Apache 2 and Tomcat 4, SSL servlets

 
 
mfreak1171@yahoo.com
Guest
Posts: n/a

 
      12-07-2004, 05:09 PM
I'm upgrading a server, I have Apache 2 and Tomcat 4.1.31 set up and
serving SSL (and non-SSL) using the URL's:

https://www.mydomain.com:8443/servlets/myservlet

works great. What I need to do is get rid of the port number from the
URL, so I can reach the same servlet with

https://www.mydomain.com/servlets/myservlet

I believe this is connector related? I can't figure out what I need to
do to configure this correctly. I need to run all servlets over SSL,
none over a non-SSL connection.

I have mod_jk2.so compiled and in the modules directory with all the
other mods.. This is running on linux, Fedora Core 3.

 
 
 
 
 
Davide Bianchi
Guest
Posts: n/a

 
      12-07-2004, 05:14 PM
On 2004-12-07, (E-Mail Removed) <(E-Mail Removed)> wrote:
<zap>
> I believe this is connector related?

<zap>
> I have mod_jk2.so compiled

<zap>

And your question exactly is?

Davide

--
When I first started working with sendmail, I was convinced that the
cf file had been created by someone bashing their head on the keyboard.
After a week, I realised this was, indeed, almost certainly the case
--Unknown
 
 
Juha Laiho
Guest
Posts: n/a

 
      12-07-2004, 06:05 PM
(E-Mail Removed) said:
>I'm upgrading a server, I have Apache 2 and Tomcat 4.1.31 set up and
>serving SSL (and non-SSL) using the URL's:
>
>https://www.mydomain.com:8443/servlets/myservlet


Which program is it that is listening on 8443 - Apache or Tomcat?
Could be either, but my guess is it is Tomcat.

>works great. What I need to do is get rid of the port number from the
>URL, so I can reach the same servlet with
>
>https://www.mydomain.com/servlets/myservlet


Ok. For this to happen, the connection has to use the default https port,
which is 443. So, a program on your server must be listening on that port,
instead of the 8443.

However, listening on a port numbered below 1024 requires root
permissions, and I wouldn't be too happy running Tomcat as root.
I'd rather prefer to run Apache so that it starts up as root and
can bind its listening socket to 443, and then handles the rest
of processing as non-root. This Apache then needs to be able to
somehow forward the requests to the Tomcat. Additionally, it'd
make sense to restrict the Tomcat so that all accesses to Tomcat
must be done through the Apache.

The best way for Apache to forward requests to Tomcat is to use
the mod_jk connector (or mod_jk2, but mod_jk2 development has been
cancelled, in favor of mod_jk).

>I have mod_jk2.so compiled and in the modules directory with all the
>other mods.. This is running on linux, Fedora Core 3.


Ok;
- configure your Apache to handle SSL requests at port 443
- configure mod_jk(2) to forward the required queries to Tomcat
- note that mod_jk and mod_jk2 configurations are completely different;
  read documentation for the correct one
- configure Tomcat to listen only at the AJP connector port, and even
  there only at localhost address
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
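
Added example, not part of the thread: one way to check the last step above (Tomcat reachable only through Apache) is to look for Tomcat ports bound to a non-loopback address. It assumes listener output in the format of `ss -ltn`; the sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# Ports named in this thread: 8009 (AJP connector), 8080/8443 (Tomcat HTTP/HTTPS).
TOMCAT_PORTS = {8009: "AJP", 8080: "HTTP", 8443: "HTTPS"}

# Constructed sample of `ss -ltn` output, not taken from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       100     127.0.0.1:8009      0.0.0.0:*
LISTEN  0       100     [::]:8080           [::]:*
LISTEN  0       100     *:8443              *:*
"""

def split_hostport(field):
    """Split '127.0.0.1:8009', '[::]:8080' or '*:8443' into (host, port)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)

def is_loopback(host):
    """True only for loopback addresses; '*' and wildcard addresses are not."""
    if host == "*":
        return False
    addr = ipaddress.ip_address(host.split("%")[0])  # drop any '%iface' suffix
    mapped = getattr(addr, "ipv4_mapped", None)      # e.g. ::ffff:127.0.0.1
    return (mapped or addr).is_loopback

def exposed_tomcat_listeners(ss_output):
    """Return (port, role, host) for Tomcat ports listening beyond localhost."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or a non-listening socket
        host, port = split_hostport(cols[3])
        if port in TOMCAT_PORTS and not is_loopback(host):
            findings.append((port, TOMCAT_PORTS[port], host))
    return findings

if __name__ == "__main__":
    for port, role, host in exposed_tomcat_listeners(SAMPLE_SS):
        print(f"Tomcat {role} port {port} is listening on {host}")
```

An empty result means every Tomcat port seen in the output is bound to localhost only; Apache's own listener on 443 is deliberately not flagged.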
 
 
mfreak1171@yahoo.com
Guest
Posts: n/a

 
      12-07-2004, 06:46 PM
The question is: Is this an issue with mod_jk2? I want to use Apache
as a front end and have it pass off the request to tomcat. If I
understand correctly, I don't even want Tomcat running on 8080 or 8443
at all, the connector should communicate directly with Tomcat, is this
correct? This is my first Tomcat install, and the learning curve is
HUGE!

 
 
Davide Bianchi
Guest
Posts: n/a

 
      12-07-2004, 07:04 PM
On 2004-12-07, (E-Mail Removed) <(E-Mail Removed)> wrote:
> I want to use Apache
> as a front end and have it pass off the request to tomcat.


Then you have to configure mod_jk correctly, nothing more.

> understand correctly, I don't even want Tomcat running on 8080 or 8443


No, you need tomcat running, and tomcat WILL open and listen on one of
the two ports or both, depending on its configuration.

> the connector should communicate directly with Tomcat, is this
> correct?


Yes, but usually the connector uses another port of its own, something
like 8009 or so.

Davide

--
"Our business model works even if all internet software is free.
How does Netscape's business model look? -- not so good."
-- Bill Gates
 
 
mfreak1171@yahoo.com
Guest
Posts: n/a

 
      12-07-2004, 09:08 PM
Thank you, you got me pointed in the right direction and I figured it
out fairly quickly! I now have Apache communicating ONLY thru jk2, the
8080 and 8443 ports are now closed. I only have one more small
problem:

http://www.mydomain.com/servlets/myservlet and
https://www.mydomain.com/servlets/myservlet

both work. I need to force certain servlets to use SSL, i.e. the http://
request should return some type of error, or maybe redirect them to the
https:// URL. I don't care if ALL servlets are forced to run over SSL,
or if I need to specify each one separately. Thanx again,

 
 
Davide Bianchi
Guest
Posts: n/a

 
      12-08-2004, 05:00 AM
On 2004-12-07, (E-Mail Removed) <(E-Mail Removed)> wrote:
> both work. I need to force certain servlets to use SSL, ie the http://
> request should return some type of error, or maybe redirect them to the
> https://


You could add a RedirectPermanent /servlet https:.... in the
VirtualHost serving the http part, or use the <Location> directive in
there to force only some 'locations' (files or directories) through
SSL. See the documentation of Apache.

Davide

--
Windows 95 never has bugs. It just develops random features.
 
 
Juha Laiho
Guest
Posts: n/a

 
      12-08-2004, 07:08 PM
(E-Mail Removed) said:
>Thank you, you got me pointed in the right direction and I figured it
>out fairly quickly! I now have Apache communicating ONLY thru jk2, the
>8080 and 8443 ports are now closed.


Good!

>I only have one more small problem:
>
>http://www.mydomain.com/servlets/myservlet and
>https://www.mydomain.com/servlets/myservlet
>
>both work. I need to force certain servlets to use SSL, ie the http://
>request should return some type of error, or maybe redirect them to the
>https:// URL.. I dont care if ALL servlets are forced to run over SSL,
>or if I need to specify each one separately. Thanx again,


If you don't want to provide anything from your server through
plaintext HTTP, just disable the non-SSL HTTP at Apache level.

Then to more fine-grained security: You can configure Tomcat
to require use of SSL for some resources, by configuring the
web.xml of your application. Here, I pretty much copy from
http://www.jguru.com/faq/view.jsp?EID=1082914 , but I'm
trying to expand on that a little bit.

The basic element for configuring URL security requirements in
web.xml is the <security-constraint> block; example:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The above will require use of SSL throughout the application.

You can have multiple <security-constraint> blocks within your
application (though I didn't read enough to find out how conflicts
are handled). Each <security-constraint> must contain one or more
<web-resource-collection>s, containing one or more <url-pattern>s
each. There can be zero or one <user-data-constraint>s, containing
exactly one <transport-guarantee> block. Allowed data within
<transport-guarantee> is one of NONE, INTEGRAL, or CONFIDENTIAL
(where INTEGRAL doesn't make much sense).

For reference on web.xml, see the Java servlet specification at
http://jcp.org/aboutJava/communitypr...154/index.html
Among others, this'll tell the correct order of elements in
web.xml -- the diagrams starting at chapter SRV.13.4 are just
wonderful.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
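
Added example, not part of the thread: a small audit of a web.xml that applies the structure rules described in the post above and lists which URL patterns are not forced to CONFIDENTIAL transport. The sample web.xml is constructed and the function names are hypothetical; it reports each constraint on its own and does not model how overlapping constraints combine.

```python
import xml.etree.ElementTree as ET

ALLOWED = {"NONE", "INTEGRAL", "CONFIDENTIAL"}
# Constructed sample: /servlets/* is forced to SSL, /public/* is not.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Servlets</web-resource-name>
      <url-pattern>/servlets/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

def kids(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(xml_text):
    """Return (rows, errors); each row is (url-pattern, transport guarantee)."""
    rows, errors = [], []
    for i, sc in enumerate(kids(ET.fromstring(xml_text), "security-constraint"), 1):
        collections = kids(sc, "web-resource-collection")
        udcs = kids(sc, "user-data-constraint")
        if not collections:
            errors.append(f"constraint {i}: no web-resource-collection")
        if len(udcs) > 1:
            errors.append(f"constraint {i}: more than one user-data-constraint")
        guarantee = "NONE"  # no user-data-constraint: no transport requirement
        if udcs:
            tgs = kids(udcs[0], "transport-guarantee")
            guarantee = (tgs[0].text or "").strip() if len(tgs) == 1 else ""
            if guarantee not in ALLOWED:
                errors.append(f"constraint {i}: bad transport-guarantee {guarantee!r}")
        rows += [((p.text or "").strip(), guarantee)
                 for c in collections for p in kids(c, "url-pattern")]
    return rows, errors

def without_confidential(rows):
    """URL patterns whose constraint does not demand CONFIDENTIAL transport."""
    return [pattern for pattern, g in rows if g != "CONFIDENTIAL"]
```

Calling `audit_web_xml(SAMPLE_WEB_XML)` and passing the rows to `without_confidential` lists the patterns that can still be served over plain HTTP as far as web.xml is concerned.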
 