venkateswara Rao Akkireddy wrote:
Hi All
Hope everyone is doing well!
Aim: I want to redirect the https traffic of Apache to Tomcat, such that
we can configure an SSL certificate on each Tomcat instance.
Please help me on this ASAP
This is the kind of thing that you should probably avoid, on a help list that is staffed
by volunteers.
1) Configuration in /etc/httpd/conf/httpd.conf
Listen 174.132.121.115:80
Listen 174.132.121.115:443
JkWorkersFile "conf/workers.properties"
JkLogFile "logs/mod_jk.log"
JkShmFile "/var/log/httpd/mod_jk.shm"
JkWatchdogInterval 30
JkLogLevel info
JkLogLevel debug
JkExtractSSL On
JkHTTPSIndicator HTTPS
<VirtualHost 174.132.121.115:80>
ServerAdmin ramara...@mmgs.com
ServerName 174.132.121.115
JkMount / loadbalancer
JkMount /* loadbalancer
JkMount /status jkstatus
</VirtualHost>
<VirtualHost 174.132.121.115:443>
ServerName 174.132.121.115
JkMount / loadbalancerssl
JkMount /* loadbalancerssl
SetEnv JkHTTPSIndicator On
JkMount /status jkstatus
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
</VirtualHost>
2) Configuration in /etc/httpd/conf/workers.properties
worker.list=loadbalancer,jkstatus,loadbalancerssl
#Configuration to Show Status of Load balancer
worker.jkstatus.type=status
#Trippro BE Load Balancer Nodes
worker.tpbe1.type=ajp13
worker.tpbe1.host=174.132.121.115
worker.tpbe1.port=8023
worker.tpbe1.lbfactor=1
worker.tpbe1.socket_timeout=210
worker.tpbe2.type=ajp13
worker.tpbe2.host=174.132.121.115
worker.tpbe2.port=8028
worker.tpbe2.lbfactor=1
worker.tpbe2.socket_timeout=210
worker.tpbe1ssl.type=ajp13
worker.tpbe1ssl.host=174.132.121.115
worker.tpbe1ssl.port=8022
worker.tpbe1ssl.lbfactor=1
worker.tpbe1ssl.socket_timeout=210
worker.tpbe2ssl.type=ajp13
worker.tpbe2ssl.host=174.132.121.115
worker.tpbe2ssl.port=8027
worker.tpbe2ssl.lbfactor=1
worker.tpbe2ssl.socket_timeout=210
3) Tomcat Configuration
a) TBE1 Tomcat Instance Server.xml config
<!-- Define an AJP 1.3 Connector on port 8023 for http traffic-->
<Connector port="8023" address="174.132.121.115" protocol="AJP/1.3"
redirectPort="8022" />
<!-- Define an AJP 1.3 Connector on port 8022 for https traffic-->
<Connector port="8022"
protocol="AJP/1.3" maxThreads="500"
scheme="https" secure="true" SSLEnabled="true"
connectionTimeout="60000"
proxyPort="443"
keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
keystorePass="Tr!pPro"
clientAuth="false" sslProtocol="TLS"/>
<Engine name="Catalina" defaultHost="TPBE1" jvmRoute="tpbe1">
b) TBE2 Tomcat Instance Server.xml config
<!-- Define an AJP 1.3 Connector on port 8028 for http traffic-->
<Connector port="8028" address="174.132.121.115" protocol="AJP/1.3"
redirectPort="8027" />
<!-- Define an AJP 1.3 Connector on port 8027 for https traffic-->
<Connector port="8027" address="174.132.121.115"
protocol="AJP/1.3" maxThreads="500"
scheme="https" secure="true" SSLEnabled="true"
connectionTimeout="60000"
proxyPort="443"
keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
keystorePass="Tr!pPro"
clientAuth="false" sslProtocol="TLS"/>
<Engine name="Catalina" defaultHost="TPBE2" jvmRoute="tpbe2">
One thing that you should know: the AJP protocol does not support SSL/HTTPS.
In other words, the communication between mod_jk and Tomcat is not encrypted. It is NOT
SSL or HTTPS, it is AJP, and there is no AJPS.
What AJP /can/ do, is to "transport" some information from httpd to Tomcat, about the
original browser-to-httpd HTTPS communication. That is the point of the Jk "HTTPS" and
"SSL" options, but nothing else.
Graphically:
(browser) <-- HTTPS --> (httpd + mod_jk) <-- AJP --> (Tomcat + AJP Connector)
              (1)                           (2)
(1) can be encrypted
(2) cannot be encrypted (*), but can "transport" HTTPS headers information from (1)
(*) except if you set up some kind of "SSL tunnel" there, but that would be outside of
httpd and Tomcat.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
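As an added example, not part of the thread, a small Python lint that applies the point above to the poster's own fragments: it pairs the ajp13 workers with the Tomcat AJP Connectors, flags AJP ports that listen on anything other than loopback (that hop is cleartext), and lists the SSL attributes that have no effect on an AJP Connector. The sample inputs are constructed from the TBE1 snippets with the keystore password replaced by a placeholder; the function names are mine.

```python
"""Lint for the mod_jk -> Tomcat AJP setup in the thread: AJP has no TLS, so the
worker ports are cleartext hops and SSL attributes on an AJP Connector do nothing.
Inputs are constructed from the poster's TBE1 fragments (keystorePass is a placeholder)."""
import re
import xml.etree.ElementTree as ET
from ipaddress import ip_address

WORKERS = """worker.tpbe1.type=ajp13
worker.tpbe1.host=174.132.121.115
worker.tpbe1.port=8023
worker.tpbe1ssl.type=ajp13
worker.tpbe1ssl.host=174.132.121.115
worker.tpbe1ssl.port=8022
"""
SERVER_XML = """<Server><Service>
<Connector port="8023" address="174.132.121.115" protocol="AJP/1.3" redirectPort="8022"/>
<Connector port="8022" protocol="AJP/1.3" scheme="https" secure="true" SSLEnabled="true"
 keystoreFile="/opt/certificates/star-trippro/trippro.keystore" keystorePass="PLACEHOLDER"/>
</Service></Server>"""
TLS_ONLY_ATTRS = ("SSLEnabled", "keystoreFile", "keystorePass", "sslProtocol", "clientAuth")

def is_loopback(host):
    """True for 'localhost' or a loopback IP; anything else is reachable over the network."""
    try:
        return host == "localhost" or ip_address(host).is_loopback
    except ValueError:
        return False

def ajp_workers(text):
    """Return {name: (host, port)} for every worker declared with type ajp13."""
    props = dict(re.findall(r"^worker\.(\S+?)=(.*)$", text, re.M))
    names = [k[:-5] for k, v in props.items() if k.endswith(".type") and v == "ajp13"]
    return {n: (props.get(f"{n}.host", "localhost"), int(props[f"{n}.port"])) for n in names}

def lint(workers_text, server_xml):
    out = []  # (severity, message) findings
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("protocol", "").startswith("AJP")]
    ports = {int(c.get("port")) for c in ajp}
    for name, (host, port) in sorted(ajp_workers(workers_text).items()):
        if port not in ports:
            out.append(("error", f"worker {name}: no AJP Connector on port {port}"))
    for c in ajp:
        bind = c.get("address", "all interfaces")  # Tomcat default when address is absent
        if not is_loopback(bind):
            out.append(("warn", f"AJP port {c.get('port')} bound to {bind}; AJP is unencrypted"))
        dead = [a for a in TLS_ONLY_ATTRS if a in c.attrib]
        if dead:
            out.append(("info", f"AJP port {c.get('port')}: {', '.join(dead)} have no effect"))
    return out
```

Run against the poster's fragments it reports no worker/connector mismatch, warns that both AJP ports are reachable from the network, and notes that the keystore settings on port 8022 are inert because TLS terminates in httpd.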