Posted to users@tomcat.apache.org by Garret Wilson <ga...@globalmentor.com> on 2019/02/07 16:45:07 UTC

current best practices for Tomcat with SSL on port 443

Hi, everyone. In the computer course I'm writing I'm using Tomcat for 
the server. (Students learn how to set up CentOS and everything from 
scratch. Currently the course has them using Tomcat running on port 
8080.) I'm going back to write the section on security. I want students 
to learn to set up their web server to use SSL/TLS on port 443, with 
HTTP port 80 redirecting to HTTPS port 443. This should be a very basic, 
fundamental configuration, no?

The last time I did this myself was about 10 or 15 years ago, when I 
compiled Apache myself and put it in front of Tomcat using whatever 
connectors (I'll have to go look at my configuration from back then), 
purchasing outrageously priced SSL certificates and installing them 
manually. Now I'm sure things are greatly improved. Recently I've set up 
Apache (I didn't have to compile it) hosting static pages directly, and 
using Let's Encrypt (once I figured out what I should be doing) for SSL 
was a breeze. It's working nicely. So I assume I'd want to use Let's 
Encrypt in whatever solution I prescribe to the students.

So what is the best practice, straightforward, and simple setup for 
Tomcat with SSL on port 443 (preferably using Let's Encrypt) with HTTP 
port 80 forwarding to HTTPS port 443? Do I still need to stick Apache 
(or Nginx?) in front of it? (The last I checked, letting Tomcat use 
lower port numbers was a pain, and nobody seemed to know an easy, 
straightforward way to do it.)

Maybe this is a better question for Stack Overflow, but since the experts 
are here and I'm already on the list, I thought I'd ask. Thanks in 
advance! I'm really wanting to learn here.

Best,

Garret


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: current best practices for Tomcat with SSL on port 443

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Garret,

On 2/8/19 08:27, Garret Wilson wrote:
> On 2/7/2019 9:54 PM, Christopher Schultz wrote:
>> … I would argue that adding Apache httpd into the mix (where it is
>> not already there) is more complicated than using Let's
>> Encrypt with Tomcat.
> 
> 
> OK, I guess I didn't figure in the part about adding/configuring
> the connector. But still there are a few things I have doubts
> about, just looking over the document quickly:
> 
> * There's still the issue about listening on lower port numbers.
> From the presentation, it looks like I would need to teach myself
> about iptables.

Or use jsvc. Or authbind. There are lots of ways to make
lower-numbered ports work these days. Are the students running their
own servers / VMs / containers / whatever? I mean... not everyone can
have port 80 on the same machine, so...

jsvc is fairly straightforward. catalina.sh supports it pretty much
directly.

> I wonder if students (and I) would find mucking with iptable
> configurations easier than just installing apache using APT and
> editing some XML files. (I don't know; I haven't looked into it 
> deeply.) And the presentation tantalizingly mentioned something 
> called "jsvc" but didn't provide any further details. I'll have to 
> research that. Then I'll search for "jsvc vs iptables", etc. So
> the presentation is a good thing to tell me what to look for.

jsvc is a native wrapper around Tomcat that can elevate privileges,
bind to port 80 (and 443, or whatever you need), then drop privileges.

> * What about forwarding from the non-secure site to the HTTPS
> site? Apache makes that pretty easy; actually it's a little arcane,
> but once you have the virtual host file one wants one can use it as
> a pattern. I'll note that the presentation didn't cover that.

Just put this into your web.xml like always (right?):

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole site</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Tomcat will handle the redirect if you try to access the application
via a non-secure protocol.

> Or is that something iptables is responsible for, too?

Nope, iptables doesn't re-write protocols. It only re-wires ports. If
you connect to a secure service with a non-secure protocol, the TLS
handshake will fail. At least, on Tomcat it will.

-chris

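A check for the redirect that the security-constraint above produces, added here as an example that is not code from this thread or from Tomcat: it requests one page over plain HTTP without following redirects and reports whether the answer is an https redirect to the same host, path and public port. It assumes the host named on the command line answers on port 80 (bound by jsvc/authbind or forwarded by iptables); the redirectPort finding refers to the HTTP Connector attribute Tomcat uses to build the redirect target.

```python
"""Verify that plain-HTTP requests to a Tomcat host are redirected to HTTPS.
Added example, not code from this thread or from Tomcat; it assumes the host
given on the command line answers on port 80 (bound directly or via iptables)."""
import http.client
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def check_redirect(requested_url, status, location, https_port=443):
    """Return a list of findings for one response; an empty list means OK."""
    if status not in REDIRECT_CODES:
        return [f"expected a redirect, got HTTP {status}"]
    if not location:
        return ["redirect without a Location header"]
    req, loc = urlsplit(requested_url), urlsplit(location)
    findings = []
    if loc.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if loc.hostname != req.hostname:
        findings.append(f"redirect changes the host to {loc.hostname}")
    # Tomcat takes the target port from the HTTP Connector's redirectPort.
    # With the stock value 8443 and iptables mapping 443 -> 8443, browsers
    # are sent to a port that is filtered from outside; it must be 443.
    if (loc.port or 443) != https_port:
        findings.append(f"redirect uses port {loc.port}; set "
                        f'redirectPort="{https_port}" on the HTTP Connector')
    if (loc.path, loc.query) != (req.path, req.query):
        findings.append("redirect drops the original path or query string")
    return findings

def probe(host, path="/", port=80, timeout=5):
    """Request one path over plain HTTP, do not follow the redirect, check it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # Tomcat builds the host part of the Location header from this header.
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return check_redirect(f"http://{host}{path}", resp.status,
                              resp.getheader("Location"))
    finally:
        conn.close()

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    problems = probe(host, "/index.html?probe=1")
    print("OK: HTTP redirects to HTTPS" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```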


Re: current best practices for Tomcat with SSL on port 443

Posted by Garret Wilson <ga...@globalmentor.com>.
On 2/7/2019 9:54 PM, Christopher Schultz wrote:
> …
> I would argue that adding Apache httpd into the mix (where it is not
> already there) is more complicated than using Let's Encrypt with
> Tomcat.


OK, I guess I didn't figure in the part about adding/configuring the 
connector. But still there are a few things I have doubts about, just 
looking over the document quickly:

  * There's still the issue about listening on lower port numbers. From
    the presentation, it looks like I would need to teach myself about
    iptables. I wonder if students (and I) would find mucking with
    iptable configurations easier than just installing apache using APT
    and editing some XML files. (I don't know; I haven't looked into it
    deeply.) And the presentation tantalizingly mentioned something
    called "jsvc" but didn't provide any further details. I'll have to
    research that. Then I'll search for "jsvc vs iptables", etc. So the
    presentation is a good thing to tell me what to look for.
  * What about forwarding from the non-secure site to the HTTPS site?
    Apache makes that pretty easy; actually it's a little arcane, but
    once you have the virtual host file one wants one can use it as a
    pattern. I'll note that the presentation didn't cover that. Or is
    that something iptables is responsible for, too?

Cheers,

Garret


Re: current best practices for Tomcat with SSL on port 443

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Garret,

On 2/7/19 12:22, Garret Wilson wrote:
> On 2/7/2019 3:13 PM, Christopher Schultz wrote:
>> … Have a look at this presentation: 
>> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf
> 
> The presentation gets two thumbs up, specifically:
> 
> * Great corny grammar ambiguity joke on the title page.

If you come to an upcoming ApacheCon, you can hurl rotten fruit at me
in person!

> * The inferred conclusion of the presentation is: "If I already
> have enough complications in my life and I don't want more, I don't
> want to try to use Let's Encrypt directly with Tomcat (and
> especially not attempt to teach this to students), even if the
> complications can be overcome." :D But it's nice and useful to know
> what I'm avoiding by not going down that road.

When drafting that presentation, I actually configured a production
service running on Tomcat to use LE. It was less painful than I
thought, honestly. (Actually, restarting the connector was a PITA, but
things have improved in Tomcat since I wrote the original draft.)

I would argue that adding Apache httpd into the mix (where it is not
already there) is more complicated than using Let's Encrypt with
Tomcat. Certainly if Apache httpd is already there, it's *way* easier
to just add LE. But part of the reason I presented that material was
so that someone who works on one of the various certbot-type things
would develop a plug-in that makes configuring Tomcat as easy as
configuring httpd.

Romain Manni-Bucau from the TomEE project built a Tomcat component
that does LE for you. It's an inside-out approach, as opposed to an
outside-in approach like I took in my presentation. YMMV. You can find
his project here on GitHub:
https://github.com/rmannibucau/letsencrypt-manager

Good luck, and thanks for using a free and open-source product like
Tomcat in your class. If anyone has any trouble with the documentation
-- especially a student -- encourage them to figure out what's going on
(possibly by posting a message here) and contribute a documentation patch.

-chris



Re: current best practices for Tomcat with SSL on port 443

Posted by Garret Wilson <ga...@globalmentor.com>.
On 2/7/2019 3:13 PM, Christopher Schultz wrote:
> …
> Have a look at this presentation:
> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf

The presentation gets two thumbs up, specifically:

  * Great corny grammar ambiguity joke on the title page.
  * The inferred conclusion of the presentation is: "If I already have
    enough complications in my life and I don't want more, I don't want
    to try to use Let's Encrypt directly with Tomcat (and especially not
    attempt to teach this to students), even if the complications can be
    overcome." :D But it's nice and useful to know what I'm avoiding by
    not going down that road.

Garret


Re: current best practices for Tomcat with SSL on port 443

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Garret,

On 2/7/19 11:45, Garret Wilson wrote:
> Hi, everyone. In the computer course I'm writing I'm using Tomcat
> for the server. (Students learn how to set up CentOS and everything
> from scratch. Currently the course has them using Tomcat running on
> port 8080.) I'm going back to write the section on security. I want
> students to learn to set up their web server to use SSL/TLS on port
> 443, with HTTP port 80 redirecting to HTTPS port 443. This should
> be a very basic, fundamental configuration, no?
> 
> The last time I did this myself was about 10 or 15 years ago, when
> I compiled Apache myself and put it in front of Tomcat using
> whatever connectors (I'll have to go look at my configuration from
> back then), purchasing outrageously priced SSL certificates and
> installing them manually. Now I'm sure things are greatly improved.
> Recently I've set up Apache (I didn't have to compile it) hosting
> static pages directly, and using Let's Encrypt (once I figured out
> what I should be doing) for SSL was a breeze. It's working nicely.
> So I assume I'd want to use Let's Encrypt in whatever solution I
> prescribe to the students.
> 
> So what is the best practice, straightforward, and simple setup
> for Tomcat with SSL on port 443 (preferably using Let's Encrypt)
> with HTTP port 80 forwarding to HTTPS port 443? Do I still need to
> stick Apache (or Nginx?) in front of it? (The last I checked,
> letting Tomcat use lower port numbers was a pain, and nobody seemed
> to know an easy, straightforward way to do it.)
> 
> Maybe this is a better question for Stack Overflow, but since the
> experts are here and I'm already on the list, I thought I'd ask.
> Thanks in advance! I'm really wanting to learn here.

Have a look at this presentation:
https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf

Definitely post back if you have any questions.

-chris



Re: current best practices for Tomcat with SSL on port 443

Posted by John Larsen <jo...@javapipe.com>.
You can use Apache with mod_jk and then just set up the SSL through Apache
and Tomcat will use the 443 port through Apache.

If you want to use Let's Encrypt you need to add JkUnMount for /.well-known/*
directory so that when you run Let's Encrypt it can create and get to this
directory through Apache.

John


On Thu, Feb 7, 2019 at 9:45 AM Garret Wilson <ga...@globalmentor.com>
wrote:

> Hi, everyone. In the computer course I'm writing I'm using Tomcat for
> the server. (Students learn how to set up CentOS and everything from
> scratch. Currently the course has them using Tomcat running on port
> 8080.) I'm going back to write the section on security. I want students
> to learn to set up their web server to use SSL/TLS on port 443, with
> HTTP port 80 redirecting to HTTPS port 443. This should be a very basic,
> fundamental configuration, no?
>
> The last time I did this myself was about 10 or 15 years ago, when I
> compiled Apache myself and put it in front of Tomcat using whatever
> connectors (I'll have to go look at my configuration from back then),
> purchasing outrageously priced SSL certificates and installing them
> manually. Now I'm sure things are greatly improved. Recently I've set up
> Apache (I didn't have to compile it) hosting static pages directly, and
> using Let's Encrypt (once I figured out what I should be doing) for SSL
> was a breeze. It's working nicely. So I assume I'd want to use Let's
> Encrypt in whatever solution I prescribe to the students.
>
> So what is the best practice, straightforward, and simple setup for
> Tomcat with SSL on port 443 (preferably using Let's Encrypt) with HTTP
> port 80 forwarding to HTTPS port 443? Do I still need to stick Apache
> (or Nginx?) in front of it? (The last I checked, letting Tomcat use
> lower port numbers was a pain, and nobody seemed to know an easy,
> straightforward way to do it.)
>
> Maybe this is a better question for Stack Overflow, but since the experts
> are here and I'm already on the list, I thought I'd ask. Thanks in
> advance! I'm really wanting to learn here.
>
> Best,
>
> Garret
>
>