Apache Tomcat SSL Port Forward
Table of Contents:
1) Apache Web Server Installation
2) SSL Certificate Installation
3) Port Forward Setup in Apache (mod_jk Conf)
4) Apache – SSL Virtual Host Conf
5) Tomcat URL Redirection
Apache Web Server Installation:
root ~$ apt-get install apache2
This command installs the Apache web server on the local system with its default configuration. After the installation completes, the service is started automatically on port 80.
root ~$ /etc/init.d/apache2 status
This command shows the status of the Apache web server.
Installing and configuring mod_jk
root ~$ apt-get install libapache2-mod-jk
This command installs the mod_jk module for the Apache web server, which forwards requests to Tomcat over AJP.
SSL Certificate Installation:
We have installed and configured a Let's Encrypt SSL certificate on the local system. It was installed by the Network Team.
Let's Encrypt configuration file location:
~# /etc/letsencrypt
By default an 'options-ssl-apache.conf' file is created in /etc/letsencrypt. If it is not there, we can create it manually under '/etc/letsencrypt'.
options-ssl-apache.conf
—————————-
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
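To see what the SSLProtocol and SSLCipherSuite lines above actually enable, here is an added Python example (not part of the original post, and not Certbot's code) that evaluates an SSLProtocol expression the way Apache applies its tokens and flags the 3DES and non-forward-secret suites in a cipher list. The set of protocols that `all` expands to is an assumption for an OpenSSL 1.0.x build, and the embedded config excerpt is constructed with a shortened cipher list.

```python
import re

# What "SSLProtocol all" expands to on the OpenSSL 1.0.x builds a Debian
# Apache of this tutorial's era ships (assumption; Apache 2.4.37+ with
# OpenSSL 1.1.1+ adds TLSv1.3 to the list).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed excerpt of the tutorial's options-ssl-apache.conf, with the
# cipher list shortened to a few representative suites.
OPTIONS_SSL_CONF = """# Intermediate configuration, tweak to your needs
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
"""

def directive(conf, name):
    """Value of the first uncommented NAME directive in CONF, or None."""
    m = re.search(r"^[ \t]*%s[ \t]+(.+?)[ \t]*$" % re.escape(name), conf, re.M | re.I)
    return m.group(1) if m else None

def enabled_protocols(value, all_protocols=ALL_PROTOCOLS):
    """Evaluate an SSLProtocol value such as 'all -SSLv2 -SSLv3'.
    Tokens apply left to right: 'all' enables everything the build knows,
    'name' or '+name' enables one protocol, '-name' disables one."""
    enabled = set()
    for token in value.split():
        name = token.lstrip("+-")
        names = set(all_protocols) if name.lower() == "all" else {name}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return sorted(enabled, key=lambda p: all_protocols.index(p) if p in all_protocols else 99)

def weak_suites(cipher_string):
    """Suites in an OpenSSL cipher list a reviewer would flag: 3DES (DES-CBC3)
    and static RSA key exchange (no ECDHE/DHE prefix, hence no forward secrecy).
    Entries starting with '!', '-', '+' or '@' are modifiers, not suites."""
    flagged = {}
    for suite in cipher_string.split(":"):
        if not suite or suite[0] in "!-+@":
            continue
        reasons = ["3DES"] if "DES-CBC3" in suite else []
        if not suite.startswith(("ECDHE-", "DHE-", "EDH-")):
            reasons.append("no forward secrecy")
        if reasons:
            flagged[suite] = reasons
    return flagged
```

Run against the full cipher list from the file above, the same check flags the four DES-CBC3 suites and the seven suites without an ECDHE/DHE prefix.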
Port Forward Setup in Apache:
I assume the Compiere with Tomcat setup is already completed.
Now Apache is running on port 80 and Tomcat is running on port 7085 (refer to the server.xml file below). We are going to forward the incoming requests on port 80 to Tomcat running on port 7085.
My Tomcat server.xml file is as follows:
———–
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="7085"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxHttpHeaderSize="7192"
               maxThreads="150"
               minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false"
               redirectPort="6434"
               acceptCount="100"
               disableUploadTimeout="true" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <Connector port="6434"
               maxHttpHeaderSize="7192"
               maxThreads="150"
               minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false"
               disableUploadTimeout="true"
               acceptCount="100"
               scheme="https"
               secure="true"
               clientAuth="false"
               SSLEnabled="true"
               keystoreFile="/home/oracle/cpcapp2/Compiere2/keystore/myKeystore"
               keystorePass="myPassword"
               sslProtocol="TLS" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="7009" enableLookups="false" protocol="AJP/1.3" redirectPort="6434" />
—–
Now we will create our workers.properties file for Apache:
root ~# nano /etc/apache2/workers.properties
Paste the text below into workers.properties:
# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=7009
In my Tomcat I have used port 7009 for the AJP connector, so I used that port in the workers.properties file.
Configure Apache to use the worker file. For that, edit the jk.conf file in Apache2.
Disable the jk module by using the command below:
root ~# a2dismod jk
root ~# nano /etc/apache2/mods-available/jk.conf
Change the JkWorkersFile property to /etc/apache2/workers.properties.
Before:
<IfModule jk_module>
    # We need a workers file exactly once
    # and in the global server
    JkWorkersFile /var/log/apache2/workers.properties
After:
<IfModule jk_module>
    # We need a workers file exactly once
    # and in the global server
    JkWorkersFile /etc/apache2/workers.properties
Enable the jk module by using the command below:
root ~# a2enmod jk
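A quick consistency check for the forwarding setup above, as an added Python example (not from the original post, Tomcat or mod_jk): it parses constructed excerpts of the server.xml and workers.properties shown here, confirms that the mod_jk worker points at an AJP/1.3 connector Tomcat actually declares, and reports whether that connector is restricted to loopback through Tomcat's `address` attribute, which the connector above does not set even though only this Apache needs to reach the AJP port.

```python
import xml.etree.ElementTree as ET

# Constructed excerpts of the tutorial's server.xml and workers.properties
# (only the Connector lines matter here; the AJP connector has no address
# attribute, exactly as in the tutorial).
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="7085" protocol="HTTP/1.1" redirectPort="6434" />
  <Connector port="7009" enableLookups="false" protocol="AJP/1.3" redirectPort="6434" />
</Service></Server>"""
WORKERS_PROPERTIES = """# Define 1 real worker using ajp13
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=7009
"""

def ajp_connectors(server_xml):
    """Map port -> attributes for every AJP Connector declared in server.xml."""
    return {int(c.get("port")): c.attrib
            for c in ET.fromstring(server_xml).iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")}

def jk_workers(workers_properties):
    """Map worker name -> {type, host, port, ...} for each worker in worker.list."""
    props = {}
    for line in workers_properties.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    names = [n.strip() for n in props.get("worker.list", "").split(",") if n.strip()]
    return {n: {k.split(".", 2)[2]: v for k, v in props.items()
                if k.startswith("worker.%s." % n)} for n in names}

def check_forwarding(server_xml, workers_properties):
    """For each mod_jk worker: is it an ajp13 worker, does Tomcat really declare
    an AJP connector on that port, and is that connector bound to loopback only
    (without Tomcat's 'address' attribute the AJP port listens on all interfaces)."""
    connectors = ajp_connectors(server_xml)
    report = {}
    for name, w in jk_workers(workers_properties).items():
        conn = connectors.get(int(w.get("port", 0)))
        report[name] = {
            "type_ok": w.get("type") == "ajp13",
            "connector_found": conn is not None,
            "loopback_only": conn is not None
            and conn.get("address") in ("127.0.0.1", "localhost", "::1"),
        }
    return report
```

With the tutorial's files the report shows the worker and connector matching on port 7009 but loopback_only False; adding address="127.0.0.1" to the AJP Connector turns it True.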
Apache – SSL Virtual Host Conf:
sites-available:
If the default SSL site (default-ssl.conf) is enabled, disable it.
Create a new file for the SSL configuration. I have created a new file cpc_ssl.conf under 'sites-available' (/etc/apache2/sites-available).
In this file I have referenced the worker from workers.properties and the location of the installed SSL certificate.
Its content is as follows:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # Host name only; a scheme does not belong in ServerName for an HTTPS vhost
    ServerName www.my.local.in
    ServerAdmin mohanpalanichamy@sample.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    #Redirect permanent / https://0.0.0.0/
    <Directory "/var/www/html">
        # AuthType Basic
        # AuthName "Restricted Content"
        # AuthUserFile /etc/apache2/.htpasswd
        # Require valid-user
        # CheckSpelling On
        # CheckCaseOnly On
    </Directory>
    # Mount your applications
    JkMount /* worker1
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/my.local.in/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.local.in/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/my.local.in/chain.pem
</VirtualHost>
</IfModule>
Enable the cpc_ssl.conf site by using the command below:
root ~# a2ensite cpc_ssl
Restart the Apache server:
root ~# /etc/init.d/apache2 restart
Verify the URL in a browser:
URL – https://my.local.in/apps/Compiere.html
It should load the home page.
Tomcat URL Redirection:
Instead of entering the full path (https://my.local.in/apps/Compiere.html) in the browser, we will configure Tomcat to redirect requests for the bare domain URL to the home page.
For that, go to the file ..\apache-tomcat-7.0.x\webapps\ROOT\index.jsp
Add the line of code below at the top of index.jsp:
<% response.sendRedirect("https://my.local.in/apps/Compiere.html"); %>
In general form, with your own target URL:
<% response.sendRedirect("http://yourRedirectionURL"); %>
Please note that in a JSP file you need to start the above line with <% and end with %>.
Now if you enter https://my.local.in in the browser, it will be automatically redirected to https://my.local.in/apps/Compiere.html.