Sunday, September 9, 2012

SSL Offloading with mod_jk part 4

Document Version 1.0
Copyright © 2012-2013 beijing.beijing.012@gmail.com

Keywords:
SSL Offloading, SSL Termination, Apache, Tomcat, mod_jk configuration, multiple vhosts, multiple SSL certificates on one IP



Fronting Tomcat with Apache and mod_jk

Now we will try to front Tomcat with Apache and mod_jk. The target OS is Linux (openSUSE 12.1); the procedure may differ slightly between Linux distributions.


4.1 Install Apache2

Normally Apache2 is included in the openSUSE 12.1 packages. If Apache is installed, there will be an apache2 folder under "/etc":
/etc/apache2/

If you can't find this folder, install Apache2 and mod_jk with YaST.
After installation, start apache2:


#  cd /etc/init.d
# ./apache2 start

Now when you type the URL "http://localhost" into your browser, you will land on the Apache2 default page.

We also installed mod_jk just now (in YaST, search for mod_jk and install it). But mod_jk is not loaded by Apache by default.


4.2 Configure Apache to load/use mod_jk

To configure Apache to use mod_jk, three things need to be done:

1.  Add a file "mod_jk.conf" to Apache. This loads the mod_jk module and specifies the "workers.properties" file for mod_jk
2.  Add a "workers.properties" file to configure the mod_jk workers
3.  Add a virtual host which uses mod_jk


4.2.1 mod_jk.conf

Create a "mod_jk.conf" file in the folder "/etc/apache2/conf.d/".
You could also name the file "sample.sss.conf"; what matters is that the file name ends in ".conf" and that it is placed in the "conf.d" folder. That way the file is found and loaded by Apache.

Content of the "mod_jk.conf" file:



#### START mod_jk.conf
# mod_jk configuration for Apache
# Load mod_jk module
LoadModule jk_module /usr/lib/apache2/mod_jk.so

# Tell Apache where to find workers.properties. We assume Tomcat runs on a different
# machine than Apache, and keep workers.properties next to the Apache configuration.
JkWorkersFile /etc/apache2/conf.d/workers.properties

# mod_jk log configuration
JkLogFile /var/log/apache2/mod_jk.log
JkLogLevel debug
JkLogStampFormat "[%a %b %H:%M:%S %Y]"

# JkOptions: forward the SSL key size to Tomcat, keep URI compatibility mode, do not forward directory requests
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

# JkRequestLogFormat sets the request log format
JkRequestLogFormat "%W %V %T"

# Send everything for context /TestWebSec20 to worker1 (an ajp13 worker)
JkMount /TestWebSec20 worker1
JkMount /TestWebSec20/* worker1

# Send everything for context /sample to worker1 (currently disabled)
#JkMount /sample worker1
#JkMount /sample/* worker1

##### END mod_jk.conf




Explanation of the "mod_jk.conf" file:

1. LoadModule tells Apache to load the mod_jk module.
2. JkWorkersFile specifies the location of the workers file. The workers file tells mod_jk where to find the real application (i.e. the IP and port of the server / application).
3. JkMount has two entries per context, one with and one without the trailing "/*": the first matches the context root itself, the second everything beneath it.


4.2.2 workers.properties file

Create a "workers.properties" file in the conf.d folder with the following content:



##### START workers.properties
# Define a worker named "worker1"
# Several worker names are separated by ","
worker.list=worker1

# Set properties for worker1 to use ajp13 protocol and run on port 8009
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=50
worker.worker1.cachesize=10
worker.worker1.cache_timeout=600
worker.worker1.socket_keepalive=1
worker.worker1.socket_timeout=300

##### END workers.properties




Explanation of the workers.properties file:

1. We configured just one worker. With more workers, the names in worker.list are separated by ",", for example:
   worker.list=worker1, worker2
2. Each worker is configured to communicate with a certain host and port using the AJP protocol. When a request reaches Apache/mod_jk via HTTP or HTTPS, mod_jk forwards it NOT to Tomcat's HTTP or HTTPS ports, but to its AJP port (we will configure Tomcat to use an AJP connector).



4.2.3 Create virtual host and configure the virtual host to use mod_jk

Assume we will configure a new virtual host "ahaha.com"; two steps are needed:

Step 1
Add the virtual host to the "hosts" file. Edit the "hosts" file under "/etc/" and add the following line:
127.0.0.1  ahaha.com www.ahaha.com

Step 2
Create a vhost.conf file under "/etc/apache2/vhost.d/" with the following content:



#### START vhost.conf
<VirtualHost *:80>
    ServerAdmin info@ahaha.com
    ServerName ahaha.com

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot /srv/www/vhosts/ahaha.com

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/ahaha.com_error.log
    CustomLog /var/log/apache2/ahaha.com_access.log combined

    JkMount / worker1
    JkMount /* worker1
</VirtualHost>
#### END vhost.conf
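As an added example (not from the original post), a small Python checker that cross-reads workers.properties against the JkMount lines of mod_jk.conf and vhost.conf and flags the two mistakes that bite in steps 4.2.1 to 4.2.3: a mount naming a worker that worker.list does not define, and a context mounted without its "/*" companion. The sample files are constructed inline from the page's values; in real use you would read the actual files with open().

```python
import re
# Constructed sample input (not read from disk) mirroring the page's files; the last mount deliberately names an undefined worker.
WORKERS_PROPERTIES = """
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
"""
APACHE_CONF = """
JkMount /TestWebSec20 worker1
JkMount /TestWebSec20/* worker1
JkMount / worker1
JkMount /* worker2
"""

def parse_workers(text):
    """Return (names in worker.list, {worker name: {property: value}})."""
    pairs = [l.partition("=") for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#") and "=" in l]
    props = {k.strip(): v.strip() for k, _, v in pairs}
    listed = [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]
    workers = {}
    for key, value in props.items():
        m = re.match(r"worker\.([^.]+)\.(\w+)$", key)  # worker.<name>.<property>
        if m:
            workers.setdefault(m.group(1), {})[m.group(2)] = value
    return listed, workers

def parse_mounts(text):
    """Return [(context, worker)] per JkMount line; Apache directive names are case-insensitive."""
    return re.findall(r"(?im)^\s*JkMount\s+(\S+)\s+(\S+)", text)

def check(workers_text, apache_text):
    """Return a list of findings; an empty list means the two files agree."""
    listed, workers = parse_workers(workers_text)
    findings = [f"worker {n}: missing worker.{n}.{p}" for n in listed
                for p in ("type", "host", "port") if p not in workers.get(n, {})]
    mounts = parse_mounts(apache_text)
    contexts = {ctx for ctx, _ in mounts}
    for ctx, worker in mounts:
        if worker not in listed:
            findings.append(f"JkMount {ctx}: worker {worker!r} is not in worker.list {listed}")
        # The page's rule: every context needs the bare mount and its "/*" companion.
        if not ctx.endswith("/*"):
            twin = "/*" if ctx == "/" else ctx + "/*"
            if twin not in contexts:
                findings.append(f"JkMount {ctx}: no companion mount {twin}")
    return findings

if __name__ == "__main__": print("\n".join(check(WORKERS_PROPERTIES, APACHE_CONF) or ["OK"]))
```

For the constructed input the checker reports exactly one finding, the undefined worker2 on the "/*" mount; with that fixed it reports nothing.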



With the vhost configured, the "TestWebSec20" web application can "later" be accessed using the following URL:

http://www.ahaha.com/TestWebSec20 

Now restart Apache:

./apache2 restart

Try accessing "http://www.ahaha.com/TestWebSec20/HalloNormal" with your browser.

The browser will show the error "Service Temporarily Unavailable".

Check the error log we just configured for the virtual host, "/var/log/apache2/ahaha.com_error.log".

You will see a new error log entry like this:

[Mon Sep 03 20:36:32 2012] [error] [client 127.0.0.1] (2)No such file or directory: cannot access type map file: HTTP_SERVICE_UNAVAILABLE.html.var 




When you see this error, your virtual host configuration and mod_jk configuration on the Apache side are correct!

The error above means that mod_jk could not reach the worker, i.e. it could not find the Tomcat server (Apache then answers 503 and, lacking the type map file for that error page, logs the entry shown). Remember, mod_jk tries to talk to Tomcat over the AJP protocol, to a certain host name and port (as configured in "workers.properties"), so the question is now: does Tomcat know about AJP?
Not yet!

Configure Tomcat to communicate with mod_jk, using AJP
SSL Offloading with mod_jk part 5