
Apache httpd ProxyPass to SSL enabled tomcat throws "connection for this site is not secure"


I have a server running the Apache httpd service (on port 8000) which has ProxyPass rules configured to redirect user traffic to different servers based on the domain they are on. When a user is on domain1.com, their request is redirected to 123.45.67.89:8444, where I have a Tomcat web app running. Similarly, if a user is on domain2.com, their request is redirected to 123.45.67.90:8444, where a different Tomcat web app is running.

My virtualhost.conf file looks like this

<VirtualHost *:8000>
    ServerName domain1.com

    ProxyPreserveHost On
    SSLProxyEngine on
    SSLCertificateFile /app/certs/domain1.com.crt
    SSLCertificateKeyFile /app/certs/domain1.com.key
    SSLCertificateChainFile /app/certs/domain1.com.pem

    ProxyPass             / https://123.45.67.89:8444/ connectiontimeout=300 timeout=300
    ProxyPassReverse      / https://123.45.67.89:8444/
</VirtualHost>

<VirtualHost *:8000>
    ServerName domain2.com

    ProxyPreserveHost On
    SSLProxyEngine on
    SSLCertificateFile /app/certs/domain2.com.crt
    SSLCertificateKeyFile /app/certs/domain2.com.key
    SSLCertificateChainFile /app/certs/domain2.com.pem

    ProxyPass             / https://123.45.67.90:8444/ connectiontimeout=300 timeout=300
    ProxyPassReverse      / https://123.45.67.90:8444/
</VirtualHost>

Port 8444 on my Tomcat servers is SSL enabled, and server.xml on both Tomcat servers looks similar to this:

<Connector port="8080" protocol="HTTP/1.1"
   connectionTimeout="20000"
   redirectPort="8444" />

<Connector port="8444"
   protocol="HTTP/1.1"
   SSLEnabled="true"
   maxThreads="300"
   scheme="https"
   secure="true"
   keystoreType="JKS"
   keystoreFile="/app/conf/key/identity.jks"
   keystorePass="${KEYSTORE_PASS}"
   truststoreFile="/app/conf/key/truststore.jks"
   truststorePass="${TRUSTSTORE_PASS}"
   clientAuth="false"
   sslProtocol="TLS"
   sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
   ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, <multiple-ciphers follows>" />

When I access domain1.com/ or domain2.com/, the browser shows a "The connection for this site is not secure" (ERR_SSL_PROTOCOL_ERROR) message. I'd appreciate it if someone could point out any mistakes in my approach or implementation.


Solution

  • I had to add `SSLEngine on` in the VirtualHost block to enable SSL on the incoming traffic on the Apache server. That resolved the ERR_SSL_PROTOCOL_ERROR. My final VirtualHost configuration looks like this:

    <VirtualHost *:8000>
        ServerName domain1.com
    
        ProxyPreserveHost On
        SSLProxyEngine on
        SSLEngine on
        SSLCertificateFile /app/certs/domain1.com.crt
        SSLCertificateKeyFile /app/certs/domain1.com.key
        SSLCertificateChainFile /app/certs/domain1.com.pem
    
        ProxyPass             / https://123.45.67.89:8444/ connectiontimeout=300 timeout=300
        ProxyPassReverse      / https://123.45.67.89:8444/
    </VirtualHost>
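As an added example (not from the original question or answer), a small POSIX sh linter that flags the misconfiguration in the question and one thing the accepted fix still leaves open: SSLProxyEngine makes httpd speak TLS to Tomcat, but SSLProxyVerify defaults to none, so the backend certificate is never validated unless SSLProxyVerify require and SSLProxyCACertificateFile are set. The sample configs are constructed from the question and answer; /app/certs/tomcat-ca.pem is an assumed path. Usage: lint_vhost <file>.

```shell
#!/bin/sh
# Added example (not from the original post): lint VirtualHost blocks for the
# question's bug (SSLProxyEngine / https ProxyPass but no SSLEngine on, so port
# 8000 is plain HTTP: ERR_SSL_PROTOCOL_ERROR) and for what the fix leaves open:
# SSLProxyVerify defaults to none, so httpd never checks the Tomcat certificate.
lint_vhost() {
    awk '
        { d = tolower($1) }                    # directive names are case-insensitive
        d == "<virtualhost"   { name = "?"; eng = 0; proxy = 0; https = 0; verify = "none" }
        d == "servername"     { name = $2 }
        d == "sslengine"      { eng = (tolower($2) == "on") }
        d == "sslproxyengine" { proxy = (tolower($2) == "on") }
        d == "sslproxyverify" { verify = tolower($2) }
        d == "proxypass" && index($3, "https://") == 1 { https = 1 }
        d == "</virtualhost>" {
            if ((proxy || https) && !eng)
                printf "%s: no SSLEngine on; listener is plain HTTP (ERR_SSL_PROTOCOL_ERROR)\n", name
            if (https && verify != "require")
                printf "%s: https backend with SSLProxyVerify %s; Tomcat certificate not verified\n", name, verify
        }' "$1"
}
# Constructed sample: the question's domain1 block (fails both checks).
write_broken_vhost() {
    cat >"$1" <<'EOF'
<VirtualHost *:8000>
    ServerName domain1.com
    SSLProxyEngine on
    ProxyPass / https://123.45.67.89:8444/ connectiontimeout=300 timeout=300
</VirtualHost>
EOF
}
# Constructed: the answer's fix for domain1 (still fails the verify check) and a domain2 block pinning the backend CA (path assumed; clean).
write_fixed_vhost() {
    cat >"$1" <<'EOF'
<VirtualHost *:8000>
    ServerName domain1.com
    SSLEngine on
    SSLProxyEngine on
    ProxyPass / https://123.45.67.89:8444/
</VirtualHost>
<VirtualHost *:8000>
    ServerName domain2.com
    SSLEngine on
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /app/certs/tomcat-ca.pem
    ProxyPass / https://123.45.67.90:8444/
</VirtualHost>
EOF
}
```

Run `lint_vhost /etc/httpd/conf.d/virtualhost.conf` (or wherever the vhost file lives) after `apachectl configtest`; the domain2 block shows the shape that clears both findings.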