Question moved to Serverfault ( https://serverfault.com/questions/346125/ssl-error-rx-record-too-long-ff-django-startssl-windows )
Feel free to delete this on if that's more appropriate (I don't know what the convention is).
(That's a question for ServerFault more than StackOverflow.)
If I understand correctly, you've set up Django with SSL on port 8082 and without SSL on port 8081.
It's often not necessary to secure the communication between the Apache Httpd server and the server behind ProxyPass, from localhost to localhost. You could simply use ProxyPass http://127.0.0.1:8081/.
Alternatively, if you really want to use SSL/TLS for the communication to the backend (typically, if the server in the back is remote), you'd need to use ProxyPass https://127.0.0.1:8082/ (https) and set the SSLProxy* directives (see mod_proxy summary).
Related
As many others, we have got bitten by the lack of TLS and SHA-2 support in IBM Domino.
Our application relies heavily on consuming web services that require authentication using certificates. And everything worked fine until last week. Then, one of the providers started requesting SHA-2 certificates for authentication and the other started requesting TLS instead of SSS v3.
Our current solution uses Java web consumers, similar to this:
ServiceBinding stub = new ServiceLocator().getWebService(portAddress);
stub.setSSLOptions(PortTypeBase.NOTES_SSL_SEND_CLIENT_CERT + PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);
Certificates are kept in the server's keyring.
How can we use SHA-2 certificates and TLS with Domino web consumers?
I tried importing the certificates in Java truststore / keystore and using code like this:
System.setProperty("javax.net.ssl.keyStore", "/path/to/keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "pwd);
System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore");
System.setProperty("javax.net.ssl.trustStorePassword", "pwd");
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
but it didn't seem to work. I am still debugging the code in order to find the exact cause.
But what to do with TLS? Is is possible to use Apache / Nginx as some kind of proxy for web service authentication?
Or is our only option to write web service consumers as standalone Java applications and call them from Notes?
Thanks,
Sasa
We were able to solve both SHA-2 and TLS issues by using an Apache reverse proxy. We first tried with forward proxy, but it didn't work.
In the working solution, our Domino web service consumer first contacts the Apache reverse proxy using SSL, but without any authentication. Then Apache contacts the web service provider using the certificate that Domino used previously.
After Apache and web service provider finished handshake and authentication, it is free for the web service consumer in Domino to do its stuff.
As it turns out, it was rather easy to set up. You'll need an Apache server (obviously), we installed our in a CentOS virtual machine.
The configuration you need to do is quite simple and looks like this:
<VirtualHost *:8443>
# Turn off forward proxy
ProxyRequests Off
# Communication with Domino is using SSL, so we need SSL support
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# This is necessary for authentication to work.
SSLProxyEngine On
# This is Domino certificate including private key saved as unecrypted pem file.
SSLProxyMachineCertificateFile /etc/httpd/certs/domino-cert.pem
# This is list of CA certificates necessary to authenticate the provider.
SSLProxyCACertificateFile /etc/httpd/certs/provider-cert.pem
# Redirection rules are in this case very simple - redirect everything that comes
# to the proxy to the web service provider address.
ProxyPass / https://ws.provider.com/
ProxyPassReverse / https://ws.provider.com/
# Allow only connections from Intranet.
<Proxy *>
Order deny,allow
Deny from all
Allow from 172.20.20.0/24
</Proxy>
</VirtualHost>
Just a few things to mention here:
You should be able to use certificate and key installed by default with Apache, as they are only used to secure communication between the Domino and the proxy.
Domino key and certificate must be in unencrypted pem format. Use openssl to convert if necessary. If you should get error message about missing or encrypted private key, open your pem certificate and confirm that it includes RSA in lines -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----. openssl sometimes generates certificate without the RSA and then Apache won't be able to use it.
That concludes the Apache configuration. The only thing that remains is to modify the web service consumer - find in your code the line where you set endpoint address, something like
https://ws.provider.com/ws/getTemperature
and change it to
https://proxy.mycompany.com:8443/ws/getTemperature
And that's it. We now have working solution for using Domino web services together with TLS and SHA-2 certificates. And we can calmly wait for IBM to implement support for this in Domino.
SHA2 works but TLS for Windows and Unix use tips
I guess in the context of Poodle TLS not SHA-2 is critical, but anyway here is how to get SHA-2 working with Domino 9 without IBM HTTP.
http://www.infoware.com/?p=1592
TLS is NOT SOLVED by this only SHA-2.
For Windows use IHS integration
For unix look at this link http://blog.darrenduke.net/darren/ddbz.nsf/dx/here-is-a-freely-available-vm-to-reverse-proxy-domino-shoot-the-poodle.htm
Regards
Mats
You can avoid having to change your addresses to use a different port.
The way I solved this was to use IBM HTTP Server (IHS) installed with Domino 9 Server (you have to choose IBM HTTP Server from the Custom installation screen). IHS is a version of Apache with a Domino HTTP handler. You can install your TLS certificates on the IHS/Apache server, and will proxy to the Domino server on-the-fly. So you don't even have to change your URLs.
Here are some instructions from IBM:
http://www-01.ibm.com/support/docview.wss?uid=swg27039743&aid=1
It shows you how to Create Signing Requests (CSRs) using IKEYMAN and store the certificate in Domino.
In the domino\ihs\conf\ domino.conf file, edit by uncommenting the lines as per below and add the VirtualHost nodes:
# IPv4 support:
Listen 0.0.0.0:80
# Uncomment the following line for IPv6 support on Windows XP or Windows
# 2003 or later. Windows IPv6 networking must be configured first.
# Listen [::]:80
...
Listen 0.0.0.0:443
## IPv6 support:
#Listen [::]:443
#default vhost for Domino HTTP:
<VirtualHost *:80>
ServerName "${DOMINO_SERVER_NAME}"
DocumentRoot "${DOMINO_DOCUMENT_ROOT}"
</VirtualHost>
<VirtualHost *:443>
ServerName "${DOMINO_SERVER_NAME}"
DocumentRoot "${DOMINO_DOCUMENT_ROOT}"
SSLEnable
#SSLProtocolDisable SSLv2
#SSLProtocolDisable SSLv3
</VirtualHost>
KeyFile d:/keys/myserver.kdb
SSLDisable
#
Remember to add HTTPIHSEnabled=1 to notes.ini when all the domino.conf modifications are done. Then watch the Domino console for any errors during HTTP Start due to domino.conf. You can also add HTTPIHSDebugStartup=1 to notes.ini to get a bit of debug info during HTTP IHS startup.
I intend to run a Jetty server (for generating PDF files with PDFreactor) on a dedicated (virtual) machine; I don't want to have it on my webserver.
According to the PDFreactor documentation, the Jetty server must run on localhost to be usable by the Python API; but a port and host can be given to the PDFreactor constructor, and apparently the restriction to listen to localhost only can be lifted.
Can Jetty be configured to accept requests from some whitelist of hosts only, or is it preferable to put it in a VirtualHost and let apache httpd do the work?
I've just started studying Winsocks and I've a simple question for you: how can I determine if the connection to a server must take place over a HTTP or HTTPS connection?
Let's say I want to connect to randomsite.random, how can I know what kind of connection I need? I know that for HTTP I must connect to port 80, while for HTTPS is needed 443, but how can I determine WHEN is needed a HTTPS connection?
Thank you for the attention!
The same way a web browser decides: Based on the URL you are trying to load. In a web browser, the URL begins with http or https, which is used to determine whether an SSL connection should be used. This is also used to determine the port if no port number is specified in the URL.
Many sites offer both a secure and a non-secure version. Some offer only a secure version, but still run a non-secure server which issues a redirect to the URL of the secure version. If you implement following of redirects, you don't need to worry about which version to use: it will happen automatically.
This is usually a function of the site you are connecting to.
If the site requires a HTTPS connection, then if you connect over HTTP you will get a redirect response code with a HTTPS URL.
Firstly, it's not always port 80 and port 443. Secondly, you won't establish successful communication if you use the wrong communication protocol. As said in another answer, if you try to connect via HTTP to an HTTPS server, it will give you a redirect response code with an HTTPS URL.
Most of the time, you have this information before-hand!
I have a web-server written in CPP. I want to determine the server-type of the request. i.e whether the request came from http or https URL ?
If you have your own web-server written in c++ you already know whether it came over http or https as they come through different ports and require different handling.
Which port you're listening to?
By default HTTPS URLs begin with "https://" and use port 443 by default, where HTTP URLs begin with "http://" and use port 80 by default.
There are other questions like how you're managing certificates to serve secure connections?
This article might be helpful - http://java.sun.com/developer/technicalArticles/Security/secureinternet/
The "main" one should be IIS. Is there an option to address the Apache without typing in the port-number
The reason for this is: I cannot get Django to work on IIS
Any ideas will be appreciated
You could set up Apache on a different port, then use redirects or proxying on IIS to get people to the Apache port without them having to type it.
The only way to avoid typing in the port number is to set up a proxy, which could be either one of the two webservers. That way, the proxy makes the connection on the alternate port and the client doesn't have to know where it is.
I don't know about IIS, but on Apache, you would have to load mod_proxy (and I think, mod_proxy_http) and then do something like this:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /foo http://foo.example.com/bar
ProxyPassReverse /foo http://foo.example.com/bar
Also check the docs for mod_proxy online.
You might also want to look at lightweight webservers such as lighttpd, if you're going to have two running. It's a common setup to have a light webserver taking specific tasks away from the main one. (Apache for dynamic and lighttpd for static content is one typical example).
There's also other possibilities, ranging from getting more fancy, such as
Have a third webserver doing only the proxying and the other two on alternate ports
Have them running on the same port but two IPs and hide that fact via your network setup
to attacking the root cause by either
finding somenone who knows how to get Django running on IIS
moving from IIS to another webserver
Of course, I have no clue what might be appropriate for your situation.
If this is a matter of running Django on a server that already needs IIS, you can run django on IIS directly, thanks to efforts like Django-IIS and PyISAPIe. I think it would be preferable to NOT run a second web server when all its going to be doing is proxying requests out to a third server, the Django code.