Example Apache Configuration:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 <VirtualHost 10.11.12.13:80> ServerName documentation.example.com ServerAliaS documentation   ProxyPreserveHost On RewriteEngine on # Redirect http traffic to https RewriteRule ^/(.*)$ https://documentation.example.com/$1 [L,R] </VirtualHost>   <VirtualHost 10.11.12.13:443> ServerName documentation.example.com   ErrorLog /var/log/httpd/documentation.example.com-ssl_error_log TransferLog /var/log/httpd/documentation.example.com-ssl_access_log CustomLog /var/log/httpd/documentation.example.com-ssl_request_log ssl_combined   ProxyPreserveHost On ProxyRequests Off   ProxyPass /synchrony  http://localhost:8091/synchrony <Location /synchrony>     Require all granted     RewriteEngine on     RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]     RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]     RewriteRule .* ws://localhost:8091%{REQUEST_URI} [P]     RequestHeader unset Authorization </Location>     ProxyPass / http://localhost:8090/ retry=2 acquire=3000 timeout=120 Keepalive=On ProxyPassReverse / http://localhost:8090/   LogLevel info   Include conf.d/ssl.inc   </VirtualHost>

 

Very often, multiple applications run on the same server. Having SSL configuration in one place makes sense.

We like to include the following into VirtualHosts that should be configured with SSL Include conf.d/ssl.inc

 

1 2 3 4 5 6 7 8 SSLEngine on SSLHonorCipherOrder On SSLProtocol all -SSLv2 -SSLv3 SSLProxyProtocol all -SSLv2 -SSLv3 SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" SSLCertificateFile /etc/pki/tls/certs/wildcard/wildcard.example.com.crt SSLCertificateKeyFile /etc/pki/tls/certs/wildcard/wildcard.example.com.key SSLCertificateChainFile /etc/pki/tls/certs/wildcard/wildcard.example.com.ca-bundle

 

APPLICATION_HOME:/conf/server.xml

Locate the connector in server.xml.

When a proxy server behind SSL serves the application, changes to server.xml are required.

Because Kerberos tokens in some environments may exceed the default 8K bytes, our recommendation is to increase maxHttpHeaderSize. 

1 2 3 4 5 proxyName="documentation.example.com" proxyPort="443" scheme="https" secure="true" maxHttpHeaderSize="32768"