Document Version 1.0
SSLOffloading SSL-Offloading, SSL Termination, Apache, Tomcat, mod_jk configuration, multiple vhosts, multiple SSL certificates one ip
Now we will front Tomcat with Apache and mod_jk. The target OS is Linux (openSUSE 12.1). The procedure may differ slightly between Linux distributions.
4.1 Install Apache2
Normally Apache2 is included in the openSUSE 12.1 packages. If Apache is installed, there will be an "apache2" folder under "/etc":
If you can't find this folder, install Apache2 and mod_jk with YaST.
After installation, start apache2:
Now when you enter the URL "http://localhost" in your browser, you will land on the Apache2 default page.
We have also just installed mod_jk (in YaST, search for mod_jk and install it). But mod_jk is not loaded by Apache by default.
4.2 Configure Apache to load/use mod_jk
To configure Apache to use mod_jk, three things need to be done:
1. Add a file "mod_jk.conf" to Apache. This loads the mod_jk module and specifies the "workers.properties" file for mod_jk.
2. Add a "workers.properties" file to configure the mod_jk workers.
3. Add a virtual host which will use mod_jk.
Create a "mod_jk.conf" file in folder "/etc/apache2/conf.d/".
You could also name the file "sample.sss.conf"; what matters is that the file name ends in ".conf" and that the file is placed in the "conf.d" folder. That way, the file will be found and loaded by Apache.
Content of the "mod_jk.conf" file:
1. LoadModule tells Apache to load mod_jk module.
2. JkWorkersFile specifies the location of the workers file. The workers file tells mod_jk where to find the real application (i.e. the IP and port of the server / application).
3. JkMount has two entries, one with and one without "*".
4.2.2 workers.properties file
Create a "workers.properties" file in conf.d folder with following content:
1. We just configured one worker. In case of more workers, worker names are separated by ",".
2. Each worker is configured to communicate with a specific host and port using the "ajp" protocol.
When a request comes to Apache/mod_jk via HTTP or HTTPS, mod_jk will forward the request NOT to the HTTP or HTTPS ports, but to the AJP port. (We will configure Tomcat to use an AJP connector.)
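A consistency check for the two files described in 4.2, as an added example that is not part of the original article. The embedded file contents are constructed samples: the module path, the worker name "worker1", the host "localhost" and port 8009 are assumptions, and `parse_workers` and `lint` are hypothetical helper names.

```python
import re
# Constructed sample files. Assumed values: module path, worker name "worker1", port 8009.
MOD_JK_CONF = """\
LoadModule jk_module /usr/lib64/apache2/mod_jk.so
JkWorkersFile /etc/apache2/conf.d/workers.properties
JkMount /TestWebSec20 worker1
JkMount /TestWebSec20/* worker1
"""
WORKERS_PROPERTIES = """\
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
"""

def parse_workers(text):
    """Return (names from worker.list, {worker name: {property: value}})."""
    listed, props = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "worker.list":
            listed += [w.strip() for w in value.split(",") if w.strip()]
        elif (m := re.fullmatch(r"worker\.([^.]+)\.(\w+)", key)):
            props.setdefault(m.group(1), {})[m.group(2)] = value
    return listed, props

def lint(conf_text, workers_text):
    """Return a list of inconsistencies between the two files (empty if none)."""
    problems = []
    listed, props = parse_workers(workers_text)
    directives = [l.split() for l in conf_text.splitlines()
                  if l.strip() and not l.lstrip().startswith("#")]
    for required in ("LoadModule", "JkWorkersFile"):
        if not any(d[0] == required for d in directives):
            problems.append(f"missing {required}")
    for name in listed:  # every listed worker needs an AJP endpoint
        p = props.get(name, {})
        if p.get("type") != "ajp13" or not p.get("host") or not p.get("port", "").isdigit():
            problems.append(f"{name}: needs type=ajp13, host and numeric port")
    mounts = {(d[1], d[2]) for d in directives if d[0] == "JkMount" and len(d) == 3}
    for path, worker in sorted(mounts):
        if worker not in listed:
            problems.append(f"JkMount {path}: worker {worker} not in worker.list")
        # "/app/*" does not match "/app" itself, hence the second entry without "*"
        if path.endswith("/*") and (path[:-2], worker) not in mounts:
            problems.append(f"JkMount {path}: no matching entry for {path[:-2]}")
    return problems
```

Calling `lint(MOD_JK_CONF, WORKERS_PROPERTIES)` returns an empty list for the sample files; pass the text of your own two files to check them before restarting Apache.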
4.2.3 Create virtual host and configure the virtual host to use mod_jk
Assume we want to configure a new virtual host "ahaha.com"; two steps are needed:
Add the virtual host to the "hosts" file. Edit the "hosts" file under "/etc/" and add the following:
127.0.0.1 ahaha.com www.ahaha.com
Create a vhost.conf file under "/etc/apache2/vhost.d/" with the following content:
With the vhost configured, the "TestWebSec20" web application can be accessed "later" using the following URL:
Now restart apache:
Try accessing "http://www.ahaha.com/TestWebSec20/HalloNormal" with your browser.
The browser will show the error "Service Temporarily Unavailable".
Check the mod_jk error log we just configured.
You will see a new error log entry like this:
When you see this error, your virtual host configuration and mod_jk configuration on the Apache/mod_jk side are correct!
The above error says that mod_jk cannot find the worker, i.e. it cannot find the Tomcat server. Remember, mod_jk tries to talk to Tomcat using the "ajp" protocol, on a certain host name and port (as configured in "workers.properties"), so the question now is: does Tomcat know about the "ajp" thing?
No, not yet!
Configure Tomcat to communicate with mod_jk, using AJP
SSL Offloading with mod_jk part 5