stackoom
  简体   繁体   中英

Moving ssl handling from Tomcat to Apache?

 原文  2015-02-27 18:51:29       java/ apache/ tomcat/ ssl/ alfresco

Question

In the organisation I work for we are unable to use Tomcat for SSL, since they have a policy of fronting all authentication by managed Apache instances. In this scenario, mod_ssl is used, in conjunction with mod_jk, with the 'REMOTE_USER' being set to 'SSL_CLIENT_S_DN_CN', per http://httpd.apache.org/docs/trunk/mod/mod_ssl.html .

The web application I am dealing (Alfresco) with was designed with the expectation of SSL on the Tomcat container, with a role mapping happening in Tomcat, but I am not sure how to make it work using mod_ssl instead.

From the web.xml , the settings that I am dealing with are: 

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>SOLR</web-resource-name>
         <url-pattern>/wcs/api/solr/*</url-pattern>
      </web-resource-collection>

      <auth-constraint>
         <role-name>repoclient</role-name>
      </auth-constraint>

      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

   <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>Repository</realm-name>
   </login-config>

   <security-role>
     <role-name>repoclient</role-name>
   </security-role>

Any advice would be appreciated. I have looked around to see if there are any tips on how to deal with this, but I haven't had much luck.

1 answers

solution1
 1  2015-03-01 15:49:05

It is no problem to use apache with mod_jk or mod_proxy_ajp as a terminating SSL endpoint. Alfresco's tomcat has SSL configured to secure communication between the alfresco repository and the Solr search engine, so you shouldn't touch the tomcat config for 8080 or 8443 not to break the communication for Solr (the ssl certificate is used for authentication - so don't touch it as long you know what you're doing).

In tomcat's server.xml add or comment in a ajp connector instead. eg 

    <!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="1.2.3.4" protocol="AJP/1.3" redirectPort="8443" scheme="https" proxyPort="443" secure="true" URIEncoding="UTF-8" maxThreads="500" maxSavePostSize="-1" />

Additionally it is best practice to add a parameter address="localhost" for the 8080 and 8443 conectors to hide the port from outside the server.

Here you find how to configure the apache proxy: https://serverfault.com/questions/472491/how-to-set-up-alfresco-share-behind-apache-reverse-proxy

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to import ssl wildcard cert from Apache to Tomcat Configured SSL on Apache Tomcat 7.0.47 Apache & TomCat & SSL - App Not Working Webserver handling SSL connection for Tomcat Servlet Is this a false SSL connection between Apache + Tomcat? Apache Tomcat/7.0.35 SSL Certificate Install Apache Tomcat for Windows SSL Implementation not working Moving war from windows tomcat to linux tomcat SSL sharing between Apache and Apache tomcat with standard port Apache tomcat error (no from eclipse or xampp tomcat)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM