
Apache Tomcat SSL Port Forward

Table of Contents:

1) Apache Web Server Installation
2) SSL Certificate Installation
3) Port Forward Setup in Apache (mod_jk conf)
4) Apache – SSL Virtual Host Conf
5) Tomcat URL Redirection

Apache Web Server Installation:

root ~$ apt-get install apache2

This command installs the Apache web server on the local system with its default configuration. Once the installation completes, the service starts automatically on port 80.

root ~$ /etc/init.d/apache2 status

Shows the status of the Apache web server.

Installing and configuring mod_jk

root ~$ apt-get install libapache2-mod-jk

This command installs the mod_jk module for the Apache web server.

SSL Certificate Installation:

We have installed and configured a Let's Encrypt SSL certificate on the local system (installed by the Network Team).

Let's Encrypt configuration directory:

/etc/letsencrypt

By default an 'options-ssl-apache.conf' file is created in /etc/letsencrypt. If it is not there, create it manually in /etc/letsencrypt.

options-ssl-apache.conf

------------------------------

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

Port Forward Setup in Apache (mod_jk conf):

I assume that Compiere has already been set up on Tomcat.

Apache is now running on port 80 and Tomcat on port 7085 (see the server.xml below). We are going to forward incoming requests on port 80 to the Tomcat instance running on port 7085.

The connector definitions in my Tomcat server.xml are as follows:

-----------

<!-- A "Connector" represents an endpoint by which requests are received
     and responses are returned. Documentation at :
     Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
     Java AJP  Connector: /docs/config/ajp.html
     APR (HTTP/AJP) Connector: /docs/apr.html
     Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="7085"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxHttpHeaderSize="7192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           redirectPort="6434"
           acceptCount="100"
           disableUploadTimeout="true" />

<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="6434"
           maxHttpHeaderSize="7192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           clientAuth="false"
           SSLEnabled="true"
           keystoreFile="/home/oracle/cpcapp2/Compiere2/keystore/myKeystore"
           keystorePass="myPassword"
           sslProtocol="TLS" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="7009" enableLookups="false" protocol="AJP/1.3" redirectPort="6434" />

-----------

Now we will create our workers.properties file for Apache

root ~# nano /etc/apache2/workers.properties

Paste the below text in workers.properties

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=7009

In my Tomcat, I have used port 7009 for the AJP connector, so I used that port in the workers.properties file.

Configure Apache to use the workers file; for that, edit the jk.conf file in the Apache configuration.

First disable the jk module with the command below:

root ~# a2dismod jk

root ~# nano /etc/apache2/mods-available/jk.conf

Change the JkWorkersFile property to /etc/apache2/workers.properties

Before:

<IfModule jk_module>
    # We need a workers file exactly once
    # and in the global server
    JkWorkersFile /var/log/apache2/workers.properties

After:

<IfModule jk_module>
    # We need a workers file exactly once
    # and in the global server
    JkWorkersFile /etc/apache2/workers.properties

Re-enable the jk module with the command below:

root ~# a2enmod jk
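Before restarting Apache it is worth confirming that the three files above agree with one another. The script below is an added example and not part of the original post: it reads the worker port out of workers.properties, the port of the AJP/1.3 connector out of server.xml and the JkWorkersFile path out of jk.conf, and fails if they do not line up. It also reports whether the AJP connector carries an address= attribute, because Tomcat binds a connector to every interface when none is given. The file contents are constructed inline under a temporary directory so that it runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Cross-checks the three files the
# mod_jk setup depends on: workers.properties, jk.conf and Tomcat's server.xml.
# All inputs are constructed inline under a temporary directory; the function
# names are my own.
set -u

# make_samples DIR -> writes constructed copies of the three files under DIR
make_samples() {
  mkdir -p "$1/etc/apache2"
  # constructed workers.properties, the same worker as in the post
  cat > "$1/etc/apache2/workers.properties" <<'EOF'
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=7009
EOF
  # constructed jk.conf fragment pointing at that workers file
  cat > "$1/etc/apache2/jk.conf" <<EOF
<IfModule jk_module>
    JkWorkersFile $1/etc/apache2/workers.properties
</IfModule>
EOF
  # constructed connector lines in the shape of the post's server.xml
  cat > "$1/server.xml" <<'EOF'
<Connector port="7085" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="6434" />
<Connector port="7009" enableLookups="false" protocol="AJP/1.3" redirectPort="6434" />
EOF
}

# worker_port WORKERS_FILE WORKER -> the worker.<WORKER>.port value
worker_port() {
  sed -n "s/^worker\.$2\.port=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1"
}

# ajp_port SERVER_XML -> port of the connector declared with protocol="AJP/1.3"
ajp_port() {
  grep 'protocol="AJP/1.3"' "$1" | sed -n 's/.*port="\([0-9][0-9]*\)".*/\1/p'
}

# ajp_bound_locally SERVER_XML -> 0 when the AJP connector has a loopback address=
# (Tomcat binds a connector to every interface when address= is absent)
ajp_bound_locally() {
  grep 'protocol="AJP/1.3"' "$1" | grep -Eq 'address="(127\.0\.0\.1|localhost|::1)"'
}

# jk_workers_file JK_CONF -> the path given to the first active JkWorkersFile
jk_workers_file() {
  sed -n 's/^[[:space:]]*JkWorkersFile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_jk_setup JK_CONF SERVER_XML -> 0 when jk.conf points at an existing
# workers file whose worker1 port equals Tomcat's AJP connector port
check_jk_setup() {
  wf=$(jk_workers_file "$1")
  if [ -z "$wf" ] || [ ! -f "$wf" ]; then
    echo "workers file not found: ${wf:-<unset>}" >&2
    return 1
  fi
  wp=$(worker_port "$wf" worker1)
  ap=$(ajp_port "$2")
  if [ -z "$wp" ] || [ "$wp" != "$ap" ]; then
    echo "port mismatch: worker1=${wp:-<unset>} ajp=${ap:-<none>}" >&2
    return 1
  fi
  if ! ajp_bound_locally "$2"; then
    echo "note: AJP connector has no loopback address= and accepts connections on every interface" >&2
  fi
  return 0
}

# Stand-alone run against the constructed files
d=$(mktemp -d)
make_samples "$d"
check_jk_setup "$d/etc/apache2/jk.conf" "$d/server.xml" && echo "mod_jk setup is consistent"
rm -rf "$d"
```

Point check_jk_setup at the real /etc/apache2/mods-available/jk.conf and Tomcat's conf/server.xml to run it against a live installation. Since Apache and Tomcat share a host here and the worker talks to localhost, adding address="127.0.0.1" to the AJP connector keeps it reachable only from that Apache instance.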

Apache – SSL Virtual Host Conf:

sites-available:

If the default SSL site (default-ssl.conf) is enabled, disable it.

Create a new file for the SSL configuration. I have created a new file, cpc_ssl.conf, under 'sites-available' (/etc/apache2/sites-available).

In this file I have referenced the mod_jk worker from workers.properties and the location of the installed SSL certificate.

Its content is as follows:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName http://www.my.local.in
    ServerAdmin mohanpalanichamy@sample.com
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    #Redirect permanent / https://0.0.0.0/

    <Directory "/var/www/html">
        # AuthType Basic
        # AuthName "Restricted Content"
        # AuthUserFile /etc/apache2/.htpasswd
        # Require valid-user
        # CheckSpelling On
        # CheckCaseOnly On
    </Directory>

    # Mount your applications
    JkMount /* worker1

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/my.local.in/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.local.in/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/my.local.in/chain.pem
</VirtualHost>
</IfModule>

Enable the cpc_ssl.conf site with the command below:

root ~# a2ensite cpc_ssl

Restart the Apache server.

root ~# /etc/init.d/apache2 restart

Verify the URL in a browser:

URL – https://my.local.in/apps/Compiere.html

It should load the home page.
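As an added check that is not part of the original post, the script below reads the file paths that cpc_ssl.conf depends on (Include, SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile) and confirms each one exists before Apache is restarted, so a mistyped Let's Encrypt path is caught by the lint rather than by a failed restart. It also notices when SSLCertificateChainFile appears only as a comment, as in the file above: without the chain (or fullchain.pem in SSLCertificateFile), clients that do not already hold the intermediate CA certificate cannot validate the server certificate. The vhost and the file tree are constructed in a temporary directory; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Lints an Apache SSL vhost such
# as cpc_ssl.conf: every file it references must exist, and a chain file that
# survives only as a comment is reported. The vhost and the file tree are
# constructed under a temporary directory; the function names are my own.
set -u

# make_sample_tree DIR -> constructed Let's Encrypt tree and vhost under DIR
make_sample_tree() {
  mkdir -p "$1/etc/letsencrypt/live/my.local.in"
  : > "$1/etc/letsencrypt/options-ssl-apache.conf"
  : > "$1/etc/letsencrypt/live/my.local.in/cert.pem"
  : > "$1/etc/letsencrypt/live/my.local.in/privkey.pem"
  # constructed vhost in the shape of the post's cpc_ssl.conf, paths under DIR
  cat > "$1/cpc_ssl.conf" <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName my.local.in
    JkMount /* worker1
    Include $1/etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile $1/etc/letsencrypt/live/my.local.in/cert.pem
    SSLCertificateKeyFile $1/etc/letsencrypt/live/my.local.in/privkey.pem
    #SSLCertificateChainFile $1/etc/letsencrypt/live/my.local.in/chain.pem
</VirtualHost>
</IfModule>
EOF
}

# directive_value FILE DIRECTIVE -> argument of the first active (uncommented)
# occurrence of DIRECTIVE, or nothing if it is absent or commented out
directive_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# referenced_files VHOST -> the paths the vhost depends on, one per line
referenced_files() {
  for d in Include SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
    v=$(directive_value "$1" "$d")
    [ -n "$v" ] && printf '%s\n' "$v"
  done
  return 0
}

# check_vhost_files VHOST -> 0 when every referenced file exists; missing ones
# are listed on stderr
check_vhost_files() {
  rc=0
  for p in $(referenced_files "$1"); do
    if [ ! -f "$p" ]; then
      echo "missing: $p" >&2
      rc=1
    fi
  done
  return $rc
}

# chain_only_commented VHOST -> 0 when SSLCertificateChainFile appears only in
# a comment, i.e. no intermediate certificate is being served
chain_only_commented() {
  grep -q '^[[:space:]]*#[[:space:]]*SSLCertificateChainFile' "$1" &&
    [ -z "$(directive_value "$1" SSLCertificateChainFile)" ]
}

# lint_vhost VHOST -> 0 when the file set is complete; the chain note is advisory
lint_vhost() {
  check_vhost_files "$1" || return 1
  if chain_only_commented "$1"; then
    echo "note: SSLCertificateChainFile is commented out; serve the chain (or use fullchain.pem) so clients can build the trust path" >&2
  fi
  return 0
}

# Stand-alone run against the constructed tree
d=$(mktemp -d)
make_sample_tree "$d"
lint_vhost "$d/cpc_ssl.conf" && echo "vhost files present"
rm -rf "$d"
```

Run lint_vhost against /etc/apache2/sites-available/cpc_ssl.conf before the restart; apachectl configtest still has the final say, but the lint names the exact missing path.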

Tomcat URL Redirection:

Instead of entering the full path (https://my.local.in/apps/Compiere.html) in the browser, we will configure Tomcat to redirect requests for the bare domain URL to the home page.

For that, go to the file ..\apache-tomcat-7.0.x\webapps\ROOT\index.jsp

Add the line below at the top of index.jsp (the return stops the rest of the page from being rendered into the already-redirected response):

<% response.sendRedirect("https://my.local.in/apps/Compiere.html"); return; %>

The general form is:

<% response.sendRedirect("http://yourRedirectionURL"); return; %>

Please note that in a JSP file the line above must start with <% and end with %>.

Now if you enter https://my.local.in in the browser, it is automatically redirected to https://my.local.in/apps/Compiere.html.
