{"id":1624,"date":"2012-10-28T10:21:33","date_gmt":"2012-10-28T02:21:33","guid":{"rendered":"http:\/\/rmohan.com\/?p=1624"},"modified":"2012-10-28T11:04:49","modified_gmt":"2012-10-28T03:04:49","slug":"1624","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=1624","title":{"rendered":"Securing Tomcat with Apache Web Server mod_proxy"},"content":{"rendered":"<h3>Securing Tomcat with Apache Web Server mod_proxy<\/h3>\n<p>I wanted to enable SSL encryption to allow secure channels (https) to our Tomcat server. There were 2 obvious ways to do this:<\/p>\n<ol>\n<li>Secure Tomcat directly<\/li>\n<li>Secure an Apache web server front-end that controls access to Tomcat<\/li>\n<\/ol>\n<p><strong>Secure Tomcat directly<\/strong><\/p>\n<p>Securing Tomcat directly is fairly straightforward and is the easiest option, but it does have some drawbacks. The major drawback for me was restricting access to the other webapps running within the Tomcat container: I had about 5 different webapps running, but I only wanted one of them to be publicly available. Some will argue that you can restrict access by enforcing rules within the firewall, but I found that to be clunky. If you&#8217;re interested in going this route, here is a link describing how to enable SSL for Tomcat directly:<br \/> <a href=\"http:\/\/tomcat.apache.org\/tomcat-5.5-doc\/ssl-howto.html\">http:\/\/tomcat.apache.org\/tomcat-5.5-doc\/ssl-howto.html<\/a><\/p>\n<p><strong>Secure an Apache web server front-end<\/strong><\/p>\n<p>I prefer using Apache web server as the front-end for many reasons which have been discussed to death. 
I&#8217;ll note some of the more important ones:<\/p>\n<ul>\n<li>Apache can serve static content much faster<\/li>\n<li>Apache can run as a load balancer in front of a cluster of Tomcat instances<\/li>\n<li>Apache can handle SSL encryption for a cluster of Tomcat instances<\/li>\n<li>Apache has several modules that can easily be plugged in<\/li>\n<\/ul>\n<p>For more reasons have a look at this article: <a href=\"http:\/\/wiki.apache.org\/tomcat\/FAQ\/Connectors\">http:\/\/wiki.apache.org\/tomcat\/FAQ\/Connectors<\/a><\/p>\n<p>In this instance I will be using Apache&#8217;s <strong>mod_proxy<\/strong> module to forward (reverse-proxy) traffic to the Tomcat server, and use Apache to provide the SSL encryption.<\/p>\n<p>To get an idea of how it works see the diagram below:<\/p>\n<div><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2012\/10\/securing-tomcat-with-apache-web-server.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1626\" title=\"securing-tomcat-with-apache-web-server\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2012\/10\/securing-tomcat-with-apache-web-server.png\" alt=\"\" width=\"1067\" height=\"739\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2012\/10\/securing-tomcat-with-apache-web-server.png 1067w, https:\/\/mohan.sg\/wp-content\/uploads\/2012\/10\/securing-tomcat-with-apache-web-server-300x207.png 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2012\/10\/securing-tomcat-with-apache-web-server-1024x709.png 1024w\" sizes=\"(max-width: 1067px) 100vw, 1067px\" \/><\/a><\/div>\n<p>When a user visits our website using the default web port of <strong>80<\/strong>, Apache will proxy the request to Tomcat on port <strong>8080<\/strong>. 
Similarly, when the browser is communicating on port <strong>443<\/strong> (https), Apache will handle the encryption and proxy the request to Tomcat on port <strong>8443<\/strong>.<\/p>\n<p>In my setup of Apache, I have 2 main configuration files:<\/p>\n<ol>\n<li>httpd.conf<\/li>\n<li>ssl.conf<\/li>\n<\/ol>\n<p><strong>httpd.conf<\/strong> contains the configuration for handling traffic on port 80:<\/p>\n<pre><code>Listen 80\nProxyRequests Off\nProxyPreserveHost On\n\n&lt;VirtualHost _default_:80&gt;\n    ServerName your_company_domain_name\n    ProxyPass        \/app http:\/\/localhost:8080\/app\n    ProxyPassReverse \/app http:\/\/localhost:8080\/app\n    RewriteEngine On\n    RewriteRule ^(.*)\/login$ https:\/\/%{SERVER_NAME}$1\/login [L,R]\n&lt;\/VirtualHost&gt;\n<\/code><\/pre>\n<p><strong>ProxyRequests Off<\/strong> keeps Apache acting purely as a reverse proxy for <strong>\/app<\/strong> rather than as an open forward proxy.<br \/> The <strong>ProxyPass<\/strong> and <strong>ProxyPassReverse<\/strong> lines are responsible for forwarding the requests to Tomcat (and rewriting the Location headers in Tomcat&#8217;s responses).<br \/> The <strong>RewriteEngine<\/strong> and <strong>RewriteRule<\/strong> lines are responsible for redirecting any requests for the login page on port 80 to the secure channel running on port 443.<\/p>\n<p><strong>ssl.conf<\/strong> contains the configuration for handling traffic on port 443:<\/p>\n<pre><code>Listen 443\n\n&lt;VirtualHost _default_:443&gt;\n    SSLEngine on\n    SSLProxyEngine on\n    SSLCertificateFile    \/etc\/pki\/tls\/certs\/your_company_certificate.pem\n    SSLCertificateKeyFile \/etc\/pki\/tls\/certs\/your_company_private_key.pem\n    ServerName your_company_domain_name\n    ProxyPass        \/app http:\/\/localhost:8443\/app\n    ProxyPassReverse \/app http:\/\/localhost:8443\/app\n&lt;\/VirtualHost&gt;\n<\/code><\/pre>\n<p>The <strong>SSLCertificateFile<\/strong> and <strong>SSLCertificateKeyFile<\/strong> directives enable encryption and require the private key as well as the certificate file provided by your certificate authority.<br \/> Just as before, the <strong>ProxyPass<\/strong> and <strong>ProxyPassReverse<\/strong> lines are responsible for forwarding traffic arriving on port 443 to Tomcat on port 8443.<\/p>\n<p><strong>server.xml<\/strong> contains the Tomcat configuration details:<\/p>\n<pre><code>&lt;Connector port=\"8080\"\n           maxHttpHeaderSize=\"8192\"\n           maxThreads=\"150\" minSpareThreads=\"25\" maxSpareThreads=\"75\"\n           enableLookups=\"true\"\n           redirectPort=\"443\"\n           acceptCount=\"100\"\n           connectionTimeout=\"20000\"\n           disableUploadTimeout=\"true\" \/&gt;\n\n&lt;Connector port=\"8443\"\n           maxHttpHeaderSize=\"8192\"\n           maxThreads=\"150\" minSpareThreads=\"25\" maxSpareThreads=\"75\"\n           enableLookups=\"true\"\n           acceptCount=\"100\"\n           connectionTimeout=\"20000\"\n           disableUploadTimeout=\"true\"\n           scheme=\"https\" secure=\"true\" SSLEnabled=\"false\"\n           proxyPort=\"443\" proxyName=\"your_company_domain_name\" \/&gt;\n<\/code><\/pre>\n<p>The 8443 connector has <strong>SSLEnabled=\"false\"<\/strong> because Apache has already terminated the SSL connection; <strong>scheme=\"https\"<\/strong>, <strong>secure=\"true\"<\/strong>, <strong>proxyName<\/strong> and <strong>proxyPort<\/strong> tell Tomcat to treat requests on this port as secure and to build absolute URLs using the public https address. Tomcat therefore trusts that anything arriving on 8443 came in over https, so this port (and 8080) should only be reachable from the Apache front-end, not directly from the outside.<\/p>\n<p><strong>Importing certificates into the keystore<\/strong><\/p>\n<pre><code>keytool -import -alias auscert -keystore -trustcacerts -file<\/code><\/pre>\n<p><strong>Extracting existing certificates and private keys from a keystore to be used in Apache in PEM format<\/strong><\/p>\n<p>Originally, I had set up encryption within Tomcat rather than Apache. When I wanted to migrate the control of security from Tomcat to Apache, I was faced with the issue that Tomcat and Apache each expected the certificates in a different format. After much research I found a tool that was helpful in extracting the private key and the certificate out of the keystore into the PEM format expected by Apache. 
The open-source tool can be downloaded here: <a href=\"http:\/\/sourceforge.net\/projects\/portecle\">http:\/\/sourceforge.net\/projects\/portecle<\/a><br \/>\u00a0 <a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2012\/10\/index.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1627\" title=\"index\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2012\/10\/index.png\" alt=\"\" width=\"616\" height=\"519\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2012\/10\/index.png 616w, https:\/\/mohan.sg\/wp-content\/uploads\/2012\/10\/index-300x252.png 300w\" sizes=\"(max-width: 616px) 100vw, 616px\" \/><\/a><\/p>\n<p>To extract the private key from the JKS keystore, use this:<br \/> <a href=\"http:\/\/www.softpedia.com\/get\/Security\/Security-Related\/KeyTool-IUI.shtml\">http:\/\/www.softpedia.com\/get\/Security\/Security-Related\/KeyTool-IUI.shtml<\/a><br \/> Select Export -&gt; Keystore&#8217;s entry -&gt; Private key<br \/> When identifying the target files, remember to choose &#8216;<strong>PEM<\/strong>&#8217;<br \/> The rest is self-explanatory<br \/> <a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2012\/10\/index2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1628\" title=\"index2\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2012\/10\/index2.png\" alt=\"\" width=\"1016\" height=\"861\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2012\/10\/index2.png 1016w, https:\/\/mohan.sg\/wp-content\/uploads\/2012\/10\/index2-300x254.png 300w\" sizes=\"(max-width: 1016px) 100vw, 1016px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securing Tomcat with Apache Web Server mod_proxy <\/p>\n<p>I wanted to enable SSL encryption to allow secure channels (https) to our tomcat server. 
There were 2 obvious ways to do this:<\/p>\n<p> Secure Tomcat directly Secure an Apache web server front-end that controls access to tomcat <\/p>\n<p>Secure Tomcat directly<\/p>\n<p>Securing tomcat directly is fairly straight-forward and is [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1624"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1624"}],"version-history":[{"count":4,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1624\/revisions"}],"predecessor-version":[{"id":1631,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1624\/revisions\/1631"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}