Unable to configure self certificated Https with Apache Web Server and Tomcat8 on Ubuntu VM in Azure

 
Ginny Harvey
Greenhorn
Posts: 6

I have an application running on an Ubuntu 16.04 VM running Tomcat in Azure. The application uses MySQL.

I am trying to implement https using self certification.

- I followed the tutorial:

https://www.digitalocean.com/community/tutorials/how-to-encrypt-tomcat-8-connections-with-apache-or-nginx-on-ubuntu-16-04

selecting the Apache option, and installing Apache web server according to Step 1 in the 'this guide' link in the tutorial.

- I set the ServerName in the apache2.conf file to the IP of the server.

- I have Tomcat manager installed.

- The only connector defined in the Tomcat8 server.xml file is:

  <Connector port="80" protocol="HTTP/1.1"
     connectionTimeout="20000"
     URIEncoding="UTF-8"
     redirectPort="8443" />

- authbind is set to True

- Ports 80 and 443 are enabled in the Azure VM firewall

- In accordance with the tutorial I set up the 'ufw' rules, although this could be disabled.

In accordance with the tutorial I then tried to navigate to the http://server_ip, but the Tomcat 'It works' page was displayed rather than the suggested 'Apache2 Ubuntu default page'. Assuming that this was to do with having Tomcat manager installed I blindly carried on with the installation...

- I followed the 'self-signed SSL guide for Apache' in the tutorial, setting ServerName to IP address.

- Trying to navigate to https://server_ip I get the error 'Site can't be reached - The connection was reset' as in the attached screenshot.

Carrying on the tutorial to restrict access to Tomcat installation ....

- Modified server.xml to:

  <Connector port="80" protocol="HTTP/1.1"
     connectionTimeout="20000"
     URIEncoding="UTF-8"
     address="127.0.0.1"
     redirectPort="8443" />

  <Connector port="8009" protocol="AJP/1.3"
     connectionTimeout="20000"
     address="127.0.0.1"
     redirectPort="8443" />

Now I get the error message 'Site can't be reached - The connection was reset' when trying to access the site with http or https.

Please, can anyone help, I have spent two days trying to resolve this problem.

Thank you!
 
Tim Holloway
Bartender
Posts: 18774
OK. I think I got that. What you are actually trying to do is use Apache httpd server ("Apache" for short - not to be confused with Apache Tomcat) as a reverse proxy for Tomcat. This is a very common thing to do. For one thing, Tomcat should not be run with any Connector ports numbered less than 4096 for security reasons. For another, the Apache (or Nginx) proxy has the ability to serve not only Tomcat, but non-J2EE webapps such as Wordpress (which is written in PHP, not Java).

Only one process can own a specific TCP/IP address/port at a time. So Apache is using port 80 and therefore Tomcat cannot (even if it wasn't a violation of the rule I just mentioned). What you actually have to do is configure an Apache proxy module to forward requests that come in on port 80 for Tomcat over to Tomcat. That is usually done using either mod_jk or mod_proxy. I prefer mod_proxy, but mod_jk is popular. In either case, the Apache proxy module forwards traffic to the Tomcat proxy port (8009, by default). The proxied traffic doesn't use ports 8080 and 8443 (unless you do weird overrides, anyway!)

HTTPS traffic coming in on port 443 is also proxied to Tomcat by Apache. In this case, Apache handles the decryption (SSL) and the actual traffic forwarded via port 8009 to Tomcat is not encrypted (although it is encoded).

So Tomcat doesn't need its own cert, keystore, and https port setup when being proxied. Something that took me years to discover, I'm sad to say. Everybody else took it for granted.
 
Ginny Harvey
Greenhorn
Posts: 6
Thank you Tim for your post.

You have filled in a number of gaps in my understanding, and I am going to have to work through it all to try and clarify things in my mind - I am only able to try things out in the evenings.

I think that what should be happening is that requests pass through the open Azure firewall on port 443. They are passed to Apache on 443 which does the handshake and decryption. Here my understanding gets a bit flaky. There is a reverse proxy and an IP virtual host involved in passing the request on to Tomcat on port 8009. I don't quite get the configuration of those.

I think from what you have said, that Tomcat cannot communicate on port 80 if Apache is doing so, and therefore I should remove the port 80 connector in Tomcat server.xml.

Another thing I don't quite understand, is that having installed Apache, in accordance with the tutorial, and before installing mod_jk and virtual hosts, when navigating to http://server_ip, I was still served the default Tomcat page rather than the default Apache page. Might that be because the Tomcat port 80 connector is still there?

Thank you again for your help.
 
Tim Holloway
Bartender
Posts: 18774
In most cases, if you start a multi-port server such as Apache or Tomcat and one of the ports is already in use, the server will start up, but simply not be able to listen on the pre-empted port. That's why if you start Tomcat on port 80 and then start Apache, you'll get the Tomcat page. However that also tells me that you're running Tomcat on an administrative account, which is a security risk, since Tomcat should not be able to open port 80 on a regular user account. The recommended way to set up is to create a Tomcat userid and run Tomcat under that ID instead of under an admin ID. And yes, change the http port back to port 8080.

Apache is the reverse proxy. You can either configure an apache virtual host or use the apache primary host listening on port 443 with SSL configured. That host (virtual or not) would then contain the configuration for mod_jk that tells Apache to forward the SSL traffic to the Tomcat server's JK port (8009). If Tomcat is on the same machine, then its host address would of course be localhost: 127.0.0.1:8009. For mod_jk, that would be part of the "worker" definitions. For mod_proxy, there would be ProxyPass directives.
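The mod_proxy variant of the setup Tim describes in both replies (SSL terminated in Apache on 443, plain AJP forwarded to Tomcat on 127.0.0.1:8009, Tomcat's own HTTP connector not exposed), as an added example and not configuration from the thread or from the DigitalOcean tutorial. The site file name, the server IP and the certificate paths are assumptions; the ServerName must match whatever name the self-signed certificate was issued for.

```apache
# Hypothetical file: /etc/apache2/sites-available/tomcat-proxy.conf
# Enable with: a2enmod ssl proxy proxy_ajp && a2ensite tomcat-proxy && systemctl reload apache2
# Tomcat side (server.xml): <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
# and no Connector on port 80, so only Apache owns 80 and 443.

<VirtualHost *:443>
    # Placeholder address; use the VM's public IP or DNS name from the certificate.
    ServerName 203.0.113.10

    # TLS terminates here; paths assume the self-signed guide's apache-selfsigned pair.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

    # Reverse proxy only: never act as a forward (open) proxy for arbitrary hosts.
    ProxyRequests Off
    # Pass the client's Host header through so Tomcat builds correct redirects.
    ProxyPreserveHost On

    <Proxy *>
        Require all granted
    </Proxy>

    # Everything under / goes to Tomcat's loopback-bound AJP connector, unencrypted
    # but never leaving the machine. Rewrite Location headers on the way back.
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>

<VirtualHost *:80>
    ServerName 203.0.113.10
    # Plain HTTP exists only to send clients to the TLS host.
    Redirect permanent / https://203.0.113.10/
</VirtualHost>
```

One caveat for newer Tomcats: from 8.5.51 / 9.0.31 onward the AJP connector refuses connections unless a shared secret is configured (Connector `secret="..."` plus `secret=...` on the ProxyPass, Apache 2.4.42+) or `secretRequired="false"` is set explicitly; the tomcat8 package on Ubuntu 16.04 predates this.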
 
Ginny Harvey
Greenhorn
Posts: 6
Hi Tim,

Thank you again for your post, I have not been ignoring it. I have not yet had the chance to revisit this task, as we have a team of student developers completing a sprint, and I have not wanted to risk interfering with their deployments and testing. Their internships will end soon and I will be able to have another go.

Thank you again.
 