
Wednesday, August 25, 2010

Setting up an SSL Reverse Proxy in Apache on Linux

I'm writing this one down so I don't forget it. It is highly valuable info, and I spent a few hours wrangling with Linux to figure it out. This is a great way to proxy an Ajax web service so you avoid any cross-domain scripting issues. Note that if you also have WebSphere App Server, you could use the Web 2.0 Feature Pack and the Ajax Proxy Servlet that is included with it. These instructions assume you are not using it and have some other implementation. The instructions below will also work with IBM HTTP Server, since it's based on Apache.

Let's say you have a web service that you have secured with SSL. Now you want to call that web service with an Ajax call (e.g. Dojo, jQuery, etc.) from either a static HTTP page or a JSP that may or may NOT be secured (i.e. HTTPS).

Let's say the web service URL is
https://webservice.strongbackconsulting.com/mywebservice

and the web page the audience is viewing is
http://portal.strongbackwidgets.co.uk/myorders.htm

On Apache, set up SSL. If the SSL modules have not been installed, you can run one of the following commands to do most of the heavy lifting for you.
yum install mod_ssl (for Fedora, Red Hat)
yast -i apache2-worker (for Suse, OpenSuse)

Then in your httpd.conf files enter the following stanzas:

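<VirtualHost 0.0.0.0:443>
   ServerName portal.strongbackwidgets.co.uk
   # Serve HTTPS to browsers (mod_ssl). The key path below is a placeholder.
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/localhost.crt
   SSLCertificateKeyFile /path/to/private/localhost.key
   # On IBM HTTP Server (mod_ibm_ssl), the three lines above are instead:
   #   SSLEnable
   #   SSLServerCert selfSigned
   # Allow outbound HTTPS connections to the backend web service.
   SSLProxyEngine on
   # CA certificates for the backend connection. mod_ssl only checks the
   # backend certificate against them when SSLProxyVerify is set to require.
   SSLProxyCACertificateFile /etc/pki/tls/certs/localhost.crt
   SSLProxyCACertificatePath /etc/pki/tls/certs
</VirtualHost>

<IfModule mod_proxy.c>
<Proxy *>
   SSLProxyEngine on
   Order deny,allow
   Allow from all
</Proxy>

RewriteEngine on

# Both ProxyPass arguments end in a slash so the mapped paths line up.
ProxyPass /mywebservice/ https://webservice.strongbackconsulting.com/mywebservice/
ProxyPassReverse /mywebservice/ https://webservice.strongbackconsulting.com/mywebservice/
# Redirect the bare path to the proxied path.
RewriteRule ^/mywebservice$ /mywebservice/ [R]
</IfModule>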

Note that you need the SSLProxyEngine statement for both the *:80 and *:443 virtual hosts. That way the user can be on either HTTP or HTTPS. The SSLProxyCACertificatePath directive alone should suffice. You will need to create your certificate file if it does not already exist. It should already be there if you are using Fedora or OpenSuse. The directories for SSLProxyCACertificatePath and SSLProxyCACertificateFile above are specific to Fedora Linux. On OpenSuse, the default directory is /etc/apache2/ssl/.
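
The SSLProxyEngine requirement above, together with Apache's documented rule that the two ProxyPass arguments should agree on a trailing slash, can be checked before reloading the server. The Python check below is an added example, not part of the original post: the configuration text is a constructed sample using the hostnames above, parse_scopes and lint_proxy are hypothetical helper names, and it assumes server-level directives apply to every virtual host.

```python
import re

# Constructed sample: the port-80 host lacks SSLProxyEngine and the
# ProxyPass arguments disagree on the trailing slash.
SAMPLE_CONF = """\
<VirtualHost 0.0.0.0:80>
   ServerName portal.strongbackwidgets.co.uk
</VirtualHost>
<VirtualHost 0.0.0.0:443>
   ServerName portal.strongbackwidgets.co.uk
   SSLEngine on
   SSLProxyEngine on
</VirtualHost>
ProxyPass /mywebservice/ https://webservice.strongbackconsulting.com/mywebservice
ProxyPassReverse /mywebservice/ https://webservice.strongbackconsulting.com/mywebservice/
"""

def parse_scopes(conf):
    """Group directives by scope: 'server' or a <VirtualHost> address."""
    scopes, current = {"server": []}, "server"
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = opened.group(1).strip()
            scopes.setdefault(current, [])
        elif re.match(r"</VirtualHost>", line, re.I):
            current = "server"
        elif line and line[0] not in "#<":
            scopes[current].append(line.split())
    return scopes

def lint_proxy(conf):
    """Return findings for the HTTPS backends this configuration proxies."""
    scopes, findings = parse_scopes(conf), []
    server = scopes.pop("server")
    for vhost, own in (scopes or {"main server": []}).items():
        # Assumption: server-level directives apply to every virtual host.
        directives = server + own
        maps = [d for d in directives if len(d) >= 3
                and d[0].lower() in ("proxypass", "proxypassreverse")]
        engine_on = any(d[0].lower() == "sslproxyengine" and len(d) > 1
                        and d[1].lower() == "on" for d in directives)
        if not engine_on and any(d[2].lower().startswith("https://") for d in maps):
            findings.append(f"{vhost}: HTTPS backend but no 'SSLProxyEngine on'")
        for d in maps:
            if d[1].endswith("/") != d[2].endswith("/"):
                findings.append(f"{vhost}: {d[0]} {d[1]} -> {d[2]}: trailing slash mismatch")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_proxy(SAMPLE_CONF)))
```

An empty result means every virtual host that reaches the HTTPS backend has SSLProxyEngine on and consistent ProxyPass slashes.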
