By: Jozef Babjak user 13 Mar 2017 at 7:42 a.m. CDT

1 Response
Jozef Babjak gravatar
We are deploying Gluu on AWS environment. To make Gluu accessible from ouside, we are placing it behind an Elastic Load Balancer (ELB) with the single EC2 instance configured. On this ELB, we also configures HTTPS with with out own certificates for the registered domain name. This ELB now communicates by HTTPS with Gluu server. So far, so good. **We would like to offload HTTPS overhead from Gluu server and use plain HTTP between ELB and Gluu.** Please note that we still would like to have two virtual hosts on Apache: 1) The first one serving http://example.com, unconditionally redirecting to https://example.com, as it is configured now, 2) the second one listening on other port, for instance 88, where the traffic from ELB port 443 -- i.e. HTTPS -- is forwarded, handling all the reverse proxy magic for Gluu. I was already able to re-configure Apache this way, http-to-https redirects fine -- no magic there, right? -- and I get also Gluu login page in browser, but after submitting the valid credentials, I got an error. Analyzing the logging files, apparently Jetty is trying to validate client certificate from HTTP header; I guess the relevant part in Apache config is this: ``` <LocationMatch /oxauth/cert-login> SSLVerifyClient optional_no_ca SSLVerifyDepth 10 SSLOptions -StdEnvVars +ExportCertData # Forward certificate to destination server RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s </LocationMatch> ``` As I understand that, the X-ClientCert is not filled if SSL is disabled on VirtualHost, or entire header is missing, but Jetty-deployed app rely on it. Is there any way around it?

By Mohib Zico Account Admin 13 Mar 2017 at 7:44 a.m. CDT

Mohib Zico gravatar
Not possible and highly not recommended.