accessing ofbiz only over SSL/TLS using Apache's httpd server

> I am studying how to install OFBiz and a multi-domain WordPress site
> on the same server, and I want a) all access to all content in either
> to be over a secure connection (but I have yet to succees to figure
> out how to get mod_rewrite to redirect all requests coming in on port
> 80 using http to be remade using https over port 443 - I always get an
> error that the redirection was done in a way that will never
> complete), and b) to ensure that whatever I do getting ofbiz to work
> with apache's httpd server will not break what I have to do to get a
> working multi-site WordPress install (which I will begin with by
> experimenting with simulating multiple virtual hosts served by httpd
> based on a small number of entries to the hosts file on both the
> server and a couple client virtual machines).
>
> I know I found a web page in the past that talked about configuring
> Apache's httpd server receive requests for OFBiz and pass them on to
> OFBiz, but for the life of me, and despite many Google searchs, I have
> not found it again.  Does anyone know what the URL for that page is?
>
> Thanks
>
> Ted
>

> https://cwiki.apache.org/OFBIZ/faq-tips-tricks-cookbook-howto.html#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD
>
> But you would do something like this:
>
> <Location /ecommerce/>
>         proxyPass ajp://127.0.0.1:8009/ecommerce/
>  </Location>
>  <Location /images/>
>        proxyPass ajp://127.0.0.1:8009/images/
>  </Location>
>  <Location /content/>
>         proxyPass ajp://127.0.0.1:8009/content/
>  </Location>
>
> You just have to make sure anything ofbiz-specific is short-circuited to
> ajp://
>
> This also pretty much disables accessing the backend (/webtools/, etc.) as
> well.
>

> Thanks,
>
> But ....
>
> On Fri, Mar 8, 2013 at 10:38 PM, Mike <[hidden email]> wrote:
> >
> https://cwiki.apache.org/OFBIZ/faq-tips-tricks-cookbook-howto.html#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD
> >
> > But you would do something like this:
> >
> > <Location /ecommerce/>
> >         proxyPass ajp://127.0.0.1:8009/ecommerce/
> >  </Location>
> >  <Location /images/>
> >        proxyPass ajp://127.0.0.1:8009/images/
> >  </Location>
> >  <Location /content/>
> >         proxyPass ajp://127.0.0.1:8009/content/
> >  </Location>
> >
> > You just have to make sure anything ofbiz-specific is short-circuited to
> > ajp://
> >
> > This also pretty much disables accessing the backend (/webtools/, etc.)
> as
> > well.
> >
>
> What would I need to do to ensure that the backend remains usable?
> For my situation, I need both the ecommerce support and the webtools.
>
> Thanks
>
> Ted
>

> There are a couple of ways to do it, each of which requires you to really
> know apache the AJP module:
>
> On a running ofbiz system, there is this "runtime" directory:
>
> ls /opt/ofbiz.1104/runtime/catalina/work/default-server/0.0.0.0#
>
> accounting  bizznesstime  droppingcrumbs  example googlecheckout multiflex
> ordermgr tempfiles workeffort ap bluelight     ebay exampleext  hhfacility
> myportal osafe_theme  tomahawk  ar catalog ebaystore facility humanres
> oagis partymgr   assetmaint cmssite ecommerce flatgrey iCalendar
> manufacturing  ofbiz projectmgr webpos content images marketing
>  ofbizsetup  webslinge birt googlebase  ismgr  minimal  sfa webtools
>
> These are all reserved paths that ofbiz creates when started, so you can
> create a bunch of <Location>...</Location> tags for each of the above
> --or-- you can also just use: (with out /Location tags).
>
> proxyPass /catalog ajp://127.0.0.1:8009/catalog
> proxyPass /cmssite ajp://127.0.0.1:8009/cmssite
> proxyPass /content ajp://127.0.0.1:8009/content
>
> However, just looking at the shear amount of mount points that ofbiz
> exposes by default it is crazy to expose all of them on the internet.  You
> can probably lock down the external facing mounts that you really need
> (like /ecommerce) and just access the backend via a direct connection to
> port 8080/8443, only from your LAN.
>

> Thanks Mike,
>
> On Sat, Mar 9, 2013 at 12:38 PM, Mike <[hidden email]> wrote:
> > There are a couple of ways to do it, each of which requires you to really
> > know apache the AJP module:
> >
> > On a running ofbiz system, there is this "runtime" directory:
> >
> > ls /opt/ofbiz.1104/runtime/catalina/work/default-server/0.0.0.0#
> >
> > accounting  bizznesstime  droppingcrumbs  example googlecheckout
> multiflex
> > ordermgr tempfiles workeffort ap bluelight     ebay exampleext
>  hhfacility
> > myportal osafe_theme  tomahawk  ar catalog ebaystore facility humanres
> > oagis partymgr   assetmaint cmssite ecommerce flatgrey iCalendar
> > manufacturing  ofbiz projectmgr webpos content images marketing
> >  ofbizsetup  webslinge birt googlebase  ismgr  minimal  sfa webtools
> >
> > These are all reserved paths that ofbiz creates when started, so you can
> > create a bunch of <Location>...</Location> tags for each of the above
> > --or-- you can also just use: (with out /Location tags).
> >
> > proxyPass /catalog ajp://127.0.0.1:8009/catalog
> > proxyPass /cmssite ajp://127.0.0.1:8009/cmssite
> > proxyPass /content ajp://127.0.0.1:8009/content
> >
> > However, just looking at the shear amount of mount points that ofbiz
> > exposes by default it is crazy to expose all of them on the internet.
>  You
> > can probably lock down the external facing mounts that you really need
> > (like /ecommerce) and just access the backend via a direct connection to
> > port 8080/8443, only from your LAN.
> >
>
> Would I not be able to handle the security implications of exposing
> some selection of mounts for the back end by requiring client side
> certificates for them.  If so, I know how to add support or a
> requirement, for client side certificates in Apache's httpd server,
> but what about the application server OFBiz lives in?
>
> Thanks,
>
> Ted
>