Limiting Tomcat http connector to Apache server - apache

I am using Apache 2.4 in front of Tomcat 7. I am trying to use WebSockets, so I have configured an HTTP-based connector in Tomcat as below:
<Connector port="8009"
protocol="HTTP/1.1"
proxyPort="80"
maxPostSize="10485760"
redirectPort="8443"
URIEncoding="UTF-8"/>
I have configured mod_proxy, mod_proxy_wstunnel and mod_proxy_http in Apache 2.4. WebSocket connections work fine when the app is accessed via "http://webserver/myapp".
However, the app can also be accessed via http://webserver:8009/myapp.
I want my app to be accessible only via the Apache webserver (http://webserver/myapp) and NOT directly via Tomcat (http://webserver:8009/myapp). I cannot use AJP modules (mod_proxy_ajp or mod_jk) because the AJP modules don't support WebSockets.
Is there a way I can limit the Tomcat Connector to the Apache webserver only?

You can use this.
<Context path="/manager" docBase="manager" reloadable="true" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteIpValve"/>
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="<your IP regex>"/>
</Context>
Change the appropriate valve in the Context path, docBase and IP address. This would at least restrict it to localhost.
The other way is to have Tomcat listen only on localhost with the help of the code below.
<Connector port="8009" address="127.0.0.1" protocol="HTTP/1.1" proxyPort="80" maxPostSize="10485760" redirectPort="8443" URIEncoding="UTF-8"/>
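An added audit script, not from this thread, that parses a Tomcat server.xml and reports every connector not bound to a loopback address. It runs over two constructed samples: the questioner's connector as posted, and the same connector with address="127.0.0.1" plus an Engine-level RemoteAddrValve (that valve placement and its allow regex are this example's assumption; the answer above uses a Context-level RemoteHostValve instead).

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
ADDR_VALVES = {"org.apache.catalina.valves.RemoteAddrValve",
               "org.apache.catalina.valves.RemoteHostValve"}

# Constructed sample 1: the questioner's connector. No address attribute, so
# Tomcat binds port 8009 on every interface and clients can bypass Apache.
EXPOSED_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="HTTP/1.1" proxyPort="80" redirectPort="8443"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"/>
  </Engine>
</Service></Server>"""

# Constructed sample 2: the same connector bound to loopback, plus an
# Engine-level RemoteAddrValve so only loopback clients are served even if
# the bind address is later changed (defence in depth, assumed layout).
HARDENED_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="HTTP/1.1" proxyPort="80" redirectPort="8443"
             address="127.0.0.1"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127\\.0\\.0\\.1|::1"/>
    <Host name="localhost" appBase="webapps"/>
  </Engine>
</Service></Server>"""


def guarded_by_valve(root) -> bool:
    """True if an Engine- or Host-level address valve filters every request.
    A Context-level valve (as in the answer above) only covers that one
    webapp, so it is deliberately not counted here."""
    containers = list(root.iter("Engine")) + list(root.iter("Host"))
    return any(valve.get("className") in ADDR_VALVES
               for c in containers for valve in c.findall("Valve"))


def audit_connectors(server_xml: str) -> list:
    """Return (port, bind address, guarded) for every connector reachable
    from other hosts, i.e. not bound to a loopback address."""
    root = ET.fromstring(server_xml)
    guarded = guarded_by_valve(root)
    findings = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")  # absent means all interfaces
        if addr not in LOOPBACK:
            findings.append((conn.get("port"), addr or "*", guarded))
    return findings
```

Run it against the real server.xml by reading the file into a string; a result of `[('8009', '*', False)]` is exactly the exposure the question describes.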

Use a firewall on your server. This way you not only make tomcat unavailable, but also any other process that happens to open a port on that machine.
Whitelist the ports that you want to be available to the world and default to blocking every other port.

Related

AWS load balancer always routes 443 to 8443

I am serving up content on an EC2 instance running Tomcat 7. I have all traffic routing in the Tomcat config to 8443 and a valid cert installed. When I explicitly put https://website.com:443 the site loads fine, but when I put in http://website.com it should route to https on port 443, but it uses port 8443 instead. Anyone have any idea why this would be happening? I have the exact same config working on another server, but I have two new servers that don't want to behave.
In my Tomcat server.xml I have:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
keystoreFile="conf/cert.p12"
keystorePass="password"
keystoreType="PKCS12" />
and in web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you require authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Found an answer to this; turns out I had to route all traffic over TCP from 8443 to 8443. The client was requesting port 80, routing to 8080 per my load balancer config for Tomcat to serve up content, and Tomcat was turning the request into a request for port 8443.
8443 wasn't being routed back to 8443 on the Tomcat server, so it just ended up in a dead end. Hope this helps someone else someday.
Tomcat sends a redirect when using a transport-guarantee of CONFIDENTIAL.
By default this is your connector port. Run curl -vs http://website.com to confirm.
You could set the http/8080 connector's redirectPort to 443, but this means you are choosing ELB redirects to work. Local Tomcat redirects will then start failing, as nothing listens locally on 443; just the ELB does.

WebSockets through Apache and Tomcat: HTTP upgrade is not supported by the AJP protocol

I am developing with WebSockets, and made a working web application running on Tomcat 8. However, when testing with Apache 2 in front of it, the client is getting an HTTP 500 and the Tomcat log says:
java.lang.UnsupportedOperationException: HTTP upgrade is not supported by the AJP protocol
at org.apache.coyote.ajp.AbstractAjpProcessor.action(AbstractAjpProcessor.java:587)
at org.apache.coyote.Request.action(Request.java:379)
at org.apache.catalina.connector.Request.upgrade(Request.java:1886)
at org.apache.catalina.connector.RequestFacade.upgrade(RequestFacade.java:1114)
at org.apache.tomcat.websocket.server.UpgradeUtil.doUpgrade(UpgradeUtil.java:231)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:77)
This worked when accessing Tomcat directly through its HTTP connector. If this is not supported with AJP, is there a workaround?
Use the Apache module mod_proxy_wstunnel:
sudo a2enmod proxy_wstunnel
Then use it to let WebSocket connections through by adding this to apache.conf:
ProxyPass "/ws2/" "ws://localhost:8180/ws"
And make sure you have enabled an HTTP connector in Tomcat by using <Connector protocol="HTTP/1.1" port="8180" ...> in server.xml.

After using mod_proxy the web application is no more accessible from other computer

I used Apache proxy support in Tomcat to remove the port number from the URL. Here is what I did:
In the http.conf file I added
LoadModule proxy_module mod_proxy.so
ProxyPass /alfresco http://localhost:8080/alfresco
ProxyPassReverse /alfresco http://localhost:8080/alfresco
In server.xml file of tomcat
<Connector port="8080" ...
proxyPort="80"/> (I didn't give proxy name)
Now I am able to access the web application using http://localhost/alfresco on my machine. But when I try this from another machine in my LAN using http://machine1/alfresco I get a "page cannot be displayed" error. But if I try http://machine1 I get the "It works" page of Apache. What went wrong?
Previously I was able to use the application from another machine.
I removed the proxyPort="80" in the server.xml file and now it's working.

(Tomcat Apache configurations)can't see Tomcat Apache landing page

Actually, I'm new to Linux and its configuration. I just installed Tomcat Apache 7.0.52 on my Debian Linux. I entered 192.168.56.10, the server IP, but it shows the "It works!" page, which means the older Apache server (Apache/2.2.16 (Debian)) is running, not Tomcat; the correct page should contain Tomcat's logo. Is there any configuration I missed?
Check the server.xml. Tomcat's port is normally 8080, if you have not changed it. So please try the IP with the port: 192.168.56.10:8080
This defines the port where the server listens:
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />

Configuration to get the images from the apache

I have multiple Tomcat servers. In each tomcat I am loading all images. I want to move the images from Tomcat to Apache and access the images from there.
My question is: is there any configuration to get the images in a Java web application from Apache instead of Tomcat?
I don't think so - images are shown by resolving their URL, and in most cases it is relative to the current page.
But you can use mod_proxy (or mod_jk) to use all your tomcats through Apache.
Hide your tomcat servers behind an apache server and then you can do something like this:
<VirtualHost www.example.com:80>
ServerName www.example.com
DocumentRoot /var/www/html
ProxyPass /img !
ProxyPass / ajp://localhost:1234/
</VirtualHost>
Apache will serve /img from /var/www/html/img and other requests will be sent to Tomcat. This configuration needs the mod_proxy_ajp Apache module to be active. Tomcat must listen for AJP requests on the given port; use:
<Connector port="1234" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" URIEncoding="UTF-8" />
And configure tomcat to serve www.example.com or the default virtual host.
<Host
name="www.example.com"
appBase="/path/to/tomcat/apps/www.example.com"
unpackWARs="true"
autoDeploy="true"
xmlValidation="false"
xmlNamespaceAware="false"
/>
or
<Host
name="localhost"
appBase="/path/to/tomcat/apps/www.example.com"
unpackWARs="true"
autoDeploy="true"
xmlValidation="false"
xmlNamespaceAware="false"
/>
Deploy your webapp to /path/to/tomcat/apps/www.example.com/ as ROOT.war, this should be enough to have the whole setup up and running.