SSL + gzip Compression with Apache and Tomcat
My setup is a single Fedora Core 6 server running Apache 2.2.4 (with mod_ssl and mod_proxy) and Tomcat 5.
With mod_ssl the following virtualhost is setup using an SSL certificate from GoDaddy. Notice the SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt reference. This intermediate certificate comes from GoDaddy and is required. I didn’t catch this at first and couldn’t understand what my web browser was unhappy about. When I called GoDaddy support they told me my certificate was setup correctly and worked in all of there “off-site” test browsers. They were no help, so I continued to dig around and finally found the answer.
The mod_proxy lines pass all requests to the Tomcat instance listening on port 9014.
/etc/httpd/conf.d/ssl.conf
<virtualhost>
DocumentRoot /var/www/html/
ServerName myserver.com:433 SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/myserver.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myserver.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt
SetEnvIf User-Agent ".*MSIE.*"
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
CustomLog logs/ssl_request_log
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ProxyPreserveHost On
ProxyPass / http://localhost:9014/
ProxyPassReverse / http://localhost:9014/
SetEnv proxy-nokeepalive 1
</virtualserver>
For the Tomcat setup, a proxy connector is configured to listen on port 9014 and to proxy port 443 requests (SSL). The communication between Apache and Tomcat is not secure, but this is not a concern since this communication is local to the server. Finally, compression is turned on for several common mime-types.
server.xml
... <Connector acceptCount="100" connectionTimeout="60000" disableUploadTimeout="true" port="9014" redirectPort="8944" scheme="https" proxyPort="443" compression="on" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript"/> ...