I'm running an application on Tomcat7 with Apache Portable Runtime, I bought an SSL certificate and configured it correctly - when I try to connect through the ip:port combination, it connects fine but warns me the certificate is issued to the domain name, not the IP.
The VPS I'm on doesn't have SELinux (and there's an issue installing it), which AFAIK is required to have SSL configured in Apache, so I want to just route the requests to Tomcat, which does it on its end.
I configured apache to proxy the connections, first with port 80 that works perfectly:
NameVirtualHost www.mysite.com:80
<VirtualHost www.mysite.com:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName http://www.mysite.com
ServerAlias http://www.mysite.com
ProxyPass / http://localhost:8180/MYSITE/
ProxyPassReverse / http://localhost:8180/MYSITE/
ProxyPassReverseCookiePath /MYSITE/ /
</VirtualHost>
And then with the SSL port that doesn't want to work for some reason:
NameVirtualHost www.mysite.com:443
<VirtualHost www.mysite.com:443>
SSLProxyEngine On
ProxyPreserveHost On
ProxyRequests Off
ServerName https://www.mysite.com
ServerAlias https://www.mysite.com
ProxyPass / https://localhost:8443/MYSITE/
ProxyPassReverse / https://localhost:8443/MYSITE/
ProxyPassReverseCookiePath /MYSITE/ /
CacheDisable *
</VirtualHost>
EDIT:
I added the
RequestHeader set Front-End-Https "On"
directive to the VirtualHost www.mysite.com:443, as per: http://www.gossamer-threads.com/lists/apache/users/396577
Here is the Tomcat APR Connector as configured in Tomcat's server.xml:
<Connector port="8443" maxHttpHeaderSize="16500"
maxThreads="150"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEnabled="true"
SSLCertificateFile="x509-cert-path"
SSLCertificateKeyFile="key-file-path"
/>
There were no errors/warnings enabling the virtual hosts and restarting Apache. When I try HTTPS, this is what I see in Firefox:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
And in Chromium:
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
Apache's error.log shows this warning message:
[warn] [client 216.58.38.90] proxy: no HTTP 0.9 request (with no host line) on incoming request and preserve host set forcing hostname to be www.mysite.com for uri /
I've spent days trying to configure it, and would be very grateful if someone explained what's going on and how to fix it.
Many thanks.
Victor.
You don't need the 8443 HTTPS connector in Tomcat. Apache HTTPD should terminate the SSL connection, and speak plaintext to Tomcat, via ProxyPass / http://localhost:8080/MYSITE/. You just need a plaintext HTTP connector with port=8080, and address=127.0.0.1 so no outsiders can get at it.
Better still, don't have any HTTP connectors in Tomcat, just an AJP connector, address=127.0.0.1 still, and use mod_proxy_ajp in Apache.
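An added diagnostic, not part of the answer above: the :443 VirtualHost in the question has SSLProxyEngine but no SSLEngine on, so Apache answers a browser's TLS ClientHello with plaintext HTTP, the classic cause of ssl_error_rx_record_too_long and ERR_SSL_PROTOCOL_ERROR. This Python probe sends a genuine ClientHello on a raw socket and classifies the first bytes that come back; the plaintext stub server is constructed here to stand in for such a misconfigured vhost.

```python
import socket
import ssl
import threading

def classify_first_bytes(data: bytes) -> str:
    # A TLS record opens with a content-type byte (0x16 handshake, 0x15 alert) and a
    # 0x03xx version; a listener without "SSLEngine on" answers with "HTTP/" instead.
    if not data:
        return "no-response"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    if data[1:2] == b"\x03":
        if data[0] == 0x16:
            return "tls-handshake"
        if data[0] == 0x15:
            return "tls-alert"
    return "unknown"

def client_hello_bytes(server_name: str) -> bytes:
    # Let OpenSSL build a real ClientHello (with SNI) into a memory BIO, no socket needed.
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; OpenSSL now waits for a ServerHello
    return outgoing.read()

def probe(host: str, port: int, server_name: str, timeout: float = 3.0) -> str:
    # Send the ClientHello over a plain TCP socket and classify whatever replies.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello_bytes(server_name))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_first_bytes(data)

def start_plaintext_stub(reply: bytes) -> int:
    # Constructed stand-in for a :443 vhost lacking "SSLEngine on": it answers any
    # bytes with plain HTTP, which the browser then reads as a bogus TLS record.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve() -> None:
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.sendall(reply)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a correctly configured port the same probe returns "tls-handshake" (the ServerHello) rather than "plaintext-http".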
I have a Spring Boot Application that has been set up with SSL handling. I was using iptables rerouting to route all port 80 traffic to the spring boot port 8080 and all 443 traffic to spring boot 8443.
Spring Boot was then redirecting any http traffic to https (443). Everything was working fine.
Now I want to run an Apache2 server and use it to redirect the traffic to Spring Boot instead of using straight up iptables rerouting.
I've created the following conf file for the site:
<VirtualHost *:80>
ServerAdmin mail#gmail.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ErrorLog ${APACHE_LOG_DIR}/site/error.log
CustomLog ${APACHE_LOG_DIR}/site/access.log combined
</VirtualHost>
<VirtualHost _default_:443>
ServerAdmin mail#gmail.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / https://localhost:8443/
ProxyPassReverse / https://localhost:8443/
ErrorLog ${APACHE_LOG_DIR}/site/error.log
CustomLog ${APACHE_LOG_DIR}/site/access.log combined
</VirtualHost>
But it doesn't seem to be working. I get "This site can’t provide a secure connection". Although redirection from http to https (set up in spring boot) does seem to be working.
Most of the things I found on Google show how to configure Spring Boot behind Apache2, with Apache2 handling SSL. How do I set it up so that it's Spring Boot that handles the SSL, and Apache just basically does the port mapping? Or would it be less pain to set up Apache to handle SSL?
Looks like what I want is "Pass through SSL proxying" which Apache2 doesn't support.
From looking around Nginx does support something like this: https://serversforhackers.com/c/tcp-load-balancing-with-nginx-ssl-pass-thru
But even then there are extra complications, because this makes it difficult for the server to figure out which host the request is being sent to, as it can't decrypt the encrypted requests.
The point of setting up a web server in front of Spring Boot was to host multiple sites on this server, so I think I'll just set up Apache2 to terminate SSL.
Good day,
I have an Apache server (10.8.111.67); I configured it to ProxyPass to my app server's HTTP port (10.8.1.63), and it works. What I do in httpd.conf is just as follows:
ProxyPass "/mfp" "http://10.8.1.63:9080/mfp"
ProxyPassReverse "/mfp" "http://10.8.1.63:9080/mfp"
However, I should proxy pass to an HTTPS URL instead of HTTP.
I googled around and found that I need to configure something in ssl.conf; the following is what I plan to do:
<VirtualHost 10.8.111.67:80>
SSLEngine on
SSLCertificateFile ???
SSLCertificateKeyFile ???
ProxyPass "/mfp" "http://10.8.1.63:9080/mfp"
ProxyPassReverse "/mfp" "http://10.8.1.63:9080/mfp"
</VirtualHost>
I am not sure what cert I should actually put for SSLCertificateFile; is it the cert from the app server? Can I use the openssl command to download it?
And for SSLCertificateKeyFile, what file should I put there? The private key from the app server? May I know how to generate the private key on the web server? I ran ssh-keygen and got id_rsa.pub and id_rsa.
Kindly advise.
Kindly notify me if I am doing something wrong.
You don't need to configure certificates in the virtualhost just to proxy to an SSL backend.
To reverse proxy to an SSL backend you just need to make sure mod_ssl is loaded and that you have the directive SSLProxyEngine on, which lets the reverse proxy talk to an SSL backend.
Loading certificates in a virtualhost is for virtualhosts that will listen for SSL connections, mainly virtualhosts on port 443.
So based on your description, to reverse proxy to the SSL backend, aside from the mod_ssl module being loaded what you want is:
<VirtualHost 10.8.111.67:80>
ServerName youshouldefinethisalways.example.com
SSLProxyEngine on
ProxyPass /mfp https://backend-server.example.com/mfp
ProxyPassReverse /mfp https://backend-server.example.com/mfp
</VirtualHost>
I have deployed my Angular2 web application on an AWS Tomcat server which runs on port 8080. I have my Spring Boot backend application deployed on the same Tomcat server.
Already mapped my public address with my registered domain in Godaddy.
Now I can access my application by http://example.com:8080/my_client
I want to access it directly by http://example.com. I don't want to see the 8080 port and the application name in the URL.
I already tried the Apache proxy config, but was not able to get the expected result.
There are 2 options:
1) Change the Tomcat port from 8080 to 80 (not recommended).
nano tomcat_dir/conf/server.xml
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
2) Use an Apache virtual host config.
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName example.com
# ProxyPass takes a local path as its first argument, not a URL; trailing slashes on both sides keep the mapping consistent
ProxyPass / http://localhost:8080/example/
ProxyPassReverse / http://localhost:8080/example/
</VirtualHost>
I have a server hosting multiple websites using Tomcat 7, for example
a.abc.com
b.abc.com
c.def.com
d.def.com
Using tomcat's virtual hosting feature, so they each may belong to different webapps folder.
We're now trying to implement HTTPS for each of the sites. So basically we have 2 wildcard certificates, *.abc.com and *.def.com.
I've been looking for the ways to setup and I found:
This, where it taught me how to set up SSL with Tomcat
This, where it taught me how to set up multiple Hosts with different SSL certificates pointing at different IP addresses
The second example is closest to what I need, but the problem is that all of my virtual hosts share the same IP address; the only difference is the domain name itself, and worse, most of them even have a couple of different aliases (eg: my d.def.com could have e.ghi.com as one of its aliases).
So my question would be, is there any way I could set up my multiple SSL certificates for all my virtual hosts?
I'm afraid it's not possible to fulfill all your requirements with tomcat:
multiple domains
two SSL certificates
unique IP address
standard SSL port (I have assumed it)
Tomcat SSL Configuration is defined in <Connector> element at config.xml
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
Each connector requires a port attribute. See the definition in the HTTP Connector documentation:
The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address.
Therefore you can't define two connectors using the same port, and so it is not possible to configure different SSL certificates.
Alternatives
Several IPs: The address attribute configures which address will be used for listening on the specified port. Set an IP per main domain using an SSL certificate and configure a Connector for it
Different ports: 443 for *.abc.com, 444 for *.def.com, and so on
SSL Proxy: Deploy a proxy server like Apache or Nginx in front of tomcat. The proxy only deals with SSL negotiation and virtual hosts. All the traffic is redirected to Tomcat in plain HTTP.
Just as an example, using Apache mod_ssl and the Tomcat connector mod_jk, your requested configuration is simple:
Listen 443
<VirtualHost *:443>
ServerName a.abc.com:443
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile "/home/certs/abc.com.crt"
SSLCertificateKeyFile "/home/certs/abc.com.key"
SSLCertificateChainFile "/home/certs/abc.com.ca-bundle"
SSLOptions +StdEnvVars +ExportCertData
ErrorLog "/var/logs/error_abc_443.log"
TransferLog "/var/logs/error_abc_443.log"
JkMount /* worker1
</VirtualHost>
<VirtualHost *:443>
ServerName c.def.com:443
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile "/home/certs/def.com.crt"
SSLCertificateKeyFile "/home/certs/def.com.key"
SSLCertificateChainFile "/home/certs/def.com.ca-bundle"
SSLOptions +StdEnvVars +ExportCertData
ErrorLog "/var/logs/error_def.log"
TransferLog "/var/logs/error_def.log"
JkMount /* worker2
</VirtualHost>
I have a problem configuring the Apache ProxyPass directive for two applications that have two different context paths in Tomcat. Tomcat is running behind Apache and I use Apache to proxy the requests to Tomcat. In Apache I want to access both applications via a hostname instead of a context path.
Scenario:
tomcat
https://domain:8443/app1
https://domain:8443/app2
In Tomcat the applications have the context paths app1 and app2.
In Apache I want to enable both applications as follows:
https://app1.host/
https://app2.host/
In apache I have created a configuration for each domain:
ProxyPass / https://localhost:8443/app1
ProxyPassReverse / https://localhost:/8443/app1
The strange thing is app1 is only available through apache using the context path:
https://app1.host/app1
Is it possible to realize such a setup with apache ProxyPass module?
Thanks for your help.
You should be able to achieve the result you want by using virtual hosting. Also it's a good idea to pass the requests to tomcat via the AJP protocol instead of HTTPS. Try adding this to the Apache configuration
NameVirtualHost *:443
<VirtualHost *:443>
ServerName app1.host
ProxyPass / ajp://localhost:8009/app1/
</VirtualHost>
<VirtualHost *:443>
ServerName app2.host
ProxyPass / ajp://localhost:8009/app2/
</VirtualHost>
If you haven't changed the default server settings for Tomcat this should work just as it is. Otherwise make sure to specify the AJP port that is configured in Tomcat's conf/server.xml file. There should be a line similar to this:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Make sure that you have the mod_proxy and mod_proxy_ajp modules loaded in Apache configuration, this may vary depending on your Apache installation. Also remove any previously configured 'ProxyPass / ...' lines as they will interfere with the new configuration. Hope this works for you.
You can try
ProxyPass / https://localhost:8443/app1/
ProxyPassReverse / https://localhost:8443/app1/
with the trailing /.
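A small Python model of the prefix rewriting the last two answers rely on, added here and not taken from either answer: ProxyPass cuts the matched prefix off the request path and appends the remainder to the backend URL as a plain string, which is why ProxyPass / https://localhost:8443/app1 sends /login.jsp to /app1login.jsp and the trailing slash fixes it; ProxyPassReverse and ProxyPassReverseCookiePath (the /MYSITE/ to / mapping from the first question) are the corresponding reverse swaps. mod_proxy's extra path-segment boundary checks are left out of this model.

```python
from typing import Optional

def proxy_pass(path: str, url: str, request_path: str) -> Optional[str]:
    # ProxyPass <path> <url>: the matched prefix is removed from the request path and
    # the remainder is appended to <url> verbatim, whether or not <url> ends in "/".
    if not request_path.startswith(path):
        return None  # no ProxyPass rule matched; Apache serves the request itself
    return url + request_path[len(path):]

def proxy_pass_reverse(path: str, url: str, location: str) -> str:
    # ProxyPassReverse <path> <url>: a backend Location header beginning with <url>
    # gets that prefix swapped for <path>; anything else passes through untouched.
    # A relative result such as "//" is later turned into an absolute URL by Apache.
    if not location.startswith(url):
        return location
    return path + location[len(url):]

def reverse_cookie_path(internal: str, public: str, set_cookie: str) -> str:
    # ProxyPassReverseCookiePath <internal> <public>: rewrite only the Path= attribute
    # of a backend Set-Cookie header so the browser scopes the cookie to the public path.
    parts = []
    for attr in set_cookie.split(";"):
        name, sep, value = attr.strip().partition("=")
        if name.lower() == "path" and value.startswith(internal):
            value = public + value[len(internal):]
        parts.append(name + sep + value)
    return "; ".join(parts)

if __name__ == "__main__":
    # The two mappings from the thread, side by side, for a request to /login.jsp.
    for backend in ("https://localhost:8443/app1", "https://localhost:8443/app1/"):
        print(backend, "->", proxy_pass("/", backend, "/login.jsp"))
```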