Posted to users@tomcat.apache.org by Michael Fox <Fo...@jhmi.edu> on 2016/05/02 16:20:44 UTC

RE: Tomcat connector settings

Chris,

I ultimately want to have a Tomcat application protected by our university's system for authentication, which is SiteMinder.  They have told me that they can't protect Tomcat directly, but if user communications can be passed through a web server then they can protect the server with SiteMinder.  I have a working Tomcat application if I uncomment the non-SSL HTTP/1.1 protocol in the Tomcat, but I believe I need all communication to pass through the Apache web server.  Let me know if you need more information and, if so, what that would be.

Thanks,
Mike

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Friday, April 29, 2016 9:14 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Tomcat connector settings

Michael,

On 4/29/16 4:25 PM, Michael Fox wrote:
> I have an Apache web server (2.4.6) which is accessible at http or 
> https at DNS_hostname, and a Tomcat server (9.0.0.M1) with an 
> application available at DNS_hostname:8080/app_name.
> 
> I then disabled the non-SSL HTTP/1.1 connector on port 8080 and 
> enabled HTTP/2 in the Tomcat server.xml, using the certificate key 
> file and certificate were generated using the openssl (1.0.2g) 
> commands and used on the Apache web server.
> 
> The Apache ssl.conf file is set to listen on port 8443 for https, and 
> the only virtual host is set for IP_address:8443 and servername set to 
> DNS_hostname
> 
> In the file /etc/httpd/conf/workers.properties,
> worker.worker1.host is set to DNS_hostname and worker.worker1.port is 
> set to 8443.
> 
> Netstat -tamp shows httpd listening on port 8443 and java listening on 
> port 8009.
> 
> Are these settings proper and correct?

It doesn't look like it.

> What should the URL look like in order to access the Tomcat 
> application via Apache?

That depends upon what you are actually trying to do.

> Any help and/or guidance would be most appreciated.

You have an HTTPS server listening on port 443 (httpd).
You have mod_jk (workers.properties) configured to connect to
host:8443 (which is the same host listening for HTTPS requests on port
8443) using AJP13 (not HTTP). So, if a client makes a call to host:8443,
mod_jk will proxy the request through to host:8443. If the protocol were
correct (it isn't), you'd have an infinite loop of requests.

Can you explain what you are actually trying to do and maybe we can help?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
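Added example, not from the thread: a small Python check for the wiring Chris describes above (a mod_jk worker pointed at the port httpd itself listens on, and at a connector that does not speak AJP13). The three configuration snippets are constructed to mirror the reported setup, with DNS_hostname and IP_address kept as placeholders; the check reads only Listen directives, worker.*.type/host/port keys and active <Connector> elements.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs that mirror the setup reported in the thread
# (DNS_hostname and IP_address are placeholders); not real configuration files.
HTTPD_CONF = """
Listen 80
Listen 8443
<VirtualHost IP_address:8443>
    ServerName DNS_hostname
    SSLEngine on
</VirtualHost>
"""

WORKERS_PROPERTIES = """
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=DNS_hostname
worker.worker1.port=8443
"""

SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- the plain HTTP connector was commented out, as described in the thread
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def parse_httpd_listen_ports(conf):
    """Ports httpd binds itself: every 'Listen [addr:]port' directive."""
    return {int(m.group(1))
            for m in re.finditer(r"^\s*Listen\s+(?:\S*:)?(\d+)", conf, re.MULTILINE)}


def parse_workers(props):
    """Map worker name -> {'type', 'host', 'port'} from workers.properties."""
    workers = {}
    for m in re.finditer(r"^\s*worker\.(\w+)\.(type|host|port)\s*=\s*(\S+)", props, re.MULTILINE):
        name, key, value = m.groups()
        workers.setdefault(name, {})[key] = int(value) if key == "port" else value
    return workers


def parse_connectors(server_xml):
    """Map port -> protocol for every active <Connector>; commented-out ones are skipped by the XML parser."""
    root = ET.fromstring(server_xml)
    return {int(c.get("port")): c.get("protocol", "HTTP/1.1") for c in root.iter("Connector")}


def is_ajp(protocol):
    """True for 'AJP/1.3' and for explicit AJP handler classes such as AjpNioProtocol."""
    return "AJP" in protocol.upper()


def check_mod_jk_wiring(httpd_conf, workers_props, server_xml):
    """Return a list of findings; an empty list means the mod_jk wiring is consistent."""
    findings = []
    httpd_ports = parse_httpd_listen_ports(httpd_conf)
    connectors = parse_connectors(server_xml)
    workers = parse_workers(workers_props)
    for name, w in workers.items():
        if w.get("type") != "ajp13":
            continue
        port = w.get("port")
        if port in httpd_ports:
            findings.append(f"{name}: targets port {port}, which httpd itself listens on (request loop)")
        protocol = connectors.get(port)
        if protocol is None:
            findings.append(f"{name}: Tomcat has no <Connector> on port {port}")
        elif not is_ajp(protocol):
            findings.append(f"{name}: port {port} is a {protocol} connector, not AJP/1.3")
    ajp_ports = sorted(p for p, proto in connectors.items() if is_ajp(proto))
    used_ports = {w.get("port") for w in workers.values()}
    if ajp_ports and not used_ports.intersection(ajp_ports):
        findings.append(f"hint: Tomcat exposes AJP/1.3 on port(s) {ajp_ports}; point the worker there")
    return findings


if __name__ == "__main__":
    for line in check_mod_jk_wiring(HTTPD_CONF, WORKERS_PROPERTIES, SERVER_XML):
        print(line)
```

Run against the constructed inputs it reports the loop on 8443, the protocol mismatch (8443 is an HTTPS connector in Tomcat, not AJP) and the unused AJP connector on 8009; pointing the worker at 8009 instead clears all three findings.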


RE: Tomcat connector settings

Posted by Michael Fox <Fo...@jhmi.edu>.
Chris,

Thanks for all your patience and help!  It's working.

Regards,
Mike



Re: Tomcat connector settings

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Michael,

On 5/5/16 3:28 PM, Michael Fox wrote:
> Please confirm that to configure the passthrough with an external 
> HTTPS and an internal HTTP, I would set Apache to listen to SSL on 
> port 8443 and Tomcat on port 8080, with a line inside the Virtual 
> Host directive of
> 
> ProxyPass /myapp http://DNS_hostname:8080/myapp
> ProxyPassReverse /myapp http://DNS_hostname:8080/myapp

If DNS_hostname is the hostname of your Tomcat server, then yes, this
is correct. If the web server and Tomcat are on the same host, then
you can use "localhost" which should speed things up.

I'm guessing that the powers-that-be are using the web server
elsewhere, so they'll have to use the IP address (or hostname) of
wherever Tomcat is running in the URLs above.

Note that there is no requirement to use port 8080 -- you can use
anything you'd like -- but 8080 is somewhat traditional and also
happens to be the default configuration shipped with Tomcat.

> In the Tomcat server.xml file, inside the Host directive, I will 
> place <Valve className="org.apache.catalina.valves.RemoteIpValve"
> />

Good.

> In the file /etc/httpd/conf/workers.properties,
> worker.worker1.host should be set to DNS_hostname and
> worker.worker1.port is set to 8080.

Nope. You don't need a workers.properties file at all. That's for when
you want to use mod_jk and the AJP13 protocol as a proxying protocol.
Since you are using HTTP, you don't need any of that stuff.

(At worst, it will be confusing, since Tomcat will be listening on
:8080 for HTTP connections, not AJP13 connections.)

> With this setup, the URL for accessing the Tomcat application via
> the Apache server would be https://DNS_hostname/myapp

If Tomcat is on DNS_hostname, then this is probably wrong. If
DNS_hostname points to the host where the reverse-proxy (web server)
is, then you are correct.

Here's the ASCII-art picture:

Client --- HTTPS:443 ---> web server --- HTTP:8080 --> Tomcat

If you wanted to use AJP13 with mod_jk (or mod_proxy_ajp), it would
look like this:

Client --- HTTPS:443 ---> web server --- AJP13:8009 --> Tomcat

(8009 is the default port setting for AJP13 in a Tomcat configuration.)

From the client perspective, the URL should be
https://publichostname/myapp. From the web server's perspective, the
URL should be http://tomcat.internal.hostname:8080/myapp

Hope that helps,
-chris


RE: Tomcat connector settings

Posted by Michael Fox <Fo...@jhmi.edu>.
Chris,

Thanks for your explanations and help!

Please confirm that to configure the passthrough with an external HTTPS and an internal HTTP, I would set Apache to listen to SSL on port 8443 and Tomcat on port 8080, with a line inside the Virtual Host directive of

ProxyPass /myapp http://DNS_hostname:8080/myapp
ProxyPassReverse /myapp http://DNS_hostname:8080/myapp


In the Tomcat server.xml file, inside the Host directive, I will place
<Valve className="org.apache.catalina.valves.RemoteIpValve" />

In the file /etc/httpd/conf/workers.properties, worker.worker1.host should be set to DNS_hostname and worker.worker1.port is set to 8080.


With this setup, the URL for accessing the Tomcat application via the Apache server would be
https://DNS_hostname/myapp

Best,
Mike



Re: Tomcat connector settings

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Michael,

On 5/2/16 10:20 AM, Michael Fox wrote:
> I ultimately want to have a Tomcat application protected by our 
> university's system for authentication, which is SiteMinder.  They 
> have told me that they can't protect Tomcat directly, but if user 
> communications can be passed through a web server then they can 
> protect the server with SiteMinder.

No problem.

> I have a working Tomcat application if I uncomment the non-SSL 
> HTTP/1.1 protocol in the Tomcat, but I believe I need all 
> communication to pass through the Apache web server.  Let me know
> if you need more information and, if so, what that would be.

You can use HTTP, HTTPS, or AJP as the communication mechanism between
the web server and Tomcat.

AJP works great with Apache httpd, but may be more complicated to get
set up with other web servers. HTTP is, by definition, always
supported. You want them to set up the web server as a
"reverse-proxy", and just give them the URL of your base application.
The configuration in httpd for using HTTP as the protocol is fairly
simple:

ProxyPass /myapp http://internal.ip:8080/myapp
ProxyPassReverse /myapp http://internal.ip:8080/myapp

You'll want to enable the standard HTTP connector (it was enabled by
default) and if you aren't using AJP (like you are NOT in this
example), then you'll want to enable the RemoteIpValve:
https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve

That "valve" takes information from the HTTP headers coming from the
web server and makes sure that things like the base URL match what the
client is seeing from the outside world (e.g. they won't see URLs for
http://internal.ip:8080/etc.).

On the web server, you can use whatever protocol you want for your
clients. HTTPS is a good choice. Using HTTPS on the web server has no
impact on whether or not you want to use HTTP or HTTPS internally on
your private network. If you want to use HTTPS internally (also not a
bad idea, especially if you don't 100% trust everyone who has access
to your network), change the httpd configuration to this:

ProxyPass /myapp http://internal.ip:8443/myapp
ProxyPassReverse /myapp http://internal.ip:8443/myapp

You will, of course, have to configure a secure <Connector> on port
8443 for that purpose, including a TLS certificate, etc. If you always
expect to use a secure connection, then disable the non-secure
<Connector>: anyone coming to your web site using cleartext HTTP can
be redirected by the web server to HTTPS so Tomcat itself only has to
be providing an HTTPS connection.

Hope that helps,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
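Added example, not from the thread and not Tomcat's own code: a Python model of the decision RemoteIpValve makes, for the `<Valve className="org.apache.catalina.valves.RemoteIpValve" />` Mike places in the Host and for Chris's description above of what the valve does with the headers coming from the web server. The internalProxies pattern approximates the valve's documented default; the header names (X-Forwarded-For, X-Forwarded-Proto), the 8080/443 ports and the `resolve_client`/`absolute_url` names are assumptions of the model, and the addresses and requests are constructed.

```python
import re

# Approximation of RemoteIpValve's documented default internalProxies
# (RFC 1918, link-local and loopback IPv4 ranges); Tomcat's real default
# also lists the IPv6 loopback address. Assumption of this model.
DEFAULT_INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.1[6-9]\.\d{1,3}\.\d{1,3}"
    r"|172\.2\d\.\d{1,3}\.\d{1,3}"
    r"|172\.3[01]\.\d{1,3}\.\d{1,3}"
)


def resolve_client(remote_addr, headers, internal_proxies=DEFAULT_INTERNAL_PROXIES,
                   trusted_proxies=None):
    """Model of the valve: returns (client_ip, scheme, port, proxies_seen) as the webapp would see them.

    Forwarded headers are honoured only when the TCP connection itself comes from
    an internal proxy (here: the web server); from anyone else they are ignored.
    """
    scheme, port = "http", 8080          # what the plain HTTP connector reports on its own
    if not internal_proxies.fullmatch(remote_addr):
        return remote_addr, scheme, port, []
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    proxies_seen = []
    client = remote_addr
    while hops:
        client = hops.pop()              # right to left: the last entry is the proxy nearest Tomcat
        if internal_proxies.fullmatch(client):
            continue                     # internal proxy: not reported to the application
        if trusted_proxies and trusted_proxies.fullmatch(client):
            proxies_seen.insert(0, client)   # trusted external proxy: recorded, keep walking
            continue
        break                            # first address that is neither: this is the client
    if headers.get("X-Forwarded-Proto", "").lower() == "https":
        scheme, port = "https", 443      # mirrors the valve's https handling (assumed header name)
    return client, scheme, port, proxies_seen


def absolute_url(scheme, host, port, path):
    """The URL the application would build for a redirect, given the resolved scheme and port."""
    default = {"http": 80, "https": 443}[scheme]
    authority = host if port == default else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"


if __name__ == "__main__":
    # Constructed request 1: httpd on 10.0.0.5 forwards a client's HTTPS request.
    via_httpd = resolve_client("10.0.0.5", {"X-Forwarded-For": "203.0.113.7",
                                            "X-Forwarded-Proto": "https"})
    # Constructed request 2: a client reaches port 8080 directly and supplies its own headers.
    direct = resolve_client("198.51.100.9", {"X-Forwarded-For": "10.0.0.1",
                                             "X-Forwarded-Proto": "https"})
    for label, (ip, scheme, port, _) in (("via httpd", via_httpd), ("direct", direct)):
        print(f"{label}: client={ip} url={absolute_url(scheme, 'publichostname', port, '/myapp')}")
```

The second constructed request is the defender's reason to keep the Tomcat connector reachable only from the web server (bind it with `address="127.0.0.1"` when the two share a host, or firewall port 8080): the valve ignores forwarded headers on a connection that does not come from an internal proxy, but the request itself still reaches the application without ever passing the SiteMinder-protected httpd. When the web server is not on a private address, set `internalProxies` on the valve to the proxy's own IP rather than relying on the default. In httpd, `ProxyPreserveHost On` keeps the client's Host header, so the URLs the application builds carry publichostname rather than the internal name.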