Parece que você pode tentar editar o server.xml para seu aplicativo Tomcat e, quando a porta do Conector estiver definida, adicione algo como:
proxyName="mysite.example.com" proxyPort="443" scheme="https" secure="true"
Estou tentando implementar um proxy reverso para um aplicativo que esteja executando um servidor incorporado do tomcat por SSL. O aplicativo precisa ser executado por SSL na porta 9002, portanto, não tenho como "desabilitar o SSL" para este aplicativo. O esquema de configuração atual é assim:
[192.168.0.10:443 - Apache with mod_proxy] --> [192.168.0.10:9002 - Tomcat App]
Depois de pesquisar como fazer essa configuração (e testar) me deparei com isso:
Que levam a fazer minha configuração atual (para tentar emular a opção --secure-protocol = sslv3 do wget)
/etc/apache2/sites/enabled/default-ssl:
<VirtualHost _default_:443>
SSLEngine On
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLProxyEngine On
SSLProxyProtocol SSLv3
SSLProxyCipherSuite SSLv3
ProxyPass /test/ https://192.168.0.10:9002/
ProxyPassReverse /test/ https://192.168.0.10:9002/
LogLevel debug
ErrorLog /var/log/apache2/error-ssl.log
CustomLog /var/log/apache2/access-ssl.log combined
</VirtualHost>
O problema é que o log de erros está mostrando o erro: 14077102: rotinas SSL: SSL23_GET_SERVER_HELLO: protocolo não suportado
Log de solicitações completas:
[Wed Mar 13 20:05:57 2013] [debug] mod_proxy.c(1020): Running scheme https handler (attempt 0)
[Wed Mar 13 20:05:57 2013] [debug] mod_proxy_http.c(1973): proxy: HTTP: serving URL https://192.168.0.10:9002/
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2011): proxy: HTTPS: has acquired connection for (192.168.0.10)
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2067): proxy: connecting https://192.168.0.10:9002/ to 192.168.0.10:9002
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2193): proxy: connected / to 192.168.0.10:9002
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2444): proxy: HTTPS: fam 2 socket created to connect to 192.168.0.10
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2576): proxy: HTTPS: connection complete to 192.168.0.10:9002 (192.168.0.10)
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] Connection to child 0 established (server demo1agrubu01.demo.lab:443)
[Wed Mar 13 20:05:57 2013] [info] Seeding PRNG with 656 bytes of entropy
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/connect initialization
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: unknown state
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1897): OpenSSL: read 7/7 bytes from BIO#7f122800a100 [mem: 7f1230018f60] (BIO dump follows)
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1869): | 0000: 15 03 01 00 02 02 50 ......P |
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in unknown state
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] SSL Proxy connect failed
[Wed Mar 13 20:05:57 2013] [info] SSL Library Error: 336032002 error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] Connection closed to child 0 with abortive shutdown (server example1.domain.tld:443)
[Wed Mar 13 20:05:57 2013] [error] (502)Unknown error 502: proxy: pass request body failed to 172.31.4.13:9002 (192.168.0.10)
[Wed Mar 13 20:05:57 2013] [error] [client 192.168.0.10] proxy: Error during SSL Handshake with remote server returned by /dsfe/
[Wed Mar 13 20:05:57 2013] [error] proxy: pass request body failed to 192.168.0.10:9002 (172.31.4.13) from 172.31.4.13 ()
[Wed Mar 13 20:05:57 2013] [debug] proxy_util.c(2029): proxy: HTTPS: has released connection for (172.31.4.13)
[Wed Mar 13 20:05:57 2013] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
[Wed Mar 13 20:05:57 2013] [info] [client 192.168.0.10] Connection closed to child 6 with standard shutdown (server example1.domain.tld:443)
Se eu fizer um
wget --secure-protocol=sslv3 --no-check-certificate https://192.168.0.10:9002/
funciona perfeitamente, mas do apache não está funcionando.
Estou em um servidor Ubuntu com as atualizações mais recentes executando o apache2 com mod_proxy e mod_ssl ativado:
~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.2 LTS"
~# dpkg -s apache2
...
Version: 2.2.22-1ubuntu1.2
...
~# dpkg -s openssl
...
Version: 1.0.1-4ubuntu5.7
...
Espero que alguém possa ajudar
Parece que você pode tentar editar o server.xml para seu aplicativo Tomcat e, quando a porta do Conector estiver definida, adicione algo como:
proxyName="mysite.example.com" proxyPort="443" scheme="https" secure="true"
Tags tomcat mod-ssl apache-2.2 mod-proxy