Solution for SSL in CIS WMS viewer and CMCDataServer

I have a solution which will work and which I think is the cleanest.

I suggest we change

- ada.cmc.ec.gc.ca:9090
+ ada.cmc.ec.gc.ca/cmcdataserver

together with the Apache configuration

 <VirtualHost ada.cmc.ec.gc.ca:443>
         DocumentRoot /var/www/html
         ServerName ada.cmc.ec.gc.ca
         SSLEngine on
         SSLCertificateFile /root/ssl-certificates/ServerCertificate.crt
         SSLCertificateKeyFile /root/ssl-certificates/ada.cmc.ec.gc.ca
         SSLCertificateChainFile /root/ssl-certificates/ChainBundle2.crt

+        SSLProxyEngine on
+        ProxyRequests Off
+        ProxyPreserveHost On
+        ProxyPass /cmcdataserver http://localhost:9090/
+        ProxyPassReverse /cmcdataserver http://localhost:9090/
 </VirtualHost>
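
Review bot: SSLProxyEngine on is not needed among the added lines, because both ProxyPass and ProxyPassReverse point at http://localhost:9090/, which is plain HTTP; the directive only matters when Apache itself connects to an https:// backend, so I would drop it to keep the vhost minimal. The path /cmcdataserver has no trailing slash while the target http://localhost:9090/ has one, so a request for /cmcdataserver/foo is forwarded with a doubled slash (//foo); that does not affect query-only requests of the form /cmcdataserver?..., but it deserves a comment in the config, or matching slashes on both sides if sub-paths are ever used. Since the change replaces the public ada.cmc.ec.gc.ca:9090 endpoint, also confirm that port 9090 ends up bound to localhost or firewalled, otherwise clients can still reach the service over plain HTTP and bypass the TLS vhost.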

I'll be ready to add this and re-enable SSL on ada.cmc.ec.gc.ca when you give me the signal. And in the meantime, if I can help, just let me know.

Cheers
Philippe Carphin – RPN-SI

1 Demonstration on Emmy

We make this HTTPS request, using the URL below, to a program running on port 5447:

https://emmy.cmc.ec.gc.ca/echo-server?&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&LAYERS=GIOPS_DIVI&WIDTH=361&HEIGHT=872&SRS=EPSG%3A3857&BBOX=-22406508.884210523,-51839936.75789476,20269345.515789475,51244121.51578944&STYLES=DIV&FORMAT=image/png&TRANSPARENT=TRUE&&time=2025-02-21T12%3A00%3A00Z&0.1350919983241088

This is the URL Amir gave in his email with ada.cmc.ec.gc.ca:9090/?... replaced with emmy.cmc.ec.gc.ca/echo-server?....

My echo-server is listening on port 5447 and serves HTTP requests, i.e. I do not have to implement SSL, which would be quite a job working with encryption and certificates.

Therefore, we can make HTTPS requests to a program that doesn't do HTTPS because Apache unwraps the SSL layer. Apache also wraps the response in an HTTPS response and the browser is happy.
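
What the backend sees behind this kind of TLS-terminating proxy, as an added example (not the author's echo-server, whose code is not on the page): a plain-HTTP echo service bound to loopback that reports the forwarded path, query and proxy headers. The names EchoHandler, make_server and probe are assumptions; port 5447 is the one used above.

```python
import http.client
import json
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlsplit

# Host is passed through from the client because of ProxyPreserveHost On;
# the X-Forwarded-* headers are the ones mod_proxy_http adds when forwarding.
PROXY_HEADERS = ("Host", "X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Server")


class EchoHandler(BaseHTTPRequestHandler):
    """Plain-HTTP handler (hypothetical stand-in): no TLS code at all."""

    def do_GET(self):
        url = urlsplit(self.path)
        body = json.dumps({
            "path": url.path,                    # prefix already stripped by ProxyPass
            "query": parse_qs(url.query),
            "peer": self.client_address[0],      # 127.0.0.1 when reached via Apache
            "proxy_headers": {h: self.headers.get(h) for h in PROXY_HEADERS},
        }, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the console quiet


def make_server(port=5447):
    # Loopback only: the service is reachable solely through the HTTPS vhost,
    # so nobody can talk to it in cleartext from the network.
    return ThreadingHTTPServer(("127.0.0.1", port), EchoHandler)


def probe(port, target, headers):
    """Send the request Apache would forward and return the decoded echo."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", target, headers=headers)
    data = json.loads(conn.getresponse().read())
    conn.close()
    return data


if __name__ == "__main__":
    make_server().serve_forever()
```

A peer other than 127.0.0.1, or missing X-Forwarded-* headers, in the echoed output means the request did not come through the proxy.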

2 Testing CIS WMS

On Emmy, I have made the following configuration:

<VirtualHost emmy.cmc.ec.gc.ca:443>
        DocumentRoot /var/www/html
        ServerName emmy.cmc.ec.gc.ca
        SSLEngine on
        SSLCertificateFile /root/ssl-certificates/ServerCertificate.crt
        SSLCertificateKeyFile /root/ssl-certificates/emmy.cmc.ec.gc.ca
        SSLCertificateChainFile /root/ssl-certificates/ChainBundle2.crt


        SSLProxyEngine on
        ProxyRequests Off
        ProxyPreserveHost On

        ProxyPass /echo-server http://localhost:5447/
        ProxyPassReverse /echo-server http://localhost:5447/

        ProxyPass /cmcdataserver http://localhost:9090/
        ProxyPassReverse /cmcdataserver http://localhost:9090/
</VirtualHost>

HTTPS requests to /cmcdataserver are unwrapped and sent as HTTP requests to localhost:9090.

This should allow you to try out the change with your viewer.

I will also leave my echo-server running if that can be of any help to you. It's not a robust program, just something I made for myself to troubleshoot my personal website, so it could go down. If you think it's down, just let me know and I'll restart it.

3 Note

It doesn't have to be cmcdataserver; that's just what I used because you are running CMCDataServer. If you want it to be something else, just let me know by email or by Teams.

Author: Philippe Carphin

Created: 2025-02-14 Fri 19:12
