How to use HTTPS on localhost on Tomcat? - ssl

I am using Apache Tomcat 8 and also have .cert file and the .key file. But I am unable to understand how to turn on the HTTPS mode. I want the APR implementation which uses OpenSSL by default. I tried to change the server.xml file in conf folder according to the documentation but after that Tomcat failed to start and I have delete it and use new unzipped files to start. How can I turn on SSL?

If the APR is already installed and configured on your Tomcat, you could have something like this in your server.xml:
Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
Take a look at this tutorial tutorial, it was quite helpful for me.
Also this one could be interesting.

Related

Mod_jk and Tomcat stuck at Sending Reply

Currently, the server at work is underperforming and the way it's set up is not ideal either. For this reason I'm trying to find a new way to do things that will hopefully help with both, performance and deployment.
The approach I decided for is to have tomcat instances for our webapps (currently there are two, so it'd be an instance per webapp) and use Apache as a "front". I'm not experienced in this, so It's normal I'm having issues here and there, but so far I've manage to get this going.
What I expect is to redirect from mysite.com index page to either mysite.com/service1 or mysite.com/service2. Service1 was setup in out test server at port 8080 and service2 at 8081. I installed Apache2 and mod_jk yesterday and set up apache with the contents of mysite.com. Today I started the configurations, that ended up as follow:
workers.properties
worker.list=s1
worker.s1.type=ajp13
worker.s1.port=8009
#host is localhost by default according to the documentation
jk.load
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
JkWorkersFile /etc/apache2/workers.properties
JkLogFile /var/log/apache2/mod_jk.log
JkLogLevel debug
JkMount /service1/* s1
Service1's server.xml connector (The rest is all default)
<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />
I had more, but because of the errors, I took a step back and tried with only one tomcat for now. I will add the second tomcat and a loadbalancer.
Ok, so what's going on?
I can access the server and the index page of our system with no problem. The problem is when I try to redirect to service1. It just loads without response, but if I try to access service1 directly by port 8080, it works properly (I tired commenting out this connector. No luck).
Looking at server-status, I see the request stuck at w/sending reply, and in mod_jk.log I see that the worker properly matches the request. So while my configurations seem to be right, there is something in between happening. I don't really know if it's something with Apache, Tomcat or Mod_jk. I also tried to follow several guides of how to do this, but all of them got me to 404s. Looking around here and ServerFault didn't shed much light unfortunately so I'm the one asking now.
Am I missing something? Should I just use another approach? I'm very new at this and I'm at loss right now. The configuration and the logs show that nothing is really wrong (at first glance, at least...) so I'm entirely sure if my case scneario is even posible with mod_jk... HOnestly to run it back and try with proxy is very tempting at this point, but if I am, I'd rather know where Im wrong.
Additional info: Running on Ubuntu Server 18.04, lastest apache2 and mod_jk avaliable from apt (as of Apr 14), java 1.8 and Tomcat 8.5.64.
There was a change in Tomcat last year (from version 8.5.51 and version 9.0.31), which introduced a secretRequired attribute to the AJP connector with a default of true (cf. documentation). Hence you can either:
add a shared secret between the AJP connector and mod_jk
or add secretRequired="false" to the AJP connector:
<Connector protocol="AJP/1.3" port="8009" secretRequired="false" redirectPort="8443" />
Remark: AJP is a very old protocol and rarely used. Since your installation is pretty new, you might consider using directly HTTP (cf. this talk).

413 request entity too large apache "tomcat"

User when access BOBJ tomcat URL the AD SSO works without any issues, when the user tries to access the Apache load balancer, then we get the Request entity too large error message.
This is happening for few of the users and few of them can login without any issues.
Setup: configured Apache Load Balancer - to connect to two tomcat server via Workers.properties.
BOBJ AD SSO is configured on Tomcat server
Error :Request Entity Too Large
The requested resource
/BOE/portal/1712062105/BIPCoreWeb/VintelaServlet
does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.
Configuration on
Apache
Httpd:
LimitRequestLine 65536
LimitRequestBody 0
LimitRequestFieldSize 65536
LimitRequestFields 10000
ProxyIOBufferSize 65536
worker: worker.ajp13.max_packet_size=65536
Tomcat:
Request someone to help in troubleshooting the error.
Possible solution!
Apache tomcat:
1. modify /opt/ tomcat/config/server.xml
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxPostSize="209715200"
disableUploadTimeout="true"
maxHttpHeaderSize="1006384" />
2. modify /tomcat/webapps/manager/WEBINFO/web.xml
<multipart-config>
<!-- 50MB max -->
<max-file-size>104857600</max-file-size>
<max-request-size>209715200</max-request-size>
<file-size-threshold>0</file-size-threshold>
</multipart-config>
Nginx:
1. modify /etc/nginx/nginx.conf
2. add this " client_max_body_size 200M; "
http{
client_max_body_size 200M;
}
* Restart tomcat server
sudo systemctl restart tomcat
* Restart nginx server
sudo systemctl restart nginx
Similar issue for me, but the fix was slightly different:
worker.ajp13.max_packet_size=65536
This was actually in: path/apache2/conf/extra/workers.properties (probably just a typo in earlier answer)
The issue here is with the Apache parameter under Worker.properties file
We initial have set this to -> worker.ajp13.max_packet_size="65536"
However the syntax should be this :
worker..max_packet_size="65536”
Your site is basically the tomcat site which we refereed as worker1 and worker2.
Once we changed that value to below
worker: worker1.max_packet_size="65536"
This issue got fixed.
Hope this helps for users who have configure Apache as load balancer to two or more tomcat web application clusters.
I'm not 100% certain this will resolve your issue, but it seems to be related. In Tomcat's server.xml, add the following to Connector: maxHttpHeaderSize="65536". The whole line should look something like:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
redirectPort="8443" compression="on" URIEncoding="UTF-8" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"
maxHttpHeaderSize="65536" />

Starting automatically another tomcat instance when one goes down

I am working on a Spring-MVC application and using Tomcat to deploy
it. I looked up on net how to create a custom maintenance site when
tomcat is down. It involves using Apache2 in the front and relaying
requests to and fro tomcat, and the maintenance site can be put on
Apache2. Seemed like a lot of hassle just for a webpage when tomcat
is down.
For this reasons, I created a small project and deployed it in
another instance of tomcat as ROOT.war.
I would just like to know if there is any way, I can bring the
maintainance tomcat instance online when production is down.
Here is my server.xml of production for viewing :
<Connector port="80" protocol="HTTP/1.1" compression="force" compressionMinSize="1024"
connectionTimeout="20000"
redirectPort="443" URIEncoding="utf-8"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/ javascript,application/x-javascript,application/javascript"/>
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200" compression="force"
compressionMinSize="1024" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="my-keystore.jks" keystorePass="password" URIEncoding="utf-8"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/ javascript,application/x-javascript,application/javascript"
/>
<Connector port="8010" protocol="AJP/1.3" redirectPort="443" URIEncoding="utf-8"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/ javascript,application/x-javascript,application/javascript"
/>
Any help would be nice. Thanks a lot.
A good option used in high availability of application but not sure you would need that.
ran 2 tomcat in 2 separate ports always. one is production server and another maintainence server.
install haproxy so all request goes from here to the production server port.
when haproxy verifies that the port is down or the server not responding go to maintainence port tomcat instance.
in this way, the maintainence activity can be done without any issues. and due to some issues the prod server goes down it automatically call maintainence tomcat instance.

Access alfresco using https (SSL) url

I would like to change the url for accessing Alfresco share from http://localhost:8080/share
to https://sitename.companyname.com/share.
I would prefer to make this changes using Alfresco tomcat server and not involve a proxy.
I did the following changes to change the port number:
alfresco-global.properties
alfresco.context=alfresco
alfresco.host=sitename.companyname.com
alfresco.port=8443
alfresco.protocol=https
share.context=share
share.host=sitename.companyname.com
share.port=8443
share.protocol=https
share-config-custom.xml
Change the endpoint url to
http://localhost:8443/alfresco/
Can anyone advise as what changes are needed for the https setting?
Thanks.
Steps for using SSL with alfresco
Settings in server.xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
Settings in alfresco-global.property
alfresco.context=alfresco
alfresco.host=sitename.companyname.com
alfresco.port=8443 alfresco.protocol=https
share.context=share
share.host=sitename.companyname.com
share.port=8443
share.protocol=https
Settings in share-config-custom.xml
Modify endpoint url accordingly ex. https://<domain>:8443/alfresco/

jsp - display tomcat configuration on jsp page

How can I display the value of maxPostSize from the server.xml of an apache tomcat 7 on my jsp page? By the way is there any solution to display the whole configuration?
I need to know if the multipart request overwrites the tomcat configuration in server.xml. That doesn't seem alright, but I think that's the truth.
java
MultipartRequest multi = new MultipartRequest(request, path, 5*1024*1024);
server.xml
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443" maxPostSize="1048576" />
Maybe you use a easy js xml plugin to display the whole xml.
http://www.levmuchnik.net/Content/ProgrammingTips/WEB/XMLDisplay/DisplayXMLFileWithJavascript.html#Usage
Jep, I found out that the multipart request overrides the tomcat configuration. So I can easily set the max upload file size in the constructor of the multipart request.