
Is this a false SSL connection between Apache + Tomcat?

I was looking over this guide to set up Tomcat + Apache with SSL: http://www.mulesoft.com/tcat/tomcat-ssl

Under the section "When To Use SSL With Tomcat" it says:

"...In other words, if you're fronting Tomcat with a web server and using it only as an application server or Tomcat servlet container, in most cases you should let the web server function as a proxy for all SSL requests"

Since I already have a web server set up with SSL, I decided to be lazy. I installed Tomcat with default settings and started it up. In my httpd.conf, I redirected all port 80 traffic to 443, and then ProxyPass and ProxyPassReverse to ajp://hostname.com:8009. I restarted httpd and it "appears" to redirect to the Tomcat server over SSL. Is this completely broken, or did I actually manage to do what I intended on the first go? Any test suggestions are much appreciated.

<VirtualHost *:80>
        ServerName hostname_DNS_alias.com
        Redirect / https://hostname_DNS_alias.com
</VirtualHost>

<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/pki/tls/certs/thecrt.crt
        SSLCertificateKeyFile /etc/pki/tls/private/thekey.key
        SSLCertificateChainFile /etc/pki/tls/certs/CA.crt
        ServerName hostname_DNS_alias.com
        DocumentRoot /var/www/html

        <Proxy *>
                AddDefaultCharset off
                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPass          /    ajp://hostname.com:8009/
        ProxyPassReverse   /    ajp://hostname.com:8009/
</VirtualHost>

I think you've got it, but you can look at the access logs on HTTPD & Tomcat to confirm the request is being proxied. You should see an access log entry on both systems.

A couple of quick notes...

  • As mentioned in the comment, you can remove the HTTP connector from Tomcat. It's not a must, though. Sometimes it's nice to keep it open for testing purposes (i.e. you can hit the server directly) or if you want to run the Manager app on it. If you do keep it around, especially if you use it to run the Manager app, you should probably restrict access to it. Two easy ways to do that are by setting the address attribute on the HTTP connector to localhost or by configuring a RemoteAddressFilter.

  • Keep in mind that the AJP connection from your HTTPD server to Tomcat is not encrypted (SSL is terminated at HTTPD), so you want to make sure that traffic never goes over an insecure network (like the Internet).

  • Since you already have HTTPD in the mix, you can also use it to serve up your static files. If you deploy them to your document root, you can then add a "ProxyPass !" directive to exclude that path from being proxied to Tomcat. This will offer slightly less latency on the request as HTTPD does need to get the static file from Tomcat.
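The Tomcat side of the two connector notes above, as an added example that is not part of the question or the answer. It assumes a Tomcat 8.5.51/9.0.31 or later install (the AJP `secretRequired`/`secret` attributes do not exist in older releases), that 10.0.0.5 is a private interface on the Tomcat host that only the httpd box can reach, and that "change-me" is a placeholder for a real shared secret; all three are assumptions, not values from the page.

```xml
<!-- Added example, not the page's own config. File: conf/server.xml -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Note 1: keep the plain HTTP connector for local testing or the
         Manager app, but bind it to loopback so nothing off-box can reach
         port 8080. Drop this element entirely if you do not need it. -->
    <Connector port="8080" protocol="HTTP/1.1"
               address="127.0.0.1"
               connectionTimeout="20000" />

    <!-- Note 2: AJP carries the request in cleartext after httpd has
         terminated TLS. Bind it to the private interface (assumed 10.0.0.5)
         instead of all interfaces, and require the shared secret that httpd
         must present. Tomcat rejects AJP requests without the secret. -->
    <Connector port="8009" protocol="AJP/1.3"
               address="10.0.0.5"
               secretRequired="true"
               secret="change-me"
               redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <!-- Access log: the check the answer suggests. Every request httpd
             proxies over AJP should appear here and in httpd's own log. -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>

<!-- Second file, same example: conf/Catalina/localhost/manager.xml.
     Restricts the Manager app to loopback clients (the RemoteAddr* option
     from Note 1), so it is usable from the box but not through the proxy. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

On the httpd side the matching change is to point `ProxyPass`/`ProxyPassReverse` at the private address (`ajp://10.0.0.5:8009/`) and, with httpd 2.4.42 or later, append `secret=change-me` to the `ProxyPass` line so the proxy presents the same secret. With the secret required and the connector bound to a private interface, a stray host on the network can neither read the cleartext AJP traffic nor talk to Tomcat directly, which is the exposure the answer warns about.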
