tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Mohrig <andreas.moh...@cadooz.de>
Subject RE: SSL Connection Tomcat and Apache
Date Tue, 13 Aug 2002 17:03:37 GMT
Please correct my typo: It has to be "ssh" instead of "ssl" (of course) in
the command used to start the secure shell!!!

And one mor thought: I have no idea how this might affect performance.

-----

I think the setup within apache's httpd.conf will enable encryption between
the client browsers and the webserver only, but not between apache and
tomcat. You might use ssh to do that, since you can build an "encrypted
tunnel" to forward the connections to a remote port.

Suppose your apache machine was on ip 192.168.0.1 and your tomcat machine
was on ip 192.168.0.2. Further suppose your ajp connector is configured to
use port 8009. You could start a port forwarding tunnel on your apache
machine with

ssh -L 8009:192.168.0.2:8009 someuser@192.168.0.2

Any connection to port 192.168.0.1:8009 will be forwarded to 192.168.0.2 via
the encrypted connection established by ssh. Of course this requires ssh to
be installed on both machines, i.e. the server component on the
tomcat-machine and the client component on the apache-machine. (You could do
it the other way around using the -R switch). Note that the connection will
only be forwarded if it is coming from the local machine (i.e. the
apache-machine in this example), unless you also state "-g" to enable other
machines to connect. (You might wish to read up on this in a suitable ssh
documentation).

You would then have to modify back your workers.properties file to look
something like this (on the apache machine):

# Definition for Ajp13 worker
#
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13

Note that it is "localhost" again instead of 192.168.0.2 (the ip of the
tomcat-machine).

I have not tested this procedure, and have not given it much thought if this
will cause additional security problems. I have also not explored in which
way the ssh connection has to be set up to be available to apache (I would
presume you would have to do it using "nohup ssh -L 8009:192.168.0.2:8009
someuser@192.168.0.2 &" just before starting apache, but that could cause
problems with the password you would have to enter, and may force you to use
client authentication with public/private keys instead). 

The best solution of course would be to place your tomcat worker-machines
physically behind your apache webserver, using a second network interface
card on the apache machine and a switch/hub to connect it to potentially
quite a lot of tomcat-machines, which would not be reachable by any other
machines if you set up the apache-machine correctly.

Please let me (let us all) know if you manage to successfully set up such a
configuration using ssh.

greetings

Andreas Mohrig

-----Original Message-----
From: Turner, John [mailto:JTurner@AAS.com]
Sent: Tuesday, August 13, 2002 5:49 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache



Thanks for your post with the configuration in it...SSL between apache and
tomcat is something I have been wanting to research for awhile now, and your
info will make it easier to do that.

That said, I'm curious to know how you are verifying that SSL is working
between apache and tomcat on different machines.  How do you know the
datastream is truly encrypted?  I'm not questioning your setup, I'm asking
how I will know the same thing for sure once I set it up myself.  Having SSL
setup on both machines is no guarantee that the datastream is encrypted. 

John Turner
jturner@NOSPAM.aas.com

-----Original Message-----
From: Pooleery, Manoj [mailto:Pooleery@Synygy.com]
Sent: Tuesday, August 13, 2002 11:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


i have it working on different machines.  Tomcat on one machine and apache
on another.  SSL will work irrespective of the machines, as long as both of
the machines can see each other.(i mean on the same network).

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:MNWills@taylorcorp.com]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


What about the transmittions between Apache and Tomcat? I realize if they
are on the same machine it isn't a problem, but what about if it is on a
different machine? 

This is all for the intranet.

-----Original Message-----
From: Pooleery, Manoj [mailto:Pooleery@Synygy.com]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost <server_name>:443>

	#  General setup for the virtual host
	DocumentRoot "C:/Apache/htdocs"
	ServerName <server_name>
	ServerAdmin webmaster@localhost
	ErrorLog logs/ssl/error.log
	TransferLog logs/ssl/access.log

	SSLCertificateFile "<certificate_location>/<certificate_name>"
	SSLCertificateKeyFile "<certificate_key_location>/<certificate_key>"
</VirtualHost>                                  

you have to generate a CSR file(instructions for creating a CSR can be found
at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
CSR, you can send it to any of the certificate issuing authorities(verisign,
thawte etc) and once you get a certificate, you make the above changes in
the httpd.conf.

Thanks
Manoj.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:MNWills@taylorcorp.com]
Sent: Monday, August 12, 2002 4:21 PM
To: 'tomcat-user@jakarta.apache.org'
Subject: SSL Connection Tomcat and Apache


I have Apache and Tomcat working together, but now I am curious on security.
How I do implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
mnwills@taylorcorp.com
Phone: (507) 386-3187


--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>

--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>

--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>

--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>

--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>

--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>

--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message