
Posts Tagged ‘openssl’

Apache Tomcat SSL Port Forward

July 25, 2019

Table of Contents:

1) Apache Web Server Installation
2) SSL Certificate Installation
3) Port Forward Setup in Apache (mod_jk Conf)
4) Apache – SSL Virtual Host Conf
5) Tomcat URL Redirection

Apache Web Server Installation:

root ~$ apt-get install apache2

This command installs the Apache web server on the local system with its default configuration. After the installation completes, the service starts automatically on port 80.

root ~$ /etc/init.d/apache2 status

This shows the status of the Apache web server.

Installing and configuring mod_jk

root ~$ apt-get install libapache2-mod-jk

This command installs the mod_jk connector module for the Apache web server.

SSL Certificate installation:

We have installed and configured a Let's Encrypt SSL certificate on the local system (installed by the Network Team).

Let's Encrypt configuration file location:

~# /etc/letsencrypt

By default an 'options-ssl-apache.conf' file is created in /etc/letsencrypt. If it is not there, we can create it manually under '/etc/letsencrypt'. Its own comment marks it as an intermediate profile: note that it still permits TLS 1.0/1.1 and the 3DES (DES-CBC3) suites, so review it against current guidance for the clients you need to support.

options-ssl-apache.conf
————————————————————————————————————————

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

Port Forward Setup in Apache:

I assume the Compiere setup on Tomcat is already completed.

Now Apache is running on port 80 and Tomcat is running on port 7085 (refer to the server.xml file below). We are going to forward the incoming requests on port 80 to the Tomcat instance running on port 7085.

My Tomcat server.xml file is as follows:

———–

<!-- A "Connector" represents an endpoint by which requests are received
     and responses are returned. Documentation at :
     Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
     Java AJP  Connector: /docs/config/ajp.html
     APR (HTTP/AJP) Connector: /docs/apr.html
     Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="7085"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxHttpHeaderSize="7192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           redirectPort="6434"
           acceptCount="100"
           disableUploadTimeout="true" />

<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="6434"
           maxHttpHeaderSize="7192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           clientAuth="false"
           SSLEnabled="true"
           keystoreFile="/home/oracle/cpcapp2/Compiere2/keystore/myKeystore"
           keystorePass="myPassword"
           sslProtocol="TLS" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="7009" enableLookups="false" protocol="AJP/1.3" redirectPort="6434" />

—–

Now we will create our workers.properties file for Apache:

root ~# nano /etc/apache2/workers.properties

Paste the text below into workers.properties:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=7009

In my Tomcat, I used port 7009 for the AJP connector, so that is the port I used in the workers.properties file.

Configure Apache to use the workers file; for that, edit the jk.conf file in Apache2.

Disable the jk module (and with it jk.conf) using the command below:

root ~# a2dismod jk

root ~# nano /etc/apache2/mods-available/jk.conf

Change the JkWorkersFile property to /etc/apache2/workers.properties.

Before:

<IfModule jk_module>
    # We need a workers file exactly once
    # and in the global server
    JkWorkersFile /var/log/apache2/workers.properties

After:

<IfModule jk_module>
    # We need a workers file exactly once
    # and in the global server
    JkWorkersFile /etc/apache2/workers.properties

Enable the jk module again using the command below:

root ~# a2enmod jk
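As an added check (not from the original post), the following Python parses a server.xml excerpt and a workers.properties modelled on the files above and flags the points a reviewer of this setup would raise: a worker pointing at a port with no AJP connector, and AJP or plaintext HTTP connectors with no address attribute, which Tomcat binds on every interface so they can be reached without going through the Apache HTTPS front end. The inputs and the finding codes are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the server.xml and workers.properties above
# (not the post's own files); only the attributes the checks need are kept.
SERVER_XML = """<Server><Service name="Catalina">
 <Connector port="7085" protocol="HTTP/1.1" redirectPort="6434"/>
 <Connector port="6434" SSLEnabled="true" scheme="https" secure="true" keystorePass="myPassword"/>
 <Connector port="7009" enableLookups="false" protocol="AJP/1.3" redirectPort="6434"/>
</Service></Server>"""
WORKERS_PROPERTIES = "worker.list=worker1\nworker.worker1.type=ajp13\n" \
                     "worker.worker1.host=localhost\nworker.worker1.port=7009\n"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_workers(text):
    """Return {worker_name: {key: value}} from a mod_jk workers.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            props[key] = value
    workers = {}
    for name in (n.strip() for n in props.get("worker.list", "").split(",") if n.strip()):
        prefix = f"worker.{name}."
        workers[name] = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    return workers

def parse_connectors(xml_text):
    """Return the attribute dict of every <Connector> element in a server.xml."""
    return [dict(c.attrib) for c in ET.fromstring(xml_text).iter("Connector")]

def audit(connectors, workers):
    """Findings a reviewer of this front-end setup would raise, as short codes."""
    findings = []
    ajp_ports = {c["port"] for c in connectors if c.get("protocol") == "AJP/1.3"}
    for name, w in workers.items():
        if w.get("type") == "ajp13" and w.get("port") not in ajp_ports:
            findings.append(f"worker:{name}:no-ajp-connector-on-{w.get('port')}")
    for c in connectors:
        proto = c.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
        bound = c.get("address", "0.0.0.0")    # no address attribute = all interfaces
        if proto == "AJP/1.3" and bound not in LOOPBACK:
            findings.append(f"ajp:{c['port']}:not-loopback")        # reachable without Apache
        elif proto == "HTTP/1.1" and c.get("SSLEnabled") != "true" and bound not in LOOPBACK:
            findings.append(f"http:{c['port']}:plaintext-exposed")  # bypasses the HTTPS front end
    return findings

def run_audit():
    return audit(parse_connectors(SERVER_XML), parse_workers(WORKERS_PROPERTIES))
```

Adding address="127.0.0.1" to the AJP and plain HTTP connectors (or firewalling those ports) clears both findings when Apache is the only intended entry point.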

Apache – SSL Virtual Host Conf:

sites-available:

If the default SSL site (default-ssl.conf) is enabled, disable it.

Create a new file for the SSL configuration. I created a new file cpc_ssl.conf under 'sites-available' (/etc/apache2/sites-available).

In this file I reference the worker from workers.properties and the location of the installed certificate.

The content is as follows:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName http://www.my.local.in
    ServerAdmin mohanpalanichamy@sample.com
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    #Redirect permanent / https://0.0.0.0/

    <Directory "/var/www/html">
        # AuthType Basic
        # AuthName "Restricted Content"
        # AuthUserFile /etc/apache2/.htpasswd
        # Require valid-user
        # CheckSpelling On
        # CheckCaseOnly On
    </Directory>

    # Mount your applications
    JkMount /* worker1

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/my.local.in/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.local.in/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/my.local.in/chain.pem
</VirtualHost>
</IfModule>

Enable the cpc_ssl.conf site using the command below:

root ~# a2ensite cpc_ssl

Restart the Apache server:

root ~# /etc/init.d/apache2 restart

Verify the URL in a browser:

URL – https://my.local.in/apps/Compiere.html

It should load the home page. Note that cert.pem holds only the leaf certificate: with SSLCertificateChainFile commented out, the intermediate is not sent, and clients that do not fetch missing intermediates themselves may fail to validate the chain, so uncomment that line or point SSLCertificateFile at fullchain.pem.

Tomcat URL Redirection:

Instead of entering the full path (https://my.local.in/apps/Compiere.html) in the browser, we will configure Tomcat to redirect requests for the domain URL to the home page.

For that, go to the file path ..\apache-tomcat-7.0.x\webapps\ROOT\index.jsp

Add the line below at the top of index.jsp (the first form is the value used here, the second is the generic form):

<% response.sendRedirect("https://my.local.in/apps/Compiere.html"); %>

<% response.sendRedirect("http://yourRedirectionURL"); %>

Please note that in a JSP file the line above has to start with <% and end with %>.

Now if you enter https://my.local.in in the browser, it is automatically redirected to https://my.local.in/apps/Compiere.html.

Linux / UNIX: Encrypt Backup Tape Using Tar & OpenSSL

September 25, 2010

How do I make sure that only authorized persons can access my backups stored on tape drives (DAT, DLT, LTO-4, etc.) under Linux or UNIX operating systems? How do I back up /array22/vol4/home/ to /dev/rmt/5mn or /dev/st0 in encrypted form?

You can easily encrypt data to tape using a combination of the tar and openssl commands. The following is a software-based solution built on the encryption algorithms supported by the openssl tool. Encrypted backups should be used when storing sensitive data on removable media or when storing backups on shared NAS / SAN servers or online backup servers. When encryption is used, openssl asks for a password before you can create, view, open, or restore the files included in the backup. This is based on the pipes concept.

Backup Data

The following example writes the contents of /array22/vol4/home to tape:

tar zcvf - /array22/vol4/home | openssl des3 -salt | dd of=/dev/st0

The encryption password is entered by the administrator or backup operator, i.e. the above encrypts a tape using triple DES in CBC mode with a prompted password. You can also put the password in the script itself (note that a password given with -k is visible to other local users in the process list and may end up in shell history, so prefer the prompt or openssl's -pass file: option pointing at a protected file):

tar zcvf - /array22/vol4/home | openssl des3 -salt -k "Your-Password-Here" | dd of=/dev/st0

Reading (listing) Files

Type the command as follows:

dd if=/dev/st0 | openssl des3 -d -salt | tar ztvf -

OR

dd if=/dev/st0 | openssl des3 -d -salt -k "Your-Password-Here" | tar ztvf -

Restore The Data

Use the following command to read and restore data back:

dd if=/dev/st0 | openssl des3 -d -salt | tar xzf -

OR

dd if=/dev/st0 | openssl des3 -d -salt -k "Your-Password-Here" | tar xzf -

Where,

* dd : Convert and copy a file.
* /dev/st0 : Tape device name.
* openssl : The OpenSSL toolkit command line utility.
* tar : The tar archiving utility.
* des3 : Triple-DES Cipher (Triple DES is the common name for the Triple Data Encryption Algorithm).
* -salt : The -salt option should ALWAYS be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL and SSLeay. Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted. (source enc man page)
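As an added illustration (not part of the original post), the following Python reproduces what openssl enc does with the salt the list above describes: it parses the 16-byte "Salted__" + salt header that a plain `openssl des3 -salt` writes, derives the des3 key and IV with the legacy MD5-based EVP_BytesToKey that openssl uses by default, and shows the PBKDF2-HMAC-SHA256 derivation selected by the -pbkdf2 option for comparison. The header bytes and password are constructed samples.

```python
import hashlib
from typing import Tuple

# Constructed sample: an "openssl enc -salt" stream starts with the ASCII magic
# "Salted__" followed by the 8 random salt bytes, then the ciphertext.
SAMPLE_HEADER = b"Salted__" + bytes.fromhex("0102030405060708")
PASSWORD = b"Your-Password-Here"          # constructed, as in the post
DES3_KEY_LEN, DES3_IV_LEN = 24, 8         # des-ede3-cbc: 3 x 8-byte keys, 8-byte IV

def is_salted(data: bytes) -> bool:
    """True if data carries the 16-byte 'Salted__' + salt header."""
    return len(data) >= 16 and data[:8] == b"Salted__"

def parse_salt(data: bytes) -> bytes:
    """Return the 8-byte salt from a salted openssl enc stream."""
    if not is_salted(data):
        raise ValueError("not an OpenSSL salted stream")
    return data[8:16]

def evp_bytes_to_key(password: bytes, salt: bytes,
                     key_len: int, iv_len: int) -> Tuple[bytes, bytes]:
    """Legacy derivation used by 'openssl enc' without -pbkdf2:
    D_1 = MD5(pw||salt), D_i = MD5(D_{i-1}||pw||salt); key||iv = D_1||D_2||...
    One MD5 per 16 output bytes: the salt stops precomputed tables from being
    reused across files, but each password guess is still very cheap to test."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]

def pbkdf2_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
               iterations: int = 10000) -> Tuple[bytes, bytes]:
    """Derivation used with -pbkdf2 (HMAC-SHA256, 10000 iterations by default),
    again producing the key followed by the IV."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]

def derive_des3(password: bytes, stream: bytes, pbkdf2: bool = False):
    """Key and IV that openssl would use for this des3 stream and password."""
    salt = parse_salt(stream)
    if pbkdf2:
        return pbkdf2_key(password, salt, DES3_KEY_LEN, DES3_IV_LEN)
    return evp_bytes_to_key(password, salt, DES3_KEY_LEN, DES3_IV_LEN)
```

For new backups, adding -pbkdf2 (and a modern cipher such as -aes-256-cbc) to the openssl command in the pipeline switches to the iterated derivation without changing the tar or dd side.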

Hardware vs Software Encryption

Software encryption is different from hardware encryption. Hardware-based encryption needs additional software and hardware and uses keys (and/or passwords) to protect the data. I suggest you read vendor sites such as HP or IBM for further details on hardware encryption, which may or may not be supported by your backup devices.
