Sunday, September 9, 2012

SSL Offloading with mod_jk part 6

Document Version 1.0
Copyright © 2012-2013 beijing.beijing.012@gmail.com

Keywords:
SSL Offloading, SSL-Offloading, SSL Termination, Apache, Tomcat, mod_jk configuration, multiple vhosts, multiple SSL certificates one ip



Configure Tomcat to accept SSL handling of mod_jk


We will now configure "SSL Termination" for the "TestWebSec20" application.
We need to:

1. Generate a self-signed SSL certificate.
   This includes creating a ".key" file, a ".csr" file and a ".crt" file.
2. Configure the Apache virtual host, i.e. host "ahaha.com", to use SSL.
3. Configure Tomcat to accept SSL handling of Apache and mod_jk.


6.1 Generate a self-signed SSL certificate

The following link is the best tutorial I have ever found for creating a self-signed SSL certificate:
http://www.akadia.com/services/ssh_test_certificate.html

Please follow the link to create 3 files in the following folders:
  • "/etc/apache2/ssl.key/ahaha.com.key", here "ahaha.com.key" is the key file name.
  • "/etc/apache2/ssl.csr/ahaha.com.csr", here "ahaha.com.csr" is the csr file name.
  • "/etc/apache2/ssl.crt/ahaha.com.crt", here "ahaha.com.crt" is the crt file name.
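As an added example (not from the post, and not the linked tutorial's own steps), the script below creates the three files for "ahaha.com" with openssl in the ssl.key/ssl.csr/ssl.crt layout above, then checks that the certificate really belongs to the private key and carries the expected CN. The OUTDIR variable, the function names and the subject fields are my own constructed assumptions; OUTDIR defaults to a temporary directory so the script can be tried anywhere.

```shell
# Added example: generate key, CSR and self-signed certificate for ahaha.com
# and verify them before handing them to Apache.
set -e

make_selfsigned() {
  host="$1"
  out="$2"
  mkdir -p "$out/ssl.key" "$out/ssl.csr" "$out/ssl.crt"
  # 1. private key (2048-bit RSA, no passphrase so Apache can start unattended)
  openssl genrsa -out "$out/ssl.key/$host.key" 2048 2>/dev/null
  # 2. certificate signing request; the CN must equal the vhost's ServerName
  openssl req -new -key "$out/ssl.key/$host.key" \
    -subj "/C=CN/O=ahaha/CN=www.$host" \
    -out "$out/ssl.csr/$host.csr" 2>/dev/null
  # 3. self-sign the CSR for one year
  openssl x509 -req -days 365 -in "$out/ssl.csr/$host.csr" \
    -signkey "$out/ssl.key/$host.key" -out "$out/ssl.crt/$host.crt" 2>/dev/null
  # the key is the only secret of the three: owner-readable only
  chmod 600 "$out/ssl.key/$host.key"
}

# Returns 0 when key and certificate share the same RSA modulus. A mismatch
# (for example a regenerated key next to an old .crt) makes Apache refuse
# to start the SSL vhost.
keypair_matches() {
  k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
  [ "$k" = "$c" ]
}

# Prints the certificate CN so it can be compared with ServerName.
# Handles both the "CN = x" and the "/CN=x" subject formats of openssl.
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

OUTDIR="${OUTDIR:-$(mktemp -d)}"
make_selfsigned ahaha.com "$OUTDIR"
keypair_matches "$OUTDIR/ssl.key/ahaha.com.key" "$OUTDIR/ssl.crt/ahaha.com.crt" \
  && echo "key and certificate match, CN=$(cert_cn "$OUTDIR/ssl.crt/ahaha.com.crt")"
```

Run it with `OUTDIR=/etc/apache2` (as root) to produce the exact paths used in the vhost configuration.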

6.2 Configure Apache virtual host for SSL

Configure the Apache virtual host for "ahaha.com" to use SSL.
Add a "vhost-ssl.conf" file to Apache's "vhost.d" folder with the following content:


####START vhost-ssl.conf
NameVirtualHost *:443
<IfDefine SSL>
<IfDefine !NOSSL>

<VirtualHost *:443>
#  General setup for the virtual host
DocumentRoot "/srv/www/vhosts/ahaha.com"
ServerName www.ahaha.com
#ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#  SSL protocols
#  Supporting TLS only is adequate nowadays
SSLProtocol all -SSLv2 -SSLv3

#   SSL Cipher Suite:
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH

#   Server Certificate:
SSLCertificateFile /etc/apache2/ssl.crt/ahaha.com.crt

#   Server Private Key:
SSLCertificateKeyFile /etc/apache2/ssl.key/ahaha.com.key

CustomLog /var/log/apache2/ssl_request_log   ssl_combined

#   Forward everything that reaches this SSL vhost to the mod_jk worker
JkMountCopy On
JkMount / worker1
JkMount /* worker1

</VirtualHost>

</IfDefine>
</IfDefine>
####END vhost-ssl.conf


With this vhost configuration for SSL, an SSL request to "ahaha.com" will first be processed by mod_jk. mod_jk will take care of the SSL communication:

  • providing the client with the corresponding SSL certificate
  • doing the SSL handshake
  • doing the encryption and decryption
  • and forwarding the request to Tomcat

The communication between mod_jk and Tomcat is in "plain" text, NO SSL.


6.3 Configure Tomcat to accept SSL handling of mod_jk

With the SSL configuration in "vhost-ssl.conf", mod_jk will take care of the SSL communication with the browser and forward the client request to Tomcat. Tomcat needs to be configured to treat the request from mod_jk as "secured".

Remember that in part 5 we configured Tomcat with an "ajp connector":

...
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
...


Making Tomcat accept mod_jk's SSL handling is easy: we just need to change the redirectPort of the above AJP connector to 443:


...
<Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
...
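An added check, not part of the post, for the mismatch this step fixes: it reads the port the SSL vhost listens on and the AJP connector's redirectPort and reports when they differ, or when the SSL vhost carries no JkMount (in which case HTTPS requests never reach Tomcat). The function names are my own, and the two inline snippets are constructed to mirror the post's "vhost-ssl.conf" and server.xml before and after the change; pass real file paths to check a live installation.

```shell
# Added example: consistency check between the Apache SSL vhost and
# Tomcat's AJP connector. Constructed inputs, not the post's own files.

# Port the SSL vhost listens on, e.g. 443 from "<VirtualHost *:443>".
vhost_ssl_port() {
  sed -n 's/.*<VirtualHost[^>]*:\([0-9][0-9]*\)>.*/\1/p' "$1" | head -n 1
}

# redirectPort of the AJP/1.3 connector in server.xml.
ajp_redirect_port() {
  grep 'protocol="AJP/1.3"' "$1" | sed -n 's/.*redirectPort="\([0-9]*\)".*/\1/p' | head -n 1
}

# 0 = consistent
# 1 = Tomcat redirects CONFIDENTIAL requests to a port Apache's SSL vhost
#     does not serve (the 8443 symptom seen in part 5)
# 2 = no JkMount in the SSL vhost, so HTTPS requests are not forwarded
check_offload() {
  vhost="$1"; serverxml="$2"
  grep -q '^[[:space:]]*JkMount' "$vhost" || return 2
  [ "$(vhost_ssl_port "$vhost")" = "$(ajp_redirect_port "$serverxml")" ] || return 1
}

WORK=$(mktemp -d)
# constructed: the parts of vhost-ssl.conf the check needs
cat > "$WORK/vhost-ssl.conf" <<'EOF'
<VirtualHost *:443>
SSLEngine on
JkMount /* worker1
</VirtualHost>
EOF
# constructed: the AJP connector before the fix (8443) and after it (443)
printf '%s\n' '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>' > "$WORK/before.xml"
printf '%s\n' '<Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>' > "$WORK/after.xml"

check_offload "$WORK/vhost-ssl.conf" "$WORK/before.xml" || echo "before: mismatch (rc=$?)"
check_offload "$WORK/vhost-ssl.conf" "$WORK/after.xml" && echo "after: consistent"
```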


Now restart Apache and Tomcat. Try accessing "secure/HalloSec" again:
http://ahaha.com/TestWebSec20/secure/HalloSec

Your browser will be redirected to HTTPS; now the server certificate is shown correctly, and the SSL port is not shown any more:





7 comments:

  1. Good tutorial.

    What about configuring a Glassfish as the backend?

  2. It's all about configuring "ajp" for the underlying backend server. The following link may help:
    http://weblogs.java.net/blog/amyroh/archive/2012/02/15/running-glassfish-312-apache-http-server

  3. Just asked two questions:
    Are you sure that mod_jk will take care of the SSL communication, not mod_ssl? Actually I don't agree with you. What's the evidence?

    How does Tomcat know https has been already offloaded?
    just change to 443? If we use 8443 or other ports, will tomcat still process requests by SSL?

  4. @Jason,

    You could actually find answer to your question in the post:
    With the SSL configuration in "vhost-ssl.conf", mod_jk will take care of the SSL communication to the browser, and forward the client request to Tomcat. Tomcat needs to be configured to believe the request from mod_jk is "secured".

    Remember in part 5, we configured Tomcat for an "ajp connector".

    ...

    ...


    To make Tomcat accept mod_jk SSL handling is easy, we just need to change the redirectPort of the above ajp connector to 443:


    ...

    ...

  5. @D. Wilfredo
    Then you need to configure GlassFish for an AJP connector...

  6. @Jason,
    When you see in your browser, at the left of the address bar, the SSL cert, then you can be sure SSL is activated! When you then remove the SSL certs in Tomcat, you will see SSL still works. So who handles SSL for you, if not Apache?

  7. There are a lot of people who may wonder why they need to get Cheapest SSL Certificates Provider for their websites. If you are one of those people then this is the perfect article for you. The first thing you should know is the SSL is the backbone of security on the internet and will help protect sensitive information as it is transmitted around the world.
