<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Hi,</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">We use MidPoint 3.8 on Ubuntu Server 16.04.5 LTS. We installed Apache and set it up as a reverse proxy to MidPoint. We also enabled SSL connections to Apache. Now when we use MidPoint and try to open any tabs, they don't respond
or open at all. How do we fix this problem?</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">Our custom application.yml file (Path: /opt/midpoint/var) is as follows:</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"></p>
<div>server.address: 127.0.0.1</div>
<div>server.port: 8080</div>
<div>server.session.timeout: 60</div>
<div>server.use-forward-hearders: true</div>
<div>server.tomcat.internal-proxies: 127.0.0.1</div>
<div><br>
</div>
<br>
<p></p>
<p style="margin-top:0;margin-bottom:0">Our 000-default.conf file (Path: </p>
<div>/etc/apache2/sites-available/) is as follows:</div>
<div><br>
</div>
<div>
<div><VirtualHost *:80></div>
<div> # The ServerName directive sets the request scheme, hostname and port that</div>
<div> # the server uses to identify itself. This is used when creating</div>
<div> # redirection URLs. In the context of virtual hosts, the ServerName</div>
<div> # specifies what hostname must appear in the request's Host: header to</div>
<div> # match this virtual host. For the default virtual host (this file) this</div>
<div> # value is not decisive as it is used as a last resort host regardless.</div>
<div> # However, you must set it for any further virtual host explicitly.</div>
<div> ServerName http://172.28.230.27</div>
<div><br>
</div>
<div> # ServerAdmin markus.nissinen@myy.haaga-helia.fi</div>
<div> # DocumentRoot /var/www/html</div>
<div><br>
</div>
<div> Redirect /secure https://172.28.230.27</div>
<div> Redirect permanent "/" "https://172.28.230.27"</div>
<div><br>
</div>
<div> # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,</div>
<div> # error, crit, alert, emerg.</div>
<div> # It is also possible to configure the loglevel for particular</div>
<div> # modules, e.g.</div>
<div> #LogLevel info ssl:warn</div>
<div><br>
</div>
<div> ErrorLog ${APACHE_LOG_DIR}/error.log</div>
<div> CustomLog ${APACHE_LOG_DIR}/access.log combined</div>
<div><br>
</div>
<div> # For most configuration files from conf-available/, which are</div>
<div> # enabled or disabled at a global level, it is possible to</div>
<div> # include a line for only one particular virtual host. For example the</div>
<div> # following line enables the CGI configuration for this host only</div>
<div> # after it has been globally disabled with "a2disconf".</div>
<div> #Include conf-available/serve-cgi-bin.conf</div>
<div></VirtualHost></div>
<div><br>
</div>
<div># vim: syntax=apache ts=4 sw=4 sts=4 sr noet</div>
<div><br>
</div>
Our default-ssl.conf file (<span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
Path: </span>
<div style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
/etc/apache2/sites-available/) is as follows:</div>
<div style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
<div><IfModule mod_ssl.c></div>
<div> <VirtualHost _default_:443></div>
<div> # ServerAdmin markus.nissinen@myy.haaga-helia.fi</div>
<div> # ServerName 172.28.230.27</div>
<div> DocumentRoot /var/www/html</div>
<div> ProxyPass / http://127.0.0.1:8080/</div>
<div> ProxyPassReverse / http://127.0.0.1:8080/</div>
<div><br>
</div>
<div> # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,</div>
<div> # error, crit, alert, emerg.</div>
<div> # It is also possible to configure the loglevel for particular</div>
<div> # modules, e.g.</div>
<div> #LogLevel info ssl:warn</div>
<div><br>
</div>
<div> ErrorLog ${APACHE_LOG_DIR}/error.log</div>
<div> CustomLog ${APACHE_LOG_DIR}/access.log combined</div>
<div><br>
</div>
<div> # For most configuration files from conf-available/, which are</div>
<div> # enabled or disabled at a global level, it is possible to</div>
<div> # include a line for only one particular virtual host. For example the</div>
<div> # following line enables the CGI configuration for this host only</div>
<div> # after it has been globally disabled with "a2disconf".</div>
<div> #Include conf-available/serve-cgi-bin.conf</div>
<div><br>
</div>
<div> # SSL Engine Switch:</div>
<div> # Enable/Disable SSL for this virtual host.</div>
<div> SSLEngine on</div>
<div><br>
</div>
<div> # A self-signed (snakeoil) certificate can be created by installing</div>
<div> # the ssl-cert package. See</div>
<div> # /usr/share/doc/apache2/README.Debian.gz for more info.</div>
<div> # If both key and certificate are stored in the same file, only the</div>
<div> # SSLCertificateFile directive is needed.</div>
<div> SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt</div>
<div> SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key</div>
<div><br>
</div>
<div> # Server Certificate Chain:</div>
<div> # Point SSLCertificateChainFile at a file containing the</div>
<div> # concatenation of PEM encoded CA certificates which form the</div>
<div> # certificate chain for the server certificate. Alternatively</div>
<div> # the referenced file can be the same as SSLCertificateFile</div>
<div> # when the CA certificates are directly appended to the server</div>
<div> # certificate for convenience.</div>
<div> #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt</div>
<div><br>
</div>
<div> # Certificate Authority (CA):</div>
<div> # Set the CA certificate verification path where to find CA</div>
<div> # certificates for client authentication or alternatively one</div>
<div> # huge file containing all of them (file must be PEM encoded)</div>
<div> # Note: Inside SSLCACertificatePath you need hash symlinks</div>
<div> # to point to the certificate files. Use the provided</div>
<div> # Makefile to update the hash symlinks after changes.</div>
<div> #SSLCACertificatePath /etc/ssl/certs/</div>
<div> #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt</div>
<div><br>
</div>
<div> # Certificate Revocation Lists (CRL):</div>
<div> # Set the CA revocation path where to find CA CRLs for client</div>
<div> # authentication or alternatively one huge file containing all</div>
<div> # of them (file must be PEM encoded)</div>
<div> # Note: Inside SSLCARevocationPath you need hash symlinks</div>
<div> # to point to the certificate files. Use the provided</div>
<div> # Makefile to update the hash symlinks after changes.</div>
<div> #SSLCARevocationPath /etc/apache2/ssl.crl/</div>
<div> #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl</div>
<div><br>
</div>
<div> # Client Authentication (Type):</div>
<div> # Client certificate verification type and depth. Types are</div>
<div> # none, optional, require and optional_no_ca. Depth is a</div>
<div> # number which specifies how deeply to verify the certificate</div>
<div> # issuer chain before deciding the certificate is not valid.</div>
<div> #SSLVerifyClient require</div>
<div> #SSLVerifyDepth 10</div>
<div><br>
</div>
<div> # SSL Engine Options:</div>
<div> # Set various options for the SSL engine.</div>
<div> # o FakeBasicAuth:</div>
<div> # Translate the client X.509 into a Basic Authorisation. This means that</div>
<div> # the standard Auth/DBMAuth methods can be used for access control. The</div>
<div> # user name is the `one line' version of the client's X.509 certificate.</div>
<div> # Note that no password is obtained from the user. Every entry in the user</div>
<div> # file needs this password: `xxj31ZMTZzkVA'.</div>
<div> # o ExportCertData:</div>
<div> # This exports two additional environment variables: SSL_CLIENT_CERT and</div>
<div> # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the</div>
<div> # server (always existing) and the client (only existing when client</div>
<div> # authentication is used). This can be used to import the certificates</div>
<div> # into CGI scripts.</div>
<div> # o StdEnvVars:</div>
<div> # This exports the standard SSL/TLS related `SSL_*' environment variables.</div>
<div> # Per default this exportation is switched off for performance reasons,</div>
<div> # because the extraction step is an expensive operation and is usually</div>
<div> # useless for serving static content. So one usually enables the</div>
<div> # exportation for CGI and SSI requests only.</div>
<div> # o OptRenegotiate:</div>
<div> # This enables optimized SSL connection renegotiation handling when SSL</div>
<div> # directives are used in per-directory context.</div>
<div> #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire</div>
<div> <FilesMatch "\.(cgi|shtml|phtml|php)$"></div>
<div> SSLOptions +StdEnvVars</div>
<div> </FilesMatch></div>
<div> <Directory /usr/lib/cgi-bin></div>
<div> SSLOptions +StdEnvVars</div>
<div> </Directory></div>
<div><br>
</div>
<div> # SSL Protocol Adjustments:</div>
<div> # The safe and default but still SSL/TLS standard compliant shutdown</div>
<div> # approach is that mod_ssl sends the close notify alert but doesn't wait for</div>
<div> # the close notify alert from client. When you need a different shutdown</div>
<div> # approach you can use one of the following variables:</div>
<div> # o ssl-unclean-shutdown:</div>
<div> # This forces an unclean shutdown when the connection is closed, i.e. no</div>
<div> # SSL close notify alert is sent or allowed to be received. This violates</div>
<div> # the SSL/TLS standard but is needed for some brain-dead browsers. Use</div>
<div> # this when you receive I/O errors because of the standard approach where</div>
<div> # mod_ssl sends the close notify alert.</div>
<div> # o ssl-accurate-shutdown:</div>
<div> # This forces an accurate shutdown when the connection is closed, i.e. a</div>
<div> # SSL close notify alert is sent and mod_ssl waits for the close notify</div>
<div> # alert of the client. This is 100% SSL/TLS standard compliant, but in</div>
<div> # practice often causes hanging connections with brain-dead browsers. Use</div>
<div> # this only for browsers where you know that their SSL implementation</div>
<div> # works correctly.</div>
<div> # Notice: Most problems of broken clients are also related to the HTTP</div>
<div> # keep-alive facility, so you usually additionally want to disable</div>
<div> # keep-alive for those clients, too. Use variable "nokeepalive" for this.</div>
<div> # Similarly, one has to force some clients to use HTTP/1.0 to workaround</div>
<div> # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and</div>
<div> # "force-response-1.0" for this.</div>
<div> # BrowserMatch "MSIE [2-6]" \</div>
<div> # nokeepalive ssl-unclean-shutdown \</div>
<div> # downgrade-1.0 force-response-1.0</div>
<div><br>
</div>
<div> </VirtualHost></div>
<div></IfModule></div>
<div><br>
</div>
<div># vim: syntax=apache ts=4 sw=4 sts=4 sr noet</div>
<div><br>
</div>
<div><br>
</div>
<div>Best regards,</div>
<div>Jan Parttimaa</div>
<div><br>
</div>
<br>
</div>
</div>
<p></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 12pt; background-color: rgb(255, 255, 255);">
<p><span style="color:rgb(0,0,0)"><i><span style="font-family:Calibri,Arial,Helvetica,sans-serif">Jan Parttimaa</span></i></span></p>
<span style="font-family:Calibri,Arial,Helvetica,sans-serif"></span><span style="color:rgb(0,0,0)"><i></i></span><span style="font-family:Calibri,Arial,Helvetica,sans-serif"></span>
<p><span style="color:rgb(0,0,0)"><i><span style="font-family:Calibri,Arial,Helvetica,sans-serif">1602738,</span></i></span></p>
<span style="font-family:Calibri,Arial,Helvetica,sans-serif"></span><span style="color:rgb(0,0,0)"><i></i></span><span style="font-family:Calibri,Arial,Helvetica,sans-serif"></span>
<p><span style="color:rgb(0,0,0)"><i><span style="font-family:Calibri,Arial,Helvetica,sans-serif">Degree Programme in Business Information Technology,</span></i></span></p>
<span style="font-family:Calibri,Arial,Helvetica,sans-serif"></span><span style="color:rgb(0,0,0)"><i></i></span><span style="font-family:Calibri,Arial,Helvetica,sans-serif"></span>
<p><span style="color:rgb(0,0,0)"><i><span style="font-family:Calibri,Arial,Helvetica,sans-serif">Haaga-Helia University of Applied Sciences</span><span style="font-family:Calibri,Arial,Helvetica,sans-serif"></span><span style="font-family:Calibri,Arial,Helvetica,sans-serif">,
Pasila campus</span></i></span></p>
</div>
</div>
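<p>An added example, not part of the original message or of midPoint: a check of the posted settings for two things that matter when Tomcat sits behind a TLS-terminating Apache. It tests whether every application.yml key is a name Spring Boot recognises (a misspelled key is ignored, not rejected) and whether the HTTPS virtual host passes the original scheme in X-Forwarded-Proto, which mod_proxy does not add on its own. KNOWN_KEYS, the two function names and the reduced POSTED_VHOST sample are assumptions of this example.</p>

```python
import difflib
import re

# Assumed reference set (Spring Boot 1.5 server.* keys), not exhaustive.
KNOWN_KEYS = [
    "server.address",
    "server.port",
    "server.session.timeout",
    "server.use-forward-headers",
    "server.tomcat.internal-proxies",
    "server.tomcat.protocol-header",
]

# Key/value lines exactly as posted in the message.
POSTED_YML = """\
server.address: 127.0.0.1
server.port: 8080
server.session.timeout: 60
server.use-forward-hearders: true
server.tomcat.internal-proxies: 127.0.0.1
"""

# Active proxy/TLS directives of the posted default-ssl.conf (comments omitted).
POSTED_VHOST = """\
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
SSLEngine on
"""

def unknown_keys(yml_text, known=KNOWN_KEYS):
    """Map each unrecognised 'dotted.key' to its closest known key (or None)."""
    findings = {}
    for line in yml_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = line.partition(":")[0].strip()
        if key not in known:
            close = difflib.get_close_matches(key, known, n=1, cutoff=0.8)
            findings[key] = close[0] if close else None
    return findings

def sets_forwarded_proto(vhost_text):
    """True if the vhost passes the original scheme (https) to the backend."""
    pattern = r'^\s*RequestHeader\s+set\s+X-Forwarded-Proto\s+"?https"?\s*$'
    return re.search(pattern, vhost_text, re.I | re.M) is not None

if __name__ == "__main__":
    print(unknown_keys(POSTED_YML), sets_forwarded_proto(POSTED_VHOST))
```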
</div>
</body>
</html>