SSL certificate in Tomcat and Apache (use in both)

I have SSL wildcard certificate.
I have tomcat as well as apache server running on my machine.
Currently ssl has been applied on tomcat but apache being my wrapper server needs ssl certificate too.
Both apache and tomcat are on same machine.
Can I use same wildcard for both of them ?

Yes, you can use the same wildcard SSL certificate (but only for one domain, such as *.domain.com) for both the Tomcat and Apache servers. You can even use the same wildcard SSL certificate on different servers too.

Related

NGINX or Apache2 reverse proxy to a server with client certificate authentication

Below is the setup of the infrastructure:
Assume that it's not possible for the script/computer to authenticate with the certificate. I really need the intermediate reverse NGINX/APACHE2 proxy server to strip the SSL authentication.
Any idea how I do this in the configuration of NGINX or APACHE2?

Use same SSL certificate for Tomcat and Nginx

I have got an SSL certificate for the domain "www.example.com" and I have installed this certificate in a Tomcat server which runs on port 443, which runs fine. Now my requirement is to run Node.js code over HTTPS.
So I want to configure it through nginx. So nginx will listen for incoming requests and use ProxyPass. I am trying this but we get a key mismatch error.
So the main question is: is it possible to use the same certificate generated for the Tomcat keystore in Nginx?

Will a self-signed certificate work behind an Apache reverse-proxy?

We want to use Apache as our reverse proxy to a collection of app servers. We plan to use a CA-signed SSL certificate on the Apache instance but wanted to use self-signed certificates on the app server instances (so that the Apache to app server connection is also encrypted). We don't want to install a CA-signed SSL certificate on the app server instances if we don't have to.
Will Apache allow this configuration of having self-signed certificates on the app server instances?
If you have a large collection of app servers, it would probably make more sense to have your own internal CA, instead of having to manage each self-signed certificate one by one.
If you want the connections between an Apache Httpd reverse proxy and its worker nodes to use HTTPS, you can configure the certificates trusted by Apache Httpd using the SSLProxy* directives of mod_ssl (as documented in the introduction of the mod_proxy documentation), in particular SSLProxyCACertificateFile.
You'll need to use mod_proxy_http for this, since AJP connections are not made over SSL/TLS.

mod_proxy: when proxying tomcat from apache on 8443, is tomcat certificate needed

I am getting started now on adding SSL login pages to my webapp. I am using apache mod_proxy to proxy tomcat.
Some tutorials showed that I need to get an SSL certificate for apache and proxy my login pages to tomcat on port 8443.
Is port 8443 automatically an encrypted SSL port for tomcat? Do I need both an apache certificate and a tomcat certificate?
Andy
As far as the browser is concerned, Apache Httpd will "terminate" the SSL/TLS connection to your web server. Whether the content it serves is in fact coming from Tomcat doesn't matter to the browser. The browser will only see as far as Apache Httpd in that scenario. If it is set up with a certificate recognised by the browser, this is sufficient.
In addition to this, you may want to encrypt the connection between Apache Httpd and Tomcat. This is only really useful if you don't trust the network between the two (rarely useful on the same host, for example). I don't think mod_proxy_ajp supports SSL/TLS, but mod_proxy_http does, in which case you need to configure the SSLProxy* directives (see introduction): Apache Httpd will be a client in that respect, and Tomcat will need to be configured with a certificate in this case.
If you don't need to encrypt the link between Apache Httpd and Tomcat, the easiest is probably to use mod_proxy_http as a reverse proxy to the plain HTTP port of Tomcat (and make sure that port can't be accessed externally, via a firewall for example).

Is it possible to have a client certificate authentication only for a subdirectory in Tomcat behind Apache?

Let's say I have
example.com
and I would like a client certificate authentication on
example.com/admin
Is this possible?
Perhaps by configuring your (Apache or Lighttpd) web server to act as an HTTP[S] proxy (to another HTTPS server doing the certificate), but I am not sure.
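The threads above keep circling the same two practical steps: getting the certificate and key out of the Tomcat keystore in a form Apache (or Nginx) can load without a "key mismatch", and then configuring Apache to terminate TLS for browsers while talking HTTPS to Tomcat with the SSLProxy* directives, optionally demanding a client certificate for one path only. The script below is an added example, not code from any of the posts; it assumes `openssl` is on the PATH, that the Tomcat keystore is PKCS12 (a JKS keystore converts with `keytool -importkeystore -srckeystore tomcat.jks -destkeystore tomcat.p12 -deststoretype PKCS12`), and every path, host name and password in it is a placeholder. The keystore it works on is a constructed self-signed one so that it runs offline.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posts): pull the certificate
# and key out of a Tomcat PKCS12 keystore as the PEM files Apache httpd's mod_ssl reads,
# check that the key really belongs to the certificate (the usual cause of the
# "key values mismatch" startup error), and write a vhost that terminates TLS and
# proxies to Tomcat over HTTPS using the SSLProxy* directives.
# Assumptions: openssl is on PATH; the keystore is PKCS12; all paths, host names and
# passwords are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input: a throwaway self-signed wildcard certificate packed into a
# PKCS12 keystore, standing in for the real Tomcat keystore so the script runs offline.
make_sample_keystore() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.com" \
        -keyout "$WORK/sample.key" -out "$WORK/sample.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/sample.crt" -inkey "$WORK/sample.key" \
        -name tomcat -out "$WORK/tomcat.p12" -passout pass:changeit
    echo "$WORK/tomcat.p12"
}

# $1 keystore, $2 keystore password, $3 output directory.
# Writes server.crt (leaf certificate) and server.key (unencrypted private key).
# Intermediates, if the keystore holds any, come out with "-nokeys -cacerts" and are
# appended after the leaf in server.crt (httpd 2.4.8+ reads the chain from that file).
extract_pem() {
    ks=$1; pw=$2; out=$3
    openssl pkcs12 -in "$ks" -passin "pass:$pw" -nokeys -clcerts -out "$out/leaf.raw"
    openssl pkcs12 -in "$ks" -passin "pass:$pw" -nocerts -nodes -out "$out/key.raw"
    # Re-encode to drop the "Bag Attributes" headers so the files hold nothing but PEM.
    openssl x509 -in "$out/leaf.raw" -out "$out/server.crt"
    openssl pkey -in "$out/key.raw" -out "$out/server.key"
    rm -f "$out/leaf.raw" "$out/key.raw"
    chmod 600 "$out/server.key"
}

# $1 certificate, $2 private key. Prints "match" or "mismatch" by comparing the public
# key embedded in the certificate with the one derived from the private key.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    if [ "$crt_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# $1 ServerName, $2 cert, $3 key, $4 backend URL, $5 backend CA bundle, $6 client CA
# bundle, $7 output file. Apache is the TLS server towards browsers and the TLS client
# towards Tomcat; the backend certificate is checked against $5 only, so a self-signed
# or internal-CA certificate on Tomcat works as long as its name matches the host in $4
# (SSLProxyCheckPeerName is on by default; give Tomcat a name rather than switching it off).
write_vhost() {
    cat > "$7" <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile    $2
    SSLCertificateKeyFile $3

    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile $5
    ProxyPass        / $4/
    ProxyPassReverse / $4/

    # Client certificates only under /admin. SSLCACertificateFile names the CA that
    # issued them; per-directory SSLVerifyClient renegotiates on TLS 1.2 and relies
    # on post-handshake authentication on TLS 1.3.
    SSLCACertificateFile $6
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
EOF
}

main() {
    ks=$(make_sample_keystore)
    extract_pem "$ks" changeit "$WORK"
    echo "key/cert: $(key_matches_cert "$WORK/server.crt" "$WORK/server.key")"
    write_vhost www.example.com /etc/ssl/private/server.crt /etc/ssl/private/server.key \
        https://tomcat.example.com:8443 /etc/ssl/certs/backend-ca.pem \
        /etc/ssl/certs/client-ca.pem "$WORK/example.com.conf"
    cat "$WORK/example.com.conf"
}
main
```

The same `server.crt` and `server.key` files are what Nginx's `ssl_certificate` and `ssl_certificate_key` take, so the extraction step answers the Nginx question as well; the `key_matches_cert` check is worth running before reloading either server, because a key and certificate taken from different keystore entries load without complaint only to fail at startup.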