Document Version 1.0
Keywords: SSL offloading, SSL termination, Apache, Tomcat, mod_jk configuration, multiple vhosts, multiple SSL certificates on one IP
We will now configure "SSL termination" for the "TestWebSec20" application.
We need to:
1. Generate a self-signed SSL certificate.
This includes creating a ".key" file, a ".csr" file and a ".crt" file.
2. Configure the Apache virtual host for "ahaha.com" to use SSL.
3. Configure Tomcat to accept that Apache and mod_jk handle SSL.
6.1 Generate a self-signed SSL certificate
The following link is the best tutorial I have ever found for creating a self-signed SSL certificate:
Please follow the link to create the 3 files in the following folders:
- "/etc/apache2/ssl.key/ahaha.com.key", here "ahaha.com.key" is the key file name.
- "/etc/apache2/ssl.csr/ahaha.com.csr", here "ahaha.com.csr" is the csr file name.
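As an added example (my own code, not part of the original tutorial or of the linked guide), the three files can also be produced with the openssl command line. The functions below assume the "ssl.key" and "ssl.csr" folders named above plus an "ssl.crt" folder for the certificate (the page names only the first two), a 2048-bit RSA key and one year of validity, and they add a DNS subjectAltName, which current browsers require even for a self-signed certificate. Running the script with a base directory and a hostname also checks that the certificate really belongs to the key mod_ssl will load and that the key is not world-readable.

```shell
#!/bin/sh
# Added example, not from the original tutorial: create the key, CSR and
# self-signed certificate for one vhost with the openssl CLI.
# Assumptions: files go to $base/ssl.key, $base/ssl.csr and $base/ssl.crt
# (the page only names the first two), RSA 2048, 365 days, SAN = hostname.
set -eu

gen_selfsigned() {
    base="$1"   # e.g. /etc/apache2
    host="$2"   # e.g. ahaha.com; becomes CN and DNS SAN
    key="$base/ssl.key/$host.key"
    csr="$base/ssl.csr/$host.csr"
    crt="$base/ssl.crt/$host.crt"
    ext="$base/ssl.crt/$host.ext"

    mkdir -p "$base/ssl.key" "$base/ssl.csr" "$base/ssl.crt"

    # 1. private key, created under umask 077 so it is never world-readable;
    #    whoever can read it can impersonate the vhost
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)

    # 2. certificate signing request carrying the subject; -subj avoids the
    #    interactive prompts
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$host" 2>/dev/null

    # 3. self-sign the CSR with its own key. -extfile adds a subjectAltName:
    #    browsers ignore the CN, so a cert with only CN=ahaha.com is rejected
    #    for https://ahaha.com even after the user trusts it
    printf 'subjectAltName=DNS:%s\n' "$host" > "$ext"
    openssl x509 -req -sha256 -days 365 -in "$csr" -signkey "$key" \
        -extfile "$ext" -out "$crt" 2>/dev/null
    rm -f "$ext"
    chmod 644 "$crt"   # the certificate itself is public
}

# Check: the certificate was issued for the key mod_ssl will load
# (both modulus digests must be identical). Exit status 0 = match.
cert_matches_key() {
    k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# Check: the certificate carries the hostname as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Check: the private key is mode 0600 (owner read/write only).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh gen-selfsigned.sh /etc/apache2 ahaha.com
if [ $# -eq 2 ]; then
    gen_selfsigned "$1" "$2"
    cert_matches_key "$1/ssl.key/$2.key" "$1/ssl.crt/$2.crt" && echo "key and certificate match"
    cert_has_san "$1/ssl.crt/$2.crt" "$2" && echo "SAN present"
    key_is_private "$1/ssl.key/$2.key" && echo "key is 0600"
fi
```

The modulus comparison is the check to run whenever Apache refuses to start with a "key does not match certificate" error after a certificate has been renewed or copied around; the SAN check catches the most common reason a freshly made self-signed certificate is still flagged by the browser.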
6.2 Configure Apache virtual host for SSL
Configure Apache virtual host for "ahaha.com" to use SSL.
Add a "vhost-ssl.conf" file to Apache's "vhost.d" folder with the following content:
With this SSL vhost configuration, an HTTPS request to "ahaha.com" is first handled by Apache's mod_ssl, which takes care of the SSL side:
- presenting the client with the certificate configured for this vhost
- performing the SSL handshake
- encrypting and decrypting the traffic
mod_jk then forwards the decrypted request to Tomcat over AJP, together with the SSL attributes of the connection (is_ssl, cipher, client certificate if any).
The communication between mod_jk and Tomcat is in plain text, NO SSL, so the AJP connector should only be reachable from localhost or a trusted network.
6.3 Configure Tomcat to accept mod_jk's SSL handling
With the SSL configuration in "vhost-ssl.conf", Apache handles the SSL communication with the browser, and mod_jk forwards the client request to Tomcat. Tomcat already learns from the AJP request attributes that the request arrived over SSL, so it treats it as "secure"; what still has to be fixed is where Tomcat sends the browser when a plain-HTTP request hits a protected resource.
Remember that in part 5 we configured Tomcat with an AJP connector.
Making Tomcat accept mod_jk's SSL handling is easy: we just need to change the redirectPort of that AJP connector to 443, Apache's HTTPS port. With the default value of 8443 the redirect would point at Tomcat's own SSL connector instead of Apache:
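As an added example covering steps 6.2 and 6.3 together (my own code, not the tutorial's configuration, which is not reproduced on this page), the following shell functions write a "vhost-ssl.conf" and change the AJP connector's redirectPort, then check the result. Assumed, because the page does not state them: the vhost folder "/etc/apache2/vhost.d", certificate paths under "/etc/apache2/ssl.crt" and "/etc/apache2/ssl.key", a mod_jk worker named "worker1" (the worker name from part 5 is not on this page), an AJP <Connector> written on a single line of server.xml, and an existing "Listen 443" directive.

```shell
#!/bin/sh
# Added example, not from the original tutorial: apply steps 6.2 and 6.3
# as shell functions and check the result.
# Assumptions: vhost dir /etc/apache2/vhost.d, cert/key under
# /etc/apache2/ssl.crt and ssl.key, mod_jk worker name "worker1",
# "Listen 443" already present, AJP <Connector> on one line in server.xml.
set -eu

# 6.2 write the SSL vhost. mod_ssl terminates TLS; mod_jk forwards the
# decrypted request to the AJP worker and passes the SSL attributes along.
write_ssl_vhost() {
    vhostdir="$1"; host="$2"; worker="$3"
    mkdir -p "$vhostdir"
    cat > "$vhostdir/vhost-ssl.conf" <<EOF
<VirtualHost *:443>
    # ServerName must equal the certificate CN/SAN; with several SSL vhosts
    # on one IP, Apache selects this block (and its certificate) by SNI
    ServerName $host

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/$host.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/$host.key
    # terminate only modern TLS; legacy versions stay off at the edge
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # every request goes to the AJP worker from workers.properties (part 5)
    JkMount /* $worker
    # send is_ssl, cipher, key size and client cert to Tomcat over AJP,
    # so request.isSecure() is true there (mod_jk default, made explicit)
    JkExtractSSL On
</VirtualHost>
EOF
}

# 6.3 make the AJP connector redirect to Apache's HTTPS port. With the
# default redirectPort="8443" a CONFIDENTIAL security constraint sends the
# browser to https://host:8443/, i.e. to Tomcat's own SSL connector.
set_ajp_redirect_port() {
    serverxml="$1"; port="$2"
    sed -i.bak -E "/protocol=\"AJP\/1\.3\"/ s/redirectPort=\"[0-9]+\"/redirectPort=\"$port\"/" "$serverxml"
}

# Check: exit 0 when the AJP connector line has the wanted redirectPort.
ajp_redirect_port_is() {
    grep -E 'protocol="AJP/1\.3"' "$1" | grep -q "redirectPort=\"$2\""
}

# Check: exit 0 when the vhost file has SSL enabled and the JkMount.
vhost_is_complete() {
    grep -q '^ *SSLEngine on' "$1" && grep -q "^ *JkMount /\* $2" "$1"
}

# Usage: sh ssl-termination.sh /etc/apache2/vhost.d ahaha.com worker1 /etc/tomcat/server.xml
if [ $# -eq 4 ]; then
    write_ssl_vhost "$1" "$2" "$3"
    set_ajp_redirect_port "$4" 443
    ajp_redirect_port_is "$4" 443 && echo "AJP redirectPort now 443"
    vhost_is_complete "$1/vhost-ssl.conf" "$3" && echo "vhost-ssl.conf written"
fi
```

The sed expression only touches the connector whose line contains protocol="AJP/1.3", so the HTTP connector keeps its own redirectPort. Because the hop from mod_jk to Tomcat is unencrypted, keep the AJP connector bound to 127.0.0.1 (address="127.0.0.1"); note also that Tomcat 8.5.51 / 9.0.31 and later refuse AJP connections unless the connector carries a secret attribute (or secretRequired="false"), and the same value must then be set as worker.worker1.secret in mod_jk's workers.properties.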
Now restart Apache and Tomcat, and try accessing "secure/HalloSec" again:
Your browser is redirected to HTTPS; the server certificate is now shown correctly, and the SSL port no longer appears in the URL:
part1 part2 part3 part4 part5