
Posted by The Java Monkey - - 12 comments



For the last 8 years or so, I have almost exclusively developed applications that run on Tomcat. Whether it be JSP applications, servlet-based SOAP/XML services, Struts, Faces, or Axis 2 web services, Tomcat has always been involved. As such, many, many times over that period, I have also been asked to set up servers in the work environment, or hosted servers for clients, or install complete systems onto developer machines and laptops.

Tomcat is easy to set up. However, Tomcat on its own often does not provide everything that is needed for a production environment. Tomcat is wonderful at running Java servlet-based applications. When a client needs to have multiple Tomcats on one server/environment, all going through the same external port and all using the same SSL certificate, the excellent Apache HTTP Server is also needed. Every single time I need to set up a secure Apache proxy that redirects to internal Tomcats based on the context of an incoming request, I have to spend ages playing around with conf files to get it to work. I can never remember quite how to do it.

This blog is a guide to setting up Apache as a secured, external, proxy to multiple internal Tomcats, where Tomcat resolution is managed via the context names in the URL. The advantages of this approach are that you do not need domain names for your forwarding, you only need one SSL certificate for the server, and you only need one external port (443) opened on your server.

The architecture is pretty simple, and is illustrated in the following diagram (drawn in the NetBeans UML editor which is handy but has been hit with the ugly stick):



Installing Apache 2.2

Apache 2.2 is available from the Apache Software Foundation, here. Download the Win32 binary with OpenSSL support included. Note that this guide will also work for non-Windows servers; however, the initial install on those boxes can be tough, so I'm not wasting time here explaining it.

Run the installer and set up your domain and server name details. You will want to configure Apache to install as a Windows service so that it is always available. Once it is installed, open up a web browser and go to http://localhost - you will see the welcome screen containing the text "It works!".

Lock it down!

The version of Apache downloaded above contains all that is necessary to secure it to run over SSL/HTTPS. Open a command prompt and go to the Apache bin folder C:\Program Files\Apache Software Foundation\Apache2.2\bin. Enter the following command to generate a self-signed certificate:



OPENSSL.exe req -new -x509 -nodes -extensions v3_req -days 365 -config ..\conf\openssl.cnf -out ..\conf\server.crt -keyout ..\conf\server.key

For the common name, use your domain name (e.g. www.google.com), if you have one. This will generate a key file, server.key, and a certificate file, server.crt. The certificate is what external applications use to send encrypted traffic to the Apache server. The key is what the Apache server uses to decrypt that traffic. Because of the -nodes option, the key file is not protected by a passphrase, so make sure only the account that runs Apache can read it.

Configuring Apache Httpd

Now that the SSL parts are generated, the final step is to configure the Apache server to be secure and to act as a proxy to our Tomcat(s). The file conf\httpd.conf contains most of the configuration for the Apache server.

The following changes need to be applied to it:

  1. Uncomment the proxy_module, proxy_http_module and ssl_module modules.
  2. Uncomment the include statement for conf/extra/httpd-ssl.conf.
  3. Edit conf/extra/httpd-ssl.conf and include lines similar to the following before the closing VirtualHost tag:



ProxyPass /context-name-1 http://localhost:8080/context-name-1
ProxyPassReverse /context-name-1 http://localhost:8080/context-name-1

ProxyPass /context-name-2 http://localhost:8080/context-name-2
ProxyPassReverse /context-name-2 http://localhost:8080/context-name-2

ProxyPass /context-name-3 http://localhost:8081/context-name-3
ProxyPassReverse /context-name-3 http://localhost:8081/context-name-3

These set up the name-based proxy, so anything coming into the server with a context name of context-name-1 will go to the Tomcat on port 8080 and to the webapp named context-name-1.

Note that the above setup also leaves an unsecured Apache listener on port 80. This can be turned off if all traffic is going to port 443.

Now go to the tray icons on your desktop, open the Apache Service Monitor, and hit restart. It's done!

If you get any errors, simply check the log files under the logs folder (error.log).
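The ProxyPass rules above tend to drift as contexts are added. As an added example (not code from the original post), this Python check reads the proxy lines and reports rules with a missing or mismatched ProxyPassReverse, or an external path that differs from the webapp name; the sample configuration and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the proxy lines inside the SSL VirtualHost. It has the
# same shape as the article's rules, with three deliberate mistakes.
SAMPLE_CONF = """\
ProxyPass /context-name-1 http://localhost:8080/context-name-1
ProxyPassReverse /context-name-1 http://localhost:8080/context-name-1
# ProxyPass /retired http://localhost:8082/retired
ProxyPass /context-name-2 http://localhost:8080/context-name-2
ProxyPass /shop http://localhost:8081/context-name-3
ProxyPassReverse /shop http://localhost:8081/context-name-3
ProxyPass /context-name-4 http://localhost:8081/context-name-4
ProxyPassReverse /context-name-4 http://localhost:8080/context-name-4
"""

RULE = re.compile(r"^\s*(ProxyPassReverse|ProxyPass)\s+(\S+)\s+(\S+)",
                  re.IGNORECASE)


def audit_proxy_rules(conf_text):
    """Return sorted (external_path, problem) pairs for the proxy rules."""
    forward, reverse = {}, {}
    for line in conf_text.splitlines():
        match = RULE.match(line)
        if not match:
            continue  # comments, blank lines and unrelated directives
        directive, path, url = match.groups()
        table = forward if directive.lower() == "proxypass" else reverse
        table[path] = url
    findings = []
    for path, url in forward.items():
        if path not in reverse:
            # Location headers in Tomcat redirects are then not rewritten.
            findings.append((path, "missing ProxyPassReverse"))
        elif reverse[path] != url:
            findings.append((path, "ProxyPassReverse targets a different backend"))
        if urlsplit(url).path.rstrip("/") != path.rstrip("/"):
            # The article keeps both names equal; Tomcat scopes its session
            # cookie to the webapp's own context path.
            findings.append((path, "external path differs from webapp context"))
    return sorted(findings)


if __name__ == "__main__":
    for path, problem in audit_proxy_rules(SAMPLE_CONF):
        print(f"{path}: {problem}")
```
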

Tomcat Proxy Settings

If you are serving up a service then you are all done. If you are also or only serving web pages, then you also need to tell your Tomcat the domain details and that it sits behind a proxy server. If you don't, you will find that all the links on your rendered JSP pages actually contain the local Tomcat protocol (HTTP), host (localhost) and port (e.g. 8080), instead of your secured domain.

Luckily, Tomcat supports this through its Connector element (which is found in conf/server.xml in your Tomcat CATALINA_BASE folder). Set the following parameters to similar values to match your domain or external IP address (if you have no domain):

  1. secure = false

  2. scheme = https

  3. proxyName = www.mydomain.com

  4. proxyPort = 443


This will force Tomcat to translate all the link addresses to match your domain details. Note that secure is set to false, because the Tomcat is not handling SSL. However, the scheme must be set to HTTPS so that all the links on your pages contain that as their protocol.
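The four Connector attributes above have to be repeated on every Tomcat behind the proxy. As an added example (not code from the original post), this Python check parses a server.xml and lists what each HTTP Connector is missing; the sample XML and function name are constructed, and the loopback check assumes Tomcat runs on the same machine as Apache, as the localhost URLs in the proxy rules suggest.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the first Connector carries the article's
# four proxy attributes, the second is an untouched default.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
               secure="false" scheme="https"
               proxyName="www.mydomain.com" proxyPort="443"/>
    <Connector port="8081" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml, proxy_name, proxy_port="443"):
    """Map each HTTP Connector port to a list of problems (empty = OK)."""
    expected = {"secure": "false", "scheme": "https",
                "proxyName": proxy_name, "proxyPort": proxy_port}
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # the article proxies over HTTP, not AJP
        problems = [f"{name} is {conn.get(name)!r}, expected {value!r}"
                    for name, value in expected.items()
                    if conn.get(name) != value]
        # Assumption added here: Tomcat shares the machine with Apache, so
        # the connector only needs to listen on loopback.
        if conn.get("address") not in LOOPBACK:
            problems.append("not bound to loopback: port may be reachable without Apache")
        report[conn.get("port")] = problems
    return report


if __name__ == "__main__":
    for port, problems in audit_connectors(SAMPLE_SERVER_XML,
                                           "www.mydomain.com").items():
        print(port, "OK" if not problems else problems)
```
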

Enjoy!

12 Responses so far.

  1. WoW... you are awesome ..... I have been working on this concept for 15 days .. searched various articles.. documentation .... forums and so on .. for sharing the SSL ... u r d only one who have the idea ..... awesome ..u r a life saver ...

    Thanks

    Krishna Reddivari

  2. Btw .. adding to my above notes.. I made it work in LINUX - Cent OS 5.2.

    I can publish my steps for you .. if you need it ..

    Highly Appreciated.

    Krishna Reddivari

  3. Anonymous says:

    Thx you so much!!! I was struggling with tomcat context conf....

  4. This has been a lifesaver for me. Saved me so much time and effort - it's now working - I'm well chuffed

    Bookmarked!

  5. Anonymous says:

    This is great. However, I was wondering if anyone has done this on Ubuntu. Can you please post linux steps?

    Thanks.

  6. EV SSL says:

    application server using a different protocol, or an application server with just rudimentary HTTP.

  7. Hi, nice post. I have used Apache for more than one year but never thought about this. It's really useful. I used it both on Linux as well as Windows.

  8. Gian says:

    You sir are the best!

    Thank you very much for this article. You´ve just nailed it.

    Works like a charm.

  9. I read your article and get very important information in addition if you have any query you can click here.
    Rapid Library UK proxy
