Posted to users@tomcat.apache.org by "James H. H. Lampert" <ja...@touchtonecorp.com> on 2020/08/14 22:45:42 UTC

Tomcat behind httpd, with Let's Encrypt and Certbot

Now (as John Cleese would say) for something completely different.

I've got my independent Tomcat and httpd servers on the development box 
(the Amazon Linux "Not 2" instance) successfully obtaining, using and (I 
hope) auto-renewing a Let's Encrypt cert via Lego. (I'll know more on 
September 6th: the cron log shows it ran this past Sunday, but the 
auto-update script skips the actual renewal if it's not the first Sunday 
of the month.)

But now, I have a situation in which I *do* want Tomcat running behind 
httpd, on an Amazon Linux 2 instance that's already obtaining a Let's 
Encrypt cert via certbot. But the last time I experimented with this one 
(several months ago, like the one I finally got working with Lego), I 
had a fair amount of trouble getting it even partially functional, and 
something I did badly screwed up the auto-renewal, which we didn't find 
out about until the cert expired on us.

Here is the (actual names and IP addresses redacted) httpd conf file I 
added, to provide the virtual host for the new subdomain. It makes no 
difference to me whether browser requests sent to port 80 get redirected 
to https or not; the important part is that (1) Certbot and Let's 
Encrypt can see and do what they need to, (2) users can reach all webapp 
contexts on the Tomcat server, including ROOT, and (3) only the 
specified IP addresses can see manager and host-manager.

Is there anything obvious that I'm doing wrong?

  <VirtualHost *:80>
  ServerName xyweb.frobozz.com
  DocumentRoot /var/www/html/test
  ServerAdmin info@frobozz.com
  <Directory /var/www/html/test>
  AllowOverride All
  </Directory>
  # RewriteEngine on
  # RewriteCond %{HTTP_HOST} !^www\. [NC]
  # RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  </VirtualHost>

  <IfModule mod_ssl.c>
  <VirtualHost *:443>
  ServerName xyweb.frobozz.com
  DocumentRoot /var/www/html/test
  ServerAdmin info@frobozz.com
  <Location /manager>
   Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
  </Location>
  <Location /host-manager>
   Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
  </Location>
  ProxyPass "/" "http://127.0.0.1:8080/"
  ProxyPassReverse "/" "http://127.0.0.1:8080/"
  ProxyRequests Off
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/fizmo.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/fizmo.com/privkey.pem
  </VirtualHost>
  </IfModule>

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat behind httpd, with Let's Encrypt and Certbot

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
Well, today, I brought the Tomcat server back up, and put the Virtual 
Host back into conf.d, and it worked.

Then I learned that my whole silly-go-round of a few months ago, trying 
to add the new subdomain to the existing certs, was completely 
unnecessary, that each subdomain's virtual host could point to its own 
cert file, and I also learned about "certbot renew --force-renewal" to 
test whether renewal would actually work (it does).

--
JHHL



Re: Tomcat behind httpd, with Let's Encrypt and Certbot

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 8/17/20 03:50, Mark Thomas wrote:
> On 16/08/2020 18:00, James H. H. Lampert wrote:
>> Permit me to clarify:
>>
>> 1. The existing httpd server on this box, and its certbot setup
>> may be extended/expanded, but not otherwise disturbed.
>>
>> 2. Running Tomcat independently of httpd on this box is not an
>> option, because *both* are to be visible to the outside world on
>> port 443 of the same IP address. Doing so was not merely "an
>> option," but *mandatory* on the other box, which has Tomcat and
>> httpd on separate ports.
>>
>> 3. At this point, the concern is making certain that the httpd
>> virtual host for the new subdomain provides for the needs of both
>> Certbot and Tomcat. Then, I can worry about adding the new
>> subdomain to Certbot.
>
> First of all, to confirm I am reading the config correctly:
>
> - httpd redirects all http requests to https
> - anything proxied to Tomcat MUST have been received by httpd over https
>
> Given you don't mind whether proxying to Tomcat is over http or
> https, I recommend http and an http connector in Tomcat with the
> following settings:
>
> SSLEnabled="false", secure="true", scheme="https"

This is the right sauce for telling Tomcat that the request is secure
yet not encrypted, but that the reverse-proxy is handling the
encryption (which is why it's "secure").

But I wouldn't recommend this unless you are sure it will be on the
same box. If you decide to separate httpd from Tomcat on another
server, I'd recommend encrypting the connection between them. For
that, there is no need for a cert from a known CA: you can be your own
CA. Just mint your own cert which is valid however long you want,
install it in Tomcat, and make sure that httpd trusts it.

-chris



Re: Tomcat behind httpd, with Let's Encrypt and Certbot

Posted by Mark Thomas <ma...@apache.org>.
On 16/08/2020 18:00, James H. H. Lampert wrote:
> Permit me to clarify:
> 
> 1. The existing httpd server on this box, and its certbot setup may be
> extended/expanded, but not otherwise disturbed.
> 
> 2. Running Tomcat independently of httpd on this box is not an option,
> because *both* are to be visible to the outside world on port 443 of the
> same IP address. Doing so was not merely "an option," but *mandatory* on
> the other box, which has Tomcat and httpd on separate ports.
> 
> 3. At this point, the concern is making certain that the httpd virtual
> host for the new subdomain provides for the needs of both Certbot and
> Tomcat. Then, I can worry about adding the new subdomain to Certbot.

First of all, to confirm I am reading the config correctly:

- httpd redirects all http requests to https
- anything proxied to Tomcat MUST have been received by httpd over https

Given you don't mind whether proxying to Tomcat is over http or https, I
recommend http and an http connector in Tomcat with the following settings:

SSLEnabled="false", secure="true", scheme="https"

I'd be wary of directory traversal issues with the IP controls on
Manager and Host Manager access in httpd. There are some edge cases
where the Servlet spec's view on matching URIs to targets and the HTTP
spec's view are not entirely consistent. This has been known to expose
directory traversal issues. I'd recommend using the RemoteIpValve to
expose the original IP to Tomcat and then perform the IP filtering in
Tomcat. Whether you keep the filtering in httpd (pro of early rejection
vs con of having to keep configs in sync) is up to you.

HTH,

Mark


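Mark's recommendation above, written out as the Tomcat-side configuration that pairs with James's httpd virtual host (an added example, not from the thread): a plain HTTP connector flagged secure, a RemoteIpValve that trusts only the local httpd as a proxy, and the Manager app's own RemoteAddrValve. The 8080 port, host name and the ww.xx.yy.zz-style address placeholders are taken from the posted httpd config; the file locations assume a standard Tomcat layout.

```xml
<!-- conf/server.xml, inside <Service>:
     httpd has already terminated TLS, so the hop to Tomcat is plain HTTP.
     secure="true" and scheme="https" make Tomcat build https: redirects
     and mark the session cookie Secure; address= keeps the port off the
     public interface so only the local httpd can reach it. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           SSLEnabled="false" secure="true" scheme="https"
           proxyName="xyweb.frobozz.com" proxyPort="443"
           connectionTimeout="20000" />

<!-- conf/server.xml, inside <Engine> (runs before any Context valve):
     replace the apparent client IP (127.0.0.1, i.e. httpd) with the
     X-Forwarded-For value that mod_proxy_http adds, but only when the
     request really came from the listed internal proxy. A forged
     X-Forwarded-For arriving from any other address is ignored. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />

<!-- conf/Catalina/localhost/manager.xml (same pattern for host-manager.xml):
     the IP allow-list now lives in Tomcat, where the Servlet container's
     own URI matching decides what "/manager" means. allow= is a regex over
     the client address restored by RemoteIpValve; the ww.xx.yy.zz entries
     are placeholders for the addresses in the httpd Require ip lines. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|ww\.xx\.yy\.zz|aa\.bb\.cc\.dd|ee\.ff\.gg\.hh" />
</Context>
```

Keeping the httpd `<Location>` rules as well is the "early rejection" option Mark mentions; the Tomcat valve is the one that holds if the two URI views ever disagree.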

Re: Tomcat behind httpd, with Let's Encrypt and Certbot

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
Permit me to clarify:

1. The existing httpd server on this box, and its certbot setup may be 
extended/expanded, but not otherwise disturbed.

2. Running Tomcat independently of httpd on this box is not an option, 
because *both* are to be visible to the outside world on port 443 of the 
same IP address. Doing so was not merely "an option," but *mandatory* on 
the other box, which has Tomcat and httpd on separate ports.

3. At this point, the concern is making certain that the httpd virtual 
host for the new subdomain provides for the needs of both Certbot and 
Tomcat. Then, I can worry about adding the new subdomain to Certbot.

--
JHHL


