Apache 2 and Tomcat 4, SSL servlets

Discussion in 'Linux Networking' started by mfreak1171, Dec 7, 2004.

  1. mfreak1171

    mfreak1171 Guest

    I'm upgrading a server, I have Apache 2 and Tomcat 4.1.31 set up and
    serving SSL (and non-SSL) using the URLs:

    https://www.mydomain.com:8443/servlets/myservlet

    works great. What I need to do is get rid of the port number from the
    URL, so I can reach the same servlet with

    https://www.mydomain.com/servlets/myservlet

    I believe this is connector related? I can't figure out what I need to
    do to configure this correctly. I need to run all servlets over SSL,
    none over a non-SSL connection.

    I have mod_jk2.so compiled and in the modules directory with all the
    other mods. This is running on Linux, Fedora Core 3.
     
    mfreak1171, Dec 7, 2004
    #1

  2. <zap>

    And your question exactly is?

    Davide
     
    Davide Bianchi, Dec 7, 2004
    #2

  3. Juha Laiho

    Juha Laiho Guest

    Which program is it that is listening at 8443 - Apache or Tomcat?
    Could be either, but my guess is it is Tomcat.
    Ok. For this to happen, the connection has to use the default https port,
    which is 443. So, a program on your server must be listening on that port,
    instead of the 8443.

    However, listening on a port numbered below 1024 requires root
    permissions, and I wouldn't be too happy running Tomcat as root.
    I'd rather prefer to run Apache so that it starts up as root and
    can bind its listening socket to 443, and then handles the rest
    of processing as non-root. This Apache then needs to be able to
    somehow forward the requests to the Tomcat. Additionally, it'd
    make sense to restrict the Tomcat so that all accesses to Tomcat
    must be done through the Apache.

    The best way for Apache to forward requests to Tomcat is to use
    mod_jk connector (or mod_jk2, but mod_jk2 development has been
    cancelled, in favor of mod_jk).
    Ok;
    - configure your Apache to handle SSL requests at port 443
    - configure mod_jk(2) to forward the required queries to Tomcat
    - note that mod_jk and mod_jk2 configurations are completely different;
    read documentation for the correct one
    - configure Tomcat to listen only at the AJP connector port, and even
    there only at localhost address
     
    Juha Laiho, Dec 7, 2004
    #3
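    The layout Juha describes (Apache started as root binds 443 and terminates SSL, mod_jk forwards to Tomcat's AJP connector, and Tomcat listens only on localhost) as an added httpd.conf example. This is not configuration from the thread or from the mod_jk project; the worker name "ajp13", the log and certificate paths, and the workers.properties location are assumptions.

```apache
# httpd.conf fragment (added example, not from the thread).
# Assumes mod_jk 1.2 (not mod_jk2) is installed as modules/mod_jk.so;
# all paths and the worker name "ajp13" are placeholders.
LoadModule jk_module modules/mod_jk.so

JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info

# Apache binds 443 while still root and then drops to its normal user;
# Tomcat itself never has to run as root or listen on 8443.
Listen 443

<VirtualHost _default_:443>
    ServerName www.mydomain.com
    SSLEngine on
    # certificate and key paths are placeholders
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    # Everything under /servlets is handed to Tomcat over AJP;
    # no other URL reaches Tomcat at all.
    JkMount /servlets/* ajp13
</VirtualHost>

# Contents of the separate workers.properties file, shown as comments:
#   worker.list=ajp13
#   worker.ajp13.type=ajp13
#   worker.ajp13.host=127.0.0.1
#   worker.ajp13.port=8009
```

    On the Tomcat side, comment out the HTTP/1.1 connectors for 8080 and 8443 in server.xml and give the AJP connector address="127.0.0.1", so that port 8009 accepts connections only from the local machine. Afterwards `netstat -ltn` on the server should show only Apache on 443 (and 80 if you keep plain HTTP) and Tomcat on 127.0.0.1:8009.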
  4. mfreak1171

    mfreak1171 Guest

    The question is: Is this an issue with mod_jk2? I want to use Apache
    as a front end and have it pass off the request to tomcat. If I
    understand correctly, I don't even want Tomcat running on 8080 or 8443
    at all, the connector should communicate directly with Tomcat, is this
    correct? This is my first Tomcat install, and the learning curve is
    HUGE!
     
    mfreak1171, Dec 7, 2004
    #4
  5. Then you have to configure mod_jk correctly, nothing more.
    No, you need Tomcat running, and Tomcat WILL open and listen on one of
    the two ports or both, depending on its configuration.
    Yes, but usually the connector uses another port of its own, something
    like 8009 or so.

    Davide
     
    Davide Bianchi, Dec 7, 2004
    #5
  6. mfreak1171

    mfreak1171 Guest

    Thank you, you got me pointed in the right direction and I figured it
    out fairly quickly! I now have Apache communicating ONLY through jk2, the
    8080 and 8443 ports are now closed. I only have one more small
    problem:

    http://www.mydomain.com/servlets/myservlet and
    https://www.mydomain.com/servlets/myservlet

    both work. I need to force certain servlets to use SSL, i.e. the http://
    request should return some type of error, or maybe redirect them to the
    https:// URL. I don't care if ALL servlets are forced to run over SSL,
    or if I need to specify each one separately. Thanks again,
     
    mfreak1171, Dec 7, 2004
    #6
  7. You could add a RedirectPermanent /servlet https:.... in the
    VirtualHost serving the http part, or use the <Location> directive in
    there to force only some 'locations' (files or directory) through the
    ssl. See the documentation of Apache.

    Davide
     
    Davide Bianchi, Dec 8, 2004
    #7
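    Davide's two options written out for the plain-HTTP virtual host, as an added example that is not from the thread. The host name and the /servlets path are the ones the thread uses; the Listen line and everything else are assumptions, and the two options are alternatives for the same path, not meant to be combined.

```apache
# Port 80 virtual host: added example, not from the thread.
# Requires mod_alias (Redirect) and mod_ssl (SSLRequireSSL) to be loaded.
Listen 80

<VirtualHost *:80>
    ServerName www.mydomain.com

    # Option 1: answer any plaintext request under /servlets with a
    # 301 to the HTTPS URL, so old links and bookmarks keep working
    # and no servlet is ever served over plain HTTP.
    RedirectPermanent /servlets https://www.mydomain.com/servlets

    # Option 2 (use instead of the Redirect, not together with it):
    # refuse plaintext access to a location with a 403, so the
    # http:// request gets an error rather than a redirect.
    # <Location /servlets>
    #     SSLRequireSSL
    # </Location>
</VirtualHost>
```

    The Redirect is the friendlier choice for a public site; SSLRequireSSL is the stricter one when you want a plaintext request to fail visibly, for instance in a log review, rather than be silently upgraded.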
  8. Juha Laiho

    Juha Laiho Guest

    If you don't want to provide anything from your server through
    plaintext HTTP, just disable the non-SSL HTTP at Apache level.

    Then to more fine-grained security: You can configure Tomcat
    to require use of SSL for some resources, by configuring the
    web.xml of your application. Here, I pretty much copy from
    http://www.jguru.com/faq/view.jsp?EID=1082914, but I'm
    trying to expand on that a little bit.

    The basic element for configuring URL security requirements in
    web.xml is the <security-constraint> block; example:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    The above will require use of SSL throughout the application.

    You can have multiple <security-constraint> blocks within your
    application (though I didn't read enough to find out how conflicts
    are handled). Each <security-constraint> must contain one or more
    <web-resource-collection>s, containing one or more <url-pattern>s
    each. There can be zero or one <user-data-constraint>s, containing
    exactly one <transport-guarantee> block. Allowed data within
    <transport-guarantee> is one of NONE, INTEGRAL, or CONFIDENTIAL
    (where INTEGRAL doesn't make much sense).

    For reference on web.xml, see the Java servlet specification at
    http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html
    Among others, this'll tell the correct order of elements in
    web.xml -- the diagrams starting at chapter SRV.13.4 are just
    wonderful.
     
    Juha Laiho, Dec 8, 2004
    #8
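    The original poster wanted only certain servlets forced onto SSL rather than the whole application. This added WEB-INF/web.xml fragment (not from Juha's post or the jGuru FAQ) narrows the constraint to two URL patterns inside one web-resource-collection; both patterns are placeholders, and the comments state what Tomcat does with a CONFIDENTIAL constraint when the request arrives over AJP.

```xml
<!-- Added example: WEB-INF/web.xml fragment, not from the thread.
     In the DTD-based Servlet 2.3 descriptor that Tomcat 4 uses, element
     order matters: security-constraint comes after servlet-mapping and
     before login-config. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL-only servlets</web-resource-name>
    <!-- Only these patterns are forced onto SSL; anything else in
         the application stays reachable over plain HTTP. -->
    <url-pattern>/servlets/myservlet</url-pattern>
    <url-pattern>/servlets/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: a plain-HTTP request for these patterns is
         redirected by Tomcat to the redirectPort of the connector
         that received it. Behind Apache with only the AJP connector
         left, that connector's redirectPort must therefore be 443,
         the port Apache serves HTTPS on, not 8443. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

    Check the result from outside with both URL forms: https://www.mydomain.com/servlets/myservlet should answer normally, while http://www.mydomain.com/servlets/myservlet should come back as a redirect to the https:// URL (or as an error, if you chose the Apache-level SSLRequireSSL option instead), and a path not covered by the patterns should still answer over plain HTTP.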
