Apache Https Reverse Proxy

Configuring a Reverse Proxy with Apache on Windows that handles HTTPS connections

1. Download and install the Apache server from http://httpd.apache.org. I used Apache 2.2 with OpenSSL when I was writing this. Also, this post is based on JBoss 4.2.1 (Turnkey) running on Windows.

2. Edit the Tomcat configuration file $JBOSS_HOME\server\lc_turnkey\deploy\jboss-web.deployer\server.xml of your JBoss server, adding the proxyName and proxyPort parameters with the name and port of the LiveCycle server. It should look something like this:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           proxyName="cg-w2k8-lces2.eur.adobe.com" proxyPort="443"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="C:/Adobe/Adobe LiveCycle ES2/jboss/server/lc_turnkey/conf/lces.keystore"
           keystorePass="password"
           clientAuth="false" sslProtocol="TLS"/>

3. Use the openssl command to generate a certificate and key that our Apache server will need to handle SSL connections. Open a command prompt, go to Apache2.2\bin and run the openssl command with values matching your environment:

openssl req -new -x509 -days 365 -sha256 -newkey rsa:2048 -nodes -keyout ..\conf\server.key -out ..\conf\server.crt -subj "/O=CompanyXYZ/OU=PS/CN=yourserver.companyxyz.com" -config "..\conf\openssl.cnf"

4. Copy the generated server.key and server.crt files to the Apache2.2\conf folder.

5. Open Apache2.2\conf\httpd.conf and uncomment the following lines, which enable proxying and SSL on the Apache server:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

6. Also add the following lines to the httpd.conf:

# Prevent Apache from acting like a forward proxy
ProxyRequests Off
# Control Client Access
<Proxy https://jboss.company.com:8443/>
Order Deny,Allow
Allow from all
</Proxy>
# Set TCP/IP network buffer size for better throughput (bytes)
ProxyReceiveBufferSize 4096

7. Add the reverse proxy configuration at the end of the httpd.conf file:

ProxyPass / https://yourserver.companyxyz.com:8443/
ProxyPassReverse / https://yourserver.companyxyz.com:8443/

As explained in the post I referenced at the beginning, this configuration won't filter any URL; it simply forwards every request (/) to the SSL port of the JBoss server. If we want to be more restrictive and only allow specific URLs, we need to map just those paths. For example, here we only allow access to the Rights Management UI:

ProxyPass /edc https://jboss.company.com:8443/edc
ProxyPassReverse /edc https://jboss.company.com:8443/edc
ProxyPass /um https://jboss.company.com:8443/um
ProxyPassReverse /um https://jboss.company.com:8443/um
ProxyPass /rightsmgmt_help_en https://jboss.company.com:8443/rightsmgmt_help_en
ProxyPassReverse /rightsmgmt_help_en https://jboss.company.com:8443/rightsmgmt_help_en
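
A small checker for the rules in steps 6 and 7, as an added example that is not part of the original post: it flags ProxyRequests being switched on, a catch-all ProxyPass /, non-HTTPS or malformed backend URLs, paths outside an allow-list, and ProxyPass lines without a matching ProxyPassReverse. The function name, the allow-list and the sample fragment are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the catch-all mapping from step 7 plus two restricted paths.
SAMPLE_CONF = """\
ProxyRequests Off
ProxyPass / https://yourserver.companyxyz.com:8443/
ProxyPassReverse / https:// yourserver.companyxyz.com:8443/
ProxyPass /edc https://jboss.company.com:8443/edc
ProxyPassReverse /edc https://jboss.company.com:8443/edc
ProxyPass /um https://jboss.company.com:8443/um
"""
# Assumption: the allow-list is the set of paths from the restrictive example above.
ALLOWED = {"/edc", "/um", "/rightsmgmt_help_en"}

def audit_proxy_conf(text, allowed_paths=ALLOWED):
    """Return findings (in discovery order) for an httpd.conf fragment."""
    findings, forward, reverse = [], {}, {}
    proxy_requests = "off"  # Apache's default when the directive is absent
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name, args = parts[0].lower(), parts[1:]
        if name == "proxyrequests" and args:
            proxy_requests = args[0].lower()
        elif name in ("proxypass", "proxypassreverse"):
            # Expect "<path> <url>", optionally followed by key=value parameters.
            if len(args) < 2 or any("=" not in a for a in args[2:]):
                findings.append(f"line {n}: malformed {parts[0]}")
                continue
            path, url = args[0], args[1]
            target = urlsplit(url)
            if target.scheme != "https" or not target.hostname:
                findings.append(f"line {n}: backend {url} is not an https URL")
            (forward if name == "proxypass" else reverse)[path] = url
    if proxy_requests != "off":
        findings.append("ProxyRequests is not Off: Apache acts as a forward proxy")
    for path, url in forward.items():
        if path == "/":
            findings.append("ProxyPass / forwards every URL to the backend")
        elif path.rstrip("/") not in allowed_paths:
            findings.append(f"ProxyPass {path} is not on the allow-list")
        if reverse.get(path) != url:
            findings.append(f"ProxyPass {path} has no matching ProxyPassReverse")
    return findings

if __name__ == "__main__":
    for finding in audit_proxy_conf(SAMPLE_CONF):
        print(finding)
```

Run it against the proxy section of httpd.conf after each change; an empty result means every mapping is an allow-listed HTTPS path with its reverse mapping in place.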

8. We also need to configure the SSL connection for the Apache server. Open Apache2.2\conf\extra\httpd-ssl.conf and perform the following modifications:

- Uncomment the following line:

SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"

- Comment out the following line:

SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"

- Locate the <VirtualHost _default_:443> block and insert the following line in it:

SSLProxyEngine on

The block should look something like the following:

## SSL Virtual Host Context
<VirtualHost _default_:443>
#   General setup for the virtual host
DocumentRoot "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"
ServerName yourserver.companyxyz.com:443
ServerAdmin admin@companyxyz.com
ErrorLog "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/error.log"
TransferLog "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/access.log"
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProxyEngine on
#   (the remaining directives of the default block stay unchanged)
</VirtualHost>

9. Restart JBoss and Apache servers.



Build Apache with modules

./configure --prefix=/usr/local/apache --enable-rule=SHARED_CORE --enable-module=so
./configure --prefix=/usr/local/apache --enable-rule=SHARED_CORE --enable-module=so --with-included-apr --enable-proxy --enable-ssl --enable-proxy-connect
make && make install