3 Replies Latest reply on Jul 12, 2006 10:41 AM by bezdomny

    Apache mod_jk / JBoss SSL question

    bezdomny

      I've seen this asked many times and I think I have an answer that works for my particular situation.
      Please tell me if I'm right or wrong as I need to get my app deployed by next week.
      I have a site that MUST be SSL enabled for all pages, including login. Instead of enabling SSL in JBoss, I'm using my site's existing cert that is used by Apache. I'm using mod_rewrite like this inside both virtual hosts:

      <VirtualHost blah.mysite.com:443>
      ServerAdmin webmaster@dummy-host.example.com
      DocumentRoot "D:/usr/dev/web/mypath"
      ServerName blah.mysite.com
      DirectoryIndex index.html
      ErrorLog logs/blah-error_log
      CustomLog logs/blah-access_log common
      SSLEngine on
      SSLCertificateFile "C:\Program Files\Apache Group\Apache2\ssl\mycert.cert"
      SSLCertificateKeyFile "C:\Program Files\Apache Group\Apache2\ssl\mykey.key"
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
      RewriteEngine on

      RewriteCond %{SERVER_PORT} !^443$
      RewriteRule ^/(.*)$ https://blah.mysite.com/$1 [L,R]
      </VirtualHost>

      <VirtualHost blah.mysite.com:80>
      ServerAdmin webmaster@dummy-host.example.com
      DocumentRoot "D:/usr/dev/web/mypath"
      ServerName blah.mysite.com
      DirectoryIndex index.html
      ErrorLog logs/blah-error_log
      CustomLog logs/blah-access_log common
      RewriteEngine on

      RewriteCond %{SERVER_PORT} !^443$
      RewriteRule ^/(.*)$ https://blah.mysite.com/$1 [L,R]
      </VirtualHost>

      So this says that any request to any of these virtual hosts that ISN'T on port 443 is then redirected using the https: scheme.

      Is this an acceptable way to require SSL when JBoss is used with Apache and mod_jk?

      Thanks for the help. The reason why I don't want to enable SSL in JBoss directly is complicated. I work in a big corp environment and they don't like making changes from regular certs to java keystores and the like.

      B

        • 1. Re: Apache mod_jk / JBoss SSL question
          bezdomny

          Also, I don't like the fact that if you use this:
          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>

          in your web.xml, JBoss insists on redirecting the user to port 8443. I can't have that.

          B

          • 2. Re: Apache mod_jk / JBoss SSL question
            j2ee_junkie

            B,

            Isn't the redirect port set in Tomcat's server.xml file...

             <!-- A HTTP/1.1 Connector on port 8080 -->
             <Connector port="8080" address="${jboss.bind.address}"
             maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
             emptySessionPath="true"
             enableLookups="false" redirectPort="8443" acceptCount="100"
             connectionTimeout="20000" disableUploadTimeout="true"/>
            cgriffith

            • 3. Re: Apache mod_jk / JBoss SSL question
              bezdomny

              Yeah. I was reading in chapter 9 of the JBOG 4.0 book last night. I can fix the 8443 issue. I was wrong about that yesterday. What about my Apache/mod_rewrite approach?

              Thanks for responding.

              B
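
As an added example (not code from any poster in this thread), here is one way the two virtual hosts from the original post could be laid out so that port 80 only redirects and the application is mapped solely inside the TLS host. The worker name `jboss_worker` and the `/myapp/*` mount are hypothetical, and the cipher string is one stricter choice rather than the poster's.

```apache
# Added example. Hostname, paths and log names are copied from the post;
# "jboss_worker" and "/myapp/*" are hypothetical placeholders.

# Port 80: no content and no JkMount, only a redirect to the HTTPS site.
<VirtualHost blah.mysite.com:80>
    ServerName blah.mysite.com
    ErrorLog logs/blah-error_log
    CustomLog logs/blah-access_log common

    RewriteEngine on
    # No RewriteCond is needed here: every request that reaches this
    # virtual host arrived on port 80.
    RewriteRule ^/(.*)$ https://blah.mysite.com/$1 [L,R=301]
</VirtualHost>

# Port 443: TLS terminates at Apache with the existing certificate,
# so JBoss needs no keystore.
<VirtualHost blah.mysite.com:443>
    ServerName blah.mysite.com
    DocumentRoot "D:/usr/dev/web/mypath"
    DirectoryIndex index.html
    ErrorLog logs/blah-error_log
    CustomLog logs/blah-access_log common

    SSLEngine on
    SSLCertificateFile "C:\Program Files\Apache Group\Apache2\ssl\mycert.cert"
    SSLCertificateKeyFile "C:\Program Files\Apache Group\Apache2\ssl\mykey.key"

    # The posted string starts from ALL and removes only ADH and EXPORT56,
    # which keeps LOW, EXP and SSLv2 suites in the list. Starting from HIGH
    # leaves those out.
    SSLCipherSuite HIGH:!aNULL:!eNULL

    # The redirect rule from the post is omitted here: its condition
    # (!^443$) can never be true inside the port 443 virtual host.

    # Map the application to JBoss over AJP in the TLS host only, so it
    # cannot be served through the plain-HTTP virtual host.
    JkMount /myapp/* jboss_worker
</VirtualHost>
```

The redirect only governs requests that pass through Apache, so the JBoss HTTP connector on port 8080 shown in reply 2 must not be reachable by clients directly.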