I have a wildcard ssl cert for domain "www.abc.com", which running on Apache and using port 80 for http & port 443 for https.
Now, I would like to add a new domain "www2.abc.com", which running on Tomcat and using port 8080 for http & port 443 for https.
Is there any conflicts if I use both on port 443?
Many thanks.
Well, technically you can't have tomcat and apache listen on 443 at the same time. You could have Apache forward requests to tomcat and handle the encryption. Look up mod_jk, mod_proxy or mod_proxy_ajp for how to do this.
Once you do this, you can have multiple <VirtualHost> declarations for port 443 on Apache. If they all use the same wildcard certificate for *.abc.com this will work fine.
With this scenario, tomat probably won't be configured to do ssl at all. I'm recommending to use the protocol ajp (not http) for the forwarding part, as this will forward all necessary information about the nature of the connection to tomcat.
Is there any conflicts if I use both on port 443?
yes, you can't set two or more applications to listen on a same port at the same time.
Related
I would like to set a server on port 443 to handle safari web notifications. So I would like to disable port 443 from Apache for that subdomain. I tried doing it by removing the web domain from ssl.conf or setting SSLEngine off after putting the domain on port 80, but in all cases when I execute nmap on the domain port 443 always pops up, and when I execute the other service on port 443 I get an error.
How do I manage it?
I have currently setup Apache Tomcat 7 in port 8080 and I am using NGINX with a Let's Encrypt SSL in front of it as a reverse proxy. The current configuration is working like a charm, but I need one be able to pass to Tomcat when the page been view is using SSL or not.
I found on the documentation the use of SSLValve in the server.xml file should do the trick, but the examples I have found are for apache as the reverse proxy and not for NGINX.
Has anyone done this setup?
Assuming you're using :8080 as the backend for both http and https:
server {
listen :80;
listen :443 defaultserver ssl;
...ssl directives....
location ~ / {
proxy_pass http://apache:8080;
}
NGINX configuration can fill in the ssl directive parts for your particular case
http://nginx.org/en/docs/http/configuring_https_servers.html
I have the following setup:
one public IP
2 different domain names pointing to the same IP above: domain1.com and domain2.com
2 different ssl certificates: one for domain1.com and one for domain2.com
2 physical machines on the same LAN (192.168.1.10 and 192.168.1.20) running Apache2 and debian 8.5
I tested both servers indipendently forwarding the 443 port traffic to either of the machines. They work nicely.
Now, I am forwarding all port 443 requests arriving to the public IP to the first server at 192.168.1.10 and I would like this server to act as a https server for https://domain1.com and redirect the requests for https://domain2.com to address 192.168.1.20
I have tried to configure a reverse proxy in the first machine. It does redirect the requests for domain2 to the machine at 192.168.1.20 BUT it serves the certificate for domain1.
How can I configure reverse proxy as to present the right certificate for each one of my servers?
thank you in advance.
julia
Easiest "solution" (well, workaround) would be to use a single certificate that contains both hostnames. If you cannot do that, then you need to configure Apache SNI, like so: SSL with Virtual Hosts Using SNI
As some suggested I tried to use the Apache2 reverse proxy.
This somehow works but you have to install all the certificates on the machine running Apache2. Thus the trafic on the lan is no longer https which does not satisfy my requirement.
The solution is to use haproxy. This package can be set up as a pass through for https. There are many examples of such applications on the internet. It does exactly what I am asking for: I can host many https servers on a lan behind a nat router with one single public IP. The trafic is sent by haproxy as https to the indicated server on the LAN. If anyone is interested, I will be glad to share my config file solving precisely the problem I set out in my question.
To Robert M:
here is my configuration to be added at the end of the default haproxy.cfg file:
frontend ft_https
mode tcp
option tcplog
bind *:443
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
acl domain1_com req.ssl_sni -m end domain1.com # all url ending with domain1.com
acl domain2_com req.ssl_sni -i www.domain2.com # exactly www.domain2.com
use_backend b_domain1_com if domain1_com
use_backend b_domain2_com if domain2_com
default_backend b_default
backend b_default
mode tcp
option tcplog
server srv_default 127.0.0.1:1443
backend b_domain1_com
mode tcp
option tcplog
server srv_domain1 192.168.1.10:1443
backend b_domain2_com
mode tcp
option tcplog
server srv_domain2 192.168.1.20:443
I had to change the https port for apache on the first server to 1443 because both haproxy and apache cannot bind to the same 443 port as they reside on the same machine, but it is transparent to the user.
It seems that it is possible to get Apache server to Proxy and Manage SSL handshake on https requests and service them as 'http' thru another server behind it.
I have configured an apache server for ProxyPass using following configuration
SSLProxyEngine On
ProxyPass / http://localhost:8081/
ProxyPassReverse / http://localhost:8081/
I am able to get all all traffic to the apache server that is listening to port 8080 direct and serve by the localhost:8081 server so
http://localhost:8080/hi is being correctly served by http://localhost:8081/hi
However the following does not work :
http**s**://localhost:8080/hi to be served by http://localhost:8081/hi
Apache is trying to pass the https:// traffic to the 8081 server, without managing the SSL handshake.
Your Apache listener on port 8080 is an http listener, not an https listener. You can't handle both types of traffic on the same port. If you want to handle SSL traffic, you'll need to set up a new context on another port with SSLEngine On and all the other normal SSL configuration (certificate, key, etc).
This question has one version of this configuration.
Also this post.
I am running a NodeJS app on apache and using mod_proxy to forward requests on 443 to the nodeJS app.
This works fine on port 80, but when I try to set it up for port 443, I get the following error in apache:
[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
It appears that this error is caused because I am trying to listen on port 443 in apache but not providing an ssl certificate... but I dont need to as my NodeJS app is performing the SSL.
How can I tell apache to ignore this error?
What you are trying cannot work. A client connecting to port 443 will speak HTTPS/SSL - so the application that handles the connection needs to use SSL for connections on that port.