[Go-essp-tech] Apache Http Proxy Configuration for esg-gateway.jpl.nasa.gov

Zimdars, Paul A (3880-Affiliate) Paul.A.Zimdars at jpl.nasa.gov
Wed Mar 16 04:16:47 MDT 2011


Hi Nathan,

Here is an overview of our site deployment:

CentOS 5.5 x86_64
Apache HTTPD 2.2.15
OpenSSL 0.9.8k (required for SNI)
Apache Tomcat 6.0.20 (Deployed by Luca)
JDK 1.6.0_13 (Deployed by Luca)

We first installed OpenSSL 0.9.8k in order to use SNI (Server Name Indication), which allows multiple SSL virtual hosts to share the same IP address while providing unique SSL certificates for each host. I recommend that you read more about it at the following site:

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

We have multiple SSL virtual hosts using the same IP so SNI was required for our site. We did a standard OpenSSL install with no special flags (deployed to /usr/local/openssl-0.9.8k).

The next step involved installing Apache 2.2.15 using the OpenSSL deployment mentioned above + the following flags:

 --with-ssl=/usr/local/openssl-0.9.8k --prefix=/usr/local/apache-2.2.15 --enable-proxy --enable-ssl --enable-cgi --enable-suexec --enable-rewrite --enable-so --enable-proxy-connect --enable-proxy-http --enable-proxy-ajp --enable-ldap --enable-dav --enable-vhost-alias --enable-http --enable-unique-id

We then configured the VHOST for esg-gateway (80,443). We tried a couple of different configurations but found that the configuration listed below worked well (we also made esg-gateway the first vhost found in httpd.conf since we had a couple of minor issues with wget if it wasn't first (wget doesn't know about SNI)):

<VirtualHost *:80>
  ServerName esg-gateway.jpl.nasa.gov
  ServerAlias esg-gateway
  ProxyRequests Off
  ProxyPreserveHost On
  <Proxy *>
    AddDefaultCharset Off
    Order deny,allow
    Allow from all
  </Proxy>
  ProxyPass / http://jpl-esg.jpl.nasa.gov:9080/
  ProxyPassReverse / http://jpl-esg.jpl.nasa.gov:9080/
  ServerAdmin sa@list.jpl.nasa.gov
</VirtualHost>

<VirtualHost *:443>
  ServerAlias esg-gateway
  SSLEngine on
  SSLProxyEngine on
  SSLProtocol all
  ProxyRequests Off
  ProxyPreserveHost On
  ServerName esg-gateway.jpl.nasa.gov
  SSLCipherSuite HIGH:MEDIUM
  SSLCertificateFile /etc/httpd/conf/certs/esg-gw.crt
  SSLCertificateKeyFile /etc/httpd/conf/certs/esg-gw.key
  SSLVerifyClient optional_no_ca
  SSLOptions +ExportCertData
  <Proxy *>
    AddDefaultCharset Off
    Order deny,allow
    Allow from all
  </Proxy>
  ProxyPass / https://esg-gateway.jpl.nasa.gov:9443/
  ProxyPassReverse / https://esg-gateway.jpl.nasa.gov:9443/
  ServerAdmin sa@list.jpl.nasa.gov
</VirtualHost>

The tomcat installation was fairly standard so I won't provide details on it. The keystore was purchased from RapidSSL.com and I roughly followed the following site to create and install the keystore:

http://www.agentbob.info/agentbob/79-AB.html

Which provided me with our keystore that we added to Tomcat:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

1, Mar 16, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 82:03:51:77:CC:4B:F2:8E:44:92:21:C5:BA:FE:39:92

I do notice that if I use Safari (5.0.4) in Windows I have issues accessing esg-gateway over SSL (works fine on my Mac). I also tested using Safari on my Mac (OS X 10.6.6 / Safari 5.0.4) to directly access our Tomcat installation (bypassing Apache) and it fails on the SSL connection.

Please let me know if you have any further questions or need more information.

Thanks,
Paul
626-824-1393
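The two VirtualHost blocks above are a working reverse-proxy setup, but several of the TLS directives in the 443 block are permissive (SSLProtocol all, SSLCipherSuite HIGH:MEDIUM, SSLVerifyClient optional_no_ca, SSLProxyEngine on with no SSLProxyVerify). The following script is an added example, not Paul's or the ESG project's code: it parses Apache 2.2-style VirtualHost blocks and reports those settings, using the checks a reviewer would apply to a proxy config like this one. The embedded sample is the configuration posted above, trimmed of the ServerAdmin lines; the check semantics (optional_no_ca skipping chain validation, SSLProxyVerify defaulting to none, ProxyRequests On plus Allow from all forming an open forward proxy) are standard httpd behaviour, and the linter's key names and messages are the example's own.

```python
"""Lint Apache httpd VirtualHost blocks for common TLS/proxy weaknesses.

Added example for review of the esg-gateway proxy config; not project code.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two VirtualHost blocks from the message,
# embedded so the script runs offline (ServerAdmin lines omitted).
SAMPLE_CONFIG = """
<VirtualHost *:80>
  ServerName esg-gateway.jpl.nasa.gov
  ServerAlias esg-gateway
  ProxyRequests Off
  ProxyPreserveHost On
  <Proxy *>
    AddDefaultCharset Off
    Order deny,allow
    Allow from all
  </Proxy>
  ProxyPass / http://jpl-esg.jpl.nasa.gov:9080/
  ProxyPassReverse / http://jpl-esg.jpl.nasa.gov:9080/
</VirtualHost>

<VirtualHost *:443>
  ServerAlias esg-gateway
  SSLEngine on
  SSLProxyEngine on
  SSLProtocol all
  ProxyRequests Off
  ProxyPreserveHost On
  ServerName esg-gateway.jpl.nasa.gov
  SSLCipherSuite HIGH:MEDIUM
  SSLCertificateFile /etc/httpd/conf/certs/esg-gw.crt
  SSLCertificateKeyFile /etc/httpd/conf/certs/esg-gw.key
  SSLVerifyClient optional_no_ca
  SSLOptions +ExportCertData
  <Proxy *>
    AddDefaultCharset Off
    Order deny,allow
    Allow from all
  </Proxy>
  ProxyPass / https://esg-gateway.jpl.nasa.gov:9443/
  ProxyPassReverse / https://esg-gateway.jpl.nasa.gov:9443/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
OPEN_RE = re.compile(r"^<(\w+)\b.*>$")      # e.g. <Proxy *>
CLOSE_RE = re.compile(r"^</(\w+)>$")        # e.g. </Proxy>


def parse_vhosts(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Return (address, directives) per VirtualHost. Directives inside nested
    sections are keyed 'section/directive' (lower-cased) so they stay distinct."""
    vhosts = []
    for addr, body in VHOST_RE.findall(text):
        directives: Dict[str, List[str]] = {}
        stack: List[str] = []
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = OPEN_RE.match(line)
            if m:
                stack.append(m.group(1).lower())
                continue
            if CLOSE_RE.match(line):
                stack.pop()
                continue
            name, _, args = line.partition(" ")
            key = "/".join(stack + [name.lower()])
            directives.setdefault(key, []).append(args.strip())
        vhosts.append((addr.strip(), directives))
    return vhosts


def lint_vhost(d: Dict[str, List[str]]) -> List[str]:
    """Apply the checks; each finding names the directive and the risk."""
    findings = []
    proto = d.get("sslprotocol", [""])[0].lower()
    if "all" in proto and "-sslv3" not in proto:
        findings.append("SSLProtocol includes legacy SSL versions; prefer 'all -SSLv2 -SSLv3'")
    ciphers = d.get("sslciphersuite", [""])[0].upper()
    if "MEDIUM" in ciphers or "LOW" in ciphers:
        findings.append("SSLCipherSuite admits MEDIUM/LOW strength ciphers")
    if d.get("sslverifyclient", [""])[0].lower() == "optional_no_ca":
        findings.append("SSLVerifyClient optional_no_ca: client certs are not chain-validated "
                        "by httpd; the application behind the proxy must do it")
    if d.get("sslproxyengine", [""])[0].lower() == "on" and "sslproxyverify" not in d:
        findings.append("SSLProxyEngine on without SSLProxyVerify: backend certificate is not verified")
    if d.get("proxyrequests", [""])[0].lower() == "on" and any(
        a.lower() == "from all" for a in d.get("proxy/allow", [])
    ):
        findings.append("ProxyRequests On with 'Allow from all' forms an open forward proxy")
    if "servername" not in d:
        findings.append("ServerName missing; SNI-based vhost selection will not match")
    return findings


def lint_config(text: str) -> Dict[str, List[str]]:
    """Map each VirtualHost address to its list of findings."""
    return {addr: lint_vhost(d) for addr, d in parse_vhosts(text)}


if __name__ == "__main__":
    for addr, findings in lint_config(SAMPLE_CONFIG).items():
        print(f"<VirtualHost {addr}>")
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run against the sample, the port 80 vhost is clean and the port 443 vhost produces four findings. The ProxyRequests Off in both blocks is what keeps the permissive <Proxy *> section from turning httpd into an open forward proxy, so that check only fires on a constructed config where ProxyRequests is On.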
________________________________________
From: Nathan Hook [nhook at ucar.edu]
Sent: Tuesday, March 15, 2011 11:13 AM
To: Zimdars, Paul A (3880-Affiliate)
Cc: go-essp-tech at ucar.edu
Subject: Apache Http Proxy Configuration for esg-gateway.jpl.nasa.gov

Good Day Paul,

My name is Nathan Hook with the National Center for Atmospheric Research
(NCAR) and I have been working with a colleague of yours, Luca Cinquini,
on an SSL handshake problem with a product of ours.

I am hoping that if you have the time available you would be able to
help me out a bit.

Currently a collaboration that I'm working on (with Luca and others) is
having difficulties with an SSL handshake being too large for the Safari
web browser buffer and therefore causing Safari users not to access our
web application via SSL.  Which is a problem.

Luca has mentioned that the esg-gateway.jpl.nasa.gov site is proxied
behind an Apache HTTP server and it seems as though that configuration
does not cause the same buffer problem for Safari that a stand-alone
Apache Tomcat server does.

Would you be willing to share with us your configuration settings for
both Apache and Tomcat so we can attempt to duplicate your environment
here on our test servers and see exactly what is happening during an SSL
request?

Thank you for your time Paul.

Regards,

Nathan Hook
