
Is this a false SSL connection between Apache + Tomcat?

I was looking over this guide to setup tomcat + apache with SSL: http://www.mulesoft.com/tcat/tomcat-ssl

Under the section "When To Use SSL With Tomcat" it says:

"...In other words, if you're fronting Tomcat with a web server and using it only as an application server or Tomcat servlet container, in most cases you should let the web server function as a proxy for all SSL requests"

Since I already have a webserver set up with SSL, I decided to be lazy. I installed Tomcat with default settings, and started it up. In my httpd.conf, I redirected all port 80 traffic to 443, and then ProxyPass and ProxyPassReverse to ajp://hostname.com:8009. I restarted httpd and it "appears" to redirect to the Tomcat server over SSL. Is this completely broken, or did I actually manage to do what I intended on the first go? Any test suggestions are much appreciated.

<VirtualHost *:80>
        ServerName hostname_DNS_alias.com
        Redirect / https://hostname_DNS_alias.com
</VirtualHost>

<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/pki/tls/certs/thecrt.crt
        SSLCertificateKeyFile /etc/pki/tls/private/thekey.key
        SSLCertificateChainFile /etc/pki/tls/certs/CA.crt
        ServerName hostname_DNS_alias.com
        DocumentRoot /var/www/html

        <Proxy *>
                AddDefaultCharset off
                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPass          /    ajp://hostname.com:8009/
        ProxyPassReverse   /    ajp://hostname.com:8009/
</VirtualHost>

I think you've got it, but you can look at the access logs on HTTPD & Tomcat to confirm the request is being proxied. You should see an access log entry on both systems.

A couple quick notes...

  • As mentioned in the comment, you can remove the HTTP connector from Tomcat. It's not a must though. Sometimes it's nice to keep it open for testing purposes (i.e. you can hit the server directly) or if you want to run the Manager app on it. If you do keep it around, especially if you use it to run the Manager app, you should probably restrict access to it. Two easy ways to do that are by setting the address attribute on the HTTP connector to localhost or by configuring a RemoteAddressFilter.

  • Keep in mind that the AJP connection from your HTTPD server to Tomcat is not encrypted (SSL is terminated at HTTPD), so you want to make sure that traffic never goes over an insecure network (like the Internet).

  • Since you already have HTTPD in the mix, you can also use it to serve up your static files. If you deploy them to your document root, you can then add a "ProxyPass !" directive to exclude that path from being proxied to Tomcat. This will offer slightly less latency on the request as HTTPD does need to get the static file from Tomcat.
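One way to run the access-log check suggested above, added here as an example and not part of the original answer: it parses constructed Apache and Tomcat access-log lines (both write Common Log Format by default, and AJP passes the real client address through, so the %h field agrees on both sides) and reports which requests were proxied, which Apache served itself, and which reached Tomcat without passing through Apache at all, the case the HTTP-connector note above is concerned with. The log lines, addresses and the 2-second match window are assumptions for the demonstration.

```python
import re
from datetime import datetime

# Common Log Format prefix, as written by Apache's "common"/"combined" LogFormats
# and by Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b);
# trailing combined-format fields (referer, user agent) are simply ignored.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+')

def parse_log(lines):
    """Parse access-log lines into dicts; non-matching lines are skipped."""
    entries = []
    for m in filter(None, map(LOG_RE.match, lines)):
        entries.append({"host": m.group("host"), "request": m.group("request"),
                        "status": int(m.group("status")),
                        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")})
    return entries

def correlate(apache_lines, tomcat_lines, window_seconds=2):
    """Pair Apache entries with Tomcat entries by client address, request line and
    timestamp (within window_seconds). AJP forwards the real client address, so %h
    matches on both sides. Returns request lines in three lists: proxied (on both),
    apache_only (served by HTTPD itself, e.g. a "ProxyPass !" path) and tomcat_only
    (reached Tomcat without passing HTTPD, e.g. via an exposed HTTP connector)."""
    unmatched = parse_log(tomcat_lines)
    proxied, apache_only = [], []
    for a in parse_log(apache_lines):
        hit = next((t for t in unmatched
                    if t["host"] == a["host"] and t["request"] == a["request"]
                    and abs((t["time"] - a["time"]).total_seconds()) <= window_seconds), None)
        if hit is None:
            apache_only.append(a["request"])
        else:
            unmatched.remove(hit)
            proxied.append(a["request"])
    return proxied, apache_only, [t["request"] for t in unmatched]

# Constructed sample lines (not real logs); addresses come from documentation ranges.
APACHE_LOG = [
    '203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /app/index.jsp HTTP/1.1" 200 512 "-" "curl/7.61.1"',
    '203.0.113.5 - - [10/Oct/2020:13:55:37 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "curl/7.61.1"',
]
TOMCAT_LOG = [
    '203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2020:13:56:01 +0000] "GET /manager/html HTTP/1.1" 401 -',
]
if __name__ == "__main__":
    for label, reqs in zip(("proxied", "apache_only", "tomcat_only"), correlate(APACHE_LOG, TOMCAT_LOG)):
        print(label, reqs)
```

Anything listed under tomcat_only on a real pair of logs is a request that never went through HTTPD, which is exactly what binding the HTTP connector to localhost is meant to prevent.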
