Document Version 1.0
Keywords:
SSL Offloading, SSL Termination, Apache, Tomcat, mod_jk configuration, multiple vhosts, multiple SSL certificates on one IP
We will now configure "SSL Termination" for the "TestWebSec20" application.
We need to:
1. Generate a self-signed SSL certificate.
This includes creating a ".key" file, a ".csr" file and a ".crt" file.
2. Configure the Apache virtual host "ahaha.com" to use SSL.
3. Configure Tomcat to accept the SSL handling of Apache and mod_jk.
6.1 Generate a self-signed SSL certificate
The following link is the best tutorial I have ever found for creating a self-signed SSL certificate:
http://www.akadia.com/services/ssh_test_certificate.html
Please follow the link to create the 3 files in the following locations:
- "/etc/apache2/ssl.key/ahaha.com.key", here "ahaha.com.key" is the key file name.
- "/etc/apache2/ssl.csr/ahaha.com.csr", here "ahaha.com.csr" is the CSR file name.
- "/etc/apache2/ssl.crt/ahaha.com.crt", here "ahaha.com.crt" is the certificate file name (this is the path the vhost configuration below refers to).
6.2 Configure Apache virtual host for SSL
Configure the Apache virtual host for "ahaha.com" to use SSL.
Add a "vhost-ssl.conf" file to Apache's "vhost.d" folder with the following content:
####START vhost-ssl.conf
NameVirtualHost *:443
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "/srv/www/vhosts/ahaha.com"
ServerName www.ahaha.com
#ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL protocols
# Supporting TLS only is adequate nowadays
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
# Server Certificate:
SSLCertificateFile /etc/apache2/ssl.crt/ahaha.com.crt
# Server Private Key:
SSLCertificateKeyFile /etc/apache2/ssl.key/ahaha.com.key
CustomLog /var/log/apache2/ssl_request_log ssl_combined
JkMountCopy On
JkMount / worker1
JkMount /* worker1
</VirtualHost>
</IfDefine>
</IfDefine>
####END vhost-ssl.conf
With this vhost configuration for SSL, an SSL request to "ahaha.com" will first be processed by mod_jk. mod_jk will take care of the SSL communication:
- providing the client with the corresponding SSL certificate
- doing the SSL handshake
- doing encryption and decryption
- and forwarding the request to Tomcat
The communication between mod_jk and Tomcat is in "plain" text, NO SSL.
6.3 Configure Tomcat to accept SSL handling by mod_jk.
With the SSL configuration in "vhost-ssl.conf", mod_jk will take care of the SSL communication to the browser and forward the client request to Tomcat. Tomcat needs to be configured to believe that the request from mod_jk is "secured".
Remember that in part 5 we configured Tomcat with an "AJP connector":
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
...
Making Tomcat accept mod_jk's SSL handling is easy: we just need to change the redirectPort of the above AJP connector to 443:
<Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
...
Now restart Apache and Tomcat. Try accessing "secure/HalloSec" again:
http://ahaha.com/TestWebSec20/secure/HalloSec
Your browser will be redirected to HTTPS, and now the server certificate is shown correctly, and the SSL port is not shown any more.
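As an added server-side check (example code, not part of the original tutorial), this servlet reports what Tomcat actually receives once Apache has terminated TLS in front of it: mod_ssl completes the handshake, and mod_jk passes the SSL flag and the standard javax.servlet.request.* attributes over AJP, so request.isSecure() must be true even though the AJP hop itself is plain text. It assumes Tomcat 7+ (Servlet 3.0, javax namespace); the package name and the /secure/SslCheck mapping are hypothetical.

```java
// SecureCheckServlet.java - added example, not part of the original tutorial.
// Assumes Tomcat 7+ (Servlet 3.0, javax.servlet namespace) behind Apache/mod_jk.
// The package and the /secure/SslCheck mapping are hypothetical choices.
package com.example.testwebsec20;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/secure/SslCheck")
public class SecureCheckServlet extends HttpServlet {

    // Servlet-spec request attributes that mod_jk fills in over AJP when
    // Apache terminated TLS (JkExtractSSL is On by default in mod_jk).
    private static final String[] SSL_ATTRS = {
        "javax.servlet.request.cipher_suite",
        "javax.servlet.request.key_size",
        "javax.servlet.request.ssl_session_id"
    };

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // isSecure() is what a CONFIDENTIAL <transport-guarantee> in web.xml
        // consults; with termination at Apache it must be true even though the
        // connection Tomcat sees on port 8009 is not encrypted.
        out.println("isSecure   = " + req.isSecure());
        out.println("scheme     = " + req.getScheme());     // https when offloaded
        out.println("serverPort = " + req.getServerPort()); // 443, the Apache port
        out.println("remoteAddr = " + req.getRemoteAddr()); // real client via AJP
        for (String name : SSL_ATTRS) {
            out.println(name + " = " + req.getAttribute(name));
        }
        if (!req.isSecure()) {
            // Misconfiguration: Tomcat would keep redirecting CONFIDENTIAL
            // resources to redirectPort. Record it so the operator can see it.
            getServletContext().log("Request to " + req.getRequestURI()
                + " arrived without the SSL flag from mod_jk; check JkExtractSSL"
                + " and that the request came through Apache, not directly");
        }
    }
}
```

Deploy it inside TestWebSec20 and open it through the Apache vhost; if isSecure prints false or the attributes are null, the request did not come through mod_jk with SSL information.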
Good tutorial.
What about configuring Glassfish as the backend?
It's all about configuring "ajp" for the underlying backend server. The following link may help:
http://weblogs.java.net/blog/amyroh/archive/2012/02/15/running-glassfish-312-apache-http-server
Just asked two questions:
Are you sure that mod_jk will take care of the SSL communication, not mod_ssl? Actually I don't agree with you. What's the evidence?
How does Tomcat know https has already been offloaded?
Just change to 443? If we use 8443 or other ports, will Tomcat still process requests by SSL?
@Jason,
You could actually find the answer to your question in the post:
With the SSL configuration in "vhost-ssl.conf", mod_jk will take care of the SSL communication to the browser and forward the client request to Tomcat. Tomcat needs to be configured to believe that the request from mod_jk is "secured".
Remember that in part 5 we configured Tomcat with an "AJP connector":
...
...
Making Tomcat accept mod_jk's SSL handling is easy: we just need to change the redirectPort of the above AJP connector to 443:
...
...
@D. Wilfredo,
Then you need to configure GlassFish for an AJP connector...
@Jason,
When you see the SSL cert in your browser, at the left of the address bar, then you can be sure SSL is activated! When you then remove the SSL certs in Tomcat, you will see that SSL still works. So who handles SSL for you, if not Apache?