Redirecting https requests to two different weblogic servers using the Weblogic proxy and Apache2

Question

I have a server serverA running a weblogic application App1, with base url /app1/ on port 7001, and another server serverB, running a weblogic application App2, with base url /app2/ on port 8001. Both servers run Solaris, Apache2 and Weblogic 9.2

(details changed, but these are representantive)

In other words, app1 could be accessed on

http://serverA:7001/app1/

and app2 on

http://serverB:8001/app2/

However, the customer requires that all access to the applications use https on port 443 to server1.

If there was only one application, I could use a virtual host and set the handler for URLS beginning with /app1/ to the Weblogic proxy, which would forward them on to server 1 on port 7001.

With two apps, I would need another virtual host with another Location statement matching /app2/ and forwarding to the current server on port 8001 ... but I don't see how this could work as the first virtual host will have done the SSL negotiation to determine the URL, and Apache presumably can't do that over when things fall through to the second virtual server.

So how do I handle this?

My current idea is to proxy all SSL requests arrving at server1 to the same server server1, on port 80 (so essentially just doing SSL termination), then adding two virtual hosts for the /app1/ and /app2/ URLs in the way described above.

Is this going to work? Have I missed something obvious about other ways of doing this?

EDIT: I think I may have missed that the Weblogic plugin can have several blocks each directing the page to different places. In which case this becomes easy.

I will test tomorrow when back at work and update the question

Answer 1

I don't have any experience with weblogic, so maybe I'm missing something important. But this sounds like a straightforward application for apache's reverse proxy capability. Set up an apache instance serving https, and configure two locations as follows:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<Location /app1>
    ProxyPass http://serverA:7001/app1
    ProxyPassReverse http://serverA:7001/app1
</Location>
<Location /app2>
    ProxyPass http://serverB:8001/app2
    ProxyPassReverse http://serverB:8001/app2
</Location>

Answer 2

First, the must read resource for this is of course the official documentation : Installing and Configuring the Apache HTTP Server Plug-In (see also this previous answer for more links about the WLS 9 plugin).

As detailed in the section Configuring the Apache HTTP Server Plug-In, I'd define several IfModule, one for each application (clustered or not), and, indeed, several VirtualHost (which can include IfModule). There is an example in the documentation:

# VirtualHost1 = localhost:80
<VirtualHost 127.0.0.1:80>
  DocumentRoot "C:/test/VirtualHost1"
  ServerName localhost:80 <IfModule mod_weblogic.c> 
  #... WLS parameter ...
  WebLogicCluster localhost:7101,localhost:7201
  # Example: MatchExpression *.jsp <some additional parameter>
  MatchExpression *.jsp PathPrepend=/test2
  </IfModule>
</VirtualHost>

# VirtualHost2 = 127.0.0.2:80
<VirtualHost 127.0.0.2:80>
  DocumentRoot "C:/test/VirtualHost1"
  ServerName 127.0.0.2:80
  <IfModule mod_weblogic.c> 
  #... WLS parameter ...
  WebLogicCluster localhost:7101,localhost:7201
  # Example: MatchExpression *.jsp <some additional parameter>
  MatchExpression *.jsp PathPrepend=/test2
  #... WLS parameter ...
  </IfModule>
</VirtualHost>    <IfModule mod_weblogic.c>

Note that this is a Multiple IP-Based Virtual Hosts configuration (and not Name-Based as stated in the documentation). But this is actually good because this is exactly what you need when using SSL as you can't use name-based virtual hosts. Quoting Why can't I use SSL with name-based/non-IP-based virtual hosts? from Apache's SSL/TLS Strong Encryption: FAQ

The reason is very technical, and a somewhat "chicken and egg" problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase. Bingo!

So, in the sampel above, modify the virtual hosts IP addresses and ports, the ServerName, adapt the IfModule to suit your needs (and set up DNS entries to point on the IPs) and there you go.