Example Apache Configuration:
<VirtualHost 10.11.12.13:80>
ServerName documentation.example.com
ServerAliaS documentation
ProxyPreserveHost On
RewriteEngine on
# Redirect http traffic to https
RewriteRule ^/(.*)$ https://documentation.example.com/$1 [L,R]
</VirtualHost>
<VirtualHost 10.11.12.13:443>
ServerName documentation.example.com
ErrorLog /var/log/httpd/documentation.example.com-ssl_error_log
TransferLog /var/log/httpd/documentation.example.com-ssl_access_log
CustomLog /var/log/httpd/documentation.example.com-ssl_request_log ssl_combined
ProxyPreserveHost On
ProxyRequests Off
ProxyPass /synchrony http://localhost:8091/synchrony
<Location /synchrony>
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://localhost:8091%{REQUEST_URI} [P]
RequestHeader unset Authorization
</Location>
ProxyPass / http://localhost:8090/ retry=2 acquire=3000 timeout=120 Keepalive=On
ProxyPassReverse / http://localhost:8090/
LogLevel info
Include conf.d/ssl.inc
</VirtualHost> |
|
Very often, multiple applications run on the same server. Having SSL configuration in one place makes sense.
We like to include the following into VirtualHosts that should be configured with SSL Include conf.d/ssl.inc
SSLEngine on
SSLHonorCipherOrder On
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile /etc/pki/tls/certs/wildcard/wildcard.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/wildcard/wildcard.example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/wildcard/wildcard.example.com.ca-bundle |
|
APPLICATION_HOME:/conf/server.xml
Locate the connector in server.xml.
When a proxy server behind SSL serves the application, changes to server.xml are required.
Because Kerberos tokens in some environments may exceed the default 8K bytes, our recommendation is to increase maxHttpHeaderSize.
proxyName="documentation.example.com"
proxyPort="443"
scheme="https"
secure="true"
maxHttpHeaderSize="32768" |