How do I ensure that the Apache AJP to Tomcat connection is secure/encrypted?

We want to front-end our Tomcat instance with an Apache instance (running on the same machine) that will be serving everything on HTTPS and connect Apache to Tomcat using AJP. When using AJP, do we need to do anything to make sure that the connection between Apache and Tomcat is secure? (We don't want passwords to be sniffable on the network between Apache and Tomcat.) The O/S is Red Hat Enterprise Linux 6.3.

You are saying
Tomcat instance with an Apache instance (running on the same machine)
and later you are saying
We dont want passwords to be sniffable on the network between Apache and Tomcat
These two statements contradict each other.
EDIT: AJP is not designed to be secure, if you need security, use mod_proxy_http and proxy over https, or create SSH tunnel. Needless to say, you will have to pay for this overhead.

When using AJP you cannot do anything to ensure it is secure. It isn't. There is no SSL version. You would have to use HTTPS. AJP is designed for the usual case where HTTPD and Tomcat are in the same private LAN and security isn't an issue.

Related

Can I set up an optimally secure connection between Apache and Wildfly?

Setting up a public Wildfly (9.0.2.Final) server, I'm figuring out the alternatives for doing this with or without Apache as a front towards the Internet. I'd prefer to use Apache as this solves other problems for me.
I should say: I need to use SSL for securing the data traffic.
I've set up SSL for both Wildfly and Apache.
Looking through blogs and tutorials, I haven't found an alternative that performs SSL between Apache and Wildfly. That would seem to be the preferred choice for me, were there one.
I've tried and configured:
Configuring Apache using mod_proxy_ajp. This prohibits me from using SSL between Apache and Wildfly but allows me to close the firewall for 8080 and 8443.
Configuring Apache using mod_proxy_http. This gets me the exception of no secure port to forward to on the Wildfly side, which seems not to have any solution.
Opening up the Wildfly ports 8080 and 8443 and letting requests go directly to a publicly exposed Wildfly, which I hear is not recommended.
Since all three alternatives have their drawbacks, I got to ask: How are people usually doing this?

Is it possible to use Glassfish as a front end to other servers? How?

As it is done with Apache and mod_jk to access applications without the need to type the port numbers, but I want to do it with Glassfish. If possible, how do I do it?
No, it is not possible, because it doesn't make sense. Glassfish is an application server and not intended for use as a reverse proxy. There are other tools which are a perfect fit for this job, like Apache, Nginx or Squid.
without the need to type the port numbers, but I want to do it with Glassfish
For applications running on Glassfish, you can do this by changing the port of the specific http-listener to 80 (HTTP) or 443 (HTTPS).
See also:
How can I use Glassfish under Linux as a reverse-proxy?

Tomcat through Apache

I'd like to know if it is a good decision to run Tomcat through port 80 (in Apache with virtual hosts).
I need to set up a Tomcat service on the same server where I have Apache, plus I need to use Tomcat through port 80.
Is this right, or is it best to use them on separate servers?
That's OK. But sometimes Tomcat is deployed with Apache: Apache is a front-end server to balance load, and many Tomcats act as back-end servers.

Configure SSL between tomcat and apache http server

We have a security requirement to configure SSL between tomcat and apache http server. I am using mod_jk for connection between httpd and tomcat servers.
I couldn't find the correct document which explains my situation. If anyone knows, please help me.
Short answer, you need to use the HTTP protocol instead of AJP.
HTTP supports encrypted communications (i.e. HTTPS), but AJP does not. If you want to stick with AJP, you'd need to use encryption at a lower level, like a VPN or encrypted tunnel, and then route your AJP traffic over the encrypted network.
If you switch to HTTP, you can use HTTPD, mod_proxy and mod_ssl to encrypt connections between HTTPD & Tomcat. The standard documentation on this is pretty good.
http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine

mod_proxy: when proxying Tomcat from Apache on 8443, is a Tomcat certificate needed?

I am getting started now on adding SSL login pages to my webapp. I am using apache mod_proxy to proxy tomcat.
Some tutorials showed that I need to get an SSL certificate for apache and proxy my login pages to tomcat on port 8443.
Is port 8443 automatically an encrypted SSL port for tomcat? Do I need both an apache certificate and a tomcat certificate?
Andy
As far as the browser is concerned, Apache Httpd will "terminate" the SSL/TLS connection to your web server. Whether the content it serves is in fact coming from Tomcat doesn't matter to the browser. The browser will only see as far as Apache Httpd in that scenario. If it is set up with a certificate recognised by the browser, this is sufficient.
In addition to this, you may want to encrypt the connection between Apache Httpd and Tomcat. This is only really useful if you don't trust the network between the two (rarely useful on the same host, for example). I don't think mod_proxy_ajp supports SSL/TLS, but mod_proxy_http does, in which case you need to configure the SSLProxy* directives (see introduction): Apache Httpd will be a client in that respect, and Tomcat will need to be configured with a certificate in this case.
If you don't need to encrypt the link between Apache Httpd and Tomcat, the easiest is probably to use mod_proxy_http as a reverse proxy to the plain HTTP port of Tomcat (and make sure that port can't be accessed externally, via a firewall for example).
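The configuration the two answers above describe (mod_proxy_http plus the SSLProxy* directives, with Apache as the TLS client and Tomcat presenting its own certificate), as an added example that is not part of any answer on this page. It is written for httpd 2.4; the hostnames, paths and the internal CA are hypothetical, Tomcat's HTTPS connector is assumed to be reachable as tomcat.internal:8443 with a certificate for that name, and mod_ssl, mod_proxy, mod_proxy_http and mod_headers are assumed to be loaded. The AJP lines are kept, commented out, as the weak variant the tutorials usually show.

```apache
# Added example, not taken from the answers above. httpd 2.4 virtual host
# that terminates browser TLS and re-encrypts the hop to Tomcat over HTTPS,
# replacing the cleartext AJP connector.
# Assumptions (hypothetical values):
#   - Tomcat's HTTPS connector answers at tomcat.internal:8443 and presents a
#     certificate for that name, issued by an internal CA whose certificate
#     is in /etc/pki/tls/certs/internal-ca.crt
#   - mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded
#   - "Listen 443" is already present (ssl.conf on RHEL provides it)

# Weak variant: AJP has no TLS mode, so form logins in POST bodies cross this
# link in cleartext. Shown only for comparison.
#ProxyPass        "/app" "ajp://tomcat.internal:8009/app"
#ProxyPassReverse "/app" "ajp://tomcat.internal:8009/app"

<VirtualHost *:443>
    ServerName www.example.com

    # Browser-facing TLS. This is the only certificate a browser ever sees;
    # Tomcat's certificate below never reaches the client.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Back-end TLS: httpd acts as a TLS client towards Tomcat.
    SSLProxyEngine on

    # SSLProxyVerify defaults to "none": mod_ssl would then encrypt the link
    # but accept any certificate, so an attacker on the network between the
    # two hosts could still terminate it. Require a chain to the internal CA
    # and a certificate that actually names the host being contacted.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    # SSLProxyCheckPeerName needs httpd 2.4.5 or later; on older builds use
    # SSLProxyCheckPeerCN instead.
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on

    # Hardened variant: same paths as the AJP lines above, HTTPS instead.
    ProxyPass        "/app" "https://tomcat.internal:8443/app"
    ProxyPassReverse "/app" "https://tomcat.internal:8443/app"

    # Let Tomcat know the client connection was HTTPS, so redirects and
    # secure-cookie decisions on its side are correct. Tomcat only honours
    # this header when its RemoteIpValve is configured to read it.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

On the Tomcat side this needs an HTTPS connector in server.xml (a `<Connector port="8443" SSLEnabled="true" scheme="https" secure="true" ...>` with a keystore whose certificate chains to internal-ca.crt), and the AJP and plain HTTP connectors should either be bound to 127.0.0.1 with `address="127.0.0.1"` or firewalled so only httpd can reach them. For the same-host case in the original question, a plain HTTP connector bound to 127.0.0.1 already keeps passwords off the network, since loopback traffic never leaves the machine; the SSLProxy* setup above is for the case where Apache and Tomcat are on different hosts and the link between them is not trusted.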