How to switch to/from HTTPS using Apache as a proxy to Tomcat

Posted on by

I’m writing this down because it too me an age to figure out a way of doing this. I have a website which Tomcat is happily serving. Areas of the site require a secure connection so I’m using Spring security to require particular URLs to be accessed over HTTPS. It means that when I access http://example.org:8080/webapp/login, it’ll bump me to https://example.org:8443/webapp/login. Note: Tomcat is setup with the SSL connector and a self signed .keystore see (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html).

I have two vhosts setup in Apache, one for the http://example.org and one for https://example.org. They are both using mod_proxy to ProxyPass and ProxyPassReverse requests to the appropriate Tomcat URL’s. The problem comes when switching to HTTPS from HTTP and vice versa. Ideally I wanted some sort of ProxyPassReverse declaration in my config for http://example.org what would change HTTP headers (that Spring sets) for https://example.org:8443/webapp into https://example.org. Except ProxyPassReverse doesn’t work like that.

Now, I realise I could simply not use Spring to manage which parts of the site should be accessed over HTTPS and which should not…and just setup Apache to redirect as appropriate. I don’t want to do that though, because that makes the task of adding these restrictions a deploy time task, rather than a development time task. I don’t want to risk someone forgetting to add new restrictions when deploying the webapp and I’d much rather the developer added these restrictions when they were working on the task and really thinking about where and when they are needed.

So, how do I solve the problem so that the app can manage its secure-ness and I can setup Apache once and forget about it? The answer is to ProxyPassReverse onto a “special” URL, which when accessed will redirect to the HTTPS (or HTTP) site. For example, if the HTTP site needed to redirect to the HTTPS site, I’d add rules like so to perform the redirect:

    # Proxy a request (from the server) to switch to https onto a special URL "/2https/"
    ProxyPassReverse /2https/ https://example.org:8443/webapp/

    # When a client requests a URL prefixed with "/2https" map it onto the secure site
    RewriteRule ^/2https/(.*)$ https://example.org/$1 [R,L]

…and you’d add something similar to the secure site Apache config. As long as I don’t mount any pages at /2http or /2https I should be ok. Note a couple of things:

  • You’ll need “SSLProxyEngine on” and “RewriteEngine on” and obviously the appropriate Apache modules loaded for these commands.
  • Because of the redirect between HTTP <-> HTTPS you won’t be able to POST data between them directly (I’m not sure why you’d NEED to though)
  • Obviously you’ll need to setup Apache with an SSL certificate…but that is a different story

I should say a special thanks to this random site – from whence the idea actually came from. If anyone has any better ideas on how to do it I’d love to hear them. Please comment below.

12,023 thoughts on “How to switch to/from HTTPS using Apache as a proxy to Tomcat

  11. Хочу выделить раздел про Новости урбанистики и развития общественных пространств.

    Вот, делюсь ссылкой:

    https://urbannew.ru

  12. Hello everyone We believe that every player should have access to affordable in game currency options. We offer slot buying options where you can participate or simply watch the run live. More detailed information on the website – https://www.wow-power-leveling.org/WowArmory/wow-armory-character-lookup power leveling wow wow gold instant delivery wow boost service cheap cheap wow power leveling cheapest wow gold best boosting service wow Good luck and good gameplay

  15. 저는 당신의 사이트 디자인과 레이아웃을
    진심으로 즐기고 있습니다. 눈에 매우 편안해서 여기 와서 더 자주 방문하는
    것이 훨씬 더 즐겁습니다. 테마를 만들기 위해 디자이너를 고용했나요?
    뛰어난 작업입니다!

    I have been exploring for a little bit for any
    high quality articles or weblog posts on this sort of space
    . Exploring in Yahoo I finally stumbled upon this web
    site. Studying this info So i am satisfied to express that I have a very
    just right uncanny feeling I discovered exactly what I
    needed. I such a lot certainly will make certain to don?t forget this web site
    and give it a glance regularly.

  18. We measure a casino’s Safety Index by employing a multifaceted formula that takes into the account an abundance of information collected and evaluated in our complex
    review.

  20. Поставка и монтаж — одна компания одна ответственность. Не нужно разбираться кто виноват если что-то пойдёт не так. Это принципиально важно при кровельных работах. металлочерепица профиль 45 мм Красноярск

  23. Взял новый дом в строящемся посёлке под Красноярском. Посоветовали металлочерепицу 0.5 мм с высоким профилем под нашу стропильную систему. Через год всё в порядке. монтаж металлочерепицы Красноярск

  30. It is perfect time to make some plans for the future and it’s time to
    be happy. I’ve read this post and if I could I wish to suggest you few interesting things or suggestions.
    Maybe you can write next articles referring to this article.
    I want to read more things about it!

  31. Для тех, кто ищет информацию по теме “Свежие новости и прогнозы клуба Авангард”, нашел много полезного.

    Смотрите сами:

    https://avangard-365.ru

  32. Ставка на любовь – 2 сезон. Любовь страсть и неожиданные повороты возвращаются Новые герои жаркие свидания и судьбоносные решения – кто рискнёт всем ради чувств? Драматичные признания сложный выбор и финал от которого захватывает дух. Не пропусти ни одной серии – включай прямо сейчас: Ставка на любовь 2

  37. You’re so cool! I don’t suppose I’ve read a single thing like this before.
    So nice to find somebody with genuine thoughts on this subject.
    Really.. thanks for starting this up. This website is something
    that’s needed on the internet, someone with some originality!

  49. Для тех, кто ищет информацию по теме “Актуальные новости и события Рязанской области”, нашел много полезного.

    Вот, можете почитать:

    https://62media.ru

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>