Config directives to enable ssl behind Apache RevProxy


#1

Hi there, what's up?

I'm using nexus 3.14 on CentOS 6.9 for academic reasons and I came across a problem during the config phase.
What I would like is to run this nexus repo on my local server via https, behind a reverse proxy (I'm using apache 2.2), and my steps were:

  • create a self-signed cert with openssl (.crt and .key)
  • add this crt to keystore.jks
  • set up a new vhost in httpd.conf like this:

```apache
<VirtualHost *:443>
    ServerName nexus.example.it
    ServerAlias nexus.example.it
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLEngine on
    SSLProxyEngine On
    SSLCertificateFile "/etc/pki/tls/certs/server.crt"
    SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:8082/ nocanon
    ProxyPassReverse / http://localhost:8082/
    AllowEncodedSlashes On
    ErrorLog "logs/server.log"
    CustomLog "logs/server.log" common
</VirtualHost>
```

I've added the nocanon directive because my endpoint has /nexus.
When I restart the httpd service, nexus gives me some errors like this:

[warn] RSA server certificate CommonName (CN) `example' does NOT match server name!?

At first I thought that was an error in the certificate's directives (when I wrote its properties during the openssl session), but CN = CommonName is correct.

I've read the apache logs and I can't get out of it yet, so I came here to find someone who can help me.
Am I wrong about something in the vhost?

PS: I have intentionally not changed the jetty settings because I need to enable https just through apache.

Thanks a lot,
Pasquale.


#2

You need to have the subject alternative name set correctly. Use these instructions to generate a self-signed certificate:

You’re also missing the “X-Forwarded-Proto” header:

https://help.sonatype.com/display/NXRM3/Run+Behind+a+Reverse+Proxy#RunBehindaReverseProxy-Apachehttpd-ensureApachehttpdisloadingmod_sslandmod_headers

Regards,

Rich


#3

Hi rseddon and thanks…

Yes, I think that the problem stays here.
Maybe certs generated by openssl have some kind of incompatibility, unlike those created by keytool.
Just to understand, when I write the SAN to map my DNS names I won't add, for example, (nexus.example.it/nexus) but just (nexus.example.it), and the console output will be like this:

-ext 'SAN=DNS:*.example.it,DNS:nexus.example.com'

also in the specification of the:

-dname 'CN=nexus.example.it

I'll also add RequestHeader set X-Forwarded-Proto "https", so let me try this way!
Thanks anyway... I'll reply later


#4

Hi Rich…
I've followed your advice and now https works fine, so thanks a lot!

There is one small detail... you remember I told you that my domain was nexus.example.it/nexus, ok, but when I try to reach nexus.example.it (index page of my domain) I receive:

## HTTP ERROR 404

Problem accessing /. Reason:

Not Found

[Powered by Jetty:// 9.4.11.v20180605](http://eclipse.org/jetty)

The cert was for nexus.example.it as I said above (CN and SAN). How is it possible?
Finally, I want to redirect http to https, so when I attempt to reach (http://nexus…) it must send me to https… I've tried to add this config but it seems not to work:

```apache
<VirtualHost *:80>
    ServerName nexus.example.it
    ServerAlias nexus.example.it
    ProxyPass / http://localhost:8082/ nocanon
    ProxyPassReverse / http://localhost:8082
    ProxyRequests Off
    <Proxy http://localhost:8082>
        Order deny,allow
        Allow from all
    </Proxy>
    Redirect permanent /nexus https://nexus.example.it/nexus
    ProxyPreserveHost On
    AllowEncodedSlashes On
    ErrorLog "logs/server.log"
    CustomLog "logs/server.log" common
</VirtualHost>
```

Once again I ask for your (and others') advice.
Thank you!

PS: don’t mind spaces in links

Pasquale.
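As an added example (not from the thread and not Sonatype's own config), here is a pair of vhosts that puts the advice from #2 together with the redirect asked about in #4: the port 80 vhost only redirects and carries no ProxyPass, since in a vhost ProxyPass is matched before a mod_alias Redirect and would claim the request first; the port 443 vhost terminates TLS and sets X-Forwarded-Proto for Nexus. Hostnames, paths and log names are placeholders, and the access-control syntax is Apache 2.2 style as used on the page.

```apache
# Plain-HTTP vhost: redirect everything to HTTPS and nothing else.
# Deliberately no ProxyPass here: in the same vhost ProxyPass is matched
# before Redirect, so "ProxyPass /" would swallow the request and the
# Redirect line would never fire.
<VirtualHost *:80>
    ServerName nexus.example.it
    Redirect permanent / https://nexus.example.it/
</VirtualHost>

# HTTPS vhost: TLS ends here, Nexus stays on plain HTTP on localhost:8082.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be loaded.
<VirtualHost *:443>
    ServerName nexus.example.it

    SSLEngine on
    # The certificate must list nexus.example.it as a SAN entry; a matching CN
    # alone is not enough for modern clients (the warning quoted in #1).
    SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
    SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    # Apache 2.2 access syntax; on 2.4 use "Require all granted" instead.
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # mod_headers: tell Nexus the client-facing scheme so the URLs it
    # generates (and any redirects it issues) use https, not http.
    RequestHeader set X-Forwarded-Proto "https"

    # Artifact paths may contain encoded slashes; pass them through and
    # let Nexus decode them (nocanon stops Apache from re-encoding the URL).
    # On httpd 2.2.18+/2.4, "AllowEncodedSlashes NoDecode" is the safer form.
    AllowEncodedSlashes On
    ProxyPass        / http://localhost:8082/ nocanon
    ProxyPassReverse / http://localhost:8082/

    ErrorLog  "logs/nexus_error.log"
    CustomLog "logs/nexus_access.log" combined
</VirtualHost>
```

If only a sub-path such as /nexus should be reachable, keep the ProxyPass mappings on that prefix instead of / so that requests to the bare hostname are not handed to Jetty, which answers them with the 404 shown in #4.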


#5

> Problem accessing /. Reason:
>
> Not Found

Sounds like you may have altered the context path Nexus is running on?

https://help.sonatype.com/display/NXRM3/Configuring+the+Runtime+Environment#ConfiguringtheRuntimeEnvironment-ChangingtheContextPath


#6

The context path is correct.

When I added the DNS names in the SAN, bash gave me a warning on *.example.it saying that a DNS name may only start/finish with letters, so I left just nexus.example.it.

I don't think so, but maybe this is the problem?


#7

I've solved the http redirect by creating a .htaccess file in the nexus root folder (in my case apache doesn't want to accept redirect or rewrite directives, even with the mod enabled).

Now I have my repo under https, along with other personal things.
However, the 404 on the general domain remains.
Any ideas?

MOD:
Found the reason for the 404. I thought the root context hadn't been modified by me, but I had forgotten to comment out the conf.
I've lost my mind but the ending was happy.

Thanks anyway to all, and I wish you a merry Christmas,
Pasquale.