I'm trying to install some Atlassian products (Bitbucket Server, Jira, Confluence etc.) on my VPS with using HTTPS. Every product should be available on their own subdomain e.g. https://bitbucket.mydomain.de or https://jira.mydomain.de I tried many things but now I'm very confused. It always redirect me to the Tomcat-GUI instead of my installed Bitbucket Server application. Maybe managing the ports is too confusing for me.
Three configuration files are involved - Tomcats server.xml, Apaches mydomain.conf file and Bitbuckets bitbucket.properties configuration.
I've tried to use an own Bitbucket Connector in Tomcat, while using an reverse Proxy in Apache. Here are some of my files.
Apaches mydomain.conf
<VirtualHost *:443>
ServerName bitbucket.mydomain.de
ServerAlias bitbucket.mydomain.de
ProxyRequests Off
<Proxy *>
Require all granted
</Proxy>
ProxyPass / http://bitbucket.mydomain.de:7990/
ProxyPassReverse / http://bitbucket.mydomain.de:7990/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/mydomain_ssl_certificate.cer
SSLCertificateKeyFile /etc/ssl/private/mydomainprivate_key.key
SSLCertificateChainFile /etc/ssl/certs/mydomain_ssl_certificate_intermediate.cer
</VirtualHost>
Bitbuckets bitbucket.properties
server.port=7990
server.secure=true
server.scheme=https
server.proxy-port=443
server.proxy-name=bitbucket.mydomain.de
And Tomcats server.xml
<Server port="8005" shutdown="SHUTDOWN">
<...>
<Service name="Catalina">
<!-- Default Connector -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
<!-- Bitbucket Connector -->
<Connector port="7990" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" compression="on" compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
secure="true" scheme="https" proxyName="bitbucket.mydomain.de" proxyPort="443" />
<!-- SSL Connector -->
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
SSLEnabled="true" keystoreFile="keystore/mydomain-keystore.jks" keypass="mypass" keystoreType="JKS"/>
</Service>
</Server>
Actually, it shows me on bitbucket.mydomain.de every single time the Tomcat GUI instead of Bitbucket.. and I can't explain why. What am I missing? I think the whole server.xml is misconfigured...
Thanks a lot for every help!
You can use something a little bit lighter than Apache like haproxy. Haproxy is available as a standard Linux package. Haproxy will terminate your SSL connection. It will act as a reverse proxy for the various Atlassian applications. See the following link for information on how to set it up:
https://confluence.atlassian.com/bitbucketserver/securing-bitbucket-server-behind-haproxy-using-ssl-779303273.html
You won't have to change your Tomcat server.xml
Related
My Apache web server runs on port 433 with https protocol. I wish to run Tomcat on port 8080 because there is no need for additional encryption, Tomcat is on the same machine, so I don't need port 8433. But when I forward traffic from 433 to 8080 via iptables but I got an error: This site can’t provide a secure connection
ERR_SSL_PROTOCOL_ERROR
What configurations do I need in tomcat server.xml and apache.conf in order to make this work?
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- I've tried this before when I thought I need an SSL for Tomcat. I think it's irrelevant now -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
in httpd.conf
<VirtualHost *:80>
ServerAdmin root#localhost
DocumentRoot "/var/www/html"
DirectoryIndex index.html
ServerName mydomain.zone
ErrorLog "/var/log/httpd/mydomain.zone.error_log"
CustomLog "/var/log/httpd/mydomain.zone.access_log" common
RewriteEngine on
RewriteCond %{SERVER_NAME} =mydomain.zone
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Include /etc/httpd/conf/httpd-le-ssl.conf
EDIT: I've tried to delete iptables rule, and after that I added in httpd.conf:
ProxyPass / http://www.mydomain.zone:8080
ProxyPassReverse / http://www.mydomain.zone:8080
But I got the message: Service Unavailable The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later. (Tomcat is running I checked and Apache is restarted).
I've noticed that my web app works with normal HTTP protocol currently, but not with https, and I need to type:8080
I had 2 problems that occurred and the problem was not about proxy rules, I wrote them correctly.
I found the solution for the first problem here: http://sysadminsjourney.com/content/2010/02/01/apache-modproxy-error-13permission-denied-error-rhel/
Apparently, SELinux didn't allow httpd could not initiate outbound connections. I needed to allow it: /usr/sbin/setsebool -P httpd_can_network_connect 1
The second problem was that my Tomcat used too much RAM memory because I configure SSL in server.xml, but SSL is already enabled in my Apache. When I commented that out, Tomcat reduced his RAM consumption.
I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:
<Connector executor="tomcatThreadPool"
port="80"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
Is it possible to add an exception/rule, that a specific HTTPrequest (http://www.example.com), will be redirected to another specific address , with a port specified (say https://www.example.com:8443/test), without changing/removing the above Connector ?
You can do it to every app deployed to tomcat by adding this to the end of tomcat_dir/conf/web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you requre authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
So you don't have to change it on the web.xml of your webapp.
That should work, assuming you already have https working in another port (usually 443). If you don't, make sure your tomcat_dir/conf/server.xml looks like this:
<!-- Default tomcat connector, changed the redirectPort from 8443 to 443 -->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<!-- To make https work on port 443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig>
<Certificate certificateKeyFile="/your/own/privkey.pem"
certificateFile="/eyour/own/cert.pem"
certificateChainFile="/your/own/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
The connector configuration you shown does not redirect a specific URL in the way you suppose.
That configuration acts if you have configured a CONFIDENTIAL transport guarantee for a web application inside that servlet container.
I mean, if you have deployed any application on that connector, where its web.xml descriptor has a security-constraint as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Then, Tomcat will redirect any matching url-pattern to the configured port in order to use HTTPS as guarantor of confidentiality in transport.
So, if you want to redirect a specific URL, you have to complement connector's configuration with specific application configuration.
Edit
As you suggest in your comment, it could be another step to get this configuration working. Once you have configured http connector as shown, and then configured app as I told you, you only to ensure that your Tomcat server has an HTTPS connector configured, other way redirection won't work.
To configure this HTTPS connector, you can use a configuration as following:
<Connector connectionTimeout="20000"
acceptCount="100" scheme="https" secure="true"
port="443" clientAuth="false" sslProtocol="TLS"
keystoreFile="PATH_TO_KEY_STORE"
keystorePass="KEY_STORE_PASS"
keyAlias="KEY_STORE_ALIAS"/>
This is a sample configuration where I didn't put some attributes that can be important for you as threads attrs, executors, and so on.
The most important thing is the KeyStore configuration that you need to serve HTTPS connections. Here you have the official documentation to prepare a java KeyStore for Tomcat to serve HTTPS.
I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:
As malaguna answered, that Connector configuration is not a redirection rule. It is just a setting that is used when performing redirection triggered by <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
There is no way to overwrite that setting on per-application basis.
If you need better control over such redirection, you need to implement your own Filter that will implement a redirection (if (!request.isSecure()) { response.sendRedirect(...);}), or configure a 3rd party one.
// Technically, in current Tomcat 8 code the redirection triggered by transport-guarantee is performed by org.apache.catalina.realm.RealmBase.hasUserDataPermission(...) method.
If you use tomcat with httpd, you can use RewriteEngine.
With port specified is like the followings in the http.conf:
NameVirtualHost *:8443 #your specified port
<VirtualHost *:8443>
ServerName www.example.com
Redirect permanent / https://secure.example.com/
</VirtualHost>
See: RewriteHTTPToHTTPS and Redirect Request to SSL
Putting transport-guarantee CONFIDENTIAL in conf/web.xml is good, but it does not cover the manager app and the host-manager app (Tomcat 8.5.38).
My solution is to put a valve in conf/context.xml that redirects all http requests to https.
https://bitbucket.org/bunkenburg/https-valve/src/master/
It's too late to answer, still I'm sharing my experience over the same, do the following changes in
Apache Software Foundation\Tomcat 8.5\conf\web.xml
Take a restart.
Pre-Req: configure https port and disable http port(optional[I did it])
<Connector connectionTimeout="20000" port="8081" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443"
SSLEnabled="true"
acceptCount="100"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="550"
minSpareThreads="25"
scheme="https"
secure="true"
compression="on"
protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig protocols="TLSv1.2"
certificateVerification="none"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
<Certificate type="RSA"
certificateKeystoreFile="/ssl/self-signed/your-keystore.jks"
certificateKeystorePassword="123456"
certificateKeyAlias="your-alias" />
</SSLHostConfig>
</Connector>
I have a tomcat server running perfectly at http://68.169.56.63:8080 I have a subdomain http://solar.wbe.in. Now I want my website http://solar.wbe.in to point to that tomcat server so that if I open http://solar.wbe.in site my browser it should show http://68.169.56.63:8080 I was looking at A records in DNS management. It has option to map IP but not port number. How do I map port 80 of http://solar.wbe.in to port 8080 of http://68.169.56.63
You could change the port in the Tomcat Server.xml e.g
<Connector port="80" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
Or you could install a webserver like apache to listen on port 80 and proxy the requests through to Tomact either use mod_jk or mod_proxy.
I received a SSL cert to use for a Tomcat 6.0 server, ready to use.
I configured Tomcat to use it with the following in server.xml:
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="C:\Tomcat 6.0\ssl\cert" keystorePass="*****"
clientAuth="false" sslProtocol="TLS"/>
I started Tomcat using the command prompt so I could see any error message as they happened. There were none.
The results for accessing different URLS:
http://localhost -> normal page loads fine
https://localhost -> browser claims page cannot be found
https://localhost:8443 -> page cannot be found
http://localhost:8443 -> offers a certificate, after accepted redirects to https://localhost (I suspect the https:// urls initially offer the certificate which is automatically accepted by the browser, as it was issued by Verisign)
How to fix?
Edit: I've also tried port="443". Same result.
Do you require SSL on both 8443 and 443?
If all you need is 443 (the standard HTTP port), you can simply change the port="8443" to "443" and https:// URLs should work fine.
EDIT:
OK, so if you've made the change and bounced tomcat and it's still listening on 8443 then there must be another connector specified which is listening on 8443.
Here's my connector configuration from my server.xml
<Connector
port="8080"
redirectPort="443"
maxSpareThreads="75"
maxThreads="150"
minSpareThreads="25"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/javascript,application/xml">
</Connector>
<Connector
port="443"
minProcessors="5"
maxProcessors="75"
keystorePass="*****"
enableLookups="true"
disableUploadTimeout="true"
acceptCount="100"
debug="0"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/javascript,application/xml">
</Connector>
That results in traffic coming in on 8080 being (internally) redirected to the connector on port 443. Traffic from 443 doesn't have any redirect directive.
I'd do a grep of your configurations for 8443 to make sure another one hasn't sneaked in somewhere.
I looks like you referenced a cert file in the keystoreFile attribute... if that file is actually a cert file you should use something like this
SSLCertificateFile="C:\Tomcat 6.0\ssl\cert"
... if that is correct (that the file a cert) then you will also need a key, for example:
SSLCertificateKeyFile="C:\Tomcat 6.0\ssl\cert.key"
If you have intermediate certs that you need in the CA chain, add:
SSLCertificateChainFile=
Hoping someone can help / advise as i'm not very familiar with Apache / Tomcat .. I already have Apache in front of Tomcat with grails app deployed. I have IIs setup (by someone else) which redirects www.xyz.com/myApp to an Apache instance which runs a grails app. In my apache conf I have a proxy ..
ProxyPass /myApp http://localhost:8080/myApp
ProxyPassReverse /myApp http://localhost:8080/myApp
and I have a connector defined in my tomcat server.xml
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
proxyName="www.xyz.com"
proxyPort="443" />
This works without problem
I now want to add another app so in IIS I had setup for me www.xyz.com/myOtherApp
with
ProxyPass /myOtherApp http://localhost:8081/anotherApp
ProxyPassReverse /myOtherApp http://localhost:8081/anotherApp
in my Apache conf I added another connector
<Connector port="8081" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
proxyName="www.xyz.com"
proxyPort="443" />
When i go to www.xyz.com/myOtherApp i get the url rendered (correctly i think) as https://www.xyz.com/anotherApp but with a 404 error saying "Object not Found" ..
Can anyone help me with the config ? Is it possible to have 2 connectors on different ports
with the same proxyName ? As i say i'm not familiar with Apache/Tomcat and i'd really like to get this done asap ..
Thanks
Hi #Stefan, The apps do live on the same server and domain so i eliminated one of the connector definitions . I'm now left with
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
proxyName="www.xyz.com"
proxyPort="443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
</Host>
</Engine>
</Service>
</Server>
Also I switched on the logging (JULI) but it didn't seem to report anything . The apache error log just gives me a 404 .. I left it as HTTP rather than AJP as i'd have to setup HTTPS and i'm not sure how easy that is. So i'm left with the same problem in that one app works, the other doesn't .. Is it possible to run multiple grails apps over http as opposed to using ajp and virtual hosts ? Forgive me if i'm being stupid - i haven't had much exposure to webapps and i seem to have come to a grinding halt at what i thought should have been relatively easy - deployment !
If you want to use Apache in front of Tomcat, it's better to use mod_proxy_ajp instead of mod_proxy_http. For setting this up, see https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp.
Be sore to add
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
to your config to prevent abuse of the proxy.
If /myApp and /myOtherApp reside in the same tomcat engine, you only need a single connector for both apps. Aside from this, I can see no obvious error in your setup. Maybe you could post your tomcat's server.xml. During working on the config, using LogLevel Debug might be a good idea.
This isn't a direct answer to your question, but I was configuring Tomcat behind Apache before and I had problem with it.
I now use Amazons Elastic beanstalk...where you can deploy your grails app war file directly. It works a beautifully, especially with in built auto scaling and health monitoring!
Less configuration == Ease of life.