SSL, Apache, mod_proxy and mod_ssl

[Dimitrios Zarras]

Hi there,

I'm new to SCM-Manager. Up until now I have successfully configured a reverse proxy for Apache (without ssl) and it works like a charm.

But how to I configure a reverse proxy that uses SSL?

I have enabled SSL support in SCM-Manager by following this guide: https://bitbucket.org/sdorra/scm-manager/wiki/scm-server-ssl but how do I configure Apache now?

Thanks in advance.

[Sebastian Sdorra]

Hi,
The scm-server-ssl guide is when you are using scm-server without a
reverse proxy. You have to configure ssl for your apache.

http://httpd.apache.org/docs/2.2/ssl/
http://www.sitepoint.com/securing-apache-2-server-ssl/

Sebastian

2012/5/11 Dimitrios Zarras <zarra...@gmail.com>:

[Dimitrios Zarras]

Hi Sebastian,

Can you tell me if the configuration below is correct?

<VirtualHost "IP":80>

        ServerName my.sub.com

        ProxyRequests Off

        ProxyPreserveHost On

        <Proxy *>

                Order deny,allow

                Allow from all

        </Proxy>

        ProxyPass /scm http://localhost:8080/scm

        ProxyPassReverse /scm http://localhost:8080/scm

        ProxyPassReverseCookiePath /scm http://localhost:8080/scm

        <Location /scm>

                Order allow,deny

                Allow from all

        </Location>

        Redirect permanent / /scm

</VirtualHost>

<VirtualHost "IP":443>

        ServerName my.sub.com

        SSLEngine On

        SSLCertificateFile /etc/apache2/ssl.crt/scm.crt

        SSLCertificateKeyFile /etc/apache2/ssl.key/scm.key

        SSLProxyEngine On

        ProxyRequests Off

        ProxyPreserveHost On

        <Proxy *>

                Order deny,allow

                Allow from all

        </Proxy>

        ProxyPass /scm https://localhost:8181/scm

        ProxyPassReverse /scm https://localhost:8181/scm

        ProxyPassReverseCookiePath /scm https://localhost:8181/scm

        <Location /scm>

                Order allow,deny

                Allow from all

        </Location>

        Redirect permanent / /scm

</VirtualHost>

I extracted scm.crt and scm.key from keystore.jks thus apache and scm use the same certificate.

Configuration wise is this correct?

[Sebastian Sdorra]

Hi,
No the config is not correct. You have to disable the ssl
configuration in the server-config.xml of scm-manager, because it is
not needed. The whole ssl encryption is done by the reverse proxy
(Apache in your case) and the proxy is talking to scm-manager in plain
http. So you have to change your config of the ssl virtualhost from:

ProxyPass /scm https://localhost:8181/scm
ProxyPassReverse /scm https://localhost:8181/scm
ProxyPassReverseCookiePath /scm https://localhost:8181/scm

to:

ProxyPass /scm http://localhost:8080/scm
ProxyPassReverse /scm http://localhost:8080/scm
ProxyPassReverseCookiePath /scm http://localhost:8080/scm

Sebastian

2012/5/12 Dimitrios Zarras <zarra...@gmail.com>:

[Dimitrios Zarras]

Do I keep

SSLProxyEngine On

?

[Sebastian Sdorra]

No SSLProxyEngine have to be off.

Sebastian

2012/5/12 Dimitrios Zarras <zarra...@gmail.com>:

[Dimitrios Zarras]

So here's a recap:

<VirtualHost "IP":443>
ServerName my.sub.com

SSLEngine On
SSLCertificateFile /etc/apache2/ssl.crt/scm.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/scm.key

ProxyRequests Off
ProxyPreserveHost On

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /scm http://localhost:8080/scm
ProxyPassReverse /scm http://localhost:8080/scm
ProxyPassReverseCookiePath /scm http://localhost:8080/scm

<Location /scm>
Order allow,deny
Allow from all
</Location>

Redirect permanent / /scm

</VirtualHost>

Correct?

[Sebastian Sdorra]

Yes i think this could work.