Page tree
Skip to end of metadata
Go to start of metadata

 

Example Apache Configuration:

<VirtualHost 10.11.12.13:80>
ServerName documentation.example.com
ServerAliaS documentation

ProxyPreserveHost On
RewriteEngine on
# Redirect http traffic to https
RewriteRule ^/(.*)$ https://documentation.example.com/$1 [L,R]
</VirtualHost>

<VirtualHost 10.11.12.13:443>
ServerName documentation.example.com

ErrorLog /var/log/httpd/documentation.example.com-ssl_error_log
TransferLog /var/log/httpd/documentation.example.com-ssl_access_log
CustomLog /var/log/httpd/documentation.example.com-ssl_request_log ssl_combined

ProxyPreserveHost On
ProxyRequests Off

ProxyPass /synchrony  http://localhost:8091/synchrony
<Location /synchrony>
    Require all granted
    RewriteEngine on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule .* ws://localhost:8091%{REQUEST_URI} [P]
	RequestHeader unset Authorization
</Location>


ProxyPass / http://localhost:8090/ retry=2 acquire=3000 timeout=120 Keepalive=On
ProxyPassReverse / http://localhost:8090/

LogLevel info

Include conf.d/ssl.inc

</VirtualHost>

 

Very often multiple applications run on the same server. Having SSL configuration in one place makes sense.

We like to include the following into VirtualHosts that should be configured wil SSL Include conf.d/ssl.inc

 

SSLEngine on
SSLHonorCipherOrder On
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile /etc/pki/tls/certs/wildcard/wildcard.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/wildcard/wildcard.example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/wildcard/wildcard.example.com.ca-bundle

 

APPLICATION_HOME:/conf/server.xml

Locate the connector in server.xml.

When the application is served by a proxy server behind SSL, changes to server.xml are required.

Because Kerberos tokens in some environments may exceed the default 8K bytes, our recommendation is to increase maxHttpHeaderSize. 

proxyName="documentation.example.com" 
proxyPort="443" 
scheme="https" 
secure="true"
maxHttpHeaderSize="32768"

 

 

  • No labels