Re: Issue with SSL configuration.

On Tue, Oct 28, 2008 at 3:36 AM, Vasanth Kumar ravi
<josvasanth@gmail.com> wrote:

> SSLCertificateFile /usr/share/ssl/certs/server.crt/
> SSLCertificateKeyFile /usr/share/ssl/certs/server.key/

The argument to SSLCertifacateFile and SSLCertificateKeyFile is a
_file_, not a directory. Just enter the full path to your cert and
private key here.

> I had copied the certs to the openssl certs directory and created hashlinks
> for them.

Creating hashkeys is not necessary. Apache knows where to find its
cert if you give SSLCertificateFile the correct value.

Krist

--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Thanks folks..
After posting this in the forum , I did an extensive research on the
internet and it was resolved.
Major problem was due to the Virtual host configuration..Now i am able to
use the SSL at the apache level.

wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:362)
port 443 namevhost
gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:362)
port 443 namevhost
gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:376)
*:80 is a NameVirtualHost
default server gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:332)
port 80 namevhost
gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:332)
port 80 namevhost
gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:343)

I need your help in some configuration ideas.
I m trying to setup something like the below.
Client *<---SSL--->* Apache *<---HTTP--->* WebLogic

I request http://<hostname>/OPSWeb/neo from the browser and it goes to the
login page and I am able to perform all the functions.
When I request https://<hostname>/OPSWeb/neo , it doesnt give a login page,
but it gives a pop-up in IE "Access is Denied. Type Error"
As stated earlier, I need to have HTTPS between the browser and the web
server and HTTP between the Apache and Weblogic.
Also there is no SSL enabled at the Weblogic level.

Do we have to write some ProxyReverse Parameters/Rewrite rules.
Let me know if you need any further details.

Please advise.



On Tue, Oct 28, 2008 at 10:35 PM, Krist van Besien <
krist.vanbesien@gmail.com> wrote:

> On Tue, Oct 28, 2008 at 3:36 AM, Vasanth Kumar ravi
> <josvasanth@gmail.com> wrote:
>
> > SSLCertificateFile /usr/share/ssl/certs/server.crt/
> > SSLCertificateKeyFile /usr/share/ssl/certs/server.key/
>
> The argument to SSLCertifacateFile and SSLCertificateKeyFile is a
> _file_, not a directory. Just enter the full path to your cert and
> private key here.
>
> > I had copied the certs to the openssl certs directory and created
> hashlinks
> > for them.
>
> Creating hashkeys is not necessary. Apache knows where to find its
> cert if you give SSLCertificateFile the correct value.
>
> Krist
>
> --
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


--
Regards&Thanks,
Vasanth Kumar Ravi

All,
Can someone throw light on this issue.

Thanks.

On Wed, Oct 29, 2008 at 4:28 PM, Vasanth Kumar ravi <josvasanth@gmail.com>wrote:

> Thanks folks..
> After posting this in the forum , I did an extensive research on the
> internet and it was resolved.
> Major problem was due to the Virtual host configuration..Now i am able to
> use the SSL at the apache level.
>
> wildcard NameVirtualHosts and _default_ servers:
> *:443 is a NameVirtualHost
> default server gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:362)
> port 443 namevhost gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:362)
> port 443 namevhost gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:376)
> *:80 is a NameVirtualHost
> default server gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:332)
> port 80 namevhost gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:332)
> port 80 namevhost gelxd002.sony.com.sg(/home/apache/conf/httpd.conf:343)
>
> I need your help in some configuration ideas.
> I m trying to setup something like the below.
> Client *<---SSL--->* Apache *<---HTTP--->* WebLogic
>
> I request http://<hostname>/OPSWeb/neo from the browser and it goes to the
> login page and I am able to perform all the functions.
> When I request https://<hostname>/OPSWeb/neo , it doesnt give a login
> page, but it gives a pop-up in IE "Access is Denied. Type Error"
> As stated earlier, I need to have HTTPS between the browser and the web
> server and HTTP between the Apache and Weblogic.
> Also there is no SSL enabled at the Weblogic level.
>
> Do we have to write some ProxyReverse Parameters/Rewrite rules.
> Let me know if you need any further details.
>
> Please advise.
>
>
>
>
> On Tue, Oct 28, 2008 at 10:35 PM, Krist van Besien <
> krist.vanbesien@gmail.com> wrote:
>
>> On Tue, Oct 28, 2008 at 3:36 AM, Vasanth Kumar ravi
>> <josvasanth@gmail.com> wrote:
>>
>> > SSLCertificateFile /usr/share/ssl/certs/server.crt/
>> > SSLCertificateKeyFile /usr/share/ssl/certs/server.key/
>>
>> The argument to SSLCertifacateFile and SSLCertificateKeyFile is a
>> _file_, not a directory. Just enter the full path to your cert and
>> private key here.
>>
>> > I had copied the certs to the openssl certs directory and created
>> hashlinks
>> > for them.
>>
>> Creating hashkeys is not necessary. Apache knows where to find its
>> cert if you give SSLCertificateFile the correct value.
>>
>> Krist
>>
>> --
>> krist.vanbesien@gmail.com
>> krist@vanbesien.org
>> Bremgarten b. Bern, Switzerland
>> --
>> A: It reverses the normal flow of conversation.
>> Q: What's wrong with top-posting?
>> A: Top-posting.
>> Q: What's the biggest scourge on plain text email discussions?
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
>
> --
> Regards&Thanks,
> Vasanth Kumar Ravi
>



--
Regards&Thanks,
Vasanth Kumar Ravi

I think you're not getting responses because your question is a bit
muddled...

By ".. able to use the SSL at the apache level .. " I am assuming that
https://server/filepath returns the file at <DocumentRoot>/filepath -
i.e. you can get local content via HTTPS. Is this so?

If so, all you need to do now is proxy this VH to the back-end server
(i.e. the weblogic thingy). For this you need Proxy directives,e.g.

ProxyPass / http://back-end-server/

then a request for https://server/filepath will cause apache to fetch
http://back-end-server/filepath and return it, via HTTPS, to the client.

I don't quite understand why you have paths like /OPSWeb/neo... That
makes it look like apache is fetching the back-end content via the
filesystem (e.g. shared disks). If so, that's not right - a proxy is
simply a way of forwarding HTTP requests so that all data are
transferred by HTTP. No need for the servers to see each other's files.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.




________________________________

From: Vasanth Kumar ravi [mailto:josvasanth@gmail.com]
Sent: Thursday, October 30, 2008 6:30 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Issue with SSL configuration.


All,
Can someone throw light on this issue.

Thanks.


On Wed, Oct 29, 2008 at 4:28 PM, Vasanth Kumar ravi
<josvasanth@gmail.com> wrote:


Thanks folks..
After posting this in the forum , I did an extensive
research on the internet and it was resolved.
Major problem was due to the Virtual host
configuration..Now i am able to use the SSL at the apache level.

wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:362)
port 443 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:362)
port 443 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:376)
*:80 is a NameVirtualHost
default server gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:332)
port 80 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:332)
port 80 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:343)

I need your help in some configuration ideas.
I m trying to setup something like the below.
Client <---SSL---> Apache <---HTTP---> WebLogic

I request http://<hostname>/OPSWeb/neo from the browser
and it goes to the login page and I am able to perform all the
functions.
When I request https://<hostname>/OPSWeb/neo , it doesnt
give a login page, but it gives a pop-up in IE "Access is Denied. Type
Error"
As stated earlier, I need to have HTTPS between the
browser and the web server and HTTP between the Apache and Weblogic.
Also there is no SSL enabled at the Weblogic level.

Do we have to write some ProxyReverse Parameters/Rewrite
rules.
Let me know if you need any further details.

Please advise.




On Tue, Oct 28, 2008 at 10:35 PM, Krist van Besien
<krist.vanbesien@gmail.com> wrote:


On Tue, Oct 28, 2008 at 3:36 AM, Vasanth Kumar
ravi
<josvasanth@gmail.com> wrote:

> SSLCertificateFile
/usr/share/ssl/certs/server.crt/
> SSLCertificateKeyFile
/usr/share/ssl/certs/server.key/


The argument to SSLCertifacateFile and
SSLCertificateKeyFile is a
_file_, not a directory. Just enter the full
path to your cert and
private key here.


> I had copied the certs to the openssl certs
directory and created hashlinks
> for them.


Creating hashkeys is not necessary. Apache knows
where to find its
cert if you give SSLCertificateFile the correct
value.

Krist

--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text
email discussions?



---------------------------------------------------------------------
The official User-To-User support forum of the
Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html>
for more info.
To unsubscribe, e-mail:
users-unsubscribe@httpd.apache.org
" from the digest:
users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail:
users-help@httpd.apache.org






--
Regards&Thanks,
Vasanth Kumar Ravi





--
Regards&Thanks,
Vasanth Kumar Ravi



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

On Thu, Oct 30, 2008 at 9:31 PM, Vasanth Kumar ravi
<josvasanth@gmail.com> wrote:
> Alright.
> Let me make the requirements clear then.
>
> Currently we have an application hosted in weblogic and we do not have any
> web servers in the setup.
> This application is accessed by the url http://<ip address>/OPSWeb/neo.
>
> I have setup an Apache 2.0.63 web server in front of th weblogic , which
> will act to proxy all the client requests to weblogic.
> I do not have any static files / application hosted in the Apache(it has to
> fwd all requests to the weblogic).
> I have setup VH for both ports 80 and 443.
> The apache ssl setup has been completed.
> The client would request https://<ip address>/OPSWeb/neo from the browser
> which should be proxied to weblogic server.
> Also bear in mind that the weblogic is not running on https.
> Do I have to define a Directory/Document root for proxying all the requests.
> I have attached my httpd.conf file along with this, let me know if the
> settings I have done is correct.
>
>
>
> On Thu, Oct 30, 2008 at 7:27 PM, Boyle Owen <Owen.Boyle@six-group.com>
> wrote:
>>
>> I think you're not getting responses because your question is a bit
>> muddled...
>>
>> By ".. able to use the SSL at the apache level .. " I am assuming that
>> https://server/filepath returns the file at <DocumentRoot>/filepath -
>> i.e. you can get local content via HTTPS. Is this so?
>>
>> If so, all you need to do now is proxy this VH to the back-end server
>> (i.e. the weblogic thingy). For this you need Proxy directives,e.g.
>>
>> ProxyPass / http://back-end-server/
>>
>> then a request for https://server/filepath will cause apache to fetch
>> http://back-end-server/filepath and return it, via HTTPS, to the client.
>>
>> I don't quite understand why you have paths like /OPSWeb/neo... That
>> makes it look like apache is fetching the back-end content via the
>> filesystem (e.g. shared disks). If so, that's not right - a proxy is
>> simply a way of forwarding HTTP requests so that all data are
>> transferred by HTTP. No need for the servers to see each other's files.

You haven't configured Apache to proxy anything.

http://httpd.apache.org/docs/2.2/mod...html#proxypass
http://httpd.apache.org/docs/2.2/mod...oxypassreverse

Perhaps your application server has an apache module for this, or a
configuration guide.

--
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org