Remove security warnings coming from your APEX App

Yvan Florian
3 min read · Dec 15, 2020

Between Oracle APEX and the browser usually stands ORDS, running in standalone mode or, preferably, deployed within a Tomcat Java container. However, it’s possible, for many reasons, to also run Tomcat behind a reverse proxy such as Apache HTTP Server or NGINX. To serve the whole application over HTTPS, you could deploy SSL certificates on the reverse proxy only and call it a day.

But with such a setup, I encountered an issue with one of our oldest internal APEX apps. I figured this is Chrome’s latest features flagging “mixed contents” and displaying warnings like below because sub-resources are being loaded over HTTP. However, as far as I could tell, I couldn’t find any “mixed contents” by simply inspecting the page and looking out for anything loading content with absolute URLs starting with http:// as was indicated here by the makers of Chrome.

Now, what became clear to me is that implementing SSL on the Tomcat web server should fix the issue for me, so below is how I did it.

I first need to note that I prefer using the APR implementation of SSL certificates which, according to the docs, uses the OpenSSL Engine by default. I personally find the other methods to be a pain. So going with the APR implementation, there’s the native library that needs to be downloaded and loaded in the server.

Tomcat provides links to download the native connectors. At the time of writing, the latest version is 1.2.25. After downloading the zipped file (for Windows) tomcat-native-1.2.25-openssl-1.1.1g-win32-bin.zip, you’ll then do the following to configure your SSL connector:

  1. Stop the Tomcat Server
  2. Unzip the downloaded file
  3. Copy the binaries found in .\bin\x64\ in your extracted folder and paste them in the Tomcat ${catalina.base}\bin directory. There will be 2 files: tcnative-1.dll and tcnative-1-src.pdb
  4. Also copy the extracted openssl.exe file into the ${catalina.base}\bin directory
  5. When this is done, you can edit the config file ${catalina.base}\conf\server.xml to implement SSL. You may add the block below, as exemplified in the docs, adjust it depending on your needs, then start the Tomcat server one more time:
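
An added example of such an APR connector block, not the author's original block or the project's own configuration. It assumes Tomcat 8.5 or 9 (where Http11AprProtocol is available), port 4443 as used in the proxy configs further down, and placeholder certificate file names under conf:

```xml
<!-- Added example. Certificate file names below are placeholders. -->

<!-- Child of <Server>: loads the tcnative library copied into bin.
     A default server.xml already contains this line. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- Child of <Service>: the HTTPS connector the reverse proxy forwards to. -->
<Connector port="4443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           scheme="https" secure="true"
           SSLEnabled="true">
    <!-- Restrict the connector to TLS 1.2 and 1.3 instead of the default set. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <!-- PEM-encoded files; relative paths resolve against ${catalina.base}.
             No Java keystore is needed with the APR/OpenSSL implementation. -->
        <Certificate certificateFile="conf/yourdomain.crt"
                     certificateKeyFile="conf/yourdomain.key"
                     certificateChainFile="conf/chain.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```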

I would suggest using a different port for the Tomcat SSL connector, since Tomcat really is behind your reverse proxy server. This means that if I set the SSL connector port to something like 4443, then the NGINX SSL listener will have, at its most basic, configs like below:

server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate localhost.crt;
    ssl_certificate_key localhost.key;
    location / {
        proxy_pass https://yourdomain.com:4443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Using Apache HTTP Server would yield the basic configs below:

<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    ServerName yourdomain.com
    SSLCertificateFile "${SRVROOT}/conf/localhost.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/localhost.key"
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader unset Origin
    ProxyPass "/" "https://yourdomain.com:4443/"
    ProxyPassReverse "/" "https://yourdomain.com:4443/"
</VirtualHost>

Needless to say, the above needs to be adjusted to your own setup.

SSL Deployment should be easy, but I found it relatively tedious with Tomcat especially when there’s talk of key stores and importing certificates in it, when the CSR wasn’t originally generated from the same server. So, I hope this helps anyone out there…
