
I have a front-end server with Apache 2.4.23 deployed + OpenSSL 1.0.2j.

Then I have another server with Tomcat 7 installed.

The idea is that Apache has a VHOST on *:443, which uses ProxyPass to send the request via AJP to the Tomcat server according to specific URLs.

That's my vhosts.conf file (it has the SSL configuration, as I don't want to use the httpd-ssl.conf file because I would have to change many things in it), according to this site:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

##################################################################################################################
# VHOSTS HTTP

# redirect all HTTP to HTTPS (optional)
<VirtualHost *:80>

    ServerAlias *
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]

</VirtualHost>

##################################################################################################################
# VHOSTS HTTPS

Listen 443

# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol        all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLProxyCipherSuite     ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

SSLPassPhraseDialog     builtin

SSLSessionCache        "shmcb:c:/ap24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling                      on
SSLStaplingResponderTimeout         5
SSLStaplingReturnResponderErrors    off
SSLStaplingCache                    "shmcb:c:/ap24/logs/ocsp(128000)"

<VirtualHost *:443>

    SSLEngine on
    SSLCertificateFile "conf/xin.foo.com/xin.crt"
    SSLCertificateChainFile "conf/xin.foo.com/bundle.crt"
    SSLCertificateKeyFile "conf/xin.foo.com/xin.key"

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass /bar ajp://X.X.X.X:XXXX/bar/
    ProxyPass /bar/ ajp://X.X.X.X:XXXX/bar/bar.html

</VirtualHost>

Now, as you can see, I have 2 ProxyPasses according to what the URL looks like. That's because I have an "admin"/backend zone and a user zone. The first ProxyPass is for the Admin zone, and the second one for the User zone.

Now, for those sites I need these URLs:

ADMIN: https://xin.foo.com/bar/bar

USER: https://xin.foo.com/bar/bar?app=personal

I'm using the Apache server in a "local" context right now, which means I don't have a TLD subdomain yet with the Apache server's public IP on it. So, on my local machine in the office, I've edited my "hosts" file in "windows/system32/drivers/etc" and added the line:

xin.foo.com Y.Y.Y.Y (which is the IP address of the Apache front-end server). This way I can emulate from my machine what public access from the internet will be.

Having said all that, now comes the thing:

Internet people will access through https://xin.foo.com. That's it.

I want "https://xin.foo.com" to go directly to the USER zone.

And something like https://xin.foo.com/admin to go to the ADMIN backend zone.

Then, here I guess there are 2 things to take into account:

  • AJP ProxyPasses
  • The possibility of mod_rewrite'ing first with parameters or something, to force the already configured ProxyPasses to work? As the application mounted on the Tomcat server expects some parameters (?app=personal) to show the user zone, and no params = admin zone.

Maybe I have to delete the ProxyPasses and do some mod_proxy_ajp for it?

What would be the right way to do it, and how? I would appreciate the final recipe, as mod_rewrite and ProxyPass are not my speciality... And I'm convinced that even those 2 ProxyPasses are wrong, but that's what they gave me.

EDIT ACCORDING TO COMMENTS:

To summarize, everything is working properly right now, but I need to write the URLs as explained before to access the proper zones. What I want is to change the behaviour of the server according to what is logical, and let the simple TLD URL go to the user zone, and "/admin" to the backend zone. I've added a rewrite from http to https which works OK. Now I've thought that I can add a rewrite which says:

"IF https://xin.foo.com THEN https://xin.foo.com/bar/bar?app=personal"

and

"IF https://xin.foo.com/admin THEN https://xin.foo.com/bar/bar"

With that, I guess the AJP ProxyPasses should still work normally. And what would be of A+ grade would be to not modify the URL in the browser, so people keep seeing "https://xin.foo.com" for the real and "hidden" "https://xin.foo.com/bar/bar?app=personal".

Thank you all so much, and kind regards.
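One way to express the two mappings described in the EDIT, as an added example that is not part of the original question or of any answer to it. It assumes the AJP backend placeholder X.X.X.X:XXXX from the post, that mod_rewrite, mod_proxy and mod_proxy_ajp are loaded, and that the Tomcat application distinguishes the zones purely by the presence of ?app=personal, as the post states. RewriteRule with the [P] flag proxies the rewritten URL internally, so the browser keeps showing https://xin.foo.com; the two ProxyPass lines from the post are replaced here by a single prefix mapping for /bar, and the Require ip block is an assumed hardening with a constructed placeholder network, not something the post asks for.

```apache
<VirtualHost *:443>
    # SSLEngine, certificate, chain, key and HSTS directives stay exactly as
    # in the post; only the proxying part is shown here.

    ProxyRequests Off
    ProxyPreserveHost On
    RewriteEngine On

    # User zone: only the bare site root "/" is rewritten. [P] hands the
    # rewritten URL to mod_proxy (mod_proxy_ajp for the ajp:// scheme), so the
    # address bar keeps https://xin.foo.com/ while Tomcat receives
    # /bar/bar?app=personal. [P] implies [L]. Backend host and port are the
    # X.X.X.X:XXXX placeholder from the question.
    RewriteRule ^/$ ajp://X.X.X.X:XXXX/bar/bar?app=personal [P]

    # Admin zone: /admin (with or without trailing slash) becomes /bar/bar
    # with no query string, which the application treats as the admin zone.
    RewriteRule ^/admin/?$ ajp://X.X.X.X:XXXX/bar/bar [P]

    # Everything else under /bar (links, assets and form actions that the
    # Tomcat application emits) still goes through a plain prefix ProxyPass.
    # ProxyPassReverse fixes Location headers in redirects from the backend.
    ProxyPass        /bar ajp://X.X.X.X:XXXX/bar
    ProxyPassReverse /bar ajp://X.X.X.X:XXXX/bar

    # Assumed hardening (not in the post): the admin entry point is reachable
    # only from an office range. 192.0.2.0/24 is a constructed placeholder.
    <Location "/admin">
        Require ip 192.0.2.0/24
    </Location>
</VirtualHost>
```

Because the rewrite rules match only the exact paths "/" and "/admin", a request such as https://xin.foo.com/bar/bar?app=personal typed directly still reaches Tomcat through the /bar ProxyPass, so the zones are selected by the Tomcat application as before; the rules only add the short public entry points. After changing the file, `httpd -t` checks the syntax before a restart.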
