I am trying to set up a server with multiple web applications which will all be served through apache VirtualHost (apache running on the same server). My main constraint is that each web application must use SSL encryption. After googling for a while and looking at other questions on stackoverflow, I wrote the following configuration for the VirtualHost:
<VirtualHost 1.2.3.4:443>
ServerName host.example.org
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://localhost:8443/
ProxyPassReverse / https://localhost:8443/
</VirtualHost>
Even though https://host.example.org:8443 is accessible, https://host.example.org is not, which defeats the purpose of my virtual host configuration. Firefox complains that, even though it successfully connected to the server, the connection was interrupted. I also get the following warning in apache's error.log:
proxy: no HTTP 0.9 request (with no host line) on incoming request and preserve host set forcing hostname to be host.example.org for uri
On the web application (a Tomcat server) the access log shows a strange access request:
"?O^A^C / HTTP/1.1" 302
Following is the correct access resquest I get when I connect directly to https://host.example.org:8443:
"GET / HTTP/1.1" 302
Finally I should also mention that the virtual host works perfectly fine when I do not use SSL.
How can I make this work?
At last I found a way to make it work. First I tried Dave Cheney suggestion, so I installed an other certificate for the apache server redirected to Tomcat non SSL port (so the proxy was redirecting to http://localhost:8080/). Unfortunately it did not fully work as in the web browser the https was transformed to http immediately upon connection. So I reverted to using https://localhost:8443/ and the final touch to make it work was to add again SSLProxyEngine.
Here is the resulting VirtualHost configuration:
Try this config
If your application needs to have access to the SSL information from the proxied connection, you should consider using mod_proxy_ajp, and the tomcat ajp1.3 connector.
But if you goal is to run multiple ssl enabled web applications on the same server. adding apache in front isnt going to balance them using your above config, you would still need a load balancer or you could use apache's proxy balancer module with something like the following:
Well, what I don't understand here is why you need to have an SSL connection from your apache to your application which seems to be on the same machine (http://localhost:8443/).
I guess the usual way to set up things like this is to have apache providing SSL encryption to the "customer"-side, e.g. internet, and have an unencrypted connection to the application. This also gives you more freedom to debug your application responses.
The other thing Dave Cheney mentioned is to use the native tomcat connector in order to have load balancing and other features.
Do you really need to proxy to a HTTPS service? You might want to proxy to the non-ssl service in localhost, e.g.
First i would look at if you can do a request from localhost to localhost:8443 and see if thats successful (IE do a GET or wget http://localhost:8443)
Im not quite sure why your havin g a virtual host listening on port 443 then proxying it to another ssl host
why cant the application just use 443 natively? if you cant change it you could just use iptables to redirect the port
Check your SSL error log and make sure you have no errors about being unable to verify the CA certificate chain.