[Go-essp-tech] Apache Http Proxy Configuration for esg-gateway.jpl.nasa.gov

Nathan Hook nhook at ucar.edu
Thu Mar 17 11:41:09 MDT 2011


Hi Luca,

Thank you for the reply.

When you test publishing could you verify if you're publishing to 
either: esg-gateway.jpl.nasa.gov or jpl-esg.jpl.nasa.gov?

I've tried verifying that our setup is the same as the one setup at JPL, 
but there does seem to be a communication problem between apache and tomcat.

There are some software version differences, but I'm not sure those by 
themselves could be causing the problems.

Here are our software versions:
Apache/2.2.3
Tomcat/6.0.29
Java/6.0_23

There could be issues with SSL Renegotiation...

Thanks again Luca.

Regards,

Nathan H.




On 3/17/2011 11:28 AM, Cinquini, Luca (3880) wrote:
> Hi Nathan,
> 	this is probably not going to be very useful, but just to give you an update...
>
> In the past, I have been able to publish to the JPL Gateway via the standard ESG publisher, which means that the proxy certificate was indeed getting to the Tomcat server. Yesterday I started trying to reproduce the steps to give you some debug information, but I realized I had to upgrade our datanode first. So that's what I have been doing, and as soon as I am done I can report back on the results. It might take till tomorrow since I have a few meetings this pm.
>
> Sorry I can't be more helpful at this time.
>
> thanks, Luca
>
> On Mar 16, 2011, at 4:52 PM, Nathan Hook wrote:
>
>> Hi Paul,
>>
>> Thank you for the very complete explanation of your environment's setup.
>> It has been very helpful so far.
>>
>> I do seem to be having difficulty getting a client's x509 certificate
>> to the tomcat server at this point.  I am testing this functionality by
>> importing a p12 certificate into my browser and then visiting a page
>> that uses ssl.
>>
>> Do you happen to know of a reasonable way to debug what might be going
>> wrong?
>>
>> After snooping both the Apache ssl logs and the ssl debug output of
>> Tomcat I'm a little nervous that the client's x509 certificate is not
>> being sent from Apache to Tomcat.
>>
>> Any reasonable suggestions on either what might be wrong or how to debug
>> the situation would be greatly appreciated.
>>
>> Thank you for your time Paul,
>>
>> Nathan H.
>>
>>
>> On 3/16/2011 4:16 AM, Zimdars, Paul A (3880-Affiliate) wrote:
>>> Hi Nathan,
>>>
>>> Here is an overview of our site deployment:
>>>
>>> CentOS 5.5 x86_64
>>> Apache HTTPD 2.2.15
>>> OpenSSL 0.9.8k (required for SNI)
>>> Apache Tomcat 6.0.20 (Deployed by Luca)
>>> JDK 1.6.0_13 (Deployed by Luca)
>>>
>>> We first installed OpenSSL 0.9.8k in order to use SNI (Server Name Indication) which allows multiple SSL virtual hosts to share the same IP address while providing unique SSL certificates for each host. I recommend that you read more about it at the following site:
>>>
>>> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>>>
>>> We have multiple SSL virtual hosts using the same IP so SNI was required for our site. We did a standard OpenSSL install with no special flags (deployed to /usr/local/openssl-0.9.8k).
>>>
>>> The next step involved installing Apache 2.2.15 using the OpenSSL deployment mentioned above + the following flags:
>>>
>>>   --with-ssl=/usr/local/openssl-0.9.8k --prefix=/usr/local/apache-2.2.15 --enable-proxy --enable-ssl --enable-cgi --enable-suexec --enable-rewrite --enable-so --enable-proxy-connect --enable-proxy-http --enable-proxy-ajp --enable-ldap --enable-dav --enable-vhost-alias --enable-http --enable-unique-id
>>>
>>> We then configured the VHOST for esg-gateway (80,443). We tried a couple of different configurations but found that the configuration listed below worked well (we also made esg-gateway the first vhost found in httpd.conf since we had a couple of minor issues with wget if it wasn't first (wget doesn't know about SNI)):
>>>
>>> <VirtualHost *:80>
>>>    ServerName esg-gateway.jpl.nasa.gov
>>>    ServerAlias esg-gateway
>>>    ProxyRequests Off
>>>    ProxyPreserveHost On
>>>    <Proxy *>
>>>      AddDefaultCharset Off
>>>      Order deny,allow
>>>      Allow from all
>>>    </Proxy>
>>>    ProxyPass / http://jpl-esg.jpl.nasa.gov:9080/
>>>    ProxyPassReverse / http://jpl-esg.jpl.nasa.gov:9080/
>>>    ServerAdmin sa at list.jpl.nasa.gov
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>    ServerAlias esg-gateway
>>>    SSLEngine on
>>>    SSLProxyEngine on
>>>    SSLProtocol all
>>>    ProxyRequests Off
>>>    ProxyPreserveHost On
>>>    ServerName esg-gateway.jpl.nasa.gov
>>>    SSLCipherSuite HIGH:MEDIUM
>>>    SSLCertificateFile /etc/httpd/conf/certs/esg-gw.crt
>>>    SSLCertificateKeyFile /etc/httpd/conf/certs/esg-gw.key
>>>    SSLVerifyClient optional_no_ca
>>>    SSLOptions +ExportCertData
>>>    <Proxy *>
>>>      AddDefaultCharset Off
>>>      Order deny,allow
>>>      Allow from all
>>>    </Proxy>
>>>    ProxyPass / https://esg-gateway.jpl.nasa.gov:9443/
>>>    ProxyPassReverse / https://esg-gateway.jpl.nasa.gov:9443/
>>>    ServerAdmin sa at list.jpl.nasa.gov
>>> </VirtualHost>
>>>
>>> The tomcat installation was fairly standard so I won't provide details on it. The keystore was purchased from RapidSSL.com and I roughly followed the following site to create and install the keystore:
>>>
>>> http://www.agentbob.info/agentbob/79-AB.html
>>>
>>> Which provided me with our keystore that we added to Tomcat:
>>>
>>> Keystore type: JKS
>>> Keystore provider: SUN
>>>
>>> Your keystore contains 1 entry
>>>
>>> 1, Mar 16, 2011, PrivateKeyEntry,
>>> Certificate fingerprint (MD5): 82:03:51:77:CC:4B:F2:8E:44:92:21:C5:BA:FE:39:92
>>>
>>> I do notice that if I use safari (5.0.4) in Windows I have issues accessing esg-gateway over SSL (works fine on my Mac). I also tested using Safari on my Mac (OSX 10.6.6/5.0.4) to directly access our Tomcat installation (bypassing apache) and it fails on the SSL connection.
>>>
>>> Please let me know if you have any further questions or need more information.
>>>
>>> Thanks,
>>> Paul
>>> 626-824-1393
>>> ________________________________________
>>> From: Nathan Hook [nhook at ucar.edu]
>>> Sent: Tuesday, March 15, 2011 11:13 AM
>>> To: Zimdars, Paul A (3880-Affiliate)
>>> Cc: go-essp-tech at ucar.edu
>>> Subject: Apache Http Proxy Configuration for esg-gateway.jpl.nasa.gov
>>>
>>> Good Day Paul,
>>>
>>> My name is Nathan Hook with the National Center for Atmospheric Research
>>> (NCAR) and I have been working with a colleague of yours, Luca Cinquini,
>>> on an SSL Handshake problem with a product of ours.
>>>
>>> I am hoping that if you have the time available you would be able to
>>> help me out a bit.
>>>
>>> Currently a collaboration that I'm working on (with Luca and others) is
>>> having difficulties with an SSL handshake being too large for the Safari
>>> web browser buffer and therefore causing Safari users not to access our
>>> web application via SSL.  Which is a problem.
>>>
>>> Luca has mentioned that the esg-gateway.jpl.nasa.gov site is proxied
>>> behind an Apache Http server and it seems as though that configuration
>>> does not cause the same buffer problem for Safari that a stand alone
>>> Apache Tomcat server does.
>>>
>>> Would you be willing to share with us your configuration settings for
>>> both apache and tomcat so we can attempt to duplicate your environment
>>> here on our test servers and see exactly what is happening during an SSL
>>> request?
>>>
>>> Thank you for your time Paul.
>>>
>>> Regards,
>>>
>>> Nathan Hook
>>>
>>
>> _______________________________________________
>> GO-ESSP-TECH mailing list
>> GO-ESSP-TECH at ucar.edu
>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>
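An added example, not code from the thread or from the ESG project: a small Python audit that parses the :443 vhost Paul quoted above and flags the gaps Nathan is chasing, in particular that mod_proxy_http opens its own TLS session to Tomcat, so the browser's certificate never reaches the backend unless Apache copies it into a request header. It assumes Apache 2.2 semantics for `SSLProtocol all`; the sample config text is constructed from the quoted vhost, trimmed to the directives the checks inspect.

```python
# Constructed sample: the :443 vhost from Paul's mail, trimmed to the
# directives these checks inspect (not the thread's exact file).
SAMPLE_VHOST = """
<VirtualHost *:443>
   ServerName esg-gateway.jpl.nasa.gov
   SSLEngine on
   SSLProxyEngine on
   SSLProtocol all
   SSLCipherSuite HIGH:MEDIUM
   SSLVerifyClient optional_no_ca
   SSLOptions +ExportCertData
   ProxyPass / https://esg-gateway.jpl.nasa.gov:9443/
   ProxyPassReverse / https://esg-gateway.jpl.nasa.gov:9443/
</VirtualHost>
"""

def parse_directives(text):
    """Map lowercased directive name -> list of argument lists (containers and comments skipped)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, *args = line.split()
        out.setdefault(name.lower(), []).append(args)
    return out

def audit_client_cert_proxy(text):
    """Return finding codes for a TLS-terminating vhost that reverse-proxies to Tomcat."""
    d = parse_directives(text)
    findings = []
    verify = {a[0].lower() for a in d.get("sslverifyclient", []) if a}
    options = {o.lower() for a in d.get("ssloptions", []) for o in a}
    protos = {p.lower() for a in d.get("sslprotocol", []) for p in a}
    # Apache 2.2: "all" is shorthand for +SSLv2 +SSLv3 +TLSv1.
    if "all" in protos or "+sslv2" in protos or "+sslv3" in protos:
        findings.append("legacy-ssl-protocols-enabled")
    if "optional_no_ca" in verify:
        # Apache accepts the cert without validating its chain; Tomcat must do it.
        findings.append("client-cert-not-validated")
    if verify - {"none"} and "+exportcertdata" not in options:
        # SSL_CLIENT_CERT is only populated when +ExportCertData is set.
        findings.append("client-cert-not-exported")
    forwarded = any(len(a) >= 3 and a[0].lower() == "set" and a[1].lower() == "ssl_client_cert"
                    for a in d.get("requestheader", []))
    if verify - {"none"} and "proxypass" in d and not forwarded:
        # The proxied TLS session to :9443 carries Apache's identity, not the
        # browser's; forwarding needs e.g.
        #   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        # and Tomcat must accept that header only from the proxy host.
        findings.append("client-cert-not-forwarded")
    return findings

if __name__ == "__main__":
    for f in audit_client_cert_proxy(SAMPLE_VHOST):
        print(f)
```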
