Alec,

Why do you need WL 9.2 to talk HTTPS? Why don't you offload HTTPS traffic from WL to the Apache frontend only, and not on the path between Apache and WL? Like:

User -> HTTPS -> Apache -> HTTP -> WL

Meaning make the traffic clear text between Apache and WL, especially if they are on the same host.

So for HTTP port 80 (this is not tested, but for you to get the idea):

    LoadModule weblogic_module modules/mod_wl_22.so

    Listen 80
    NameVirtualHost *:80

    RewriteEngine on
    #RewriteLogLevel 9
    #RewriteLog YourRewrite.log

    <VirtualHost *:80>
        ServerAdmin aaa@xxxxxx
        ServerName domain.ru

        # Rewrite settings are not inherited by virtual hosts
        RewriteEngine on
        # This will redirect to one of the virtual hosts
        # app1.domain.ru or app2.domain.ru below
        RewriteRule ^/(app[12])(.*) http://$1.domain.ru/$1$2 [P]
    </VirtualHost>

    <VirtualHost *:80>
        ServerAdmin aaa@xxxxxx
        DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
        ServerName app1.domain.ru
        ErrorLog logs/fmtn.brr.ru-error.log
        CustomLog logs/fmtn.brr.ru-access.log common

        # This will handle if we got called:
        # http://app1.domain.ru or
        # http://domain.ru/app1
        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^/app1
        RewriteRule ^/(.*)$ /app1/$1 [PT]

        <Location /app1>
            <IfModule Mod_weblogic.c>
                SetHandler weblogic-handler
                WebLogicHost 192.168.0.1
                # Plain HTTP listen port of domain 1 (7002 is its SSL port)
                WebLogicPort 7001
                #SecureProxy ON
                #TrustedCAFile "C:/bea/weblogic92/server/lib/trustedcafmtn.pem"
                EnforceBasicConstraints OFF
                #RequireSSLHostMatch false
                # SSLHostMatchOID 30
                Debug ALL
                DebugConfigInfo ON
                ErrorPage http://www.err.ru
                WLLogFile "C:/Program Files/Apache Software Foundation/Apache2.2/logs/wl_proxy.log"
                # Idempotent ON
                # WLIOTimeoutSecs 100
            </IfModule>
        </Location>
    </VirtualHost>

    <VirtualHost *:80>
        ServerAdmin aaa@xxxxxx
        DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
        ServerName app2.domain.ru
        ErrorLog logs/app2.brr.ru-error.log
        CustomLog logs/app2.brr.ru-access.log common

        RewriteEngine on
        # Prefix with /app2 unless the request already starts with it
        RewriteCond %{REQUEST_URI} !^/app2
        RewriteRule ^/(.*)$ /app2/$1 [PT]

        <Location /app2>
            <IfModule Mod_weblogic.c>
                SetHandler weblogic-handler
                WebLogicHost 192.168.0.1
                # Plain HTTP listen port of domain 2 (8002 is its SSL port)
                WebLogicPort 8001
                #SecureProxy ON
                #TrustedCAFile "C:/bea/weblogic92/server/lib/trustedcafmtn.pem"
                EnforceBasicConstraints OFF
                #RequireSSLHostMatch false
                # SSLHostMatchOID 30
                Debug ALL
                DebugConfigInfo ON
                ErrorPage http://www.err.ru
                WLLogFile "C:/Program Files/Apache Software Foundation/Apache2.2/logs/wl_proxy.log"
                # Idempotent ON
                # WLIOTimeoutSecs 100
            </IfModule>
        </Location>
    </VirtualHost>

You need the same for the HTTPS virtual hosts.

To proxy a WebLogic cluster, use the WL directive WebLogicCluster instead of WebLogicHost and WebLogicPort, as:

    WebLogicCluster 192.168.0.1:7001, 192.168.0.2:7001, 192.168.0.3:7001

Hope this helps.

Tamer

-----Original Message-----
From: Alec C4 [mailto:alec.c4@xxxxxxxxx]
Sent: Friday, May 23, 2008 3:42 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Apache + weblogic integration issue

Situation:

In the DMZ we have a machine with WebLogic 9.2 MP2 on Windows 2003. There are 2 domains on it. Each has one Administrative server with one application on it. For example, the first is available on http://hostname:7011/app1 (https://hostname:7012/app1 - SSL) and the second on http://hostname:6011/app2 (https://hostname:6012/app2 - SSL). The server is available from outside on ports 80 and 443. Applications may connect to the other services in the local LAN on 80 and other ports.

We need the following:

If we type links such as http://domain.ru/app1 (https://domain.ru/app1) or http://app1.domain.ru (https://app1.domain.ru) - we can use any variant (similar for the other application) - we can connect to these applications.

We need to have the following configuration:

    User ------------------------------------- Apache -------------------------------WLS-------------------------APP
                       SSL                                          SSL                           SSL

Redirecting doesn't satisfy us; work with the applications should be transparent for the end user, who should not see the real location of the applications or the other ports, because access to them from outside is closed.
At first, one Administrative server for each application will be used; later some additional managed servers for load balancing in a cluster will be added. We decided to use Apache 2.2.8 with a plug-in for WebLogic.

Here are the WLS settings:

Domain 1:
    Administrative server:
        Listen Address: 192.168.0.1
        Listen Port Enabled - Enabled
        Listen Port: 7001
        SSL Listen Port Enabled - Enabled
        SSL Listen Port: 7002
    Future managed servers:
        Listen Address: 192.168.0.1
        Listen Port Enabled - Enabled
        Listen Port: 7003 (7005, 7007...)
        SSL Listen Port Enabled - Enabled
        SSL Listen Port: 7004 (7006, 7008...)

Domain 2:
    Administrative server:
        Listen Address: 192.168.0.1
        Listen Port Enabled - Enabled
        Listen Port: 8001
        SSL Listen Port Enabled - Enabled
        SSL Listen Port: 8002
    Future managed servers:
        Listen Address: 192.168.0.1
        Listen Port Enabled - Enabled
        Listen Port: 8003 (8005, 8007...)
        SSL Listen Port Enabled - Enabled
        SSL Listen Port: 8004 (8006, 8008...)

For the Trust and Identity keystore we use the same repository - FMTNfrontofficekeystore.jks.
    Storepass - FMTNfrontofficestorepass
    Alias - FMTNfrontofficeidentityalias

In this way we generate the certificate:

    keytool -export -file trustedcafmtn.der -keystore FMTNfrontofficekeystore.jks -alias FMTNfrontofficeidentityalias

Then we convert it to trustedcafmtn.pem:

    java utils.der2pem trustedcafmtn.der

Apache will be listening on ports 80 and 443. Applications should be available for requests at the following addresses: http://app1.domain.ru (https://app1.domain.ru) and http://app2.domain.ru (https://app2.domain.ru).

When requesting the address http://app1.domain.ru, the application automatically redirects the request to https://app1.domain.ru; the second application acts in the same way.
Here is a sample of the httpd.config settings for Apache:

    LoadModule weblogic_module modules/mod_wl_22.so

    Listen 80
    NameVirtualHost *:80

    <VirtualHost *:80>
        ServerAdmin aaa@xxxxxx
        DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
        ServerName fmtn.brr.ru
        ErrorLog logs/fmtn.brr.ru-error.log
        CustomLog logs/fmtn.brr.ru-access.log common
        <Location />
            SetHandler weblogic-handler
        </Location>
        <IfModule Mod_weblogic.c>
            WebLogicHost 192.168.0.1
            WebLogicPort 7002
            SecureProxy ON
            TrustedCAFile "C:/bea/weblogic92/server/lib/trustedcafmtn.pem"
            EnforceBasicConstraints OFF
            RequireSSLHostMatch false
            # SSLHostMatchOID 30
            Debug ALL
            DebugConfigInfo ON
            ErrorPage http://www.err.ru
            WLLogFile "C:/Program Files/Apache Software Foundation/Apache2.2/logs/wl_proxy.log"
            # Idempotent ON
            # WLIOTimeoutSecs 100
        </IfModule>
    </VirtualHost>

    <VirtualHost *:80>
        ServerAdmin aaa@xxxxxx
        DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
        ServerName fmtn.brr.ru
        ErrorLog logs/fmtn.brr.ru-error.log
        CustomLog logs/fmtn.brr.ru-access.log common
        <Location />
            SetHandler weblogic-handler
        </Location>
        <IfModule Mod_weblogic.c>
            WebLogicHost 192.168.0.1
            WebLogicPort 7001
            SecureProxy OFF
            TrustedCAFile "C:/bea/weblogic92/server/lib/trustedcafmtn.pem"
            #EnforceBasicConstraints OFF
            #RequireSSLHostMatch false
            # SSLHostMatchOID 30
            Debug ALL
            DebugConfigInfo ON
            ErrorPage http://www.err.ru
            WLLogFile "C:/Program Files/Apache Software Foundation/Apache2.2/logs/wl_proxy.log"
            # Idempotent ON
            # WLIOTimeoutSecs 100
        </IfModule>
    </VirtualHost>

When we didn't use SSL (SecureProxy OFF) everything worked properly with port 7001, but the application redirects requests to https://fmtn.brr.ru:7002/; with SecureProxy ON it didn't work.

Please help us to understand what the problem is, and how to configure this section of the request path with our keystore and keys in Apache:

    User ------------------------------------- Apache
                       SSL

It'll be good if you show an example of httpd.config for the cluster of managed servers too.

--
View this message in context: http://www.nabble.com/Apache-%2B-weblogic-integration-issue-tp17424735p17424735.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
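
Added example, not part of either message and not code from the Apache or WebLogic projects: a small reviewer's check that walks an httpd.conf and reports, per virtual host, the WebLogic plug-in settings discussed in this thread that relax protection of the Apache-to-WebLogic hop (SecureProxy, RequireSSLHostMatch, EnforceBasicConstraints, DebugConfigInfo). The sample configuration is constructed, the function and table names are hypothetical, and the check assumes directives inside <IfModule>/<Location> wrappers are active and that an unset SecureProxy means OFF.

```python
import re

# Constructed sample modelled on the httpd.conf in the thread (not a real deployment).
SAMPLE = """\
<VirtualHost *:80>
  ServerName app1.domain.ru
  <IfModule Mod_weblogic.c>
    WebLogicHost 192.168.0.1
    WebLogicPort 7002
    SecureProxy ON
    RequireSSLHostMatch false
    EnforceBasicConstraints OFF
    DebugConfigInfo ON
  </IfModule>
</VirtualHost>
<VirtualHost *:80>
  ServerName app2.domain.ru
  WebLogicHost 192.168.0.1
  WebLogicPort 8001
  #SecureProxy ON
</VirtualHost>
"""

# Plug-in directive (lower-cased) -> (value to flag, why a reviewer cares).
RISKY = {
    "secureproxy": ("off", "Apache-to-WebLogic hop is cleartext HTTP"),
    "requiresslhostmatch": ("false", "backend certificate host name is not checked"),
    "enforcebasicconstraints": ("off", "basic-constraints check on the backend chain is off"),
    "debugconfiginfo": ("on", "plug-in diagnostic configuration output is enabled"),
}

def lint(conf):
    """Return sorted (server_name, directive, reason) findings, one vhost at a time."""
    findings, name, seen = [], "", {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # commented-out directives are inactive
        if re.match(r"<VirtualHost\b", line, re.I):
            name, seen = "", {"secureproxy": "off"}   # assumption: unset SecureProxy is OFF
        elif re.match(r"</VirtualHost>", line, re.I):
            if "weblogichost" in seen or "weblogiccluster" in seen:
                findings += [(name, k, why) for k, (bad, why) in RISKY.items()
                             if seen.get(k) == bad]
        elif not line.startswith("<"):                # <Location>/<IfModule> wrappers are ignored
            key, value = (line.split(None, 1) + [""])[:2]
            value = value.strip().strip('"').lower()
            if key.lower() == "servername":
                name = value
            else:
                seen[key.lower()] = value
    return sorted(findings)
```

A cleartext backend hop, as proposed in the reply for a same-host setup, shows up as a finding so that it is an explicit, reviewed decision rather than a default.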