Document Version 1.0
Keywords:
SSLOffloading SSL-Offloading, SSL Termination, Apache, Tomcat, mod_jk configuration, multiple vhosts, multiple SSL certificates one ip
Now we will front Tomcat with Apache and mod_jk. The target OS is Linux (OpenSuse 12.1). The procedure might differ slightly between Linux distributions.
4.1 Install Apache2
Normally Apache2 is included in the OpenSuse 12.1 packages. If Apache is installed, there will be an apache2 folder under "/etc":
/etc/apache2/
If you can't find this folder, install Apache2 and mod_jk with "Yast".
After installation, start apache2:
# ./apache2 start
Now when you enter the URL "http://localhost" in your browser, you will land on the apache2 default page.
We have also just installed mod_jk (in Yast, search for mod_jk and install it). But mod_jk is not loaded by Apache by default.
4.2 Configure Apache to load/use mod_jk
To configure Apache to use mod_jk, three things need to be done:
1. Add a file "mod_jk.conf" to Apache. This loads the mod_jk module and tells mod_jk where its "workers.properties" file is
2. Add a "workers.properties" file to configure the mod_jk workers
3. Add a virtual host which will use mod_jk
4.2.1 mod_jk.conf
Create a "mod_jk.conf" file in folder "/etc/apache2/conf.d/".
You could also name the file "sample.sss.conf"; what matters is that the file name ends in ".conf" and that the file is placed in the "conf.d" folder. That way Apache will find and load it.
Content of the "mod_jk.conf" file:
#### START mod_jk.conf
# mod_jk configuration for Apache
# Load mod_jk module
LoadModule jk_module /usr/lib/apache2/mod_jk.so
# Tell Apache where to find workers.properties. We assume Tomcat runs on a
# different machine than Apache, and put the workers.properties file next to Apache
JkWorkersFile /etc/apache2/conf.d/workers.properties
# mod_jk log configuration
JkLogFile /var/log/apache2/mod_jk.log
# debug is very verbose; it is useful while setting things up
JkLogLevel debug
JkLogStampFormat "[%a %b %H:%M:%S %Y]"
# JkOptions: +ForwardKeySize sends the SSL key size to Tomcat
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%W %V %T"
# Send everything for context /TestWebSec20 to worker1 (an ajp13 worker)
JkMount /TestWebSec20 worker1
JkMount /TestWebSec20/* worker1
# Send everything for context /sample to worker1 (an ajp13 worker)
#JkMount /sample worker1
#JkMount /sample/* worker1
##### END mod_jk.conf
1. LoadModule tells Apache to load mod_jk module.
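2. JkWorkersFile specifies the location of the workers file. The workers file tells mod_jk where to find the real application (i.e. the IP and port of the server / application).
3. JkMount has 2 entries per context, one with and one without "*": the entry without "*" matches the context path itself, the entry with "/*" matches everything below it.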
4.2.2 workers.properties file
Create a "workers.properties" file in conf.d folder with following content:
# Define a worker named "worker1"
# Several worker names are separated by ","
worker.list=worker1
# Set properties for worker1 to use ajp13 protocol and run on port 8009
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=50
worker.worker1.cachesize=10
worker.worker1.cache_timeout=600
worker.worker1.socket_keepalive=1
worker.worker1.socket_timeout=300
##### END workers.properties
1. We just configured one worker. In case of more workers, worker names are separated by ",".
For example:
worker.list=worker1, worker2
2. Workers are configured to communicate with a certain host and port using the "ajp" protocol.
When a request comes to Apache/mod_jk via HTTP or HTTPS, mod_jk will forward the request NOT to the HTTP or HTTPS ports, but to the AJP port. (We will configure Tomcat to use an AJP connector.)
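Every worker named in a JkMount line has to be declared in worker.list, and the worker's host and port are where mod_jk will look for Tomcat. The following check is an added example, not part of the original post: it reads both files and reports mismatches. The function name jk_lint, its finding labels, and the choices to require an explicit host and port and to flag non-loopback hosts (AJP itself is not encrypted, so traffic that Apache decrypted travels on in the clear) are assumptions of this example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post; jk_lint and its labels are made up here.
# Usage: jk_lint APACHE_CONF WORKERS_PROPERTIES
# Prints one finding per line (sorted); returns 1 if there is any finding.
jk_lint() {
    jk_out=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        src == "props" {                          # workers.properties: key=value
            line = $0; gsub(/[ \t\r]/, "", line)
            eq = index(line, "="); if (eq == 0) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            if (key == "worker.list") {
                n = split(val, names, ",")
                for (i = 1; i <= n; i++) if (names[i] != "") listed[names[i]] = 1
            } else if (split(key, p, ".") == 3 && p[1] == "worker")
                prop[p[2] SUBSEP p[3]] = val
            next
        }
        tolower($1) == "jkmount" && NF >= 3 { mounted[$3] = 1 }   # JkMount <url> <worker>
        END {
            for (w in mounted) {
                if (!(w in listed)) { print "undefined-worker " w; continue }
                host = prop[w SUBSEP "host"]; port = prop[w SUBSEP "port"]
                if (host == "" || port == "") { print "no-explicit-endpoint " w; continue }
                # AJP is not encrypted: flag workers whose traffic leaves this host
                if (host != "localhost" && host != "127.0.0.1" && host != "::1")
                    print "ajp-leaves-host " w " " host ":" port
            }
            for (w in listed) if (!(w in mounted)) print "unused-worker " w
        }' src=props "$2" src=conf "$1" | sort)
    [ -z "$jk_out" ] && return 0
    printf '%s\n' "$jk_out"
    return 1
}

# Constructed sample: the second JkMount names the protocol instead of the worker.
jk_tmp=$(mktemp -d)
cat > "$jk_tmp/workers.properties" <<'EOF'
worker.list=worker1
worker.worker1.host=localhost
worker.worker1.port=8009
EOF
cat > "$jk_tmp/mod_jk.conf" <<'EOF'
JkMount /TestWebSec20 worker1
JkMount /TestWebSec20/* ajp13
EOF
jk_lint "$jk_tmp/mod_jk.conf" "$jk_tmp/workers.properties" || echo "fix the findings above"
rm -rf "$jk_tmp"
```

Run against the files from this post, the function prints nothing and returns 0, because worker1 is both listed and mounted and points at localhost.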
4.2.3 Create virtual host and configure the virtual host to use mod_jk
Assume we want to configure a new virtual host "ahaha.com". Two steps are needed:
Step 1.
Add the virtual host to the "hosts" file. Edit the "hosts" file under "/etc/" and add the following line:
127.0.0.1 ahaha.com www.ahaha.com
Step 2.
Create a vhost.conf file under "/etc/apache2/vhost.d/" with the following content:
#### START vhost.conf
<VirtualHost *:80>
ServerAdmin info@ahaha.com
ServerName ahaha.com
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot /srv/www/vhosts/ahaha.com
# if not specified, the global error log is used
ErrorLog /var/log/apache2/ahaha.com_error.log
CustomLog /var/log/apache2/ahaha.com_access.log combined
JkMount / worker1
JkMount /* worker1
</VirtualHost>
#### END vhost.conf
With the vhost configured, the "TestWebSec20" web application can "later" be accessed using the following URL:
http://www.ahaha.com/TestWebSec20
Now restart apache:
./apache2 restart
Try accessing "http://www.ahaha.com/TestWebSec20/HalloNormal" with your browser.
The browser will show the error "Service Temporarily Unavailable".
Check the error log we just configured for the virtual host:
/var/log/apache2/ahaha.com_error.log
You will see a new error log entry like this:
[Mon Sep 03 20:36:32 2012] [error] [client 127.0.0.1] (2)No such file or directory: cannot access type map file: HTTP_SERVICE_UNAVAILABLE.html.var
When you see this error, your virtual host configuration and mod_jk configuration on the Apache/mod_jk side are correct!
The error above means that mod_jk cannot reach the worker, i.e. it cannot find the Tomcat server. Remember, mod_jk talks to Tomcat over the "ajp" protocol, on the host name and port configured in "workers.properties". So the question now is: does Tomcat know about the "ajp" thing?
No, not yet!
Configure Tomcat to communicate with mod_jk, using AJP
SSL Offloading with mod_jk part 5