tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: I want to redirect the https traffic of apache to tomcat. Such that we can configure SSL certificate on each tomcat instance.
Date Sat, 21 Sep 2013 12:14:55 GMT
venkateswara Rao Akkireddy wrote:
> Hi All
> 
> Hope every one is doing good!
> 
> Aim: I want to redirect the https traffic of apache to tomcat. Such that
> we can configure SSL certificate on each tomcat instance.
> 
> Please Help me on this ASAP

This is the kind of thing that you should probably avoid, on a help list that is staffed 
by volunteers.

> 
> 1) Configuration in /etc/httpd/conf/httpd.conf
> 
> Listen 174.132.121.115:80
> Listen 174.132.121.115:443
> 
> JkWorkersFile "conf/workers.properties"
> JkLogFile "logs/mod_jk.log"
> JkShmFile "/var/log/httpd/mod_jk.shm"
> JkWatchdogInterval 30
> JkLogLevel info
> JkLogLevel debug
> JkExtractSSL On
> JkHTTPSIndicator HTTPS
> 
> <VirtualHost 174.132.121.115:80>
>     ServerAdmin ramarajud@mmgs.com
>     ServerName 174.132.121.115
>     JkMount / loadbalancer
>     JkMount /* loadbalancer
>     JkMount /status jkstatus
> </VirtualHost>
> 
> <VirtualHost 174.132.121.115:443>
>     ServerName 174.132.121.115
>     JkMount / loadbalancerssl
>     JkMount /* loadbalancerssl
>     SetEnv JkHTTPSIndicator On
>     JkMount /status jkstatus
>     JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> </VirtualHost>
> 
> 2) Configuration in /etc/httpd/conf/workers.properties
> 
> worker.list=loadbalancer,jkstatus,loadbalancerssl
> 
> #Configuration to Show Status of Load balancer
> worker.jkstatus.type=status
> 
> #Trippro BE Load Balancer Nodes
> worker.tpbe1.type=ajp13
> worker.tpbe1.host=174.132.121.115
> worker.tpbe1.port=8023
> worker.tpbe1.lbfactor=1
> worker.tpbe1.socket_timeout=210
> 
> worker.tpbe2.type=ajp13
> worker.tpbe2.host=174.132.121.115
> worker.tpbe2.port=8028
> worker.tpbe2.lbfactor=1
> worker.tpbe2.socket_timeout=210
> 
> worker.tpbe1ssl.type=ajp13
> worker.tpbe1ssl.host=174.132.121.115
> worker.tpbe1ssl.port=8022
> worker.tpbe1ssl.lbfactor=1
> worker.tpbe1ssl.socket_timeout=210
> 
> worker.tpbe2ssl.type=ajp13
> worker.tpbe2ssl.host=174.132.121.115
> worker.tpbe2ssl.port=8027
> worker.tpbe2ssl.lbfactor=1
> worker.tpbe2ssl.socket_timeout=210
> 
> 3) Tomcat Configuration
> 
> a) TBE1 Tomcat Instance Server.xml config
> 
> <!-- Define an AJP 1.3 Connector on port 8023 for http traffic-->
> <Connector port="8023" address="174.132.121.115" protocol="AJP/1.3"
>            redirectPort="8022" />
> 
> <!-- Define an AJP 1.3 Connector on port 8024 for https traffic-->
> <Connector port="8022"
>            protocol="AJP/1.3" maxThreads="500"
>            scheme="https" secure="true" SSLEnabled="true"
>            connectionTimeout="60000"
>            proxyPort="443"
>            keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
>            keystorePass="Tr!pPro"
>            clientAuth="false" sslProtocol="TLS"/>
> 
> <Engine name="Catalina" defaultHost="TPBE1" jvmRoute="tpbe1">
> 
> b) TBE2 Tomcat Instance Server.xml config
> 
> <!-- Define an AJP 1.3 Connector on port 8028 for http traffic-->
> <Connector port="8028" address="174.132.121.115" protocol="AJP/1.3"
>            redirectPort="8027" />
> 
> <!-- Define an AJP 1.3 Connector on port 8024 for https traffic-->
> <Connector port="8027" address="174.132.121.115"
>            protocol="AJP/1.3" maxThreads="500"
>            scheme="https" secure="true" SSLEnabled="true"
>            connectionTimeout="60000"
>            proxyPort="443"
>            keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
>            keystorePass="Tr!pPro"
>            clientAuth="false" sslProtocol="TLS"/>
> 
> <Engine name="Catalina" defaultHost="TPBE2" jvmRoute="tpbe2">

One thing that you should know: the AJP protocol does not support SSL/HTTPS.
In other words, the communication between mod_jk and Tomcat is not encrypted. It is NOT
SSL or HTTPS, it is AJP, and there is no AJPS.
What AJP /can/ do, is to "transport" some information from httpd to Tomcat, about the
original browser-to-httpd HTTPS communication. That is the point of the Jk "HTTPS" and
"SSL" options, but nothing else.

Graphically:

(browser) <-- HTTPS --> (httpd + mod_jk) <-- AJP --> (Tomcat + AJP Connector)
                (1)                           (2)

(1) can be encrypted
(2) cannot be encrypted (*), but can "transport" HTTPS headers information from (1)

(*) except if you set up some kind of "SSL tunnel" there, but that would be outside of 
httpd and Tomcat.
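As an added example (it is not from André's reply or from the original post), here is an httpd configuration that matches the picture above: TLS is terminated by mod_ssl on httpd, and mod_jk forwards the SSL attributes of that browser-to-httpd connection to Tomcat over plain AJP with JkExtractSSL. The hostname, certificate paths and module paths are placeholders; the worker name loadbalancerssl is the one used in the quoted workers.properties.

```apache
# Added example, not configuration from the thread.
# Leg (1): browser <-- HTTPS --> httpd, terminated here by mod_ssl.
# Leg (2): httpd <-- AJP --> Tomcat, cleartext; only SSL *attributes* cross it.

# Module paths are placeholders; adjust to the distribution's layout.
LoadModule ssl_module modules/mod_ssl.so
LoadModule jk_module  modules/mod_jk.so

Listen 443

JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info
JkShmFile     logs/mod_jk.shm

# Ask mod_jk to read the mod_ssl variables of each request and send them
# to Tomcat inside the AJP packet. The indicator names below are mod_jk's
# defaults, spelled out so it is clear which variables travel over AJP.
JkExtractSSL       On
JkHTTPSIndicator   HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator  SSL_CIPHER
JkCERTSIndicator   SSL_CLIENT_CERT
JkKEYSIZEIndicator SSL_CIPHER_USEKEYSIZE

<VirtualHost *:443>
    # Placeholder hostname; must match the certificate's subject / SAN.
    ServerName www.example.com

    # The certificate lives on httpd, not on the Tomcat AJP connector.
    SSLEngine on
    # Placeholder paths.
    SSLCertificateFile      /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/example.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-chain.crt

    # Send the key size of the negotiated cipher along with the other
    # SSL attributes; the rest of the poster's JkOptions are not needed here.
    JkOptions +ForwardKeySize

    JkMount /* loadbalancerssl
    JkMount /status jkstatus
</VirtualHost>
```

On the Tomcat side the AJP connector then needs none of the `SSLEnabled`, `keystoreFile`, `keystorePass` or `sslProtocol` attributes quoted above: an `AJP/1.3` connector never speaks TLS, and with JkExtractSSL on, mod_jk flags each forwarded request as secure so that `request.isSecure()`, `request.getScheme()` and the `javax.servlet.request.cipher_suite`, `javax.servlet.request.key_size`, `javax.servlet.request.X509Certificate` and `javax.servlet.request.ssl_session_id` attributes reflect the browser-to-httpd connection. Because leg (2) is cleartext, limit who can reach it: bind the connector to an address only httpd can talk to (`address="127.0.0.1"` works in the quoted setup, where httpd and both Tomcat instances share one host), and set a shared AJP secret on both ends (`secret` on the Tomcat connector, called `requiredSecret` in older releases, and `worker.<name>.secret` in workers.properties).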


