Topic: Apache24 https reverse proxy to Domino5 not entirely working |
|
Author |
|
pmailhot1
Joined: 26 Sep 2018 Posts: 2 Location: US, New York
|
Posted: Wed 26 Sep '18 19:22 Post subject: Apache24 https reverse proxy to Domino5 not entirely working |
|
|
I have Apache24 https reverse proxy to Lotus Domino http. It works fine up to the login page for Domino. Once clients log in they are getting an http page instead of an https page. Once I type in "https://" in front of the URL everything works fine through all other requests. Any ideas why the login page does not reverse proxy back to an https page?
Paul
My httpd.conf file is below:
<VirtualHost *:443>
ServerName www.myserver.com:443
<Proxy *>
Order deny,allow
Allow from All
</Proxy>
ProxyRequests Off
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1/
ProxyPassReverse / http://l27.0.0.1/
RedirectMatch ^/$ https://www.myserver.com
SSLEngine on
SSLProxyEngine On
SSLCertificateFile c:\apache24\certs\wf03.cer
SSLCertificateKeyFile c:\apache24\certs\wf03.key
</VirtualHost>
|
|
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
|
Posted: Wed 26 Sep '18 23:56 Post subject: |
|
|
Hello Paul,
let me summarize in my words:
* you have an http-server (in this case Lotus Notes Domino) running on a server
* on the SAME server you have an apache listening to only port 443 proxying these requests to localhost:80
* I guess you are doing this to add more security (encryption) and it is hard (impossible?) to add https directly to Lotus Notes Domino?
One thing I noticed from your config-snippet is the "l" (lowercase L) instead of the "1" in the ProxyPassReverse IP-address 127.0.0.1.
Another thing is the RedirectMatch. Within the virtual host listening on port 443 you add a redirect from / to the same host (see ServerName) to https which is this VirtualHost itself. This will result in a redirect-loop if a browser tries to access https://www.myserver.com/
Assuming my guesses above are (more or less) correct I would prefer a slightly different setup than you did:
* have Lotus Notes Domino listening on some other port different than 80 (maybe 8080?)
* remove the RedirectMatch from the *:443-VirtualHost
* reconfigure the ProxyPass and ProxyPassReverse to the Lotus Notes Domino listening on port 8080
* configure Apache to listen to port 80 and redirect these requests to https - so even users entering http://www.myserver.com are redirected to https
* establish firewall-rules to prevent port 8080 from being accessed from outside your server
With this configuration you have the apache in front of your Lotus Notes Domino and might do some blocking for unallowed paths/files/parameters/whatsoever without the need to do this within Lotus Notes Domino's webserver-config.
Additionally, you redirect users to https if they try to access the host unencrypted.
(googled a little for Lotus Notes Domino - see https://www.ibm.com/support/knowledgecenter/en/SSKTMJ_9.0.1/admin/conf_settingupadominoserverasawebserver_t.html) it seems to be possible to configure Lotus Notes Domino to listen to https itself. So why not go this way? It might avoid some trouble that may arise using the ProxyPass-configuration within your apache?
Hope it helps?
Best regards
Matthias |
|
|
pmailhot1
Joined: 26 Sep 2018 Posts: 2 Location: US, New York
|
Posted: Fri 28 Sep '18 3:57 Post subject: A solution |
|
|
Dear Matthias,
Thank you for your help and explanations. The R5 Domino application server I am running does not allow encryption later than SSLv3, so it is pretty much useless with any up-to-date browser.
I got things working today making some adjustments to my httpd.conf file, I believe, along the lines you suggested. I had not implemented the port 8080 suggestion you made. Can you explain the reasons that would be better than the configuration I am running? Thanks for your help. Conf file is below.
Regards,
Paul
Listen 80
Listen 443
<VirtualHost *:80>
ServerName www.myserver.com
Redirect / https://www.myserver.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.myserver.com:443
<Proxy *>
Order deny,allow
Allow from All
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1/
ProxyPassReverse / http://l27.0.0.1/
SSLEngine on
SSLProxyEngine On
SSLCertificateFile c:\apache24\certs\wf03.cer
SSLCertificateKeyFile c:\apache24\certs\wf03.key
</VirtualHost>
|
|
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
|
Posted: Sat 29 Sep '18 20:40 Post subject: |
|
|
Hello,
only SSL3? That IS a reason for not using the Domino's https-encryption.
The simple reason for not using Domino's own http-server for listening to port 80 is that you have more possibilities with apache to work on unencrypted port 80 and redirect requests to encrypted port 443.
Another effect is that now you can easily split the apache-part and the Domino-part and put them on two different servers.
Within the config you have posted there is still the lowercase L within the ProxyPassReverse instead of the number 1.
If you want to increase security on port 443 you can deny SSL3, TLS1.0 and maybe TLS1.1, too. (if your clients can speak TLS1.2)
Best regards
Matthias |
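Added example (not part of the original posts, and not either poster's configuration): the setup described across the two replies above, written as one Apache 2.4 configuration. It assumes Domino has been moved to 127.0.0.1:8080 and that mod_proxy, mod_proxy_http and mod_ssl are loaded; the second ProxyPassReverse line additionally assumes Domino builds its redirects from the preserved Host header.

```apache
# Added example. Assumption: Domino now listens on 127.0.0.1:8080 only,
# and a host firewall rule blocks port 8080 from outside the server.

Listen 80
Listen 443

<VirtualHost *:80>
    ServerName www.myserver.com
    # Every plain-HTTP request is sent to the TLS virtual host.
    Redirect permanent / https://www.myserver.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.myserver.com

    SSLEngine on
    SSLCertificateFile c:\apache24\certs\wf03.cer
    SSLCertificateKeyFile c:\apache24\certs\wf03.key
    # Refuse SSLv3, TLS 1.0 and TLS 1.1 (clients must speak TLS 1.2 or later).
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Reverse proxy only, never an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # No RedirectMatch here: redirecting / to this same vhost would loop.
    # The backend is plain HTTP, so SSLProxyEngine is not needed.
    ProxyPass        / http://127.0.0.1:8080/
    # Must match the ProxyPass backend exactly (digit 1, not lowercase L),
    # otherwise Location headers from the backend are not rewritten.
    ProxyPassReverse / http://127.0.0.1:8080/
    # Assumption: with ProxyPreserveHost On, Domino may emit redirects as
    # http://www.myserver.com/...; this maps those back to the https vhost.
    ProxyPassReverse / http://www.myserver.com/
</VirtualHost>
```

Running `httpd -t` after editing checks the syntax before a restart.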