Apache2 https to Tomcat8 https 8443 connector?


#1

Hello,
My Stack: Ubuntu 16.04, Apache2, Tomcat8 (running Geoserver as my ‘app’)

I installed letsencrypt on my Apache2 server using certbot and selected to have only SSL connections. I have set up the Sites-Available/
I have been able to redirect traffic to my Tomcat8 AppServer (https to http) and send back the url as https in the browser url.
I am trying to configure Tomcat_8:883 to accept the letsencrypt cert so I can have
Apache2(https) to Tomcat8(https) on to my ‘App’ using my Certs. ( unless that is the wrong way to go )
How do I configure the Connector?

My Apache2 Conf
<VirtualHost *:443>
ProxyRequests Off
ProxyPreserveHost On
ServerName myserver.com
ServerAlias www.myserver.com
DocumentRoot /var/www/mwam
# Adding Geoserver (the more specific ProxyPass is listed before the catch-all "/")
ProxyPass /geoserver http://127.0.0.1:8080/geoserver
ProxyPassReverse /geoserver http://127.0.0.1:8080/geoserver
# Here to the root of the Tomcat8 ROOT page
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
# Send the bare site root on to Geoserver
RedirectMatch ^/$ https://myserver.com/geoserver
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# certbot's snippet (turns SSLEngine on and sets protocol/cipher options); one Include is enough
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/myserver.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myserver.com/privkey.pem
</VirtualHost>

My Tomcat8 Connector Ports

 <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

Andy


#2

Are you sure you want to? If you are proxying back on the loopback interface (127.0.0.1), there doesn’t seem to be any real benefit and it will come with the overhead of double TLS handshakes.

Anyway, Tomcat requires certificates and private keys to be packed up in either a Java keystore or a pfx archive. You can read how to do that, and how to configure the Tomcat connector here: https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

Those instructions are also shown in a Let’s Encrypt specific way in this post: Using let’s encrypt with tomcat


#3

Thanks for the response. “Are you sure you want to?”… I cannot answer that as I am pretty ignorant, just starting out. I have a site that I had up but it wasn’t https.

I will go through the two suggestions you sent and will let you know my results. Thanks again for the response.

Andy


#4

The reasoning behind not configuring HTTPS for Tomcat is that it doesn’t have any substantial security benefit in a localhost reverse proxy setup such as yours. You have an opportunity to simplify things.

You can have HTTPS all the way up to Apache, and then use ordinary HTTP between Apache and Tomcat, and this would be sufficiently secure (and indistinguishable from having HTTPS all the way).

[Internet] <-----HTTPS/443-----> ( [Apache] <-----HTTP/8080------> [Tomcat] )

This is the most common pattern in your scenario.
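As an added example (not from this thread, nor Tomcat's or Geoserver's own code), a small Python check for the pattern in this reply: it parses a Tomcat server.xml and flags a cleartext connector that is not bound to 127.0.0.1, a redundant SSLEnabled connector, and a missing RemoteIpValve with protocolHeader, which Tomcat needs in order to report https to the application once Apache terminates TLS. Both server.xml fragments are constructed samples, and the valve assumes Apache sets X-Forwarded-Proto on the proxied request (RequestHeader set X-Forwarded-Proto "https" via mod_headers).

```python
import xml.etree.ElementTree as ET

# Constructed sample: cleartext connector open on every interface plus a TLS
# connector, i.e. the double-TLS layout from the first post.
BEFORE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost"/></Engine>
</Service></Server>"""

# Constructed sample of the recommended layout: Apache terminates TLS, Tomcat
# listens only on the loopback and takes the original scheme from the proxy.
# RemoteIpValve's default internalProxies already covers 127.0.0.0/8.
AFTER = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           protocolHeader="X-Forwarded-Proto"/>
    <Host name="localhost"/>
  </Engine>
</Service></Server>"""


def audit_server_xml(xml_text, proxy_addr="127.0.0.1"):
    """Return findings for a Tomcat sitting behind a TLS-terminating proxy on proxy_addr."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("SSLEnabled", "false").lower() == "true":
            # Double TLS on the loopback adds a second handshake and a keystore to manage
            findings.append(f"port {port}: TLS connector is redundant behind a loopback reverse proxy")
        elif conn.get("address") != proxy_addr:
            # Without address= the cleartext port is reachable from outside the host
            findings.append(f"port {port}: cleartext connector is not bound to {proxy_addr}")
    valves = [v for v in root.iter("Valve") if v.get("className", "").endswith(".RemoteIpValve")]
    if not any(v.get("protocolHeader") for v in valves):
        # Without it request.isSecure() is false and the app builds http:// links
        findings.append("no RemoteIpValve with protocolHeader: app will see plain http behind the proxy")
    return findings


if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_server_xml(xml) or ["ok"])
```

Run it against a real /etc/tomcat8/server.xml by reading the file into audit_server_xml; an empty list means the loopback-only pattern from this reply is in place.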


#5

Hello, are you sure this can work? I have been trying to do something similar, I have my apache2 as a reverse proxy but when I set the files created with certbot, the page doesn’t open, it shows an error of invalid certificate


#6

@tesla, it can definitely work—it’s a very common configuration!

How are you configuring your Apache server?


#7

Thank you @schoen, I’m doing this:

<VirtualHost *:80>

ProxyPreserveHost On
ProxyRequests     Off

# Servers to proxy the connection, or;
# List of application servers:
# Usage:
# ProxyPass / http://[IP Addr.]:[port]/
# ProxyPassReverse / http://[IP Addr.]:[port]/
# Example:

ProxyPass / http://MYIP:8080/
ProxyPassReverse / http://MYIP:8080/

ServerName mydomain.com

</VirtualHost>

<VirtualHost *:443>

# Each VirtualHost needs its own ServerName and proxy settings
ServerName mydomain.com
ProxyPreserveHost On
ProxyRequests     Off

SSLEngine On

# Set the path to SSL certificate
# Usage: SSLCertificateFile /path/to/cert.pem
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem

# Servers to proxy the connection, or;
# List of application servers:
# Usage:
# ProxyPass / http://[IP Addr.]:[port]/
# ProxyPassReverse / http://[IP Addr.]:[port]/
# Example:
ProxyPass / http://MYIP:8080/
ProxyPassReverse / http://MYIP:8080/

# Or, balance the load:
# ProxyPass / balancer://balancer_cluster_name

</VirtualHost>

#8

What’s your domain name? What error do you see in your browser?


#9

Currently I’m not using https. I commented out the instruction to continue the development. I also have to say that I’m using CloudFlare as my DNS and I have a permanent redirection to the folder that represents my Tomcat deployment. Let me add again the configuration I made and I will post the error.


#10

Wow, Thanks for the assistance. I have to admit that the issue was not ‘LetsEncrypt’ or the config files. My instance of Geoserver did not have a base url setup correctly to work with the reverse proxy. However, thanks this is a pretty cool group.

Andy

