Eu faço isso para minhas instâncias do Tomcat. (Anteriormente Confluence, agora XWiki.)
- O vHost http → https é apenas um redirecionamento direto, sem proxy.
- O vHost https gerencia as regras de proxy para o Tomcat, partindo do princípio de que o URI segue um padrão sensato.
Aqui está uma versão (ligeiramente) editada da minha configuração:
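<VirtualHost *:80>
    # Plain-HTTP entry point. Nothing is served or proxied from here: every
    # request is redirected to the HTTPS site.

    # Placeholder address: the original value was obfuscated on the page.
    # ServerAdmin takes exactly one argument.
    ServerAdmin webmaster@example.com
    ServerName confluence.example.com
    DocumentRoot /home/www/confluence.example.com/docroot

    # Global protection
    #
    <Directory />
        Options None
        AllowOverride None
    </Directory>

    # Send users to canonical website
    #
    # Without a status argument Redirect answers 302 (temporary).
    # The request that triggers the redirect still travels in cleartext; an
    # HSTS response header served over HTTPS is what keeps returning browsers
    # from using this hop at all.
    Redirect / https://confluence.example.com/

    # Logging
    #
    # Off: do not append the server version banner to server-generated pages.
    ServerSignature Off
    LogLevel warn
    # Piped logs: cronolog expands the strftime pattern into per-day files.
    ErrorLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/public-error.log"
    CustomLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/public-access.log" combined
</VirtualHost>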
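<VirtualHost *:443>
    # TLS front end: terminates HTTPS and reverse-proxies every path to the
    # Tomcat connector on port 8090.

    # Placeholder address: the original value was obfuscated on the page.
    # ServerAdmin takes exactly one argument.
    ServerAdmin webmaster@example.com
    ServerName confluence.example.com
    DocumentRoot /home/www/confluence.example.com/docroot
    AddDefaultCharset UTF-8

    # Global protection
    #
    <Directory />
        Options None
        AllowOverride None
    </Directory>

    # The port-80 vhost redirects everything here, so tell browsers to skip
    # the cleartext hop on later visits. Guarded so that the configuration
    # still loads when mod_headers is not enabled.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000"
    </IfModule>

    # Access to the application itself
    #
    # Reverse proxy only: keep forward proxying explicitly disabled.
    ProxyRequests Off
    # The hop to Tomcat is plain HTTP and is addressed by the public host
    # name. Port 8090 should be reachable from this host only (loopback bind
    # or firewall rule); otherwise clients can reach Tomcat directly and
    # bypass TLS and this vhost's logging.
    # The pattern is anchored at the start so the capture is always the full
    # path after the leading slash.
    ProxyPassMatch ^/(.*) http://confluence.example.com:8090/$1
    ProxyPassReverse / http://confluence.example.com:8090/
    # Both domains are identical, so this cookie rewrite is a no-op as written.
    ProxyPassReverseCookieDomain confluence.example.com confluence.example.com

    # Logging
    #
    # Off: do not append the server version banner to server-generated pages.
    ServerSignature Off
    # rewrite:debug is a per-module override (2.4 syntax). This vhost has no
    # rewrite rules, so it looks like a debugging leftover.
    LogLevel warn rewrite:debug
    # Piped logs: cronolog expands the strftime pattern into per-day files.
    ErrorLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-error.log"
    CustomLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-access.log" combined
    # Apache 2.2 directives, removed in 2.4 in favour of per-module LogLevel.
    #RewriteLogLevel 1
    #RewriteLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-rewrite.log"

    # SSL
    #
    # No SSLProtocol or SSLCipherSuite is set in this vhost, so the
    # server-wide values apply. NOTE(review): confirm that those disable
    # SSLv3 and other legacy protocol versions.
    SSLEngine on
    SSLCertificateFile "...crt"
    # The private key should be readable only by the account that starts httpd.
    SSLCertificateKeyFile "...key"
    # Deprecated since 2.4.8: intermediates can be appended to the file named
    # by SSLCertificateFile instead.
    SSLCertificateChainFile "...ca-bundle"

    # Work-arounds for old Internet Explorer TLS/keep-alive behaviour.
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # [17-9] is a character class: the digit 1, or 7 through 9 (so it matches
    # MSIE 7-9 and any version starting with 1).
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>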