Proxy reverso do SSL do Apache para um Tomcat incorporado

5

Estou tentando implementar um proxy reverso para um aplicativo que esteja executando um servidor incorporado do tomcat por SSL. O aplicativo precisa ser executado por SSL na porta 9002, portanto, não tenho como "desabilitar o SSL" para este aplicativo. O esquema de configuração atual é assim:

[192.168.0.10:443 - Apache with mod_proxy] --> [192.168.0.10:9002 - Tomcat App]

Depois de pesquisar como fazer essa configuração (e testar) me deparei com isso:

link

Que levam a fazer minha configuração atual (para tentar emular a opção --secure-protocol = sslv3 do wget)

/etc/apache2/sites/enabled/default-ssl:

<VirtualHost _default_:443>

    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    SSLProxyEngine On
    SSLProxyProtocol SSLv3
    SSLProxyCipherSuite SSLv3
    ProxyPass /test/ https://192.168.0.10:9002/
    ProxyPassReverse /test/ https://192.168.0.10:9002/

    LogLevel debug
    ErrorLog /var/log/apache2/error-ssl.log
    CustomLog /var/log/apache2/access-ssl.log combined
</VirtualHost>

O problema é que o log de erros está mostrando o erro: 14077102: rotinas SSL: SSL23_GET_SERVER_HELLO: protocolo não suportado

Log de solicitações completas:

[Wed Mar 13 20:05:57 2013] [debug] mod_proxy.c(1020): Running scheme https handler (attempt 0)
[Wed Mar 13 20:05:57 2013] [debug] mod_proxy_http.c(1973): proxy: HTTP: serving URL https://192.168.0.10:9002/
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2011): proxy: HTTPS: has acquired connection for (192.168.0.10)
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2067): proxy: connecting https://192.168.0.10:9002/ to 192.168.0.10:9002
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2193): proxy: connected / to 192.168.0.10:9002
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2444): proxy: HTTPS: fam 2 socket created to connect to 192.168.0.10
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2576): proxy: HTTPS: connection complete to 192.168.0.10:9002 (192.168.0.10)
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] Connection to child 0 established (server demo1agrubu01.demo.lab:443)
[Wed Mar 13 20:05:57 2013] [info] Seeding PRNG with 656 bytes of entropy
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/connect initialization
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: unknown state
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1897): OpenSSL: read 7/7 bytes from BIO#7f122800a100 [mem: 7f1230018f60] (BIO dump follows)
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1869): | 0000: 15 03 01 00 02 02 50                             ......P          |
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in unknown state
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] SSL Proxy connect failed
[Wed Mar 13 20:05:57 2013] [info] SSL Library Error: 336032002 error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] Connection closed to child 0 with abortive shutdown (server example1.domain.tld:443)
[Wed Mar 13 20:05:57 2013] [error] (502)Unknown error 502: proxy: pass request body failed to 172.31.4.13:9002 (192.168.0.10)
[Wed Mar 13 20:05:57 2013] [error] [client 192.168.0.10] proxy: Error during SSL Handshake with remote server returned by /dsfe/
[Wed Mar 13 20:05:57 2013] [error] proxy: pass request body failed to 192.168.0.10:9002 (172.31.4.13) from 172.31.4.13 ()
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2029): proxy: HTTPS: has released connection for (172.31.4.13)
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] Connection closed to child 6 with standard shutdown (server example1.domain.tld:443)

Se eu fizer um

wget --secure-protocol=sslv3 --no-check-certificate https://192.168.0.10:9002/ 

funciona perfeitamente, mas do apache não está funcionando.

Estou em um servidor Ubuntu com as atualizações mais recentes executando o apache2 com mod_proxy e mod_ssl ativado:

~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.2 LTS"

~# dpkg -s apache2
...
Version: 2.2.22-1ubuntu1.2
...

~# dpkg -s openssl
...
Version: 1.0.1-4ubuntu5.7
...

Espero que alguém possa ajudar

    
por ggarcia24 14.03.2013 / 00:57

1 resposta

1

Parece que você pode tentar editar o server.xml para seu aplicativo Tomcat e, quando a porta do Conector estiver definida, adicione algo como:

proxyName="mysite.example.com" proxyPort="443" scheme="https" secure="true"
    
por 15.03.2013 / 00:14