Switching SSL with Apache 2 Proxy

09 February 2005

I use Apache 2 as a reverse proxy in front of my JBoss application server. I let Apache handle the SSL connections, so my JBoss server doesn't need to know anything about it.

I've now figured out how to use Apache alone to enforce switching between http and https for the login page versus the rest of the site. Now I can hit the site normally with http, and upon clicking the login link (which shows both the login form and accepts the POST), Apache redirects me up to the https port. When login is done and returns me to any other URL, it redirects me once again back down to the http port. It's all done in the proxy, so no application code must be changed.

The only thing that I've found to not quite work is the occassion where the login url comes in with a the ';jsessionid=...' appended. Apache doesn't seem to be recognizing that one to be redirected to https. I may need the more featureful mod_rewrite to accomodate that.

Here are the relevant bits of the Apache 2 config:

<VirtualHost *:80>
    # redirect only login action over to https
    ProxyPass /blog/login.java !
    Redirect /blog/login.java https://www.hjsoft.com/blog/login.java

    # reverse proxy everything else
    ProxyPass /blog/ http://localhost:8080/blog/
    ProxyPassReverse /blog/ http://localhost:8080/blog/

    ProxyPreserveHost On

    <Proxy http://localhost:8080/blog/>
        Order allow,deny
	Allow from all
    </Proxy>
</VirtualHost>
<VirtualHost *:443>
    # proxy only the login action
    ProxyPass /blog/login.java http://localhost:8080/blog/login.java

    # redirect anything else over to http
    ProxyPass /blog/ !
    Redirect /blog/ http://www.hjsoft.com/blog/
    ProxyPassReverse /blog/ http://localhost:8080/blog/

    ProxyPreserveHost On

    <Proxy http://localhost:8080/blog/>
        Order allow,deny
        Allow from all
    </Proxy>
</VirtualHost>

Update (9 Feb 2005): I figured out mod_rewrite to implement a more complete solution. I replace my ProxyPass and Redirect directives with this:

RewriteEngine on
RewriteRule ^/blog$ http://www.hjsoft.com/blog/
RewriteRule ^/blog/(login\.java.*)$ https://www.hjsoft.com/blog/$1 [L]
RewriteRule ^/blog/(.*)$ http://localhost:8080/blog/$1 [P,L]

and for the SSL virtual host config:

RewriteEngine on
RewriteRule ^/blog/(login\.java.*) http://localhost:8080/blog/$1 [P,L]
RewriteRule ^/blog$ http://www.hjsoft.com/blog/
RewriteRule ^/blog/(.*) http://www.hjsoft.com/blog/$1 [L]

These more powerful rules and their regular expressions allow me to more completely match and preserve parts of the URL, including the jsessionid.

Filed Under: Linux Java Web-Dev Computers Blog-Code