Topic: Apache proxy using Java connect question

[tnzeibig]

I've got an Apache https (443) server in front of JBOSS, and this part finally works fine.
However, the Java does a connect to a payment gateway, and I'm trying to get this to go thru the Apache proxy also.

a. if I leave out the proxy command, it just goes out without going thru the proxy
b. if I point the proxy command to the 443 server, I get an error that I'm trying to talk HTTP to HTTPS
c. if I point the proxy to port 80, the connect shows up in the apache logs, but not sure this is then going out as https over 443 or just over 80?

I've pasted some of the config lines below. Is this 'tunneling'?

Any help or direction is greatly appreciated, thanks
Tom


### the Java connection ###############
URL post = new URL( "https", getHostAddress(), getHostPort(), "/somegateway/xyz.dll" );
HttpURLConnection postConn;
Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("127.0.0.1",80));
postConn = (HttpURLConnection)post.openConnection(proxy);
postConn.setRequestMethod( "POST" );
postConn.setDoOutput( true );
BufferedReader in = new BufferedReader( new InputStreamReader( postConn.getInputStream() ) );


### httpd.conf ##############
Listen 80
ServerName 127.0.0.1:80
Include conf/mod-jk.conf

<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

<VirtualHost *:80>
ProxyRequests ON
</VirtualHost>
<Proxy *>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Proxy>
Include conf/extra/httpd-ssl.conf

### httpd-ssl.conf ##############
Listen 443
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

<VirtualHost _default_:443>
SSLProxyEngine on

JkMount /* node1
<Location /jkstatus/>
JkMount status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

ServerName localhost:443
SSLEngine on
</VirtualHost>


### workers.properties ###########
worker.node1.type=ajp13
worker.node1.host=localhost
worker.node1.port=8009
worker.node1.ping_mode=A
worker.list=node1
worker.status.type=status
worker.list=status

### mod-jk.conf ###########
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties

JkMount /* node1

<Location /jkstatus/>
JkMount status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

[James Blond]

You main issue seems to be that you can't connect from your java application over apache as proxy to a SSL server?

[tnzeibig]

Yes, (I can't have the Java do the HTTPS call because we are using JDK 1.6, which only supports TLS1.0)

So if I pass an HTTP Connect POST to the Apache proxy on port 80, how do get Apache to
a. re-write the request in HTTPS (using it's own JDK and protocols)
b. retain the POST data

I've been looking at mod_rewrite, mod_proxy_connect, not sure what the best direction would be, or if this is even possible.

[tnzeibig]

So my understanding of this so far;

1. Java creates a connection object, using TLS1.0 because its the only protocol available in Java 1.6

2. Java issues a HttpURLConnection.openConnection(proxy) request thru the proxy - This is a request for a tunnel.

3. Apache opens the CONNECT and creates the tunnel to the requested server. No handshake really.

4. Control is passed back to Java to do the handshakes and data transfer, using the Java TLS 1.0 connection object created earlier.

My only goal was to get the Handshake and protocols to be negotiated by Apache, but unless someone has another idea, I'm starting to think this is not possible - outside of upgrading to Java 7 (which causes other issues)

Thoughts anyone?

[tnzeibig]

Per a suggestion from another forum, I've got this to work.

My thinking on this was backward. Removed all the proxy code out of Java, and put in a dummy URL for java to call;

http://whatever:8080

In apache, on virtual host 8080 added three lines;

SSLProxyEngineOn
ProxyPass /whatever https://actualHost/...
ProxyPassReverse /whatever https://actualHost/...

and it works.

[James Blond]

You may use mod_proxy_ajp instead of plan http or https cause ajp:// is faster and also save.