Posts Tagged ‘ssl’

Apache Tomcat SSL Port Forward

July 25, 2019

Table of Contents:

1) Apache Web Server Installation

2) SSL Certificate Installation

3) Port Forward Setup in Apache (mod_jk Conf)

4) Apache SSL Virtual Host Conf

5) Tomcat URL Redirection

Apache Web Server Installation:

root ~$ apt-get install apache2

This installs the Apache web server on the local system with its default configuration. Once the installation completes, the service starts automatically and listens on port 80.

root ~$ /etc/init.d/apache2 status

Shows the status of the Apache service.

Installing and configuring mod_jk

root ~$ apt-get install libapache2-mod-jk

This installs the mod_jk connector module (libapache2-mod-jk), which lets Apache forward requests to Tomcat over the AJP protocol.

SSL Certification installation:

We have installed and configured a Let's Encrypt SSL certificate on the local system. It was installed by the network team.

Let's Encrypt configuration file location:

/etc/letsencrypt

By default certbot's Apache plugin creates an 'options-ssl-apache.conf' file in /etc/letsencrypt. If it is missing, create it manually in /etc/letsencrypt with the content below.

options-ssl-apache.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

Port Forward Setup in Apache:

I assume Compiere is already set up on Tomcat.

Apache is listening on port 80 and Tomcat's HTTP connector on port 7085 (see the server.xml below). Rather than proxying port 80 to 7085 over HTTP, we let Apache hand requests to Tomcat over AJP: mod_jk in Apache talks to Tomcat's AJP connector (port 7009 in the file below), and the SSL virtual host configured later mounts the application on that worker.

My Tomcat server.xml connectors are as follows:

<!-- A "Connector" represents an endpoint by which requests are received
     and responses are returned. Documentation at :
     Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
     Java AJP Connector: /docs/config/ajp.html
     APR (HTTP/AJP) Connector: /docs/apr.html
     Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="7085"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxHttpHeaderSize="7192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           redirectPort="6434"
           acceptCount="100"
           disableUploadTimeout="true" />

<!-- A "Connector" using the shared thread pool -->
<!--
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="6434"
           maxHttpHeaderSize="7192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           clientAuth="false"
           SSLEnabled="true"
           keystoreFile="/home/oracle/cpcapp2/Compiere2/keystore/myKeystore"
           keystorePass="myPassword"
           sslProtocol="TLS" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="7009" enableLookups="false" protocol="AJP/1.3" redirectPort="6434" />

Now we will create our workers.properties file for Apache

root ~# nano /etc/apache2/workers.properties

Paste the following text into workers.properties:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=7009

In my Tomcat I have used port 7009 for the AJP connector, so I used that port in the workers.properties file.

Configure Apache to use the workers file by editing jk.conf. First disable the jk module:

root ~# a2dismod jk

root ~# nano /etc/apache2/mods-available/jk.conf

Change the JkWorkersFile directive to point at /etc/apache2/workers.properties:

Before:

<IfModule jk_module>

# We need a workers file exactly once

# and in the global server

JkWorkersFile /var/log/apache2/workers.properties

After:

<IfModule jk_module>

# We need a workers file exactly once

# and in the global server

JkWorkersFile /etc/apache2/workers.properties

Enable the jk module again:

root ~# a2enmod jk
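A check worth running once the two files above are in place. The following is an added example written for this post, not code from it or from mod_jk or Tomcat. It embeds constructed copies of the post's AJP connector and workers.properties together with a hardened pair (the address and secret values are placeholders), and reports worker/connector pairs that do not line up or that leave the AJP port reachable and unauthenticated. This matters because a Tomcat AJP connector listens on all interfaces unless address= is set and accepts any client unless a shared secret is configured, so anything that can reach port 7009 directly can hand Tomcat requests that never passed through Apache.

```python
"""Audit a mod_jk -> Tomcat AJP hookup for port mismatches and exposure.

Added example for this post; not the post's own code and not shipped with
mod_jk or Tomcat. It reads a Tomcat server.xml and a mod_jk
workers.properties (both embedded below as constructed strings modelled on
the post's files) and reports:
  * a worker whose port has no AJP connector behind it,
  * an AJP connector that listens on all interfaces (no address="..."),
  * an AJP connector without a shared secret, or a secret that differs
    between server.xml and workers.properties.
Tomcat 7 calls the connector attribute requiredSecret; newer Tomcat
releases call it secret. mod_jk's side is worker.<name>.secret.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed input mirroring the post's connectors (no address, no secret).
SERVER_XML_ORIGINAL = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7085" protocol="HTTP/1.1" redirectPort="6434" />
    <Connector port="7009" enableLookups="false" protocol="AJP/1.3" redirectPort="6434" />
  </Service>
</Server>"""

WORKERS_ORIGINAL = """# Define 1 real worker using ajp13
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=7009
"""

# Hardened variants (assumed values): bound to loopback and sharing a secret.
SERVER_XML_HARDENED = SERVER_XML_ORIGINAL.replace(
    'protocol="AJP/1.3"',
    'protocol="AJP/1.3" address="127.0.0.1" requiredSecret="change-me-long-random"')
WORKERS_HARDENED = WORKERS_ORIGINAL + "worker.worker1.secret=change-me-long-random\n"


def ajp_connectors(server_xml):
    """Return {port: {"address": ..., "secret": ...}} for every AJP connector."""
    found = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").startswith("AJP/"):
            found[int(conn.get("port"))] = {
                "address": conn.get("address"),
                "secret": conn.get("requiredSecret") or conn.get("secret"),
            }
    return found


def ajp_workers(workers_properties):
    """Return the ajp13 workers named in worker.list as dicts."""
    props = {}
    for raw in workers_properties.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    workers = []
    for name in filter(None, (n.strip() for n in props.get("worker.list", "").split(","))):
        if props.get(f"worker.{name}.type") == "ajp13":
            workers.append({
                "name": name,
                "host": props.get(f"worker.{name}.host", "localhost"),
                "port": int(props.get(f"worker.{name}.port", "8009")),  # mod_jk default
                "secret": props.get(f"worker.{name}.secret"),
            })
    return workers


def audit(server_xml, workers_properties):
    """Return a list of human-readable findings; an empty list means the pair looks sane."""
    findings = []
    connectors = ajp_connectors(server_xml)
    for w in ajp_workers(workers_properties):
        conn = connectors.get(w["port"])
        if conn is None:
            findings.append(f"{w['name']}: no AJP connector listens on port {w['port']}")
            continue
        if conn["address"] not in LOOPBACK:
            findings.append(f"{w['name']}: AJP port {w['port']} listens on all interfaces; "
                            'set address="127.0.0.1" on the Connector')
        if not conn["secret"]:
            findings.append(f"{w['name']}: AJP port {w['port']} has no shared secret")
        elif conn["secret"] != w["secret"]:
            findings.append(f"{w['name']}: secret differs between server.xml and workers.properties")
    return findings


if __name__ == "__main__":
    for label, xml_text, props_text in (("post's config", SERVER_XML_ORIGINAL, WORKERS_ORIGINAL),
                                        ("hardened", SERVER_XML_HARDENED, WORKERS_HARDENED)):
        print(f"{label}: {audit(xml_text, props_text) or ['ok']}")
```

Run it against the real files by reading them instead of the embedded strings. If Apache runs on a different host from Tomcat, bind the connector to the internal interface that faces Apache rather than loopback, firewall that port, and extend LOOPBACK accordingly; the shared secret still applies.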

Apache SSL Virtual Host Conf:

sites-available:

If the default SSL site (default-ssl.conf) is enabled, disable it with a2dissite so that it does not compete for the *:443 virtual host.

Create a new file for the SSL configuration. I have created a new file, cpc_ssl.conf, under 'sites-available' (/etc/apache2/sites-available).

In this file I have referenced the workers.properties worker and the location of the installed certificate.

The content is as follows:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    # ServerName takes the bare host name on the certificate, never a URL
    ServerName my.local.in
    ServerAdmin mohanpalanichamy@sample.com
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    #Redirect permanent / https://0.0.0.0/

    <Directory "/var/www/html">
    #    AuthType Basic
    #    AuthName "Restricted Content"
    #    AuthUserFile /etc/apache2/.htpasswd
    #    Require valid-user
    #    CheckSpelling On
    #    CheckCaseOnly On
    </Directory>

    # Mount your applications
    JkMount /* worker1

    Include /etc/letsencrypt/options-ssl-apache.conf
    # fullchain.pem carries the intermediate certificate; with cert.pem alone
    # Apache sends no chain unless SSLCertificateChainFile is also set, and
    # clients that do not fetch the intermediate themselves fail validation.
    SSLCertificateFile /etc/letsencrypt/live/my.local.in/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.local.in/privkey.pem
</VirtualHost>
</IfModule>

Enable the cpc_ssl.conf site:

root ~# a2ensite cpc_ssl

Check the configuration for syntax errors with apachectl configtest, then restart Apache:

root ~# /etc/init.d/apache2 restart

Verify the URL in a browser:

URL: https://my.local.in/apps/Compiere.html

It should load the home page.
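The site above works, but two things a practitioner will want are missing: plain-HTTP requests on port 80 are still answered by Apache's default site instead of being sent to TLS, and the certbot "intermediate" include shown earlier still allows TLS 1.0/1.1 and the 3DES (DES-CBC3) suites. The following is an added example, not the post's own configuration: a port-80 site that only redirects (leaving the ACME HTTP-01 path alone so certbot renewals keep working) and a tightened 443 site with the TLS settings inline, HSTS and the cookie fix from the certbot file uncommented. It assumes the host name my.local.in, the worker name worker1, Apache 2.4, and that mod_ssl, mod_rewrite and mod_headers are enabled (a2enmod ssl rewrite headers).

```apache
# /etc/apache2/sites-available/cpc_ssl.conf (added example; host name, paths and worker name are assumptions)

<VirtualHost *:80>
    ServerName my.local.in
    DocumentRoot /var/www/html

    # Keep the ACME HTTP-01 path on plain HTTP for certbot renewals;
    # everything else gets a permanent redirect to the TLS site. The target
    # host is written out rather than taken from the Host header.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://my.local.in%{REQUEST_URI} [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName my.local.in
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    # fullchain.pem carries the intermediate; cert.pem alone leaves the chain out.
    SSLCertificateFile    /etc/letsencrypt/live/my.local.in/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.local.in/privkey.pem

    # Tighter than the certbot include: no TLS 1.0/1.1, forward-secret AEAD
    # suites only, none of the 3DES or CBC-SHA fallbacks.
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions +StrictRequire

    # Browser-side hardening. Start HSTS with a short max-age until the
    # redirect above has been verified end to end, then raise it.
    Header always set Strict-Transport-Security "max-age=300"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # Cookies set by Tomcat must never travel over plain HTTP (same regex as
    # the commented line in certbot's options-ssl-apache.conf).
    Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

    # Hand everything to Tomcat over AJP except the ACME path, which stays on
    # Apache's DocumentRoot. AJP carries the client address and the is_ssl
    # flag to Tomcat, so no extra X-Forwarded-* headers are needed.
    JkMount /* worker1
    JkUnMount /.well-known/acme-challenge/* worker1
</VirtualHost>
</IfModule>
```

After a2ensite and a restart, confirm with a plain-HTTP request to / that the answer is a 301 to https://my.local.in/, and with openssl s_client that a TLS 1.1 handshake is refused while TLS 1.2 succeeds and the server presents the full chain.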

Tomcat URL Redirection:

Instead of typing the full path (https://my.local.in/apps/Compiere.html) into the browser, we configure Tomcat to redirect a request for the bare domain to the home page.

For that, open the file ..\apache-tomcat-7.0.x\webapps\ROOT\index.jsp

Add the following line at the top of index.jsp. Use a single sendRedirect call: the first call commits the response, and a second one throws IllegalStateException. The return stops the rest of the page from being rendered after the redirect has been sent.

<% response.sendRedirect("https://my.local.in/apps/Compiere.html"); return; %>

For another target, replace the URL with your own (http://yourRedirectionURL). Note that scriptlet code in a JSP file must start with <% and end with %>, and that the quoted URL must contain no stray whitespace.

Now if you enter https://my.local.in in the browser it is automatically redirected to https://my.local.in/apps/Compiere.html.

Do Virtual Private Networks Run Over Satellite Internet? & VPN Tunneling:

October 14, 2010

VPN and satellite Internet technologies were not designed to work together. Two technical limitations of satellite Internet greatly affect the performance of a VPN:

* Virtual private networks require a high-bandwidth, low-latency network to function efficiently. Satellite Internet services, on the other hand, normally suffer very high latencies due to the long distance satellite signals must travel.
* Satellite Internet also tends to support low upstream bandwidth. Specifically, satellite bandwidth for uploads is comparable to that of dial-up Internet services. VPNs demand high bandwidth for both uploads and downloads.

Despite these limitations, it is technically possible to use most VPN solutions with most satellite Internet services. The following caveats apply:

1. Overall performance of a VPN connection over satellite will be poor. VPN over satellite often performs at the speed of a dial-up Internet connection.

2. Satellite providers generally do not offer technical support or service guarantees to VPN users.

3. Satellite providers commonly deploy a performance-boosting technique that they often call "IP spoofing" (or "TCP spoofing"): a ground-station proxy answers TCP acknowledgements on behalf of the far end so that the satellite round trip does not throttle each connection. A VPN tunnel hides the TCP headers inside encrypted packets, so the accelerator cannot act on them and in some deployments it interferes with establishing the VPN at all. For VPNs to work with satellite Internet, the provider must have some provision to bypass the accelerator for VPN connections.

4. The same compatibility issues between VPNs and personal firewalls, and between VPNs and Internet connection sharing software, apply to satellite as to other types of Internet service.

To determine if a given VPN client or protocol will work with a given satellite service, consult the satellite provider. While they may not offer technical support, providers usually list general compatibility information about VPNs on their Web sites. Note that limitations can vary depending on the package subscribed to. “Business” or “telecommuter” services, for example, tend to offer more VPN support than “residential” services.

VPN Tunneling:

Virtual private network technology is based on the idea of tunneling. VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side.

For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure.
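The encapsulation described above, as an added example that is not part of the original post and not taken from any VPN product: PPTP carries its PPP frames over GRE (IP protocol 47), so plain GRE over IPv4 is used here as the carrier. The inner IPv4/UDP packet is the "VPN protocol" payload, the outer IPv4 header is the carrier, and the receiving side validates the outer header before stripping it. All addresses and the payload are constructed test values. The point worth noticing is that encapsulation alone moves bytes and hides nothing: the inner packet sits verbatim inside the outer one, which is why a VPN protocol also has to authenticate and encrypt the tunnel.

```python
"""Tunneling as encapsulation: an IPv4/UDP packet carried inside GRE inside IPv4.

Added example for this post, not code from it. Carrier layout:
  outer IPv4 header (proto 47) | GRE header (4 bytes) | inner packet
"""
import struct

GRE_PROTO = 47            # IP protocol number of GRE (RFC 2784); PPTP carries PPP over it
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value announcing an IPv4 payload
PROTO_UDP = 17


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def ip_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header (no options), DF set, with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_inner(src, dst, sport, dport, payload):
    """The packet the VPN client wants delivered: IPv4 + UDP (UDP checksum 0, legal in IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp


def gre_encapsulate(inner, outer_src, outer_dst):
    """Carrier = outer IPv4 (proto 47) + minimal GRE header (no C/K/S bits, version 0) + inner."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(carrier):
    """Receiving side: validate the outer header, strip it and GRE, return (outer_src, outer_dst, inner)."""
    if len(carrier) < 24 or carrier[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (carrier[0] & 0x0F) * 4
    if len(carrier) < ihl + 4:
        raise ValueError("truncated carrier")
    outer = carrier[:ihl]
    if ip_checksum(outer) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    total_len = struct.unpack("!H", outer[2:4])[0]
    flags, ptype = struct.unpack("!HH", carrier[ihl:ihl + 4])
    if flags & 0x0007 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE version or payload type")
    if flags & 0x8000:
        raise ValueError("GRE checksum option not handled by this example")
    # Key (K, 0x2000) and Sequence Number (S, 0x1000) from RFC 2890 add 4 bytes each.
    gre_len = 4 + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return bytes_to_ip(outer[12:16]), bytes_to_ip(outer[16:20]), carrier[ihl + gre_len:total_len]


def is_valid_carrier(carrier):
    """True if the bytes parse as a GRE-over-IPv4 carrier with an intact outer header."""
    try:
        gre_decapsulate(carrier)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed addresses: 10.8.0.0/24 plays the private VPN network, the
    # outer pair are documentation addresses standing in for the public endpoints.
    inner = build_inner("10.8.0.2", "10.8.0.1", 40000, 53, b"hello")
    carrier = gre_encapsulate(inner, "203.0.113.7", "198.51.100.9")
    print(carrier.hex())
    print("inner packet starts at byte", carrier.find(inner), "of the carrier;",
          "payload readable in the clear:", carrier[carrier.find(b"hello"):].decode())
```

The decapsulation rejects any carrier whose outer header checksum fails, but a checksum is not authentication: anyone on the path can rebuild it after changing the inner packet. Confidentiality and integrity come from the layer the page names next (IPsec's ESP or TLS), not from the encapsulation itself.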

Types of VPN Tunneling:

VPN supports two types of tunneling – voluntary and compulsory. Both types of tunneling are commonly used.

In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively transfers management control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEP devices.

VPN Tunneling Protocols:

Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP):

Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all versions of Windows include built-in client support for it. The initial Microsoft releases of PPTP contained security features that experts found too weak for serious use, and the later revisions did not hold up either: PPTP's MS-CHAPv2 authentication and its RC4-based MPPE encryption are now considered broken, so PPTP should not be relied on for confidentiality.

Definition: PPTP is a network protocol used in the implementation of Virtual Private Networks (VPN). RFC 2637 is the PPTP technical specification.

PPTP works on a client/server model. PPTP clients are included by default in Microsoft Windows and are also available for Linux and, in older releases, Mac OS X. L2TP/IPsec and native IPsec have largely taken its place, but PPTP is still encountered, especially on Windows computers.

PPTP technology extends the Point to Point Protocol (PPP) standard for traditional dial-up networking. PPTP operates at Layer 2 of the OSI model. As a network protocol, PPTP is best suited for the remote access applications of VPNs, but it also supports LAN internetworking.

Layer Two Tunneling Protocol (L2TP):

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model — thus the origin of its name.

Internet Protocol Security (IPsec):

IPsec is actually a collection of related protocols (AH and ESP for the packets themselves, IKE for key exchange). It can be used as a complete VPN solution on its own or as the encryption layer under L2TP (L2TP/IPsec); PPTP uses its own MPPE encryption instead. IPsec exists at the network layer (Layer Three) of the OSI model.

What Are the Key VPN Security Technologies?

October 13, 2010

Virtual private networks (VPNs) are generally considered to have very strong protection for data communications.

So-called secure VPNs provide both network authentication and encryption. Secure VPNs are most commonly implemented using IPsec or SSL.

IPsec:

Definition: IPsec is a technology standard for implementing security features in Internet Protocol (IP) networking. IPsec network protocols support encryption and authentication. IPsec is most commonly used in so-called “tunnel mode” with a Virtual Private Network (VPN). However, IPsec also supports a “transport mode” for direct connection between two computers.

Technically, IPsec functions at the network layer (Layer 3) of the OSI model. IPsec is supported in Microsoft Windows (Win2000 and newer versions) as well as most forms of Linux / Unix.

SSL – Secure Sockets Layer:

Definition: SSL security technology helps to improve the safety of Internet communications. SSL is a standard for encrypted client/server communication between network devices; its successor, TLS, is what current deployments actually negotiate, though the name SSL has stuck.

A network protocol, SSL runs on top of TCP/IP. SSL uses several standard network security techniques, including public keys, symmetric keys, and certificates. Web sites commonly use SSL to guard private information such as credit card numbers.

Using IPsec for VPN Security:

IPsec has been the traditional choice for implementing VPN security on corporate networks. Enterprise-class network appliances from companies like Cisco and Juniper implement the essential VPN server functions in hardware, and corresponding VPN client software is used to log on to the network. IPsec operates at layer 3 (the network layer) of the OSI model.

Using SSL for VPN Security:

SSL VPNs are an alternative to IPsec that rely on a Web browser instead of custom VPN clients to log on to the private network. By utilizing the SSL network protocols built into standard Web browsers and Web servers, SSL VPNs are intended to be cheaper to set up and maintain than IPsec VPNs. Additionally, SSL operates at a higher level than IPsec, giving administrators more options to control access to network resources. However, configuring SSL VPNs to interface with resources not normally accessed from a Web browser can be difficult.

Wi-Fi vs VPN Security:

Some organizations use an IPsec (or sometimes SSL) VPN to protect a Wi-Fi local area network. Wi-Fi security protocols such as WPA2 with AES (CCMP) already provide authentication and encryption for the wireless hop, so a VPN is not needed for that alone. What the VPN adds is protection end to end, past the access point and across networks the organization does not control, which is why it remains useful on open or shared Wi-Fi.