How to switch to/from HTTPS using Apache as a proxy to Tomcat

Posted on by

I’m writing this down because it too me an age to figure out a way of doing this. I have a website which Tomcat is happily serving. Areas of the site require a secure connection so I’m using Spring security to require particular URLs to be accessed over HTTPS. It means that when I access http://example.org:8080/webapp/login, it’ll bump me to https://example.org:8443/webapp/login. Note: Tomcat is setup with the SSL connector and a self signed .keystore see (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html).

I have two vhosts setup in Apache, one for the http://example.org and one for https://example.org. They are both using mod_proxy to ProxyPass and ProxyPassReverse requests to the appropriate Tomcat URL’s. The problem comes when switching to HTTPS from HTTP and vice versa. Ideally I wanted some sort of ProxyPassReverse declaration in my config for http://example.org what would change HTTP headers (that Spring sets) for https://example.org:8443/webapp into https://example.org. Except ProxyPassReverse doesn’t work like that.

Now, I realise I could simply not use Spring to manage which parts of the site should be accessed over HTTPS and which should not…and just setup Apache to redirect as appropriate. I don’t want to do that though, because that makes the task of adding these restrictions a deploy time task, rather than a development time task. I don’t want to risk someone forgetting to add new restrictions when deploying the webapp and I’d much rather the developer added these restrictions when they were working on the task and really thinking about where and when they are needed.

So, how do I solve the problem so that the app can manage its secure-ness and I can setup Apache once and forget about it? The answer is to ProxyPassReverse onto a “special” URL, which when accessed will redirect to the HTTPS (or HTTP) site. For example, if the HTTP site needed to redirect to the HTTPS site, I’d add rules like so to perform the redirect:

    # Proxy a request (from the server) to switch to https onto a special URL "/2https/"
    ProxyPassReverse /2https/ https://example.org:8443/webapp/

    # When a client requests a URL prefixed with "/2https" map it onto the secure site
    RewriteRule ^/2https/(.*)$ https://example.org/$1 [R,L]

…and you’d add something similar to the secure site Apache config. As long as I don’t mount any pages at /2http or /2https I should be ok. Note a couple of things:

  • You’ll need “SSLProxyEngine on” and “RewriteEngine on” and obviously the appropriate Apache modules loaded for these commands.
  • Because of the redirect between HTTP <-> HTTPS you won’t be able to POST data between them directly (I’m not sure why you’d NEED to though)
  • Obviously you’ll need to setup Apache with an SSL certificate…but that is a different story

I should say a special thanks to this random site – from whence the idea actually came from. If anyone has any better ideas on how to do it I’d love to hear them. Please comment below.

9 thoughts on “How to switch to/from HTTPS using Apache as a proxy to Tomcat

  1. Just experienced the very same problem – the Apache reverse proxy (v2.2.3) received 301 Redirect message from the application server with http://internal.local/… URL in the Location field, but replaced it with http://external.com/… instead of https://external.com/… which I wanted.

    At last, the solution was extremely simple: you should just define _explicitly_ that your is using SSL:

    ServerName external.com
    ProxyPass / http://internal.local/
    ProxyPassReverse / http://internal.local/

    AuthType Basic
    # authentication details here…
    Require valid-user

    SSLEngine on
    SSLCertificateFile /path/to/public/cert
    SSLCertificateKeyFile /path/to/private/key

    SSLCertificateFile and SSLCertificateKeyFile have to be defined- if SSLEngine is added without them, the httpd process fails.

    Right after this ProxyPassReverse starts prepending https:// to the redirection URLs like a charm.

  3. priligy and cialis together Taylor has gained something too a fury that s uncomfortable to express when other women are dying from breast cancer and her doctors tell her she s lucky

  4. Intensive Care Med 2008 34 101 108 priligy dapoxetine Clomid can encourage ovarian stimulation in patients who suffer from ovulatory dysfunction

  5. priligy tablets online People with diabetes may see a change in blood glucose control with Diamox which may cause blood glucose levels to become either lower or higher

  6. Interestingly for those without WNT mutations we observed that patients bearing ZNRF3 tumours had a significantly poorer prognosis than patients with WT tumours p 0 priligy review youtube One woman discusses how trusting your gut can save your life

  8. Patients and methods Retrospective study of female patients from 16 to 50 y priligy for pe This is similar to what is seen in people with ER positive breast cancer

  9. Discordance between metastatic tumor and circulating tumor cells occurs simultaneously and frequently and it occurs both early in the treatment course and after treatment buy priligy 30 mg x 10 pill cymbalta dosis adecuada de levitra Philip Gounev a former deputy minister of the interior and an analyst at the Sofia based Center for the Study of Democracy blamed paid provocateurs for the violence but also criticized the police response

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>