Configuring a Reverse Proxy with Apache that handles HTTPS connections

There is a great post on the LiveCycle Product Blog here that explains how to set up a reverse proxy to filter the URLs of our LiveCycle server that we want to expose. If we want the server to be accessed over SSL, some additional steps are required. Here, I am going to cover the additional configuration your Apache reverse proxy needs to handle HTTPS traffic.

1.  Download and install the Apache server from I used Apache 2.2 with OpenSSL when I was writing this. Also, this post is based on JBoss 4.2.1 (Turnkey) running on Windows.

2.  Edit the Tomcat configuration file $JBOSS_HOME\server\lc_turnkey\deploy\jboss-web.deployer/server.xml of your JBoss server, adding the proxyName and proxyPort parameters with the name and port of the LiveCycle server. It should look something like this:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
proxyName="" proxyPort="443"
maxThreads="150" scheme="https" secure="true"
keystoreFile="C:/Adobe/Adobe LiveCycle ES2/jboss/server/lc_turnkey/conf/lces.keystore"
clientAuth="false" sslProtocol="TLS" />

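3.  Use the openssl command to generate a self-signed certificate and private key that our Apache server will need to handle SSL connections. Open a command prompt, go to Apache2.2\bin and run the openssl command with values matching your environment. The command below uses a 1024-bit RSA key and a SHA-1 signature, which were common when this was written; both are considered weak today, so pick a larger key size and a SHA-2 digest for anything beyond a test setup: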

openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj "/O=CompanyXYZ/OU=PS/" -config "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\openssl.cnf"

4.  Copy the generated server.key and server.crt files to the Apache2.2\conf folder.

5.  Open Apache2.2\conf\httpd.conf and uncomment the following lines, which will enable proxying and SSL on the Apache server:

LoadModule proxy_module modules/
LoadModule proxy_http_module modules/
LoadModule ssl_module modules/
Include conf/extra/httpd-ssl.conf

6.  Also add the following lines to the httpd.conf:

# Prevent Apache from acting like a forward proxy
ProxyRequests Off
# Control Client Access
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>

# Set TCP/IP network buffer size for better throughput (bytes)
ProxyReceiveBufferSize 4096

7.  Add the reverse proxy configuration at the end of the httpd.conf file:

ProxyPass /
ProxyPassReverse / https://

As explained in the post I referenced at the beginning, this configuration won’t filter any URL, and it will just redirect every request (/) to the SSL port of the JBoss server. If we want to be more restrictive and only allow specific URLs, we will need to configure that. For example, here we only allow access to the Rights Management UI:

ProxyPass /edc
ProxyPassReverse /edc
ProxyPass /um
ProxyPassReverse /um
ProxyPass /rightsmgmt_help_en
ProxyPassReverse /rightsmgmt_help_en

8.  We also need to configure the SSL connection for the Apache server. Open Apache2.2\conf\extra\httpd-ssl.conf and perform the following modifications:

– Uncomment the following line:

SSLSessionCache         "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"

– Comment out the following line:

SSLSessionCache        "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"

– Locate the <VirtualHost _default_:443> block and insert the following line in it:

SSLProxyEngine on

The block should look something like the following:

## SSL Virtual Host Context
<VirtualHost _default_:443>
#   General setup for the virtual host
DocumentRoot "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"
ErrorLog "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/error.log"
TransferLog "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/access.log"
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProxyEngine on

9.  Restart JBoss and Apache servers.
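A check for the proxy directives from steps 6 to 8, added here as an example and not part of the original post: it reads the combined text of httpd.conf and httpd-ssl.conf and reports a catch-all ProxyPass /, a ProxyPass without its ProxyPassReverse, an https backend without SSLProxyEngine on, and ProxyRequests On. The backend host lc-backend.example and the function names are assumptions, and section scoping (<VirtualHost>, <Proxy>) is ignored.

```python
# Constructed sample: the allow-list variant from step 7 with a placeholder
# backend host (lc-backend.example is an assumption, not from the post).
SAMPLE_CONF = """\
ProxyRequests Off
SSLProxyEngine on
ProxyPass /edc https://lc-backend.example:8443/edc
ProxyPassReverse /edc https://lc-backend.example:8443/edc
ProxyPass /um https://lc-backend.example:8443/um
"""


def parse_directives(text):
    """Return (name, args) pairs, skipping blanks, comments and <Section> tags."""
    directives = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "<")):
            directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit(text):
    """Return sorted findings for the reverse-proxy directives in text."""
    directives = parse_directives(text)

    def last(name):
        # Later directives override earlier ones; None means "not set".
        values = [args[0].lower() for n, args in directives if n == name and args]
        return values[-1] if values else None

    findings = set()
    if last("proxyrequests") == "on":
        findings.add("ProxyRequests On: server also acts as a forward proxy")
    passes = {a[0]: a[1] for n, a in directives if n == "proxypass" and len(a) >= 2}
    reverses = {a[0] for n, a in directives if n == "proxypassreverse" and a}
    for path, target in passes.items():
        if path == "/":
            findings.add("ProxyPass / exposes every backend URL")
        if path not in reverses:
            findings.add(f"ProxyPass {path} has no matching ProxyPassReverse")
        if target.lower().startswith("https://") and last("sslproxyengine") != "on":
            findings.add(f"ProxyPass {path} targets https but SSLProxyEngine is not on")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```
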

5 Responses to Configuring a Reverse Proxy with Apache that handles HTTPS connections

  1. Pingback: Fronting LiveCycle/JBoss With Apache Web Server | LiveCycle Product Blog

  2. Oved says:

    What happens if we want to proxy both HTTP and HTTPS requests?

  3. swami says:

    It is very good. I need more steps how to download the modules, how to configure the reverse proxy to the Apache httpd server.

  4. Sujeeth says:

    Hi Carlos,

    Thanks for the good post.

    BTW, where do we need to mention about key and certificate in Apache server?

    I am trying to proxy an intranet website (which can be accessed via SSL). I installed the certificates from the browser, then exported the certificate file as .cer, and I mentioned in httpd-sl.conf file as:
    SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/Certificate.cer"

    But I ended up with this error when I try to start the Apache server :

    [Thu Feb 09 13:15:50 2012] [error] Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/Program Files/Apache Software Foundation/Apache2.2/conf/Certificate.cer).

    Please help me on this, thanks for quick reply.