Liferay Web Form recaptcha issue on SSL reverse proxied site - ssl

Our installation of the Liferay 6.2 EE Tomcat bundle is behind an Apache HTTPD reverse proxy, with SSL terminating at the load balancer. We do not have any SSL configuration on Tomcat 7 and are not using AJP.
We ran into an issue using the web form portlet with reCaptcha on the default site over SSL. The reCaptcha image was not rendered on the web form after configuring reCaptcha in the Control Panel and then configuring the web form to use reCaptcha.
reCaptcha worked on another (plain HTTP) Liferay 6.2 EE installation and site without issue.
There were errors in the browser console in both Firefox and Chrome:
Blocked loading mixed active content "http://www.google.com/recaptcha/api/challenge?k=asabsds50"
The reCaptcha call seemed to be made over http, not https.
Thanks!

Liferay needs Tomcat configured in server.xml so that redirectPort is the same as the port Tomcat is listening on (e.g. 8080), with the secure flag set to true. Restart Tomcat and test.
The Apache reverse proxy in our case points to this port. This configuration worked: now reCaptcha renders and the web form submits successfully.
<Connector port="listeningport" protocol="HTTP/1.1"
           connectionTimeout="20000" secure="true"
           redirectPort="listeningport" URIEncoding="UTF-8" />
The old server.xml config was:
<Connector port="listeningport" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" URIEncoding="UTF-8" />
Hope this helps

Related

Apache to Tomcat Cookie issue when using SSL termination through nginx

I'm testing our app on a Kubernetes cluster. We have an Nginx controller which handles SSL termination and passes HTTP traffic to an Apache server. Apache serves static content and forwards everything JSP-related to Tomcat.
For some reason the webapp doesn't work on the first try when doing SSL termination (the website itself works fine), but if I reload the page and try to use the app again, everything works on this second attempt (meaning it doesn't load some of the automatic functions on the first attempt; this can be reproduced by clearing the cache and logging in).
I spoke to the developers and they mentioned it could be a cookie issue.
Current setup which is not working:
Nginx controller (SSL termination) -> Apache (HTTP, port 80) -> Tomcat (HTTP, port 8080).
Setup which works fine:
Nginx controller (SSL passthrough) -> Apache (HTTPS, port 443) -> Tomcat (HTTPS, port 8080).
I can't get rid of Apache in between; it is really needed for the app temporarily.
What settings are required to make this work? I've tried the following:
Disabled port 443 on Apache
Disabled the 8443 ports and all redirects to port 8443, listening only on 8080
Modified web.xml to set http-only and the secure bit to true on the Tomcat server:
<session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
Anything else that needs to be done? I've spent a day troubleshooting this and couldn't figure it out yet.
server.xml contains only these enabled lines; the rest are commented out or defaults:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" />
<Connector port="8009" maxThreads="2000"
           enableLookups="false" redirectPort="80" protocol="AJP/1.3"/>
<Engine name="Catalina" defaultHost="localhost" jvmRoute="server001">
  <!-- Cluster config removed here since it is all default -->
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">
    <Context path="" docBase="/usr/local/tomcat/webapps/ROOT.war" debug="0" distributable="true">
    </Context>
  </Host>
</Engine>
httpd.conf has nothing but defaults since SSL is disabled, so there is no virtual host. The only thing added to httpd.conf is:
JkMount /* ajp13
workers.properties is the following:
# - An ajp13 worker that connects to localhost:8009
worker.list=ajp13
#------ DEFAULT ajp13 WORKER DEFINITION ------------------------------
# Defining a worker named ajp13 and of type ajp13
worker.ajp13.port=8009
worker.ajp13.host=$(TOMCAT_SERVER)
worker.ajp13.type=ajp13
worker.ajp13.reply_timeout=15000
worker.ajp13.lbfactor=1
#worker.ajp13.cachesize
worker.loadbalancer.balanced_workers=ajp13
The webapp needs to communicate with a Java TCP server through a websocket, so we have a WebSocket server written in Node.js. It just forwards traffic from the websocket to the Java server's TCP connection.
But it has its own SSL certs set up. Since by default the Nginx controller on GCP doesn't deal with SSL termination for TCP services, I have configured the Node.js backend service to accept SSL traffic directly on port 1234, for example. This service runs on the Tomcat server. I don't know if this is creating a conflict, since they all connect to the same domain name.
Your problem probably arises because the application does not understand that the request came over a secure channel.
Servlet API applications know that a request was sent through a secure channel based on the result of ServletRequest#isSecure(). For requests that came over HTTP, this value depends on whether SSL was enabled or not.
When you use the AJP connector, this information and much more is transmitted by the Apache server. This works perfectly well in the "SSL passthrough" configuration. However, when the SSL connection terminates at NGINX you are in the situation described by the Reverse Proxy HOW-TO:
In some situations this is not enough though. Assume there is another less clever reverse proxy in front of your web server, for instance an HTTP load balancer or similar device which also serves as an SSL accelerator.
Then you are sure that all your clients use HTTPS, but your web server doesn't know about that. All it can see is requests coming from the accelerator using plain HTTP.
If you wanted to keep this configuration for a long time, I would suggest following the aforementioned HOW-TO. For short-term usage there is a simpler solution: hardcode in Tomcat's configuration that all AJP requests are secure:
<Connector port="8009"
           maxThreads="2000"
           enableLookups="false"
           protocol="AJP/1.3"
           secure="true"
           scheme="https"/>
The scheme attribute tells Tomcat which scheme was used by the original client; the connector will still use AJP.
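The two fixes on this page so far (the secure="true" flag on the Liferay HTTP connector in the first answer, and secure="true" scheme="https" on the AJP connector in this one) and the Reverse Proxy HOW-TO alternative this answer points to differ in one security-relevant way: who is trusted to say that the original request was HTTPS. The Python below is an added illustration written for this page, not Tomcat code or code from either post. It models, with a simplified request object, how a servlet container arrives at getScheme()/isSecure() under each approach. The RemoteIpValve attribute names it quotes are Tomcat's real ones; the CIDR list, hostnames and addresses are assumptions.

```python
"""How a servlet container decides isSecure()/getScheme() behind a TLS-terminating proxy.

Added illustration, not code from the original posts or from Tomcat. It models
three configurations discussed on this page:

  1. nothing configured: the Connector's own scheme/secure are used, so every
     request looks like plain http (mixed-content and http:// redirect symptoms);
  2. scheme="https" secure="true" hardcoded on the Connector: every request is
     treated as secure, whatever actually reached the proxy;
  3. a RemoteIpValve-style rule (the Reverse Proxy HOW-TO): honour the proxy's
     X-Forwarded-Proto header, but only when the TCP peer is an internal proxy,
     so a client that reaches Tomcat directly cannot spoof it.

Tomcat's equivalent of (3) is a Valve in server.xml such as
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" />
The CIDR list below is an assumption standing in for that valve's
internalProxies regular expression.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Connector:
    """The server.xml <Connector> attributes that matter here."""
    scheme: str = "http"
    secure: bool = False


@dataclass
class Request:
    """The parts of an incoming request the container inspects."""
    remote_addr: str            # TCP peer: the proxy, or a client talking to Tomcat directly
    host: str                   # Host header as forwarded by the proxy
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# Assumption: private and loopback ranges approximate RemoteIpValve's default internalProxies.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PROXIES)


def resolve_scheme(req: Request, connector: Connector,
                   use_forwarded_proto: bool = False,
                   protocol_header: str = "X-Forwarded-Proto") -> Tuple[str, bool]:
    """Return (scheme, secure) as getScheme()/isSecure() would report them."""
    scheme, secure = connector.scheme, connector.secure
    if use_forwarded_proto and is_internal_proxy(req.remote_addr):
        proto = req.header(protocol_header)
        if proto is not None:
            # Only the https value upgrades the request; any other value means plain http.
            if proto.strip().lower() == "https":
                scheme, secure = "https", True
            else:
                scheme, secure = "http", False
    return scheme, secure


def absolute_url(req: Request, connector: Connector, **resolve_opts) -> str:
    """Build an absolute URL the way a redirect Location or script URL would be generated."""
    scheme, _ = resolve_scheme(req, connector, **resolve_opts)
    return f"{scheme}://{req.host}{req.path}"


if __name__ == "__main__":
    # Constructed samples: one request relayed by the proxy, one sent straight to Tomcat.
    from_proxy = Request("10.0.0.5", "www.example.com", "/c/portal/login",
                         {"X-Forwarded-Proto": "https"})
    spoofed = Request("203.0.113.7", "www.example.com", "/c/portal/login",
                      {"X-Forwarded-Proto": "https"})
    print("1. default connector:  ", absolute_url(from_proxy, Connector()))
    print("2. hardcoded https:    ", absolute_url(from_proxy, Connector("https", True)))
    print("3. valve, real proxy:  ", absolute_url(from_proxy, Connector(), use_forwarded_proto=True))
    print("3. valve, spoofed hdr: ", absolute_url(spoofed, Connector(), use_forwarded_proto=True))
```

Case 1 reproduces the symptom in both questions: the generated URL starts with http:// although the client used HTTPS. Case 2 is what the two answers configure and is fine as long as nothing can reach the Tomcat port except the proxy, because it declares every request secure. Case 3 is the HOW-TO approach: the header is believed only from an address in internalProxies, so the spoofed request stays http.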

302 redirect, Tomcat behind Apache for hybris

I've configured hybris and Apache with mod_jk using the blog article below.
www.facebook.com/permalink.php?id=317609748375071&story_fbid=680730588729650
hybris is running completely fine on Tomcat, with HTTP on port 9001 and HTTPS on port 9002.
One of the developers has also configured redirection at the hybris level,
so any request that comes in for http://hot.local:9001/ gets automatically
redirected to https://hot.local:9002/abc/en.
Now I'm stuck at the Apache and mod_jk configuration.
I'm not able to set up URL redirection in Apache with the mod_jk configuration.
I'm getting the error below:
[22993:22208] [debug] jk_handler::mod_jk.c
(2047): Service finished with status=302 for worker=tss1
I'm configuring the above on Ubuntu.
1) Opened port 443 exclusively in Ubuntu
2) Included redirectPort="8443" in Tomcat's server.xml
3) Included the tag below in the apache2 SSL config
JkMountCopy On

How do I point my web application from port number 8080 to 80?

I know this seems like a very basic question.
I have a Java EE web application running on port 8080. So when I try to access it, I have to type domainname.com:8080/DomainName. I want to access it by domainname.com, for which I'm supposed to change the port number from 8080 to 80. I made this change in my server.xml in the conf folder after going through a few answers on SO:
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
But I still get a 404 error. Please help. Is there something I'm not doing/doing wrong?
I'm using Tomcat7 on a Windows server.
If there's a similar question (which I may have not come across) please post it in the comments, thanks!
You can install Apache and configure it to work with your Tomcat via the AJP port, so Apache will listen on port 80 and redirect requests to your Tomcat.
Here is a reference:
http://www.ntu.edu.sg/home/ehchua/programming/howto/ApachePlusTomcat_HowTo.html

force https in WebFlow

I have a Grails application deployed on Tomcat 7 and exposed by Apache 2. The Grails application responds on port 8080 of the server the standard way, but on Apache 2 it is served to the user over https://.
All works right except for a WebFlow controller. When the WebFlow redirects the user, it changes https:// to http://.
How can I force WebFlow to use https://?
Have you configured Tomcat to be aware of the fact that it is behind an HTTPS reverse proxy? You should set scheme="https" and secure="true" on the Connector element in server.xml.
Also make sure your grails.serverURL in Config.groovy is the full https URL from the clients' point of view.
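A way to verify the fix in the answer above from the client side, as an added example that is not part of the original answer: once scheme="https" and secure="true" are in place, redirect Location headers should keep https://, and Tomcat marks the JSESSIONID cookie Secure because request.isSecure() is now true (the web.xml `<cookie-config><secure>true</secure>` setting from the Kubernetes question forces that flag regardless). The script parses a raw header block such as `curl -sS -D - -o /dev/null https://host/path` prints and reports anything that still looks like the broken state. The two responses embedded in it are constructed samples, not captures from any system on this page.

```python
"""Audit captured response headers for the 'Tomcat does not know it is behind HTTPS' symptoms.

Added example for this page, not code from the original posts. Two things tell
the client that the container believes the request was plain http: a redirect
whose Location has an http:// scheme, and a session cookie issued without the
Secure attribute. Feed it the header block captured with
    curl -sS -D - -o /dev/null https://www.example.com/app/
(hostname is an assumption) and an empty findings list means both are fixed.
"""
from typing import List, Set, Tuple
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_response_headers(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x header block into (status, [(lowercased name, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break                               # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_attributes(set_cookie: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_response(raw: str, public_scheme: str = "https",
                   session_cookie: str = "JSESSIONID") -> List[str]:
    """Return findings; an empty list means the response looks proxy-aware."""
    status, headers = parse_response_headers(raw)
    findings: List[str] = []
    if status in REDIRECT_STATUSES:
        for name, value in headers:
            if name == "location":
                scheme = urlsplit(value).scheme.lower()   # relative Locations have no scheme
                if scheme and scheme != public_scheme:
                    findings.append(f"Location downgrades to {scheme}://: {value}")
    for name, value in headers:
        if name == "set-cookie":
            cname, attrs = cookie_attributes(value)
            if cname == session_cookie:
                if "secure" not in attrs:
                    findings.append(f"{cname} cookie lacks Secure")
                if "httponly" not in attrs:
                    findings.append(f"{cname} cookie lacks HttpOnly")
    return findings


# Constructed sample: Tomcat believes the request was plain http.
BROKEN_RESPONSE = """\
HTTP/1.1 302 Found
Server: Apache
Location: http://www.example.com/app/login
Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; HttpOnly
Content-Length: 0
"""

# Constructed sample: the same redirect after scheme="https" secure="true" was applied.
FIXED_RESPONSE = """\
HTTP/1.1 302 Found
Server: Apache
Location: https://www.example.com/app/login
Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; Secure; HttpOnly
Content-Length: 0
"""

if __name__ == "__main__":
    for label, raw in (("before", BROKEN_RESPONSE), ("after", FIXED_RESPONSE)):
        print(label, audit_response(raw) or ["OK"])
```

The Location check matters beyond WebFlow: any servlet redirect built from the request scheme (the hybris 302 earlier on this page, a Liferay login redirect) shows the same downgrade, and a browser that follows it leaves TLS for one hop. The missing Secure flag is the part a user does not see but a network attacker does, since the session cookie is then sent on that plain http request.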

How do I create a web service with HTTPS endpoint in Apache CXF

I have Apache as a front end to my Tomcat server, where I have deployed a CXF web service. All access to my web service happens through SSL, which is handled by the Apache web server. This means that my Tomcat server is totally unaware of SSL. As a result, my CXF-generated web service has an http endpoint URL. How do I make it HTTPS while leaving SSL handling to the Apache web server? Any clue on how to override the endpoint URL scheme?
If you do that, you should also set the proper address (the one with HTTPS) in publishedEndpointURL.
Like here: How to start cxf service on localhost but return external address in wsdl?
This will make the imports in the generated WSDL point to the proper URLs.
In your case you need to enable the SSL connector for Tomcat (in case you use mod_proxy in Apache), or you need to enable a secured AJP connector (in case you use mod_jk):
<Connector protocol="AJP/1.3" redirectPort="443" scheme="https" secure="true"
           address="127.0.0.1" port="8009" />
CXF is out of the game here.
I had the same problem and solved it by using a JNDI lookup for a base URL, then constructing a URL for publishedEndpointUrl. In XML config, it looks something like this:
<jee:jndi-lookup id="ProxyURL" jndi-name="myProxyURL" resource-ref="true" cache="true" />
<bean id="EndpointURL" class="java.lang.String">
    <constructor-arg value="#{ProxyURL+'/myServiceAddress'}"/>
</bean>
<jaxws:endpoint
    id="myServiceEndpoint"
    ...[other parameters]...
    publishedEndpointUrl="#EndpointURL">
</jaxws:endpoint>