
Apache SSL frontend for plain HTTP Tomcat gives unsecure content


We have set up Apache as an SSL frontend for plain HTTP JBoss (Tomcat):

<VirtualHost *:5555>
    ServerName my.server.com

    SSLEngine on
    SSLCertificateFile /x.crt
    SSLCertificateKeyFile /x.pem
    SSLProxyEngine on
    ...
    ...
    ProxyPass / http://my.server:8080/
    ProxyPassReverse / http://my.server.com:8080/
</VirtualHost>

In our jsp we have something like this:

<link href="/css/my.css" rel="stylesheet" type="text/css">

When we load the page from

https://my.server.com:5555

The browser is telling us this page has unsecure content because it will load the CSS from

http://my.server.com:5555/css/my.css

I don't want to use an absolute URL in href. Can I somehow tell Tomcat to use https from Apache without setting up SSL in Tomcat? Or is the best combination to set up SSL in both Apache & Tomcat?

I have tried the solution as Dirk pointed out but it's still not working.

server.xml

<Connector port="8080" protocol="HTTP/1.1" enableLookups="false" proxyPort="5555" scheme="https" secure="true" />

I still get the error about the unsecure content. Is it because Struts 1.1 does not use request.getScheme() or is it because the communication between Apache and Tomcat is with plain http and Apache thinks

<link href="/css/my.css" rel="stylesheet" type="text/css">

should be downloaded from

http://my.server.com:5555/css/my.css

before sending it back to the browser?

Thanks in advance


Solution

  • I'd guess that the problem is that your (Tomcat) server thinks it is still living at the http address (you can confirm that by looking at the headers and the HTML).

    So it includes references in the page to the http address, unaware the request came in on the https version.

    Assuming you want all traffic https (and the http path is blocked and/or tomcat is bound to localhost) - you want to check http://tomcat.apache.org/tomcat-7.0-doc/proxy-howto.html as to how to tell tomcat that it is living not at the address it can see - but at the address you are exposing to the internet from apache (i.e. the front door).

    The ones you are after are proxyName, proxyPort along with scheme and secure.

    See for example option 4 and 3 of http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2007800.
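
As an added example (not part of the original question or answer), this Python sketch automates the check the answer suggests: it inspects a response's headers and HTML for references that still resolve to plain http behind the TLS frontend. The sample response is constructed, `login.do` is a placeholder path, and the `<base>` tag is an assumed way for a relative href to end up on http, not something the page confirms.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch something or re-base relative URLs.
URL_ATTRS = {"base": "href", "link": "href", "script": "src", "img": "src", "iframe": "src"}

class RefCollector(HTMLParser):
    """Collects (tag, raw URL) pairs in document order."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if value:
            self.refs.append((tag, value))

def find_http_leaks(page_url, headers, html):
    """Return (source, absolute URL) for each reference that resolves to plain http."""
    leaks = []
    # Redirects built by the backend from its own view of scheme/host/port.
    for name, value in headers.items():
        if name.lower() in ("location", "content-location"):
            target = urljoin(page_url, value)
            if urlsplit(target).scheme == "http":
                leaks.append((name, target))
    collector = RefCollector()
    collector.feed(html)
    # The first <base href> changes how every relative URL on the page resolves.
    base = next((urljoin(page_url, v) for t, v in collector.refs if t == "base"), page_url)
    for tag, value in collector.refs:
        target = urljoin(base, value)
        if urlsplit(target).scheme == "http":
            leaks.append((f"<{tag}>", target))
    return leaks

# Constructed sample response; the <base> tag is an assumption for illustration.
SAMPLE_URL = "https://my.server.com:5555/"
SAMPLE_HEADERS = {"Location": "http://my.server.com:5555/login.do"}
SAMPLE_HTML = """<html><head>
<base href="http://my.server.com:5555/">
<link href="/css/my.css" rel="stylesheet" type="text/css">
</head><body></body></html>"""

if __name__ == "__main__":
    for source, url in find_http_leaks(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{source}: {url}")
```

An empty result on a page fetched through the https frontend means neither the headers nor the listed tags point the browser back at http.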