SSL offloading and WebLogic server

Introduction

A couple of weeks ago I wrote about using Apache to simulate an SSL load balancer and showed this diagram:

[Diagram: SSL load balancer architecture from the earlier post]

One of the important things to note is that by default in this architecture WebLogic and any J2EE applications won’t know that the user is using SSL to access the server because any calls to HttpServletRequest.isSecure() will return false!


Main Article

There is a solution though – two configuration directives in the WebLogic web server plug-ins (mod_wl in Apache and OHS) let you tweak the behavior. Those directives are WLProxySSL and WLProxySSLPassThrough.

Before you change your web server plug-ins you need to tell WebLogic that it is running behind a proxy server by changing a setting in your WebLogic domain’s configuration. To do that, open the WebLogic console (http://adminserverhost:port/console/), click on the domain name in the left-hand navigation and then click on the Web Applications tab:

[Screenshot: the domain’s Web Applications tab]

then scroll down toward the bottom and check the WebLogic Plugin Enabled box:

[Screenshot: the WebLogic Plugin Enabled checkbox]

then scroll down to the bottom of the page and hit “Save”. You shouldn’t have to restart anything once you make this change.

Checking that box tweaks WebLogic’s behavior so that it looks for certain HTTP headers from the web server plug-in, among them WL-Proxy-SSL. If that checkbox is checked and the incoming HTTP request contains WL-Proxy-SSL then WebLogic will pretend that the request came in over SSL and request.isSecure() will return true. The checkbox has some other important impacts on WLS’ behavior so take a quick look through the documentation to see what else it does.

When you install and enable the WebLogic plug-ins for your web server the configuration defaults to doing things “safely”, meaning that any existing WL-Proxy-SSL header will be removed and no WL-Proxy-SSL header will ever be sent to the WebLogic Server. This protects you from a malicious user sending in a request and tricking WebLogic into thinking it’s secure when it wasn’t.

If you want the web server plug-in to populate WL-Proxy-SSL when the original request came into your web server over SSL, you need to add a setting called WLProxySSL and set it to ON. More information about this setting is available in the plug-in documentation.

This works great when your web server is doing the SSL work. But if you scroll back to my diagram you’ll see that in my environment SSL is terminated by a load balancer. The request reaches OHS over plain HTTP, and mod_wl removes any incoming WL-Proxy-SSL header, so the WebLogic server never gets that header and request.isSecure() always returns false.

Naturally we’ve got you covered in that case too!

There’s an additional configuration directive for the web server plug-ins which, though not discussed in the documentation I linked to above, does what we want and IS supported. That directive is WLProxySSLPassThrough and defaults to OFF. If you add that directive and set it to ON then the WebLogic plug-in will not remove any incoming WL-Proxy-SSL header.

So my OHS configuration looks like this:

<IfModule weblogic_module>
	WebLogicHost localhost
	WebLogicPort 7070
	WLProxySSLPassThrough ON
</IfModule>
<Location /SimpleTestApp>
	AuthType Oblix
	require valid-user
	SetHandler weblogic-handler
</Location>


In my environment I’m using Apache to simulate a VIP. My Apache config looks like this:

<VirtualHost *:443>
	ServerName app.oracledemo.com

	SSLEngine on
	SSLProtocol all -SSLv2
	SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
	SSLCertificateFile /home/oracle/simpleCA/app.oracledemo.com.crt
	SSLCertificateKeyFile /home/oracle/simpleCA/app.oracledemo.com.key

	RequestHeader set IS_SSL ssl
	RequestHeader set WL-Proxy-SSL true

	ProxyPass / http://localhost:7777/
	ProxyPassReverse / http://localhost:7777/
</VirtualHost>

The IS_SSL HTTP header tells the OAM WebGate that the original request was over SSL and WL-Proxy-SSL does the same for WebLogic Server.


If you also have HTTP coming into your load balancer you will want to make sure that you remove any incoming WL-Proxy-SSL header.


In my Apache config that looks like this:

<VirtualHost *:80>
	ServerName app.oracledemo.com

	RequestHeader unset IS_SSL
	RequestHeader unset WL-Proxy-SSL

	ProxyPass / http://localhost:7777/
	ProxyPassReverse / http://localhost:7777/
</VirtualHost>
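As an added example (not part of the original post), here is a small Python check that lints Apache virtual host blocks for the WL-Proxy-SSL handling described above: the TLS vhost must set the header, and once WLProxySSLPassThrough is ON every plain-HTTP vhost must unset it or a client-supplied header reaches WebLogic unchanged. The configuration strings are constructed for illustration and the function name audit_vhosts is my own.

```python
import re
from typing import Dict, List

# Constructed sample configs (not the article's files): the first mirrors the
# post's two VirtualHost blocks, the second omits the 'unset' on port 80.
GOOD_CONFIG = """
<VirtualHost *:443>
    ServerName app.oracledemo.com
    SSLEngine on
    RequestHeader set WL-Proxy-SSL true
    ProxyPass / http://localhost:7777/
</VirtualHost>
<VirtualHost *:80>
    ServerName app.oracledemo.com
    RequestHeader unset WL-Proxy-SSL
    ProxyPass / http://localhost:7777/
</VirtualHost>
"""
BAD_CONFIG = GOOD_CONFIG.replace("    RequestHeader unset WL-Proxy-SSL\n", "")

VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*?:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)
HEADER_RE = re.compile(r"^\s*RequestHeader\s+(set|unset)\s+WL-Proxy-SSL\b", re.M | re.I)
SSL_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.M | re.I)


def audit_vhosts(config: str, passthrough_on: bool) -> Dict[str, List[str]]:
    """Map each VirtualHost port to a list of WL-Proxy-SSL findings.

    passthrough_on reflects WLProxySSLPassThrough in the OHS/mod_wl config:
    when ON, the plug-in forwards whatever WL-Proxy-SSL header reaches it.
    """
    findings: Dict[str, List[str]] = {}
    for port, body in VHOST_RE.findall(config):
        issues: List[str] = []
        tls = SSL_RE.search(body) is not None
        actions = {m.group(1).lower() for m in HEADER_RE.finditer(body)}
        if tls and "set" not in actions:
            # WebLogic never learns the client used SSL; isSecure() stays false
            issues.append("TLS vhost does not set WL-Proxy-SSL")
        if not tls and "set" in actions:
            issues.append("plain-HTTP vhost marks every request as SSL")
        if not tls and passthrough_on and not actions:
            # Nothing strips a client-supplied header and the plug-in passes it on
            issues.append("plain-HTTP vhost forwards client WL-Proxy-SSL unchanged (spoofable)")
        findings[port] = issues
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_vhosts(cfg, passthrough_on=True))
```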


Update Feb 23, 2012: if you need to do client certificate authentication, check out this other post.
