Posted to users@tomcat.apache.org by venkateswara Rao Akkireddy <ve...@gmail.com> on 2013/09/20 17:39:15 UTC
I want to redirect the https traffic of apache to tomcat. Such that
we can configure SSL certificate on each tomcat instance.
Hi All
Hope everyone is doing good!
Aim: I want to redirect the https traffic of apache to tomcat. Such that
we can configure SSL certificate on each tomcat instance.
Please Help me on this ASAP
*1) Configuration in /etc/httpd/conf/httpd.conf*
Listen 174.132.121.115:80
Listen 174.132.121.115:443
JkWorkersFile "conf/workers.properties"
JkLogFile "logs/mod_jk.log"
JkShmFile "/var/log/httpd/mod_jk.shm"
JkWatchdogInterval 30
JkLogLevel info
JkLogLevel debug
JkExtractSSL On
JkHTTPSIndicator HTTPS
<VirtualHost 174.132.121.115:80>
ServerAdmin ramarajud@mmgs.com
ServerName 174.132.121.115
JkMount / loadbalancer
JkMount /* loadbalancer
JkMount /status jkstatus
</VirtualHost>
<VirtualHost 174.132.121.115:443>
ServerName 174.132.121.115
JkMount / loadbalancerssl
JkMount /* loadbalancerssl
SetEnv JkHTTPSIndicator On
JkMount /status jkstatus
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
</VirtualHost>
*2) Configuration in /etc/httpd/conf/workers.properties*
worker.list=loadbalancer,jkstatus,loadbalancerssl
#Configuration to Show Status of Load balancer
worker.jkstatus.type=status
#Trippro BE Load Balancer Nodes
worker.tpbe1.type=ajp13
worker.tpbe1.host=174.132.121.115
worker.tpbe1.port=8023
worker.tpbe1.lbfactor=1
worker.tpbe1.socket_timeout=210
worker.tpbe2.type=ajp13
worker.tpbe2.host=174.132.121.115
worker.tpbe2.port=8028
worker.tpbe2.lbfactor=1
worker.tpbe2.socket_timeout=210
worker.tpbe1ssl.type=ajp13
worker.tpbe1ssl.host=174.132.121.115
worker.tpbe1ssl.port=8022
worker.tpbe1ssl.lbfactor=1
worker.tpbe1ssl.socket_timeout=210
worker.tpbe2ssl.type=ajp13
worker.tpbe2ssl.host=174.132.121.115
worker.tpbe2ssl.port=8027
worker.tpbe2ssl.lbfactor=1
worker.tpbe2ssl.socket_timeout=210
3) Tomcat Configuration
a) TBE1 Tomcat Instance Server.xml config
<!-- Define an AJP 1.3 Connector on port 8023 for http traffic-->
<Connector port="8023" address="174.132.121.115" protocol="AJP/1.3"
redirectPort="8022" />
<!-- Define an AJP 1.3 Connector on port 8024 for https traffic-->
<Connector port="8022"
protocol="AJP/1.3" maxThreads="500"
scheme="https" secure="true" SSLEnabled="true"
connectionTimeout="60000"
proxyPort="443"
keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
keystorePass="Tr!pPro"
clientAuth="false" sslProtocol="TLS"/>
<Engine name="Catalina" defaultHost="TPBE1" jvmRoute="tpbe1">
b) TBE2 Tomcat Instance Server.xml config
<!-- Define an AJP 1.3 Connector on port 8028 for http traffic-->
<Connector port="8028" address="174.132.121.115" protocol="AJP/1.3"
redirectPort="8027" />
<!-- Define an AJP 1.3 Connector on port 8024 for https traffic-->
<Connector port="8027" address="174.132.121.115"
protocol="AJP/1.3" maxThreads="500"
scheme="https" secure="true" SSLEnabled="true"
connectionTimeout="60000"
proxyPort="443"
keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
keystorePass="Tr!pPro"
clientAuth="false" sslProtocol="TLS"/>
<Engine name="Catalina" defaultHost="TPBE2" jvmRoute="tpbe2">
--
Best Regards
A.Venkateswara Rao
9246665067
Qualcomm INDIA PVT. LTD <http://www.qualcomm.co.in/>
Hyderabad
Re: I want to redirect the https traffic of apache to tomcat. Such
that we can configure SSL certificate on each tomcat instance.
Posted by André Warnier <aw...@ice-sa.com>.
venkateswara Rao Akkireddy wrote:
> Hi All
>
> Hope everyone is doing good!
>
>
>
> Aim: I want to redirect the https traffic of apache to tomcat. Such that
> we can configure SSL certificate on each tomcat instance.
>
>
>
> Please Help me on this ASAP
This is the kind of thing that you should probably avoid, on a help list that is staffed
by volunteers.
>
>
>
> *1) Configuration in /etc/httpd/conf/httpd.conf*
>
>
>
> Listen 174.132.121.115:80
> Listen 174.132.121.115:443
>
>
>
> JkWorkersFile "conf/workers.properties"
>
> JkLogFile "logs/mod_jk.log"
>
> JkShmFile "/var/log/httpd/mod_jk.shm"
>
> JkWatchdogInterval 30
>
> JkLogLevel info
>
> JkLogLevel debug
>
> JkExtractSSL On
>
> JkHTTPSIndicator HTTPS
>
>
>
> <VirtualHost 174.132.121.115:80>
>
> ServerAdmin ramarajud@mmgs.com
>
> ServerName 174.132.121.115
>
> JkMount / loadbalancer
>
> JkMount /* loadbalancer
>
> JkMount /status jkstatus
>
> </VirtualHost>
>
>
>
> <VirtualHost 174.132.121.115:443>
>
> ServerName 174.132.121.115
>
> JkMount / loadbalancerssl
>
> JkMount /* loadbalancerssl
>
> SetEnv JkHTTPSIndicator On
>
> JkMount /status jkstatus
>
> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
>
> </VirtualHost>
>
>
>
> *2) Configuration in /etc/httpd/conf/workers.properties*
>
>
>
> worker.list=loadbalancer,jkstatus,loadbalancerssl
>
>
>
> #Configuration to Show Status of Load balancer
>
> worker.jkstatus.type=status
>
>
>
> #Trippro BE Load Balancer Nodes
>
>
>
> worker.tpbe1.type=ajp13
>
> worker.tpbe1.host=174.132.121.115
>
> worker.tpbe1.port=8023
>
> worker.tpbe1.lbfactor=1
>
> worker.tpbe1.socket_timeout=210
>
>
>
> worker.tpbe2.type=ajp13
>
> worker.tpbe2.host=174.132.121.115
>
> worker.tpbe2.port=8028
>
> worker.tpbe2.lbfactor=1
>
> worker.tpbe2.socket_timeout=210
>
>
>
> worker.tpbe1ssl.type=ajp13
>
> worker.tpbe1ssl.host=174.132.121.115
>
> worker.tpbe1ssl.port=8022
>
> worker.tpbe1ssl.lbfactor=1
>
> worker.tpbe1ssl.socket_timeout=210
>
>
>
> worker.tpbe2ssl.type=ajp13
>
> worker.tpbe2ssl.host=174.132.121.115
>
> worker.tpbe2ssl.port=8027
>
> worker.tpbe2ssl.lbfactor=1
>
> worker.tpbe2ssl.socket_timeout=210
>
>
>
> 3) Tomcat Configuration
>
>
>
> a) TBE1 Tomcat Instance Server.xml config
>
>
>
> <!-- Define an AJP 1.3 Connector on port 8023 for http traffic-->
>
> <Connector port="8023" address="174.132.121.115" protocol="AJP/1.3"
> redirectPort="8022" />
>
>
>
> <!-- Define an AJP 1.3 Connector on port 8024 for https traffic-->
>
> <Connector port="8022"
>
> protocol="AJP/1.3" maxThreads="500"
>
> scheme="https" secure="true" SSLEnabled="true"
>
> connectionTimeout="60000"
>
> proxyPort="443"
>
> keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
> keystorePass="Tr!pPro"
>
> clientAuth="false" sslProtocol="TLS"/>
>
>
>
> <Engine name="Catalina" defaultHost="TPBE1" jvmRoute="tpbe1">
>
>
>
> b) TBE2 Tomcat Instance Server.xml config
>
>
>
> <!-- Define an AJP 1.3 Connector on port 8028 for http traffic-->
>
> <Connector port="8028" address="174.132.121.115" protocol="AJP/1.3"
> redirectPort="8027" />
>
>
>
> <!-- Define an AJP 1.3 Connector on port 8024 for https traffic-->
>
> <Connector port="8027" address="174.132.121.115"
>
> protocol="AJP/1.3" maxThreads="500"
>
> scheme="https" secure="true" SSLEnabled="true"
>
> connectionTimeout="60000"
>
> proxyPort="443"
>
> keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
> keystorePass="Tr!pPro"
>
> clientAuth="false" sslProtocol="TLS"/>
>
>
>
> <Engine name="Catalina" defaultHost="TPBE2" jvmRoute="tpbe2">
One thing that you should know: the AJP protocol does not support SSL/HTTPS.
In other words, the communication between mod_jk and Tomcat is not encrypted. It is NOT
SSL or HTTPS, it is AJP, and there is no AJPS.
What AJP /can/ do, is to "transport" some information from httpd to Tomcat, about the
original browser-to-httpd HTTPS communication. That is the point of the Jk "HTTPS" and
"SSL" options, but nothing else.
Graphically:
(browser) <-- HTTPS --> (httpd + mod_jk) <-- AJP --> (Tomcat + AJP Connector)
               (1)                           (2)
(1) can be encrypted
(2) cannot be encrypted (*), but can "transport" HTTPS headers information from (1)
(*) except if you set up some kind of "SSL tunnel" there, but that would be outside of
httpd and Tomcat.
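
Added example, not part of the original thread and not Tomcat or mod_jk code: a Python check that applies the point of the reply above to a server.xml. It lists AJP connectors that carry TLS attributes (which cannot encrypt the AJP hop) and AJP connectors bound to a non-loopback address; `audit_ajp_connectors`, `is_loopback` and the sample document with its placeholder keystore values are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Connector attributes that configure TLS; AJP has no TLS layer to apply them to.
TLS_ATTRS = ("SSLEnabled", "keystoreFile", "keystorePass", "sslProtocol", "clientAuth")

# Constructed sample modelled on the connectors in the post.
# The keystore path and password are placeholders, not values from the thread.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8023" address="174.132.121.115" protocol="AJP/1.3"
               redirectPort="8022" />
    <Connector port="8022" protocol="AJP/1.3" maxThreads="500"
               scheme="https" secure="true" SSLEnabled="true"
               connectionTimeout="60000" proxyPort="443"
               keystoreFile="/path/to/placeholder.keystore"
               keystorePass="PLACEHOLDER"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
  </Service>
</Server>
"""

def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def audit_ajp_connectors(server_xml):
    """Return {port: [findings]} for every AJP connector in a server.xml string."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue  # HTTP connectors can legitimately carry TLS settings
        notes = []
        tls = [a for a in TLS_ATTRS if a in conn.attrib]
        if tls:
            notes.append("TLS attributes on AJP connector: " + ", ".join(tls))
        addr = conn.get("address")
        if addr is not None and not is_loopback(addr):
            notes.append("cleartext AJP bound to non-loopback address " + addr)
        findings[conn.get("port")] = notes
    return findings
```

An empty list for a port means the connector is AJP and neither condition was found; a connector with no `address` attribute is not flagged for binding because its default depends on the Tomcat version.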