Will a self-signed certificate work behind an Apache reverse-proxy? - apache

We want to use Apache as our reverse proxy to a collection of app servers. We plan to use a CA-signed SSL certificate on the Apache instance but wanted to use self-signed certificates on the app server instances (so that the Apache to app server connection also was encrypted). We don't want to install a CA-signed SSL certificate on the app server instances if we don't have to.
Will Apache allow this configuration of having self-signed certificates on the app server instances?

If you have a large collection of app servers, it would probably make more sense to have your own internal CA, instead of having to manage each self-signed certificate one by one.
If you want the connections between an Apache Httpd reverse proxy and its worker nodes to use HTTPS, you can configure the certificates trusted by Apache Httpd using the SSLProxy* directives of mod_ssl (as documented in the introduction of the mod_proxy documentation), in particular SSLProxyCACertificateFile.
You'll need to use mod_proxy_http for this, since AJP connections are not made over SSL/TLS.
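The setup the answer describes, as an added example that is not part of the original answer: a small internal CA built with the openssl CLI (the "own internal CA" suggested above), a certificate issued to one app server, and the mod_ssl/mod_proxy_http directives that make Apache httpd verify that chain rather than merely encrypt the hop. The host name app1.internal, port 8443 and every path are assumptions for the demo; the last two functions show, with `openssl verify`, the same accept/reject decision mod_ssl makes once SSLProxyVerify is set to require (its default is none, which accepts any certificate).

```shell
#!/bin/sh
# Added example, not code from the original answer. Stands up a small internal CA
# with the openssl CLI, issues a certificate to one app server, and writes the
# mod_ssl/mod_proxy_http directives that make Apache httpd verify that chain.
# "app1.internal", port 8443 and all paths are assumptions for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Internal CA: one self-signed root that only the reverse proxy has to trust.
make_internal_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Internal Proxy CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# App server certificate: key and CSR are made on the app server, only the CSR
# travels to the CA. The SAN must equal the host name Apache dials, because
# SSLProxyCheckPeerName compares the two.
issue_app_cert() {
    host="$1"
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$host" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# A certificate the app server could have made for itself without the CA: this is
# what anyone on the internal network could present, and what must be rejected.
make_rogue_selfsigned() {
    openssl req -x509 -config "$WORK/ca.cnf" -subj "/CN=$1" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Proxy side. mod_ssl's default is "SSLProxyVerify none": the hop is encrypted
# but any certificate is accepted. These directives pin the internal CA instead.
write_apache_proxy_conf() {
    host="$1"
    cat > "$WORK/proxy-ssl.conf" <<EOF
SSLProxyEngine on
SSLProxyCACertificateFile $WORK/ca.crt
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
ProxyPass        / https://$host:8443/
ProxyPassReverse / https://$host:8443/
EOF
}

# The same chain check mod_ssl performs, done with the CLI: succeeds only when
# the certificate chains to the internal CA.
cert_accepted() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" 2>&1 | grep -q ': OK$'
}

make_internal_ca
issue_app_cert app1.internal
make_rogue_selfsigned app1.internal
write_apache_proxy_conf app1.internal
cert_accepted "$WORK/app1.internal.crt" && echo "app1.internal.crt: issued by the internal CA, accepted"
cert_accepted "$WORK/rogue.crt" || echo "rogue.crt: self-signed, rejected"
```

Only ca.crt needs to be copied to the Apache host; ca.key stays offline and is used solely to sign new CSRs. Adding a second app server is one more `issue_app_cert` call and one more ProxyPass, with no change to what Apache trusts.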

Related

SSL certificate in tomcat and apache ( use in both)

I have SSL wildcard certificate.
I have tomcat as well as apache server running on my machine.
Currently SSL has been applied on Tomcat, but Apache, being my wrapper server, needs an SSL certificate too.
Both apache and tomcat are on same machine.
Can I use the same wildcard for both of them?
Yes, you can use the same wildcard SSL certificate (but only for one domain, such as *.domain.com) for both Tomcat and Apache. You can even use the same wildcard SSL certificate on different servers too.

Do I need any additional configuration for express to use https?

If I got a signed certificate from letsencrypt.org and baked it into my nginx web server, does that mean I still need to configure express.js to use https?
As in, nginx serves me a secure webpage and I see the HTTPS lock on the top left, but do I need to do any extra configuration with express at all?
No, node/express does not need to handle SSL: you can have a separate service for node/express and have nginx act as a reverse proxy and do SSL offloading.
Under this configuration, browsers will first hit your nginx web server over HTTPS, nginx will handle the ssl decryption and forward the decrypted HTTP request to your node process.
Your node process doesn't have to know HTTPS is happening at all.
Digital Ocean really has the best docs for setting this up on linux with systemd.
The first link is a clear tutorial on setting up an nginx reverse proxy to node.
The second link shows configuring SSL in nginx with a simple reverse proxy (in this specific example it's not a node server on the receiving end, but the concepts are the same) to accomplish the SSL termination.
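The layout the answer describes, written out as an added example (not the answer's own config, and not taken from the linked tutorials): nginx owns the certificate and the TLS listener, and forwards plain HTTP to a node process that listens on 127.0.0.1 only. example.com, the Let's Encrypt paths and port 3000 are assumptions. The one thing express does have to be told is that it sits behind a proxy: with `app.set('trust proxy', 'loopback')` it reads the X-Forwarded-Proto header nginx adds below, so req.secure, secure cookies and HTTPS redirects behave as if the app were serving TLS itself.

```shell
#!/bin/sh
# Added example, not part of the original answer. Writes the nginx server blocks
# for TLS termination in front of a node/express process on loopback.
# "example.com", the Let's Encrypt paths and port 3000 are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

write_nginx_tls_offload_conf() {
    domain="$1"; upstream_port="$2"; out="$3"
    sed -e "s|__DOMAIN__|$domain|g" -e "s|__PORT__|$upstream_port|g" > "$out" <<'EOF'
# Port 80 only redirects; no application traffic is served in the clear.
server {
    listen 80;
    server_name __DOMAIN__;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name __DOMAIN__;

    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # node listens on 127.0.0.1 only, so this proxy is the sole way in.
        proxy_pass http://127.0.0.1:__PORT__;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # express sees plain HTTP; this header (with app.set('trust proxy', 'loopback'))
        # is how req.secure and secure cookies learn that the client used HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

write_nginx_tls_offload_conf example.com 3000 "$WORK/example.com.conf"
echo "wrote $WORK/example.com.conf"
```

Bind the node server with `app.listen(3000, '127.0.0.1')` rather than on all interfaces; otherwise the decrypted port is reachable from the network and the TLS front door can simply be walked around.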

mod_proxy: when proxying tomcat from apache on 8443, is tomcat certificate needed

I am getting started now on adding SSL login pages to my webapp. I am using apache mod_proxy to proxy tomcat.
Some tutorials showed that I need to get an SSL certificate for apache and proxy my login pages to tomcat on port 8443.
Is port 8443 automatically an encrypted SSL port for tomcat? Do I need both an apache certificate and a tomcat certificate?
Andy
As far as the browser is concerned, Apache Httpd will "terminate" the SSL/TLS connection to your web server. Whether the content it serves is in fact coming from Tomcat doesn't matter to the browser. The browser will only see as far as Apache Httpd in that scenario. If it is set up with a certificate recognised by the browser, this is sufficient.
In addition to this, you may want to encrypt the connection between Apache Httpd and Tomcat. This is only really useful if you don't trust the network between the two (rarely useful on the same host, for example). I don't think mod_proxy_ajp supports SSL/TLS, but mod_proxy_http does, in which case you need to configure the SSLProxy* directives (see introduction): Apache Httpd will be a client in that respect, and Tomcat will need to be configured with a certificate in this case.
If you don't need to encrypt the link between Apache Httpd and Tomcat, the easiest is probably to use mod_proxy_http as a reverse proxy to the plain HTTP port of Tomcat (and make sure that port can't be accessed externally, via a firewall for example).
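The Tomcat side of both this answer and the wildcard-certificate answer further up, as one added example (not code from either answer): the same PEM certificate and key Apache uses are packed into the PKCS#12 keystore Tomcat's 8443 connector reads, the plain HTTP connector is bound to loopback so it cannot be reached from outside (the "firewall" point above, done in Tomcat itself), and a fingerprint comparison proves both servers hold the identical certificate. The wildcard certificate is stood in for by a constructed self-signed one; the paths and the "changeit" password are demo values.

```shell
#!/bin/sh
# Added example, not from either answer. Takes one PEM certificate and key (the
# wildcard certificate from the earlier question, stood in for here by a constructed
# self-signed one), packs it into the PKCS#12 keystore Tomcat reads, writes the
# Tomcat connectors and the matching Apache directives, and checks that both
# servers end up with the very same certificate. Paths and "changeit" are demo values.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the purchased wildcard certificate: the same PEM files a CA hands back.
make_demo_wildcard_cert() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=*.example.com\n' > "$WORK/wild.cnf"
    openssl req -x509 -config "$WORK/wild.cnf" -newkey rsa:2048 -nodes -days 365 \
        -addext "subjectAltName=DNS:*.example.com,DNS:example.com" \
        -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Tomcat's connector takes a keystore; PKCS#12 is the format both Java and openssl
# understand. Add "-certfile chain.pem" here when the CA supplied intermediates.
make_tomcat_keystore() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/privkey.pem" \
        -name tomcat -out "$WORK/tomcat.p12" -passout pass:changeit
}

# Tomcat 8.5+ connector syntax. The plain-HTTP connector binds to loopback so that
# only the local Apache can reach it; the 8443 connector is only needed when Apache
# is told to proxy over https://.
write_tomcat_connectors() {
    cat > "$WORK/connectors.xml" <<EOF
<Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1" connectionTimeout="20000" />

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeystoreFile="$WORK/tomcat.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="changeit" />
  </SSLHostConfig>
</Connector>
EOF
}

# Apache uses the PEM files as they are (intermediates appended to the cert file).
write_apache_ssl_conf() {
    cat > "$WORK/apache-ssl.conf" <<EOF
SSLEngine on
SSLCertificateFile    $WORK/cert.pem
SSLCertificateKeyFile $WORK/privkey.pem
EOF
}

# SHA-256 fingerprint of the certificate Apache serves ...
pem_fingerprint() {
    openssl x509 -in "$WORK/cert.pem" -noout -fingerprint -sha256 | cut -d= -f2
}
# ... and of the one inside Tomcat's keystore: they must be identical.
keystore_fingerprint() {
    openssl pkcs12 -in "$WORK/tomcat.p12" -nokeys -clcerts -passin pass:changeit 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

make_demo_wildcard_cert
make_tomcat_keystore
write_tomcat_connectors
write_apache_ssl_conf
[ "$(pem_fingerprint)" = "$(keystore_fingerprint)" ] \
    && echo "Apache and Tomcat hold the same certificate: $(pem_fingerprint)"
```

Two caveats: OpenSSL 3 writes PKCS#12 files with AES and PBKDF2, which old JVMs cannot open; pass `-legacy` to `openssl pkcs12 -export` if Tomcat runs on such a Java. And the keystore password ends up in server.xml in clear text, so that file needs the same permissions as the private key itself.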

Is it possible to have a client certificate authentication only for a subdirectory in Tomcat behind Apache?

Let's say I have
example.com
and I would like a client certificate authentication on
example.com/admin
Is this possible?
Perhaps by configuring your (Apache or Lighttpd) web server to act as an HTTP[S] proxy to another HTTPS server doing the certificate (but I am not sure).
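One concrete way to get this with Apache in front of Tomcat, as an added example that is not from the answer above: SSLVerifyClient may be set inside a `<Location>`, so the certificate is demanded for /admin only, while SSLCACertificateFile (which decides whose certificates count) has to sit at virtual-host level. The script issues one admin client certificate from a private CA and writes the virtual host; example.com, the user name alice, all paths and the "changeit" export password are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer above. Issues an admin client certificate
# from a private CA and writes the Apache httpd directives that demand it on
# /admin only, while the rest of the site and the proxied Tomcat stay as they are.
# "example.com", "alice", all paths and the "changeit" export password are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Private CA for client certificates. Keep it separate from whatever issued the
# server certificate: SSLCACertificateFile decides which clients are accepted.
make_client_ca() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\nprompt=no\n[dn]\nCN=Admin Client CA\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$WORK/client-ca.cnf"
    openssl req -x509 -config "$WORK/client-ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/client-ca.key" -out "$WORK/client-ca.crt" 2>/dev/null
}

# One admin user: a clientAuth certificate plus a PKCS#12 bundle for the browser.
issue_client_cert() {
    user="$1"
    openssl req -new -config "$WORK/client-ca.cnf" -subj "/CN=$user/O=Admins" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/$user.ext"
    openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/client-ca.crt" -CAkey "$WORK/client-ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$user.ext" -out "$WORK/$user.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/$user.crt" -inkey "$WORK/$user.key" -name "$user" \
        -out "$WORK/$user.p12" -passout pass:changeit
}

# SSLVerifyClient is allowed in <Location>, so only /admin demands a certificate.
# SSLCACertificateFile is not, so it sits at virtual-host level.
write_apache_conf() {
    cat > "$WORK/admin-vhost.conf" <<EOF
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example.com/privkey.pem

    SSLCACertificateFile $WORK/client-ca.crt
    SSLVerifyClient none

    # Strip any client-supplied identity header before it can reach Tomcat.
    RequestHeader unset X-Client-DN

    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 1
        # "set" replaces whatever the client sent with the verified subject DN.
        RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}s"
    </Location>

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
EOF
}

# The check mod_ssl makes on the presented client certificate.
client_cert_accepted() {
    openssl verify -CAfile "$WORK/client-ca.crt" "$1" 2>&1 | grep -q ': OK$'
}

make_client_ca
issue_client_cert alice
write_apache_conf
client_cert_accepted "$WORK/alice.crt" \
    && echo "alice.crt chains to the admin client CA; import $WORK/alice.p12 into the browser"
```

The per-location form only works because Apache can re-run the handshake once it knows the URL: renegotiation with TLS 1.2 and earlier, post-handshake authentication with TLS 1.3, and not every client implements the latter. If that turns out to be a problem, the robust alternative is a dedicated admin virtual host (its own host name or port) with `SSLVerifyClient require` at host level. Tomcat then authorises /admin on the X-Client-DN header, which is safe only because Apache is the sole path to port 8080 and overwrites that header on every request.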

CSR Generation: Tomcat or Apache?

While not entirely programming related, I recently purchased an SSL certificate, and during the configuration I need to generate a CSR.
I am running Tomcat behind Apache via mod_jk. I see two options for generating the CSR: one for Apache and one for Java-based servers. My question is which do I use? At the moment the site needing the SSL is configured to have all requests forwarded straight to Tomcat for processing. This however may change to only certain pages. Does it make a difference?
Thanks in advance.
If you are going to use mod_jk then the SSL cert should be generated for Apache. mod_jk connects to Tomcat over the APR protocol (default 8009) so all SSL handling is done by Apache. This works nicely since, in the future, you may only want to proxy dynamic content with mod_jk; assigning the cert to Apache will allow you to proxy static content using HTTPS.
FYI, the thread you referenced only discussed whether you had to generate the keypair and cert request on the same machine and is not related to running Tomcat + Apache + SSL. That thread is not relevant to your question.
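The "generate it for Apache" route in practice, as an added example that is not part of the answer: the key and CSR are created on the Apache host with the openssl CLI, the CSR is checked before it is sent to the CA, and the returned certificate is wired into the Apache virtual host that carries the JkMount. Tomcat never sees the key; mod_jk speaks AJP to Tomcat on 8009 in the clear, so Apache is the only TLS endpoint and the AJP connector should be bound to loopback. www.example.com, the organisation name and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer above. Generates the key and the CSR on the
# Apache host, checks the CSR before it goes to the CA, and shows where the
# returned certificate is wired in. "www.example.com" and the paths are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Key and CSR. The private key never leaves this host; the CA only sees the CSR.
# Browsers match the name against subjectAltName, not the CN, so list every host
# name the site answers to there.
make_apache_csr() {
    cat > "$WORK/www.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
CN = www.example.com
O  = Example Ltd
[v3_req]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
    umask 077   # private key readable by this user only
    openssl req -new -config "$WORK/www.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/www.key" -out "$WORK/www.csr" 2>/dev/null
}

# Checks a CA performs as well: the CSR's self-signature verifies, the SAN is
# present, and the subject is the one ordered.
csr_is_sane() {
    openssl req -in "$WORK/www.csr" -noout -verify 2>&1 | grep -qi 'verify OK' || return 1
    openssl req -in "$WORK/www.csr" -noout -text | grep -q 'DNS:www.example.com' || return 1
    openssl req -in "$WORK/www.csr" -noout -subject | grep -q 'CN *= *www.example.com'
}

# The certificate the CA returns must match this key. Comparing public keys is the
# same test to run later on the issued certificate (openssl x509 -pubkey).
key_matches_csr() {
    [ "$(openssl pkey -in "$WORK/www.key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$WORK/www.csr" -noout -pubkey)" ]
}

# Where the CA's answer goes: the certificate with intermediates appended, plus
# this key. All of /* still reaches Tomcat through mod_jk; AJP on 8009 carries no
# TLS, so that connector belongs on 127.0.0.1 and Apache is the only TLS endpoint.
write_apache_ssl_conf() {
    cat > "$WORK/www-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/www.example.com/www.key
    JkMount /* ajp13_worker
</VirtualHost>
EOF
}

make_apache_csr
write_apache_ssl_conf
csr_is_sane && key_matches_csr && echo "CSR at $WORK/www.csr is ready to submit"
```

When the split later changes so that Apache serves static files itself and only some paths are JkMount'ed, nothing about the certificate changes: it was issued to the host name, and that host name stays on Apache.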