Is this a bogus SSL connection between Apache + Tomcat?

I was looking for this guide to install tomcat + apache with SSL: http://www.mulesoft.com/tcat/tomcat-ssl

Under "When to use SSL with Tomcat" it says:

"... In other words, if you are playing Tomcat with a web server and only use it as an application server or Tomcat servlet container, in most cases you should let the web server act as a proxy for all SSL requests."

Since I already have a web server with SSL installed, I decided to be lazy. I installed Tomcat with default settings and started it. In my httpd.conf I redirected all port 80 traffic to 443 and then ProxyPass and ProxyPassReverse to ajp://hostname.com:8009. I restarted httpd and it "appears" to redirect to the Tomcat server over SSL. Is this completely broken or did I actually manage to do what I wanted? Any suggestions for testing are greatly appreciated.

<VirtualHost *:80>
        ServerName hostname_DNS_alias.com
        Redirect / https://hostname_DNS_alias.com
</VirtualHost>

<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/pki/tls/certs/thecrt.crt
        SSLCertificateKeyFile /etc/pki/tls/private/thekey.key
        SSLCertificateChainFile /etc/pki/tls/certs/CA.crt
        ServerName hostname_DNS_alias.com
        DocumentRoot /var/www/html

        <Proxy *>
                AddDefaultCharset off
                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPass          /    ajp://hostname.com:8009/
        ProxyPassReverse   /    ajp://hostname.com:8009/
</VirtualHost>

1 answer


I think you have this, but you can look at the access logs in HTTPD and Tomcat to confirm that the request is proxied. You should see an entry in the access log on both systems.

A few quick notes ...

  • As stated in the comment, you can remove the HTTP connector from Tomcat. It's not obligatory. Sometimes it is nice to leave it open for testing (i.e. you can go straight to the server) or if you want to run the "Dispatcher" application on it. If you keep it, especially if you are using it to launch the Manager application, you should probably restrict access to it. Two easy ways to do this are setting the address attribute on the HTTP connector to localhost, or setting up the RemoteAddrFilter.

  • Be aware that the AJP connection from your HTTPD server to Tomcat is not encrypted (SSL terminated in HTTPD), so you want to make sure that traffic never travels over an insecure network (like the Internet).

  • Since you already have HTTPD in your mix, you can also use it to serve up your static files. If you deploy them to the document root, you can add "ProxyPass !" to exclude this path from being proxied to Tomcat. This gives slightly lower request latency, since HTTPD no longer needs to fetch the static file from Tomcat.

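A Tomcat conf/server.xml fragment that applies the connector advice in the answer above (added here as a worked example; it is not the asker's configuration and not from the linked guide). It assumes httpd and Tomcat run on the same host, so both connectors can be bound to loopback; the port numbers match the question, everything else is constructed.

```xml
<!-- Constructed example of the <Service> section of Tomcat's conf/server.xml.
     Assumption: httpd and Tomcat share a host, so 127.0.0.1 is the proxy's address.
     If httpd sits on another machine, bind the AJP connector to the interface
     facing that machine on a private network instead; AJP is cleartext. -->
<Service name="Catalina">

  <!-- AJP connector that httpd's "ProxyPass / ajp://hostname.com:8009/" talks to.
       TLS terminates in httpd, so nothing on this link is encrypted: keep it
       off public interfaces by binding to loopback. -->
  <Connector port="8009" protocol="AJP/1.3"
             address="127.0.0.1"
             redirectPort="443" />

  <!-- Optional plain HTTP connector kept for local testing or the Manager app.
       address="127.0.0.1" makes it reachable only from the box itself, so it
       cannot be used to bypass httpd's HTTPS. Delete the element if unused. -->
  <Connector port="8080" protocol="HTTP/1.1"
             address="127.0.0.1"
             connectionTimeout="20000"
             redirectPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

      <!-- Access log with %p (local port) appended to the "common" pattern.
           Cross-checking this file against httpd's access log, as the answer
           suggests, then also shows whether any request arrived on 8080
           instead of 8009, i.e. without passing through httpd. -->
      <Valve className="org.apache.catalina.valves.AccessLogValve"
             directory="logs" prefix="localhost_access_log" suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b %p" />

      <!-- Note on IP-based allowlists: over AJP, mod_proxy_ajp forwards the
           original client address, so Tomcat sees the browser's IP, not
           httpd's. A host-wide RemoteAddrValve allowing only the proxy IP
           would therefore block every proxied user. Restrict the Manager
           application instead, in webapps/manager/META-INF/context.xml:
           <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                  allow="127\.\d+\.\d+\.\d+|::1" /> -->
    </Host>
  </Engine>
</Service>
```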