tomcat-users mailing list archives

From David Fisher <dfis...@jmlafferty.com>
Subject Re: Broken tomcat 6.0 config after SSL install.
Date Sat, 26 Mar 2011 18:45:54 GMT

>> Taking the whole of the message above, it would look as if the new guy
>> wasn't too sure about how to set up SVN & SSL under Tomcat, and chose to set
>> it up on a front-end Apache instead. (Which, in principle, is also how I
>> would set it up, since I have no idea if there exists an SVN-capable webapp
>> for Tomcat).
>> 
>> The fact that you are seeing JSP pages "raw" probably means that he set
>> things up so that Apache can bypass Tomcat, and serve the JSP pages directly
>> from the Tomcat webapps directories (which is not good).
>> 
>> The way in which this kind of setup is normally done, is ascii-graphically
>> as follows :
>> 
>> browser <--(1)--> Apache + connector <--(2)--> Tomcat
>> 
>> and usually in such a case, you would arrange for only the connection (1) to
>> be HTTPS (in other words, one would "terminate SSL" at the Apache level),
>> and have the conversation between Apache and Tomcat (2) remain unencrypted
>> (particularly if they are on the same server).
>> 
>> For the "connector" at the Apache level, there exist several possibilities:
>> a) mod_jk (at the Apache level), talking to a <Connector
>> ..protocol="AJP/1.3"> on the Tomcat side

>> b) mod_proxy & mod_proxy_ajp at the Apache level, also talking to a
>> <Connector ..protocol="AJP/1.3"> on the Tomcat side
>> c) mod_proxy & mod_proxy_http at the Apache level, talking to a <Connector
>> ..protocol="HTTP/1.1"> on the Tomcat side

ProxyPass and ProxyPassReverse also work.

>> 
>> Then, you have to configure Apache and its connector properly, so that it
>> will :
>> - process locally what is not destined to Tomcat (such as probably the SVN
>> bit)
>> - pass-through (or rather proxy) to Tomcat what belongs to Tomcat (such as
>> requests for JSP pages)

Yup.

>> The proper way to do that depends on the connector which is used.
>> So you would first need to find out which that is.  Any "Proxy..."
>> statements in the Apache configuration ?

...

>> Hope that helps a bit to clarify what is going on.
>> 
> 
> Thanks for all the good suggestions thus far.
> 
> Going forward, we will implement the connector approach.  But for now,
> we just want to get 'back' to the previous configuration where tomcat
> was handling its requests just fine.  Svn can wait.
> 
> We don't have any specific proxies and I don't think there are any
> proxy statements in the config files.
> 
> For our main flow of requests, tomcat was listening on a custom port,
> which was (or should have been) totally unrelated to the https port.
> 
> I've just been trying to get the config back to where it was, but have
> been unsuccessful.  Stopping apache results in no web processing.  How
> can I get tomcat to be THE web server again?

Why? You can easily get this done; you are closer than you think. I'll show you how we do it.

We are on Solaris 10, Tomcat 6.0.29 and the latest HTTPD 2.2 package.

We actually have three different Tomcats behind httpd on this server: Confluence, JIRA, and
our own admin webapps.

The svn+ssh is configured as a separate virtual host as is our admin webapps.
SVN also has viewvc setup and the svn is password protected.
There are also apache hosted directories.

Here is a good part of our config with domain names changed:

Here is the admin site's conf/server.xml:

    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               enableLookups="false" disableUploadTimeout="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               URIEncoding="UTF-8" keystorePass="xxxxxx" keystoreFile="/my/servers.jks" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="10.10.*.*,127.0.0.1"/>
        <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
               directory="logs" prefix="access_local." suffix=".log"
               pattern="common" resolveHosts="false"/>
      </Host>
      <Host name="admin.x.com" appBase="webapps-admin"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               prefix="access_public." suffix=".log" pattern="common"/>
      </Host>
    </Engine>

Here is the httpd.conf:

NameVirtualHost *:80
NameVirtualHost *:443
SSLProtocol -ALL +SSLv2 +SSLv3
<VirtualHost _default_:80>
    Redirect permanent / https://ops.x.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName ops.x.com
    Redirect permanent / https://ops.x.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName ops.x.com
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /opt/pkg/etc/httpd/server.crt
    SSLCertificateKeyFile /opt/pkg/etc/httpd/server.key
    SSLCACertificateFile /opt/pkg/etc/httpd/intermediate.crt

    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>

    ProxyRequests       Off
    ProxyPreserveHost On
    ProxyPass /jira/secure/popups/colorpicker.jsp !
    ProxyPass /jira/secure/popups/grouppicker.jsp !
    ProxyPass /jira/secure/popups/userpicker.jsp !
    ProxyPass           /jira       https://localhost:8446/jira
    ProxyPassReverse    /jira       https://localhost:8446/jira
    ProxyPass           /confluence       https://localhost:8444/confluence
    ProxyPassReverse    /confluence       https://localhost:8444/confluence

    <Location /index.html>
        AuthType Digest
        AuthName "Web Users"
        AuthDigestDomain /
        AuthUserFile /opt/pkg/etc/httpd/davusers.digest
        Require valid-user
        SSLRequireSSL
    </Location>

    <Location /weblogs>
        AuthType Digest
        AuthName "Web Users"
        AuthDigestDomain /weblogs
        AuthUserFile /opt/pkg/etc/httpd/davusers.digest
        Require valid-user
        SSLRequireSSL
    </Location>

</VirtualHost>
<VirtualHost *:80>
    ServerName admin.x.com
    Redirect permanent / https://admin.x.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName admin.x.com

    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /opt/pkg/etc/httpd/server.crt
    SSLCertificateKeyFile /opt/pkg/etc/httpd/server.key
    SSLCACertificateFile /opt/pkg/etc/httpd/intermediate.crt

    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>

    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass           /      https://localhost:8445/
    ProxyPassReverse    /      https://localhost:8445/

</VirtualHost>
<VirtualHost *:80>
    ServerName svn.x.com
    Redirect permanent / https://svn.x.com/
</VirtualHost>
<VirtualHost *:443>
    #Alias /svn /export/repos
    #DocumentRoot /export/repos
    ServerName svn.x.com
    ServerAlias svn
    CustomLog       /opt/pkg/var/log/httpd/svn_access_log combined
    ErrorLog        /opt/pkg/var/log/httpd/svn_error_log

    SSLEngine On
    SSLCertificateFile /opt/pkg/etc/httpd/server.crt
    SSLCertificateKeyFile /opt/pkg/etc/httpd/server.key
    SSLCACertificateFile /opt/pkg/etc/httpd/intermediate.crt
    <Location /repos>
        DAV svn
        # a single repository: /repos and everything below it map into SVNPath
        SVNPath /path/to/repos/
        SVNAutoversioning on
        AuthType Digest
        AuthName "Web Users"
        AuthDigestDomain /repos
        AuthUserFile /opt/pkg/etc/httpd/davusers.digest
        AuthGroupFile /opt/pkg/etc/httpd/groups.db
        Require valid-user
        Require group repos
        Satisfy All
        SSLRequireSSL
    </Location>
    Alias /favicon.ico /opt/pkg/share/httpd/htdocs/subversion_logo.ico

    ScriptAlias /viewvc /usr/local/viewvc/bin/cgi/viewvc.cgi
    <Location /viewvc>
        AuthType Digest
        AuthName "Web Users"
        DirectorySlash On
        AuthDigestDomain /viewvc
        AuthUserFile /opt/pkg/etc/httpd/davusers.digest
        Require valid-user
        SSLRequireSSL
    </Location>
    <Location /viewvc/repos>
        AuthType Digest
        AuthName "Web Users"
        AuthDigestDomain /viewvc
        AuthUserFile /opt/pkg/etc/httpd/davusers.digest
        AuthGroupFile /opt/pkg/etc/httpd/groups.db
        Require valid-user
        Require group repos
        Satisfy All
        SSLRequireSSL
    </Location>
</VirtualHost>

Good luck.

Regards,
Dave
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
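As an added illustration (not part of this post, and not httpd's own code), the following Python models how mod_proxy picks a ProxyPass rule for a request, using the ops.x.com ProxyPass lines above as constructed sample input: rules are checked in configuration order, the first match wins, and a `!` target means httpd serves the path itself rather than proxying to Tomcat. The segment-boundary matching and the routing helper are my own simplification of mod_proxy's behaviour; the last function flags the "raw JSP" symptom the thread is about, i.e. `.jsp` requests that never reach Tomcat.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the ProxyPass lines of the ops.x.com vhost in the post.
SAMPLE_CONF = """
    ProxyPreserveHost On
    ProxyPass /jira/secure/popups/colorpicker.jsp !
    ProxyPass /jira/secure/popups/grouppicker.jsp !
    ProxyPass /jira/secure/popups/userpicker.jsp !
    ProxyPass           /jira       https://localhost:8446/jira
    ProxyPassReverse    /jira       https://localhost:8446/jira
    ProxyPass           /confluence       https://localhost:8444/confluence
    ProxyPassReverse    /confluence       https://localhost:8444/confluence
"""

# Matches plain ProxyPass only; ProxyPassReverse and other directives do not match.
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)

def parse_proxypass(conf: str) -> List[Tuple[str, Optional[str]]]:
    """(path, backend) pairs in file order; backend None means '!' (httpd serves it itself)."""
    rules = []
    for line in conf.splitlines():
        m = PROXYPASS_RE.match(line)
        if m:
            path, target = m.group(1), m.group(2)
            rules.append((path, None if target == "!" else target))
    return rules

def _segment_prefix(rule_path: str, req_path: str) -> bool:
    # Simplified segment-boundary match: /jira covers /jira and /jira/x but not /jirafoo.
    if rule_path.endswith("/"):
        return req_path.startswith(rule_path)
    return req_path == rule_path or req_path.startswith(rule_path + "/")

def route(rules: List[Tuple[str, Optional[str]]], req_path: str) -> Optional[str]:
    """Backend URL for req_path, or None when httpd handles the request itself.
    Rules are checked in configuration order and the first match wins, which is
    why the '!' exclusions above have to precede the broader /jira rule."""
    for rule_path, backend in rules:
        if _segment_prefix(rule_path, req_path):
            if backend is None:
                return None
            return backend.rstrip("/") + req_path[len(rule_path.rstrip("/")):]
    return None

def jsp_served_by_httpd(rules, req_paths: List[str]) -> List[str]:
    """.jsp paths no rule proxies to Tomcat: exactly the requests that come back as raw
    JSP source when httpd's DocumentRoot points into Tomcat's webapps directory."""
    return [p for p in req_paths if p.endswith(".jsp") and route(rules, p) is None]
```

Feeding the admin.x.com vhost's single `ProxyPass / https://localhost:8445/` rule through the same functions shows why that host has no raw-JSP problem: every path, `.jsp` or not, is proxied.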

