession3CacheTimeout 86400
>
> NSSRandomSeed startup builtin
>
> <VirtualHost _default_:443>
>
> DocumentRoot "/var/www/docroot"
> NSSProxyCheckPeerCN Off
> NSSEngine on
> NSSProxyEngine on
> NSSEnforceValidCerts off
> NSSRenegotiation on
> NSSRequireSafeNegotiation on
>
> NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProtocol TLSv1
> NSSNickname Server-Cert
> NSSCertificateDatabase /etc/httpd/alias
> NSSFIPS on
> NSSOCSP off
>
> ProxyPreserveHost On
>
> <Location /dse-help>
> #SSLRenegBufferSize 10486000
> NSSVerifyClient none
> NSSOptions +StdEnvVars
> ProxyPass https://testapp01:8007/dse-help
> ProxyPassReverse https://testapp01:8007/dse-help
> </Location>

Okay, good: here's the real meat of the file (repeated over and over, of course). The "Location" matches an incoming URL and then the stuff between the <Location> and </Location> will be effective for requests whose URLs match that pattern.
So, for a request for /dse-help, the request is forwarded over to Tomcat on port 8007 using the https:// protocol. The ProxyPassReverse will re-write response headers like Location and Set-Cookie to make sure they point to the reverse proxy (httpd) server instead of Tomcat (testapp01:8007). This is all you need to get things working. Since the above is from the :443 VirtualHost, you just need to make sure that similar configuration exists in the :80 VirtualHost configuration files.

> # initialize the SSL headers to a blank value to avoid http header forgeries
> RequestHeader set SSL_CLIENT_CERT ""
> RequestHeader set SSL_CIPHER ""
> RequestHeader set SSL_SESSION_ID ""
> RequestHeader set SSL_CIPHER_USEKEYSIZE ""

I'm not entirely sure:

a) How mod_nss expects to send the original HTTPS information to Tomcat
b) Whether or not Tomcat is configured to detect this information and make sure it's available to the container/web application
c) In what order the "StdEnvVars" and "RequestHeader set" operations take place.

I would want to make sure you've got all that right so that the following takes place:

1. Request comes in
2. Request has HTTPS-related headers stripped
3. Request has HTTPS-related headers added during proxying

You might consider using "RequestHeader unset" instead of "RequestHeader set ''". There's no reason to send over a blank string.

> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
> RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
> RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"

If you are going to be "setting" each of these with new values, you may as well not bother to "unset" (or "set" them to "") beforehand. I think it's just extra processing that wastes time and doesn't accomplish anything. Of course, you'll want to verify that I'm correct in that it doesn't matter if you remove the "unsets" before the "sets", but I think you'll be okay.
> ******* rewwrite.conf.testweb01 *******
>
> #
> # rewrite.conf:
> # These rules handle all http:// protocol requests.
> #
> RewriteEngine on
>
> # General:
> # Disable HTTP TRACE on all requests.
> RewriteCond %{REQUEST_METHOD} ^TRACE
> RewriteRule .* - [F]
>
> # General:
> # Redirect requests to https, EXCEPT for the favicon,
> # User-Defined URLs, System-Defined URLs, DDMS, AOP.
> # https rewrite rules are found in ssl.conf.
> RewriteCond %{SERVER_PROTOCOL} !https
> RewriteCond %{REQUEST_URI} !^/favicon.ico
> RewriteCond %{REQUEST_URI} !^/mdr/ns
> RewriteCond %{REQUEST_URI} !^/mdr/irs
> RewriteCond %{REQUEST_URI} !^/mdr/documents
> RewriteCond %{REQUEST_URI} !^/dse/uriService
> RewriteCond %{REQUEST_URI} !^/dse/ns
> RewriteCond %{REQUEST_URI} !^/dse/irs
> RewriteCond %{REQUEST_URI} !^/dse/documents
> RewriteCond %{REQUEST_URI} !^/dse/downloads
>
> # query string containing wsdl (e.g. <somepath>/publish?wsdl), let it fetch as http
> RewriteCond %{QUERY_STRING} !wsdl
>
> RewriteRule ^/(.*)$ https://testweb01/$1 [last,redirect]

Oh, man. This is awful. I'll bet the SSL-based configuration was re-written using ProxyPass/ProxyPassReverse and then the mod_rewrite (that's what all this stuff is) stuff was simply removed (or no longer referenced from httpd.conf, probably). But it looks like the RewriteCond/RewriteRule stuff was actually enabling your proxying (in the very ugliest way possible, I might add), so you lost your :80 proxying.

For the most part, you should be able to copy the <Location> sections from your nss.conf into whatever file you would like to include to set up your :80 VirtualHost, and that should be about it. (Of course, you'll want to remove the NSSOptions and NSSVerifyClient sections as well.)
If you'd prefer to have a slightly cleaner configuration, you can change this:

> <Location /dse-help>
> #SSLRenegBufferSize 10486000
> NSSVerifyClient none
> NSSOptions +StdEnvVars
> ProxyPass https://testapp01:8007/dse-help
> ProxyPassReverse https://testapp01:8007/dse-help
> </Location>

to this:

    ProxyPass /dse-help https://testapp01:8007/dse-help
    ProxyPassReverse /dse-help https://testapp01:8007/dse-help

, since you don't need additional configuration.

I would be willing to bet that if you set NSSOptions and NSSVerifyClient at the top-level, you wouldn't have to specify it separately in all of those <Location> sections, and your configuration would get even simpler, but I'm not aware of all of the intricacies of your environment, so I wouldn't recommend you make that change without someone watching who knows this configuration very well.

Hope that helps,
-chris
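The following is an added example, not configuration from Larry's files or from Chris's reply: it shows what a :80 VirtualHost for testweb01 could look like when built from the advice in this thread (top-level ProxyPass/ProxyPassReverse instead of <Location> blocks, "RequestHeader unset" instead of "RequestHeader set ''", and no NSSOptions/NSSVerifyClient). The hostnames, port and path are the ones quoted in the thread; the file name, ServerName, the use of TraceEnable in place of the mod_rewrite TRACE rule, and the assumption that mod_nss needs NSSProxyEngine in this vhost because the backend is https:// are assumptions made for the example. The https redirect rules from rewrite.conf are left out here; they would stay wherever that file is included.

```apache
# /etc/httpd/conf.d/proxy-80.conf  (assumed file name; example only, not the
# configuration from the thread)

<VirtualHost *:80>
    ServerName testweb01

    # Refuse TRACE with the core directive; this replaces the
    # RewriteCond %{REQUEST_METHOD} ^TRACE / RewriteRule .* - [F] pair.
    TraceEnable off

    # Tomcat treats these headers as httpd's statement of what it saw on the
    # TLS connection. On the plain-HTTP vhost there is no TLS information, so
    # remove whatever the client sent instead of forwarding an empty value.
    # (Requires mod_headers.)
    RequestHeader unset SSL_CLIENT_CERT
    RequestHeader unset SSL_CIPHER
    RequestHeader unset SSL_SESSION_ID
    RequestHeader unset SSL_CIPHER_USEKEYSIZE

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Assumed: the backend speaks https://, so mod_nss must act as a TLS
    # client from this vhost too. NSSProxyCheckPeerCN is deliberately not
    # copied from nss.conf, so mod_nss keeps its default peer name checking.
    NSSProxyEngine on

    # Same mapping as the <Location /dse-help> block in nss.conf, minus the
    # NSSVerifyClient/NSSOptions lines that only make sense on :443.
    ProxyPass        /dse-help https://testapp01:8007/dse-help
    ProxyPassReverse /dse-help https://testapp01:8007/dse-help
</VirtualHost>
```

To check that the stripping works, send a request through this vhost with a forged header (for example `curl -H 'SSL_CLIENT_CERT: bogus' http://testweb01/dse-help/`) and confirm on the Tomcat side, via its access log or a request dump, that the header never arrives. On the :443 vhost the "RequestHeader set X %{X}s" lines alone are sufficient for the same reason: "set" replaces a client-supplied value rather than appending to it.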