Apache mod_jk HTTPS problem


Apache mod_jk HTTPS problem

attacus
Recently I registered the domain for my application IP. Now I use Apache and
mod_jk as front end for JBoss 4.2.2. I can access my application in three
ways: through localhost, IP and domain name. In case of HTTP all works fine
but requests for HTTPS pages are successful only if I use localhost or IP.
The domain name doesn't work. In case with domain name Apache searches
static content instead of my dynamic JBoss-Tomcat-produced page, and finally
returns error 404. Please help me if you have any ideas where to dig.

 


Re: [OT] Apache mod_jk HTTPS problem

Christopher Schultz-2
Attacus,

On 6/15/2009 4:42 PM, attacus wrote:
> In case with domain name Apache searches static content instead of my
> dynamic JBoss-Tomcat-produced page, and finally returns error 404.
> Please help me if you have any ideas where to dig.

Sounds like you don't have your httpd VirtualHost correct for handling
SSL. Feel free to post your VirtualHost configuration so we can take a look.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


RE: [OT] Apache mod_jk HTTPS problem

attacus
Christopher, you are right.
I feel like something is wrong here. I am not experienced in Apache
configuration. So please do not kick me hard. :)

#
# Use name-based virtual hosting.
#
NameVirtualHost *:443

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#

<VirtualHost *:443>
        ServerName *:443
        ErrorLog "C:/tools/Apache2.2/logs/secure-channel-error.log"

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog "C:/tools/Apache2.2/logs/secure-channel-access-error.log" combined
        ServerSignature On

        JkMountFile conf/uriworkermap.properties

        SSLEngine On
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile "C:/tools/Apache2.2/conf/server.crt"
        SSLCertificateKeyFile "C:/tools/Apache2.2/conf/server.key"
        SSLCertificateChainFile "C:/tools/Apache2.2/conf/server.crt"

        SSLOptions -StdEnvVars +ExportCertData

</VirtualHost>

-----Original Message-----
From: Christopher Schultz [mailto:[hidden email]]
Sent: Tuesday, June 16, 2009 7:07 PM
To: Tomcat Users List
Subject: Re: [OT] Apache mod_jk HTTPS problem



Re: [OT] Apache mod_jk HTTPS problem

Christopher Schultz-2
Attacus,

On 6/16/2009 4:04 PM, attacus wrote:
> NameVirtualHost *:443

This ain't gonna work: SSL negotiation occurs /before/ the HTTP headers
are sent, meaning that the VirtualHost has already been chosen before
the "Server" header can be inspected. This will probably work with a
single VirtualHost on port 443, but it's not going to work if you add
others. Apache httpd will probably just choose the first one defined or
something.

> <VirtualHost *:443>
>         ServerName *:443

This is not correct, either. If you're using name-based VirtualHosts,
you need to bind a name to the VirtualHost: something like
"www.myserver.com". Again, see the note above about NameVirtualHost not
working for HTTPS.

>         ErrorLog "C:/tools/Apache2.2/logs/secure-channel-error.log"

This would be a good place to look for startup errors or warnings.

>         JkMountFile conf/uriworkermap.properties

Is this the same JkMountFile you use for your (working) non-SSL VirtualHost?

>         SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Note that this is an overly-complicated Ciphers line... you're using ALL
and then customizing it by adding other ciphers. It's the equivalent of:

SSLCipherSuite ALL:-ADH
or even
SSLCipherSuite ALL:!ADH

-chris
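
Added example (not part of the thread, and not httpd or OpenSSL code): a simplified Python model of the OpenSSL cipher-string operators, applied to the SSLCipherSuite line quoted in the reply above. The suite catalogue is a small constructed sample, and `matches`, `evaluate` and `weak_suites` are hypothetical helper names.

```python
# Constructed, simplified catalogue: real OpenSSL suite names carrying only the
# tags this thread's cipher string refers to (not OpenSSL's full table).
CATALOGUE = {
    "DHE-RSA-AES256-SHA": {"HIGH", "RSA"},
    "ADH-AES256-SHA": {"HIGH", "ADH"},
    "RC4-SHA": {"MEDIUM", "RC4", "RSA"},
    "DES-CBC-SHA": {"LOW", "RSA"},
    "DES-CBC3-MD5": {"HIGH", "SSLv2", "RSA"},
    "EXP-RC4-MD5": {"EXP", "RC4", "RSA"},
    "NULL-SHA": {"eNULL", "RSA"},
}
POSTED = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"  # from the thread

def matches(term):
    """Suites selected by one term; '+' inside a term is a logical AND."""
    if term == "ALL":  # ALL never includes the eNULL suites
        return [s for s, tags in CATALOGUE.items() if "eNULL" not in tags]
    wanted = set(term.split("+"))
    return [s for s, tags in CATALOGUE.items() if s == term or wanted <= tags]

def evaluate(cipher_string):
    """Ordered preference list produced by an OpenSSL-style cipher string."""
    active, banned = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        hit = matches(token[len(op):])
        if op == "!":    # permanent removal: later tokens cannot re-add
            banned.update(hit)
            active = [s for s in active if s not in hit]
        elif op == "-":  # removal that a later token may undo
            active = [s for s in active if s not in hit]
        elif op == "+":  # reorder only: move already-active suites to the end
            moved = [s for s in active if s in hit]
            active = [s for s in active if s not in hit] + moved
        else:            # append suites that are neither active nor banned
            active += [s for s in hit if s not in active and s not in banned]
    return active

def weak_suites(cipher_string):
    """Enabled suites that are export-grade, low-strength or SSLv2-only."""
    flags = {"EXP", "LOW", "SSLv2"}
    return [s for s in evaluate(cipher_string) if CATALOGUE[s] & flags]

if __name__ == "__main__":
    print("enabled:", evaluate(POSTED))
    print("weak   :", weak_suites(POSTED))
```

In this model the `+eNULL` token changes nothing, because a leading `+` only reorders suites already in the list, while `weak_suites(POSTED)` shows the export, low-strength and SSLv2 entries of the sample that stay enabled.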


RE: [OT] Apache mod_jk HTTPS problem

attacus
Thank you, Chris.
Customizing ServerName solved the problem.

-----Original Message-----
From: Christopher Schultz [mailto:[hidden email]]
Sent: Wednesday, June 17, 2009 11:27 PM
To: Tomcat Users List
Subject: Re: [OT] Apache mod_jk HTTPS problem
