@4np
Last active July 30, 2018 16:26
How to set up an SSL / non-SSL proxy to Tomcat (or any other service) on Mac OS 10.7 Lion

Apache HTTPS proxy

First, follow the installation guide at Andy Hunt's Blog

Set up an HTTP and HTTPS proxy for Tomcat on 8080

In addition to Andy's guide above, perform the following steps:

Add a directory to hold Apache virtual host configurations

sudo mkdir /etc/apache2/vhosts

Add the following line to the bottom of /etc/apache2/httpd.conf

Include /etc/apache2/vhosts/*.conf

Remove or comment out the VirtualHost section of /private/etc/apache2/extra/httpd-ssl.conf

Because the virtual host configuration in /etc/apache2/extra/httpd-ssl.conf is loaded first, it takes precedence over the one we are adding. Either comment it out by adding a # at the beginning of each uncommented line in the SSL Virtual Host Context (between <VirtualHost _default_:443> and </VirtualHost>), or remove those lines altogether.

Create an Apache Virtual Host configuration

sudo nano /etc/apache2/vhosts/000-localhost.conf

And paste the following configuration:

# Proxy http://localhost:8080 to http://localhost
<VirtualHost *:80>
        ServerName localhost

        CustomLog "/private/var/log/apache2/localhost-access_log" combined
        ErrorLog "/private/var/log/apache2/localhost-error_log"

        <IfModule mod_proxy.c>
                <Proxy *>
                        Order deny,allow
                        Allow from all
                </Proxy>

                ProxyStatus On
                ProxyPreserveHost On
                ProxyPass / balancer://localhost-cluster/ stickysession=JSESSIONID|jsessionid nofailover=On
                ProxyPassReverse / balancer://localhost-cluster/
                ProxyPassReverseCookiePath / /
                ProxyTimeout 900

                <Location />
                        SetOutputFilter proxy-html
                </Location>

                <Proxy balancer://localhost-cluster>
                        BalancerMember http://localhost:8080
                </Proxy>
        </IfModule>
</VirtualHost>

# Proxy http://localhost:8080 to https://localhost
<VirtualHost *:443>
        ServerName localhost

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key

        CustomLog "/private/var/log/apache2/ssl_localhost-access_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        ErrorLog "/private/var/log/apache2/ssl_localhost-error_log"

        <IfModule mod_proxy.c>
                <Proxy *>
                        Order deny,allow
                        Allow from all
                </Proxy>

                ProxyStatus On
                ProxyPreserveHost On
                ProxyPass / balancer://localhost-cluster/ stickysession=JSESSIONID|jsessionid nofailover=On
                ProxyPassReverse / balancer://localhost-cluster/
                ProxyPassReverseCookiePath / /
                ProxyTimeout 900

                <Location />
                        SetOutputFilter proxy-html
                </Location>

                <Proxy balancer://localhost-cluster>
                        BalancerMember http://localhost:8080
                </Proxy>
        </IfModule>
</VirtualHost>

Congratulations, you have now set up an HTTP/HTTPS proxy!

Check that your configuration is valid:

sudo apachectl configtest

When OK, you can (re)start Apache:

sudo apachectl restart

And access the service that's running on port 8080 by browsing to http://localhost (non-SSL) or https://localhost (SSL).

Note

Note that some browsers may show a warning because you are using a self-signed certificate and not one issued by a certificate authority. Just accept that the connection might not be secure, as it is not relevant anyway. You can also permanently accept the certificate to get rid of the warning(s).

Debugging

Tail the logfile(s) for connection information:

sudo tail -f /var/log/apache2/ssl_localhost-*
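
Hardening

A hardened variant of the 443 virtual host, as an added example that is not part of the original gist. It assumes Apache 2.2 syntax (as used in the configuration above) and that the proxy only needs to be reachable from the local machine; the loopback restriction reflects that assumption and is not something the gist requires.

```apache
# Added example, not from the original gist. Apache 2.2 syntax.
<VirtualHost *:443>
        ServerName localhost

        SSLEngine on
        # Original line, kept for comparison. ALL admits export-grade, LOW
        # (single DES) and SSLv2 suites; the "+" entries only move matching
        # suites to the end of the preference list, they do not remove them.
        #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        # Corrected: refuse SSLv2/SSLv3, offer only HIGH-strength suites that
        # both authenticate and encrypt, and prefer the server's ordering.
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key

        CustomLog "/private/var/log/apache2/ssl_localhost-access_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        ErrorLog "/private/var/log/apache2/ssl_localhost-error_log"

        <IfModule mod_proxy.c>
                # Assumption: local development only, so only loopback
                # clients may use the proxy (the gist uses "Allow from all").
                <Proxy *>
                        Order deny,allow
                        Deny from all
                        Allow from 127.0.0.1 ::1
                </Proxy>

                ProxyStatus On
                ProxyPreserveHost On
                ProxyPass / balancer://localhost-cluster/ stickysession=JSESSIONID|jsessionid nofailover=On
                ProxyPassReverse / balancer://localhost-cluster/
                ProxyPassReverseCookiePath / /
                ProxyTimeout 900

                <Location />
                        SetOutputFilter proxy-html
                </Location>

                <Proxy balancer://localhost-cluster>
                        BalancerMember http://localhost:8080
                </Proxy>
        </IfModule>
</VirtualHost>
```

After running the config test and restarting Apache, the %{SSL_PROTOCOL}x and %{SSL_CIPHER}x fields in ssl_localhost-access_log show the protocol and cipher negotiated for each request, which confirms the new settings are in effect.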
