SSL via Apache2 Proxy and Tomcat6/Alfresco

oblivian
Champ in-the-making
Hello,

I am trying to use Apache2 to set up an SSL connection with Alfresco. I have a reverse-proxied Alfresco with Apache2 and SSL, but I get warnings that the connection isn't entirely encrypted (Warning: Connection Partially Encrypted). Is there something I have to do on the Alfresco/Tomcat6 side?

Excerpt from http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
It is important to note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server. When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. Likewise, Tomcat will return cleartext responses, that will be encrypted before being returned to the user's browser. In this environment, Tomcat knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself.

So according to the Apache2 documentation it should be sufficient to encrypt the traffic from/to the Apache2 proxy and not Tomcat6 itself.
So why is the encrypted connection failing? This is in all browsers I've tried, Firefox, IE8, Safari, etc…

Please advise,

Oblivian
13 REPLIES 13

gronfelt
Champ in-the-making
What does the configuration look like?

Personally I prefer to use mod_jk when proxying Tomcat with Apache; it's very simple to set up and seems to be pretty failsafe:

http://tomcat.apache.org/connectors-doc/generic_howto/quick.html

oblivian
Champ in-the-making
Hi gronfelt,

This is the current Apache2 SSL config running the reversed proxy.
<IfModule mod_ssl.c>
NameVirtualHost *:443

####
####       DOCS.DOMAIN.TLD         ####
####

<virtualhost *:443>
    ServerName docs.domain.tld
    ServerAlias alfresco.domain.tld
    ServerAdmin webmaster@domain.tld

    ### ### ### ### ### ###

    ### Start SSL
    SSLEngine On

    ### Certificates
    SSLCertificateFile /etc/apache2/ssl/star_domain_tld.crt
    SSLCertificateKeyFile /etc/apache2/ssl/star_domain_tld.key
    SSLCertificateChainFile /etc/apache2/ssl/DigiCertCA.crt

    ### Only allow SSLv3 and TLSv1 and HIGH/MED encryption.
    SSLCipherSuite -ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+TLSv1:+SSLv3:-EXP:-eNULL
    SSLProtocol -all +SSLv3 +TLSv1

    ### ### ### ### ### ###

    #Dummy folder for virtual host
    DocumentRoot /var/www/htdocs/docs.domain.tld/

    <directory /var/www/htdocs/docs.domain.tld/>
        Options -Indexes -FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </directory>

    ErrorLog /var/log/apache2/docs.domain.tld_error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/docs.domain.tld_access.log combined

    ### Log to Syslog
    LogLevel notice
    ErrorLog syslog:local6
    #CustomLog "|/usr/bin/logger -t apache -i -p local6.notice" combined

    ServerSignature Off

    ProxyRequests Off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass /share http://localhost:8080/share
    ProxyPassReverse /share http://localhost:8080/share
    ProxyPass /alfresco http://localhost:8080/alfresco
    ProxyPassReverse /alfresco http://localhost:8080/alfresco

</virtualhost>
</IfModule>

oblivian
Champ in-the-making
What does the configuration look like?

Personally I prefer to use mod_jk when proxying Tomcat with Apache, it's very simple to setup and seems to be pretty failsafe:

http://tomcat.apache.org/connectors-doc/generic_howto/quick.html
Hi again gronfelt,

I am quite new to Tomcat6… Could you enlighten me on why you prefer mod_jk over ordinary Apache proxying? Is it better speedwise, more secure, or just easier, etc… Thanks for sharing.

BTW, I am currently on Ubuntu 9.04 server. When running a2enmod I have module proxy_ajp available. Is that the same as mod_jk? Also, is it just Apache2 I have to configure (like with normal proxy) or do I have to configure Tomcat6 as well?

EDIT: proxy_ajp is not the same as mod_jk. apt-get install libapache2-mod-jk installed the correct Apache2 module…

Regards,

Oblivian

gronfelt
Champ in-the-making
Well, to a great extent it's probably just due to the fact that I started to use mod_jk and got used to that.

But as far as I understand, using ajp is normally much faster than accessing tomcat through http, but whether you choose to use proxy_ajp/proxypass or mod_jk seems to be mostly a matter of taste.

Tomcat configuration is the same, regardless, the only thing you need to do is to uncomment the AJP connector in server.xml.

oblivian
Champ in-the-making
Hi gronfelt,

I have now set up Apache2 to use mod_jk and it works perfectly with Alfresco/Tomcat6. All traffic is now sent correctly over SSL and so no more warnings.

Thanks for all your help.

Oblivian

unknown-user
Champ on-the-rise
I have Alfresco working with SSL, however in IE8 I keep getting a security warning that pops up on every single page telling me that some of the pages are non-secure. This is true, there is one hardcoded Alfresco call to http://www.alfresco.com/assets/images/common/alfresco_community_horiz30.gif

This one http call is the only one that's not transferred into an https page. After reading the following I tried to upgrade to the latest Alfresco build without luck. https://issues.alfresco.com/jira/browse/ETHREEOH-2331

Do you have this also? Did anyone manage to get this to work?  :cry:
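
A small checker for the situation described in this post, added here as an example (it is not code from the thread or from Alfresco): it lists the subresources an HTTPS page would fetch over plain HTTP, which is what triggers the "partially encrypted" and "non-secure items" warnings. The page URL path, the sample HTML and the second image URL are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
# <a href> is deliberately absent: a link the user clicks is not mixed content.
FETCH_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "link": "href",
    "object": "data",
}

class _SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # Resolve relative and scheme-relative URLs against the page.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return (tag, url) pairs an HTTPS page would load over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # the warning only applies to pages served over HTTPS
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.insecure

# Constructed sample page, not captured from a real Alfresco install.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/share/css/base.css">
<script src="//docs.domain.tld/share/js/app.js"></script>
</head><body>
<img src="http://www.alfresco.com/assets/images/common/alfresco_community_horiz30.gif">
<img src="http://docs.domain.tld:8080/alfresco/images/logo.png">
<a href="http://www.alfresco.com/">Alfresco</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://docs.domain.tld/share/page/site-index", SAMPLE_PAGE):
        print(f"{tag}: {url}")
```

Relative and scheme-relative references inherit HTTPS from the page and are not reported; only absolute `http://` subresources are.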

oblivian
Champ in-the-making
I used to have the same problem when running Alfresco with Apache reverse proxy over SSL. When using mod_jk instead, all problems vanished.

I recommend you do the same.

Regards.

unknown-user
Champ on-the-rise
I used to have the same problem when running Alfresco with Apache reverse proxy over SSL. When using mod_jk instead, all problems vanished.

I recommend you do the same.

Regards.

That sounds really good.

Could you post your configuration files? That would help me a lot. You are right, I was running reverse proxy over SSL, but after reading this page I tried to change to mod_jk, apparently without any luck.

oblivian
Champ in-the-making
Hi,

Sorry for late reply. Did you manage or do you want me to post my configs?

Oblivian

PS. What platform are you on? I'm on Ubuntu 9.04.