Hello all,
and sorry for asking something that has been asked in the past, but I don't get to find out what I'm doing wrong. There's a very strong possibility (actually close to '1') that my errors are from Apache setup point of view. However, I'm turning to you since I'm not 100% sure and in order to provide a more recent post on the subject.
Goal: I'm trying to set up an Apache to work as a reverse proxy in front of the Liferay tomcat bundle, in order to be able to allow only a limited set of requests, thus hiding some bugs and accessibility security issues of Liferay 6.0.6 CE. I'll use a self-signed certificate for this purpose. Note that I'm trying these on Windows OS. I would like to achieve this in a single machine (but I have also failed in a two machines attempt)
Speculation: If I have understood correctly, there are (at least) two ways of doing this concerning SSL setup. a) You set up your Apache to be able to listen to https (keypair and self signed certificate and all), you terminate SSL on the Apache and then you setup Apache to speak with Tomcat in http b) You set up apache to listen to https but you relay https requests to Tomcat. You setup tomcat and Liferay to listen to and respond with https
Process:
I haven't managed to perform a successful SSL termination an Apache yet. I haven't even cleared out how you do that. Does this happen explicitly with a setup specifically for this purpose or does this happen implicitly if you proxy your requests to an http address?
In this guide, I assume they're trying to achieve the other way around, i.e., setup both Apache and Tomcat to understand SSL. So based on this guide I tried the following:
1) Tomcat
I've created a keystore file for tomcat using the java keytool. I provided file path and credentials to Tomcat in server.xml where I un-commented the appropriate Connector. I also changed the ROOT/WEB-INF/web.xml <transport-guarantee> attribute to 'confidential'.
2) Liferay
I've set all the properties that were similar to *.require.https to true and tried many combination for # Web Server properties in the portal-ext.properties file. I managed to make Liferay to work just fine over https.
Then I have to setup the features that imply that there's a web server in front of liferay, in order to make Liferay to generate proper URLs to fit your needs. So I declared the https port that my web server (default 443) is using (web.server.https.port) and the name of the web server (web.server.host) (in my case, the IP of the web server - this might be a gotcha I don't know). Note that the corresponding http configuration worked for plain http connection with the Apache (i.e having an Apache listening to port 80 and proxy requests to Liferay at 8080)
3) Apache
Now, here comes the juicy part. I think I'll just give a sample of my httpd.conf . First of all I created a keypair using the openssl tool, I removed the passphrase from it due to windows incompatibility, I created the self signed certificate using the resulting key. Then my configuration:
I surely have some setting up issues I can't really figure out, considering that https://localhost/index.html returns "It works!" (default apache page in web root) but https://10.0.0.101/index.html does not even with all proxy setup commented out (YES COMMENTED OUT, ie NO PROXYING). Note that the machine has more than one defined ips (caution - IPs not actual network cards) but the top most defined is the 10.0.0.101 . Also note that I ve setup Tomcat to listen on port 443 on this particular attempt, thats why my proxy settings have the default port and not 8443 (I have also tried with 8443)
I have a feeling that my best bet is to try the other way around, i.e. terminate SSL on Apache but I don't really know how to do it.
As a bonus here are some errors from the log
Any help would be appreciated
P.S. (I 'm still wiggling between the TLDR and "Give us more info about your problem" fears, so...)
and sorry for asking something that has been asked in the past, but I don't get to find out what I'm doing wrong. There's a very strong possibility (actually close to '1') that my errors are from Apache setup point of view. However, I'm turning to you since I'm not 100% sure and in order to provide a more recent post on the subject.
Goal: I'm trying to set up an Apache to work as a reverse proxy in front of the Liferay tomcat bundle, in order to be able to allow only a limited set of requests, thus hiding some bugs and accessibility security issues of Liferay 6.0.6 CE. I'll use a self-signed certificate for this purpose. Note that I'm trying these on Windows OS. I would like to achieve this in a single machine (but I have also failed in a two machines attempt)
Speculation: If I have understood correctly, there are (at least) two ways of doing this concerning SSL setup. a) You set up your Apache to be able to listen to https (keypair and self signed certificate and all), you terminate SSL on the Apache and then you setup Apache to speak with Tomcat in http b) You set up apache to listen to https but you relay https requests to Tomcat. You setup tomcat and Liferay to listen to and respond with https
Process:
I haven't managed to perform a successful SSL termination an Apache yet. I haven't even cleared out how you do that. Does this happen explicitly with a setup specifically for this purpose or does this happen implicitly if you proxy your requests to an http address?
In this guide, I assume they're trying to achieve the other way around, i.e., setup both Apache and Tomcat to understand SSL. So based on this guide I tried the following:
1) Tomcat
I've created a keystore file for tomcat using the java keytool. I provided file path and credentials to Tomcat in server.xml where I un-commented the appropriate Connector. I also changed the ROOT/WEB-INF/web.xml <transport-guarantee> attribute to 'confidential'.
2) Liferay
I've set all the properties that were similar to *.require.https to true and tried many combination for # Web Server properties in the portal-ext.properties file. I managed to make Liferay to work just fine over https.
Then I have to setup the features that imply that there's a web server in front of liferay, in order to make Liferay to generate proper URLs to fit your needs. So I declared the https port that my web server (default 443) is using (web.server.https.port) and the name of the web server (web.server.host) (in my case, the IP of the web server - this might be a gotcha I don't know). Note that the corresponding http configuration worked for plain http connection with the Apache (i.e having an Apache listening to port 80 and proxy requests to Liferay at 8080)
3) Apache
Now, here comes the juicy part. I think I'll just give a sample of my httpd.conf . First of all I created a keypair using the openssl tool, I removed the passphrase from it due to windows incompatibility, I created the self signed certificate using the resulting key. Then my configuration:
NameVirtualHost *:443
Listen 80
Listen 443
ProxyRequests Off
## didn't touch these -start
DocumentRoot "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"
<directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
## didnt touch these -end
<virtualhost *:443>
ServerName https://10.0.0.101:443
SSLProxyEngine On
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile C:\keystore\mycert.crt
SSLCertificateKeyFile C:\keystore\key-nopassphrase.key
# RewriteEngine On
# I've commented those to minimize debugging complexity, i.e. I allow any request to be proxied
# RewriteRule ^ - [L,R=404]
ProxyPass / https://10.0.0.100/
ProxyPassReverse / https://10.0.0.100/
</virtualhost>
#The rest of the file is left with defaults. There are some <if> directives concerning mime cgid alias and log, so the only such directive I think might be interesting is
<ifmodule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</ifmodule>
</if>I surely have some setting up issues I can't really figure out, considering that https://localhost/index.html returns "It works!" (default apache page in web root) but https://10.0.0.101/index.html does not even with all proxy setup commented out (YES COMMENTED OUT, ie NO PROXYING). Note that the machine has more than one defined ips (caution - IPs not actual network cards) but the top most defined is the 10.0.0.101 . Also note that I ve setup Tomcat to listen on port 443 on this particular attempt, thats why my proxy settings have the default port and not 8443 (I have also tried with 8443)
I have a feeling that my best bet is to try the other way around, i.e. terminate SSL on Apache but I don't really know how to do it.
As a bonus here are some errors from the log
[Wed Feb 22 10:35:12 2012] [notice] Parent: Received restart signal -- Restarting the server.
[Wed Feb 22 10:35:12 2012] [notice] Child 1144: Exit event signaled. Child process is ending.
[Wed Feb 22 11:16:22 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Feb 22 11:16:22 2012] [warn] Init: (10.0.0.101:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Feb 22 11:16:23 2012] [warn] Init: (10.0.0.101:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Feb 22 11:16:23 2012] [notice] Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8t configured -- resuming normal operations
[Wed Feb 22 11:16:23 2012] [notice] Server built: Jan 28 2012 11:16:39
[Wed Feb 22 11:16:23 2012] [notice] Parent: Created child process 3660
[Wed Feb 22 11:16:23 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Feb 22 11:16:23 2012] [warn] Init: (10.0.0.101:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Feb 22 11:16:24 2012] [warn] Init: (10.0.0.101:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Feb 22 11:16:24 2012] [notice] Child 3660: Child process is running
[Wed Feb 22 11:16:24 2012] [notice] Child 3660: Acquired the start mutex.
[Wed Feb 22 11:16:24 2012] [notice] Child 3660: Starting 64 worker threads.
[Wed Feb 22 11:16:24 2012] [notice] Child 3660: Starting thread to listen on port 443.
[Wed Feb 22 11:16:28 2012] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01Any help would be appreciated
P.S. (I 'm still wiggling between the TLDR and "Give us more info about your problem" fears, so...)