Setting up an SSL Reverse Proxy in Apache on Linux

This one I'm writing so I don't forget it. It is highly valuable info, and I spent a few hours wrangling with Linux to figure it out. This is a great way to proxy an Ajax web service so you avoid any cross-domain scripting issues. Note that if you also have WebSphere App Server, you could use the Web 2.0 Feature Pack and the Ajax Proxy Servlet which is included with it. These instructions assume you are not using it and have some other implementation. The instructions below will also work with IBM HTTP Server since it's based on Apache.

Let's say you have a web service that you have secured with SSL. Now you want to call that web service with an Ajax call (e.g. Dojo, jQuery) from either a static HTTP page or a JSP that may or may not be secured (i.e. HTTPS).

Let's say the web service URL is
https://webservice.strongbackconsulting.com/mywebservice

and the web page the audience is viewing is
http://portal.strongbackwidgets.co.uk/myorders.htm

On Apache, set up SSL. If the SSL modules have not been installed, you can run one of the following commands to do most of the heavy lifting for you.
yum install mod_ssl (for Fedora, Red Hat)
yast -i apache2-worker (for Suse, OpenSuse)

Then, in your httpd.conf file, enter the following stanzas:

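<VirtualHost 0.0.0.0:443>
   ServerName portal.strongbackwidgets.co.uk
   # Terminate HTTPS for browsers (mod_ssl). The key path below is the
   # Fedora mod_ssl default and is an assumption; adjust it to your system.
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/localhost.crt
   SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
   # SSLEnable and SSLServerCert are IBM HTTP Server directives, not mod_ssl.
   # On IBM HTTP Server, use them in place of the three lines above:
   #   SSLEnable
   #   SSLServerCert selfSigned
   # Allow mod_proxy to open HTTPS connections to the backend
   SSLProxyEngine on
   # CA certificates for verifying the backend's certificate
   # (mod_ssl spells these SSLProxyCA..., not SSLCAProxy...)
   SSLProxyCACertificateFile /etc/pki/tls/certs/localhost.crt
   SSLProxyCACertificatePath /etc/pki/tls/certs
</VirtualHost>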

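<IfModule mod_proxy.c>
<Proxy *>
   SSLProxyEngine on
   # Apache 2.2 access syntax; on Apache 2.4 use "Require all granted"
   Order deny,allow
   Allow from all
</Proxy>

RewriteEngine on

# The path and the target must both end in "/" (or both not); otherwise
# /mywebservice/foo is forwarded as .../mywebservicefoo
ProxyPass /mywebservice/ https://webservice.strongbackconsulting.com/mywebservice/
ProxyPassReverse /mywebservice/ https://webservice.strongbackconsulting.com/mywebservice/
# Redirect the bare path so it matches the proxied prefix
RewriteRule ^/mywebservice$ /mywebservice/ [R]
</IfModule>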

Note that you need the SSLProxyEngine statement for both the *:80 and *:443 virtual hosts. That way the user can be on either HTTP or HTTPS. The SSLProxyCACertificatePath should suffice. You will need to create your certificate file if it does not already exist. It should already be there if you are using Fedora or openSUSE. The directories for SSLProxyCACertificatePath and SSLProxyCACertificateFile above are specific to Fedora Linux. On openSUSE, the default directory is /etc/apache2/ssl/.
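
As an added example (not part of the original post), here is a small Python check that flags three mistakes an SSL reverse proxy stanza like the one above can carry: SSLCAProxy... spellings of the mod_ssl proxy CA directives, a trailing-slash mismatch in ProxyPass, and SSLProxyEngine without SSLProxyVerify require (Apache's default is SSLProxyVerify none). The function names and the sample configuration are constructed for illustration.

```python
# Constructed sample: a trimmed proxy stanza carrying three mistakes.
SAMPLE = """\
<VirtualHost 0.0.0.0:443>
   SSLProxyEngine on
   SSLCAProxyCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
ProxyPass /mywebservice/ https://webservice.strongbackconsulting.com/mywebservice
ProxyPassReverse /mywebservice/ https://webservice.strongbackconsulting.com/mywebservice/
"""

MISNAMED = {  # mod_ssl spells these SSLProxyCA..., not SSLCAProxy...
    "sslcaproxycertificatefile": "SSLProxyCACertificateFile",
    "sslcaproxycertificatepath": "SSLProxyCACertificatePath",
}

def directives(conf):
    """Yield (line_no, lowercased name, args), skipping comments and <Section> tags."""
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield no, name.lower(), args

def lint(conf):
    """Return sorted (line_no, message) findings. Simplification: the file is
    checked as a whole, not per <VirtualHost>."""
    findings, engine_line, verified = [], None, False
    for no, name, args in directives(conf):
        if name in MISNAMED:
            findings.append((no, f"unknown directive; mod_ssl calls it {MISNAMED[name]}"))
        elif name == "sslproxyengine" and args[:1] and args[0].lower() == "on":
            engine_line = engine_line or no
        elif name == "sslproxyverify" and args[:1] and args[0].lower() == "require":
            verified = True
        elif name in ("proxypass", "proxypassreverse") and len(args) >= 2 and args[1] != "!":
            # Apache appends the rest of the request path to the target, so
            # /mywebservice/x with a slash-less target becomes .../mywebservicex.
            if args[0].endswith("/") != args[1].endswith("/"):
                findings.append((no, "trailing slash differs between path and target"))
    if engine_line and not verified:
        findings.append((engine_line, "SSLProxyEngine on without SSLProxyVerify require: "
                                      "backend certificate is not verified against a CA"))
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```

Run it against your own file with lint(open("httpd.conf").read()); an empty list means none of the three checks fired.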


For more detailed information on setting up Apache HTTP Server, this book has been a helpful reference:

Apache HTTP Server Cookbook


Lastly, are you automating the deployment of your applications to your servers? This is a core discipline of DevOps; Continuous Integration and Deployment should be a part of your overall solution. There are a few tricks that will make it easy to deploy to Tomcat with Maven, for example. However, if you have custom variables that are environment dependent, or have to deploy multiple components across many servers for a single business application, you'll need a more robust tool like Urbancode.
