On 7/25/2016 12:42 PM, Mark Eggers wrote:
> I'm going to do a bit of trimming here:
>
> On 7/25/2016 7:34 AM, Paul Roubekas wrote:
>
>>>>> #
>>>>> # Add this before your first ProxyPass
>>>>> # However, after your aliases
>>>>> #
>>>>>
>>>>> ProxyPass "/bb" !
>>>>> ProxyPass "/tt" !
>>>> This works now. Thanks
>>>>> #
>>>>> # Also this would be a good idea to prevent TomEE manager access
>>>>> #
>>>>> ProxyPass "/manager" !
>>>> I protect this page via IP address.
>>>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>>>        allow="[redacted]" />
>>>>> #
>>>>> # Finally, to protect your one servlet
>>>>> #
>>>>> ProxyPass "/path-to-servlet" !
>>>> I have done something wrong here. It is not working. See more
>>>> details below.
>>> Well this should block access to the servlet that you don't want to
>>> be visible via HTTP (only HTTPS).
>>>
>>>>> #
>>>>> # Now add the proxypass
>>>>> #
>>>>> ProxyPass "/" "ajp://TomEE-host:8009/"
>>>> ok
>>>>> In your ssl.conf, you'll need to proxy the HTTPS-protected
>>>>> servlet
>>>>>
>>>>> #
>>>>> # Protected servlet
>>>>> #
>>>>> ProxyPass "/path-to-servlet" "ajp://TomEE-host:8009/path-to-servlet"
>>>> I did a find on my whole Fedora 23 server looking for ssl.conf.
>>>> The file did not exist. I created one (ssl.conf) and put it in
>>>> the same directory as httpd.conf. Now the https servlet returns
>>>> a "Not Found The requested URL /DonateServlet was not found on
>>>> this server."
>>>> 1) Did I put the ssl.conf in the correct directory?
>>>> 2) What else can I check?
>>> If you want Apache HTTPD to serve HTTPS content (in addition to
>>> HTTP content), you'll need to install the mod_ssl RPM.
>>>
>>> 2.4.23-3.fc23.x86_64.rpm
>>>
>>> is the latest release I believe. I'm not sure - my laptop died and
>>> with it my Fedora install (time to get a new laptop).
>>>
>>> In that rpm, you'll find:
>>>
>>> /etc/httpd/conf.d/ssl.conf
>>> /etc/httpd/conf.modules.d/00-ssl.conf
>>> /usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
>>> /usr/lib64/httpd/modules/mod_ssl.so
>>> /usr/libexec/httpd-ssl-pass-dialog
>>> /var/cache/httpd/ssl
>>>
>>> If Fedora and systemd haven't hacked things up too badly, you'll
>>> put proxypass statements (again, I use mod_jk, so I put in JkMount
>>> statements) in /etc/httpd/conf.d/ssl.conf.
>>>
>>> You'll be terminating SSL on Apache HTTPD, and sending AJP (not
>>> encrypted) traffic between Apache HTTPD and TomEE.
>>>
>>> Prevent the proxypass to your protected servlet (whatever the URL
>>> is) by using the exclamation point in httpd.conf. Add the required
>>> proxypass in ssl.conf, which is what Apache HTTPD uses in order to
>>> configure SSL.
>> Not working. I am getting
>>
>> Not Found
>>
>> The requested URL /DonateServlet was not found on this server.
>>
>> ==== ssl.conf =====
>>
>> # Protected servlet
>> ProxyPass "/DonateServlet" "ajp://localhost:8009/DonateServlet"
>> ErrorLog "/var/log/myDomain.com-error_log"
>> TransferLog "/var/log/myDomain.com-access_log"
>
> You're right, the simple solution does not work. :-(
>
> At this point, the only way I know how to manage this is with ReWrite rules.
>
> These get pretty complicated, and I strongly suggest that you read the
> rewrite rule documentation before playing around with them.
>
> This is also pretty far afield from the Apache Tomcat mailing list. You
> might want to head on over to the Apache HTTPD mailing list for better
> answers.
>
> That being said, I hacked together something that works.
>
> In your httpd.conf file before the ProxyPass "/" statement:
>
> # Turn on the rewrite Engine
> RewriteEngine on
>
> # Make sure you're not on HTTPS
> RewriteCond %{HTTPS} !=on
>
> # Send the DonateServlet to HTTPS
> RewriteRule ^/DonateServlet$ https://%{SERVER_NAME}/DonateServlet [R,L]
>
> # Send everything else to TomEE
> ProxyPass "/" "ajp://localhost:8009/Protect"
>
> In your ssl.conf file in the VirtualHost portion:
>
> # Make sure the engine is on
> RewriteEngine on
>
> # Make sure you're not on port 80
> RewriteCond %{SERVER_PORT} !^80$
>
> # Rewrite everything except the URL you want in HTTPS
> RewriteCond %{REQUEST_URI} !^/DonateServlet$
> RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R,L]
>
> # Send the DonateServlet to TomEE
> ProxyPass "/Protect/Dressed" "ajp://localhost:8009/DonateServlet"
>
> I'm sure people can come up with better rewrite rules, but this should work.
>
> . . . just my two cents
> /mde/
>

Oops, that should have read:
ProxyPass "/DonateServlet" "ajp://localhost:8009/DonateServlet"

Copy-paste error from my test case

. . . /mde/
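The split described in this thread, gathered into one place with the follow-up ProxyPass correction applied. This is an added example, not part of the original messages. It assumes explicit port 80 and port 443 `<VirtualHost>` blocks, a hypothetical host name `www.example.com`, placeholder certificate paths, and the root context proxied to `ajp://localhost:8009/` as in the earlier `ProxyPass "/"` line of the thread.

```apache
# Added example, not the thread authors' configuration.
# Assumed: www.example.com, the certificate paths, explicit VirtualHost blocks.
# Needs mod_rewrite, mod_proxy, mod_proxy_ajp and (for port 443) mod_ssl.

# ---- plain HTTP side (httpd.conf) ----
<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine on
    # A plain-HTTP request for the protected servlet is redirected to HTTPS.
    # mod_rewrite runs before the ProxyPass mapping, so this wins over "/".
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/DonateServlet$ https://%{SERVER_NAME}/DonateServlet [R,L]

    # Exclusions must come before the catch-all ProxyPass.
    ProxyPass "/manager" !

    # Everything else goes to TomEE over AJP (unencrypted, so keep it local).
    ProxyPass "/" "ajp://localhost:8009/"
</VirtualHost>

# ---- HTTPS side (/etc/httpd/conf.d/ssl.conf) ----
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    "/path/to/placeholder-cert.pem"
    SSLCertificateKeyFile "/path/to/placeholder-key.pem"

    RewriteEngine on
    # Anything that is not the protected servlet is sent back to HTTP.
    RewriteCond %{SERVER_PORT} !^80$
    RewriteCond %{REQUEST_URI} !^/DonateServlet$
    RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R,L]

    # Only the protected servlet is proxied from the HTTPS side.
    ProxyPass "/DonateServlet" "ajp://localhost:8009/DonateServlet"
</VirtualHost>
```

Rewrite rules defined in the main server configuration are not inherited by a `<VirtualHost>` unless `RewriteOptions Inherit` is set, which is why each block above carries its own `RewriteEngine on`. Run `apachectl configtest` before reloading.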