Properly configure Apache and TomEE for Https GWT application.
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Properly configure Apache and TomEE for Https GWT application.
Hi,
I would like to learn how to properly configure Apache2 and Tomcat (TomEE)/8.5.6 (7.0.2) for GWT https application on fresh installation of Ubuntu Server 16.04.03.
9. Now, when I typed http://www.zethanath.tk, I would receive (https) site, which is what I want.
10. Now, when I typed http://servlet.zethanath.tk, I would also receive (https) site, which is what I want as well.
My questions to you are.
1. What do I have to do to get the (https), when I typed http://zethanath.tk in the browser?
2. From question 1, if it is uncommon to serve http://zethanath.tk as the URL, what I should do to hide it?
3. What is the proper way to serve (http/https)://servlet.zethanath.tk behind my router only? If I understood correctly, servlet.zethanath.tk should be used as a reference from within Apache server to make redirection to TomEE server only correct? In other words, people outside my router should not be able to access directly correct?
For example, the final configuration from within Apache server should be something like this right?
2. From question 1, if it is uncommon to serve http://zethanath.tk as the URL, what I should do to hide it?
See if the configuration above does what you want.
Quote:
3. What is the proper way to serve (http/https)://servlet.zethanath.tk behind my router only? If I understood correctly, servlet.zethanath.tk should be used as a reference from within Apache server to make redirection to TomEE server only correct? In other words, people outside my router should not be able to access directly correct?
For example, the final configuration from within Apache server should be something like this right?
Doh, I don't get what you mean, but you just need to use either one of mod_jk or a reverse proxy for tomcat. Besides mod_jk config is incomplete.
I also don't get, why you use both /etc/apache2/sites-enabled/000-default-le-ssl.conf and /etc/apache2/sites-enabled/default-ssl.conf. Aren't they the same?
Also since all 3 SSL vhosts are actually doing the same thing, you can use the same ServerAlias as in the http vhosts, to have only one SSL vhost.
And you don't need the 2nd trailing slash at the reverse proxy configuration.
So something like that should work:
1. What do I have to do to get the (https), when I typed http://zethanath.tk in the browser?
This morning, when I woke up, this issue disappeared mysteriously. I am able to get (https), when I type http://zethanath.tk now.
Quote:
I also don't get, why you use both /etc/apache2/sites-enabled/000-default-le-ssl.conf and /etc/apache2/sites-enabled/default-ssl.conf. Aren't they the same?
I am unsure why as well . However, I am guessing that, upon securing Apache with Let's Encrypt (sudo certbot --apache -d zethanath.tk -d www.zethanath.tk -d servlet.zethanath.tk), I ended up with both /etc/apache2/sites-enabled/000-default-le-ssl.conf and /etc/apache2/sites-enabled/default-ssl.conf.
I will try to hide my http:zethanath.tk by using what you suggested now.
<VirtualHost *:80 >
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName www.zethanath.tk
ServerAlias servlet.zethanath.tk zethanath.tk
ProxyPreserveHost On
ProxyPass / http://192.168.1.70:8080/Index/
ProxyPassReverse / http://192.168.1.70:8080/Index/
#ServerAdmin erick9.hi5@gmail.com
#DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
JKMount /* ajp13_worker
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
JKMount /* ajp13_worker
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.zethanath.tk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName www.zethanath.tk
ServerAlias servlet.zethanath.tk zethanath.tk
ProxyPreserveHost On
ProxyPass / http://192.168.1.70:8080/Index/
ProxyPassReverse / http://192.168.1.70:8080/Index/
#DocumentRoot /var/www/html
JKMount /* ajp13_worker
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
SSLCertificateFile /etc/letsencrypt/live/zethanath.tk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zethanath.tk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin erick9.hi5@gmail.com
ServerName www.zethanath.tk
ServerAlias servlet.zethanath.tk zethanath.tk
ProxyPreserveHost On
ProxyPass / http://192.168.1.70:8080/Index/
ProxyPassReverse / http://192.168.1.70:8080/Index/
#DocumentRoot /var/www/html
JKMount /* ajp13_worker
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/letsencrypt/live/zethanath.tk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zethanath.tk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# BrowserMatch "MSIE [2-6]" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
4. sudo apache2ctl configtest
Syntax OK
5. $ sudo systemctl restart apache2
6. $ sudo apache2ctl -S
Code:
VirtualHost configuration:
*:80 www.zethanath.tk (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server www.zethanath.tk (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost www.zethanath.tk (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias servlet.zethanath.tk
alias zethanath.tk
port 443 namevhost www.zethanath.tk (/etc/apache2/sites-enabled/default-ssl.conf:2)
alias servlet.zethanath.tk
alias zethanath.tk
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
If you want to use just the SSL vhosts, you need just the "Redirect ..." in the http vhost definition, as I've told you in my previous post.
I forgot to make adjustment, to the area below, for all the three files /etc/apache2/sites-enabled/000-default.conf, /etc/apache2/sites-enabled/000-default-le-ssl.conf, and /etc/apache2/sites-enabled/000-default.conf yesterday. I will do it right now. I could not see it clearly somehow yesterday. I need to use this format, so that I will not get syntax error, however.
4. I had to clear browser's cache, in order to get the results below.
- When I typed http://zethanath.tk, I got "Unable to connect".
- When I typed http://www.zethanath.tk, I got "https://www.zethanath.tk/ The page isn’t redirecting properly".
- When I typed http://servlet.zethanath.tk, I also got "https://www.zethanath.tk/ The page isn't redirecting properly".
For all three cases above, I think they are correct, because I do not have any welcome page in Tomcat, except a GWT application of mine.
Do you happen to know how to serve a GWT application (Google Web tool kit) as a welcome page? I name my GWT application as "Index" and its URL is
- When I typed http://zethanath.tk, I got "Unable to connect".
- When I typed http://www.zethanath.tk, I got "https://www.zethanath.tk/", and my GWT application is served correctly.
- When I typed http://servlet.zethanath.tk, I got "https://www.zethanath.tk/", and my GWT application is served correctly as well.
Later today, I will try to experiment by removing those ProxyPass setting, and using Mod JK instead. I have been reading some post online. People says Mod JK is better than ProxyPass as you can see below.
# workers.properties -
#
# This file is a simplified version of the workers.properties supplied
# with the upstream sources. The jni inprocess worker (not build in the
# debian package) section and the ajp12 (deprecated) section are removed.
#
# As a general note, the characters $( and ) are used internally to define
# macros. Do not use them in your own configuration!!!
#
# Whenever you see a set of lines such as:
# x=value
# y=$(x)\something
#
# the final value for y will be value\something
#
# Normaly all you will need to do is un-comment and modify the first three
# properties, i.e. workers.tomcat_home, workers.java_home and ps.
# Most of the configuration is derived from these.
#
# When you are done updating workers.tomcat_home, workers.java_home and ps
# you should have 3 workers configured:
#
# - An ajp13 worker that connects to localhost:8009
# - A load balancer worker
#
#
# OPTIONS ( very important for jni mode )
#
# workers.tomcat_home should point to the location where you
# installed tomcat. This is where you have your conf, webapps and lib
# directories.
#
workers.tomcat_home=/opt/tomcat
#
# workers.java_home should point to your Java installation. Normally
# you should have a bin and lib directories beneath it.
#
workers.java_home=/usr/lib/jvm/java-8-oracle/jre
#
# You should configure your environment slash... ps=\ on NT and / on UNIX
# and maybe something different elsewhere.
#
ps=/
#
#------ ADVANCED MODE ------------------------------------------------
#---------------------------------------------------------------------
#
#
#------ worker list ------------------------------------------
#---------------------------------------------------------------------
#
#
# The workers that your plugins should create and work with
#
worker.list=ajp13_worker
#
#------ ajp13_worker WORKER DEFINITION ------------------------------
#---------------------------------------------------------------------
#
#
# Defining a worker named ajp13_worker and of type ajp13
# Note that the name and the type do not have to match.
#
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=localhost
worker.ajp13_worker.type=ajp13
#
# Specifies the load balance factor when used with
# a load balancing worker.
# Note:
# ----> lbfactor must be > 0
# ----> Low lbfactor means less work done by the worker.
worker.ajp13_worker.lbfactor=1
#
# Specify the size of the open connection cache.
#worker.ajp13_worker.cachesize
#
#------ DEFAULT LOAD BALANCER WORKER DEFINITION ----------------------
#---------------------------------------------------------------------
#
#
# The loadbalancer (type lb) workers perform wighted round-robin
# load balancing with sticky sessions.
# Note:
# ----> If a worker dies, the load balancer will check its state
# once in a while. Until then all work is redirected to peer
# workers.
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=ajp13_worker
3. sudo nano /opt/tomcat/conf/server.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<!-- TomEE plugin for Tomcat -->
<Listener className="org.apache.tomee.catalina.ServerListener" />
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" xpoweredBy="false" server="Apache TomEE" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation with the JSSE engine. When
using the JSSE engine, the JSSE configuration attributes must be used.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" xpoweredBy="false" server="Apache TomEE" />
</SSLHostConfig>
</Connector>
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation. When using the
APR/native implementation or the OpenSSL engine with NIO or NIO2 then
the OpenSSL configuration attributes must be used.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" xpoweredBy="false" server="Apache TomEE" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
</Server>
4. sudo systemctl restart tomcat
I started using Mod JK by using the following setup in the three files below.
<VirtualHost _default_:443>
ServerAdmin erick9.hi5@gmail.com
ServerName www.zethanath.tk
ServerAlias servlet.zethanath.tk zethanath.tk
Redirect permanent "/" "https://www.zethanath.tk/"
#ProxyPreserveHost On
#ProxyPass / http://192.168.1.70:8080/Index/
#ProxyPassReverse / http://192.168.1.70:8080/Index/
#DocumentRoot /var/www/html
DocumentRoot /opt/tomcat/webapps/Index
JkMountCopy On
JKMount /* ajp13_worker
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
...
</VirtualHost>
- When I typed http://www.zethanath.tk, I got "https://www.zethanath.tk/", and "The page isn’t redirecting properly".
- When I typed http://servlet.zethanath.tk, I got "https://www.zethanath.tk/", and "The page isn’t redirecting properly" as well.
I hope someone can help.
Last edited by sethanath; 08-17-2017 at 02:27 PM.
Reason: I forgot very important segtion.
<VirtualHost>
ServerAdmin erick9.hi5@gmail.com
ServerName www.zethanath.tk
ServerAlias servlet.zethanath.tk zethanath.tk
Redirect permanent "/" "https://www.zethanath.tk/"
#ProxyPreserveHost On
#ProxyPass / http://192.168.1.70:8080/Index/
#ProxyPassReverse / http://192.168.1.70:8080/Index/
#DocumentRoot /var/www/html
DocumentRoot /opt/tomcat/webapps/Index/
Alias /Index "/opt/tomcat/webapps/Index/"
<Directory "/opt/tomcat/webapps/Index/">
Options Indexes FollowSymLinks
AllowOverride NONE
Order allow,deny
Allow from all
</Directory>
<Location "/Index/WEB-INF/">
AllowOverride None
Deny from all
</Location>
JKMountCopy On
JKMount /* ajp13_worker
...
</VirtualHost>
- When I typed http://www.zethanath.tk, I got "https://www.zethanath.tk/", and "The page isn’t redirecting properly".
- When I typed http://servlet.zethanath.tk, I got "https://www.zethanath.tk/", and "The page isn’t redirecting properly" as well.
I hope someone can help.
Last edited by sethanath; 08-18-2017 at 10:30 AM.
Reason: Typo
- When I typed http://zethanath.tk, I got "Unable to connect".
- When I typed http://www.zethanath.tk, I got "https://www.zethanath.tk/", and my GWT application is served correctly.
- When I typed http://servlet.zethanath.tk, I got "https://www.zethanath.tk/", and my GWT application is served correctly as well.
The 1st means that there is no IP for plain zethanath.tk. Maybe you've removed it from /etc/hosts
The other 2 responses mean that there is a loop in your config. Comment out (or remove) from inside the SSL vhost definition the
The 1st means that there is no IP for plain zethanath.tk. Maybe you've removed it from /etc/hosts
That is correct. I really want to remove zethanath.tk, so that no one can use it. By using the two statements below, if the users typed servlet.zethanath.tk or zethanath.tk, they would be redirected to https://www.zethanath.tk. This is what I want all along.
- When I typed http://www.zethanath.tk, I got "https://www.zethanath.tk/", and my GWT application is served correctly.
- When I typed http://servlet.zethanath.tk, I got "https://www.zethanath.tk/", and my GWT application is served correctly as well.
The other 2 responses mean that there is a loop in your config. Comment out (or remove) from inside the SSL vhost definition.
Are you sure there is a loop? the other two that you read are what I want as well In other words,
- When the users type http://www.zethanath.tk, they should be redirected to "https://www.zethanath.tk/".
- When the users type http://servlet.zethanath.tk, they should be redirected to "https://www.zethanath.tk/".
All three cases were configured successfully through the uses of Mod_Proxy.
However, I am hoping if someone can help me to do the same with Mod JK as well.
- When I typed http://www.zethanath.tk, I got "https://www.zethanath.tk/", and my GWT application is served correctly.
- When I typed http://servlet.zethanath.tk, I got "https://www.zethanath.tk/", and my GWT application is served correctly as well.
The other 2 responses mean that there is a loop in your config. Comment out (or remove) from inside the SSL vhost definition.
Are you sure there is a loop? the other two that you read are what I want as well In other words,
Sorry didn't notice that you last posted it's served correctly. I was referring to post #8:
Quote:
- When I typed http://www.zethanath.tk, I got "https://www.zethanath.tk/", and "The page isn’t redirecting properly".
- When I typed http://servlet.zethanath.tk, I got "https://www.zethanath.tk/", and "The page isn’t redirecting properly" as well.
Anyway, so far so good
Quote:
All three cases were configured successfully through the uses of Mod_Proxy.
However, I am hoping if someone can help me to do the same with Mod JK as well.
AFAIK you have to put the mod_jk directives inside the SSL vhost stanza. I you want to see how to configure mod_jk, take a look here
I believe I got really interesting results today. Here is the summary of what I think. You do not need to read previous post, but start from this one.
1. I believe Mod JK is the best way to accomplish https between Apache and TomEE. Please let me know your opinion, as I only know Mod Proxy and Mod JK at this point
2. Here is the content of /etc/apache2/sites-enabled/000-default.conf
Code:
<VirtualHost *:80 >
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerAdmin erick9.hi5@gmail.com
ServerName www.zethanath.tk
ServerAlias servlet.zethanath.tk zethanath.tk
Redirect permanent "/" "https://www.zethanath.tk/Index"
#ProxyPreserveHost On
#ProxyPass / http://192.168.1.70:8080/Index/
#ProxyPassReverse / http://192.168.1.70:8080/Index/
#DocumentRoot /var/www/html
DocumentRoot "/opt/tomcat/webapps/Index"
Alias /Index "/opt/tomcat/webapps/Index"
<Directory "/opt/tomcat/webapps/Index">
Options Indexes FollowSymLinks
AllowOverride NONE
Order allow,deny
Allow from all
</Directory>
<Location "/Index/WEB-INF/">
AllowOverride None
Deny from all
</Location>
JKMountCopy On
JKMount /* ajp13_worker
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.zethanath.tk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
3. Here is the content of /etc/apache2/sites-available/default-ssl.conf
Code:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin erick9.hi5@gmail.com
ServerName www.zethanath.tk
ServerAlias servlet.zethanath.tk zethanath.tk
Redirect permanent "/" "https://www.zethanath.tk/Index"
#ProxyPreserveHost On
#ProxyPass / http://192.168.1.70:8080/Index/
#ProxyPassReverse / http://192.168.1.70:8080/Index/
#DocumentRoot /var/www/html
DocumentRoot "/opt/tomcat/webapps/Index"
Alias /Index "/opt/tomcat/webapps/Index"
<Directory "/opt/tomcat/webapps/Index">
Options Indexes FollowSymLinks
AllowOverride NONE
Order allow,deny
Allow from all
</Directory>
<Location "/Index/WEB-INF/">
AllowOverride None
Deny from all
</Location>
JKMountCopy On
JKMount /* ajp13_worker
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/letsencrypt/live/zethanath.tk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zethanath.tk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# BrowserMatch "MSIE [2-6]" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
4. Here is the content of /etc/apache2/sites-enabled/000-default-le-ssl.conf
Code:
<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerAdmin erick9.hi5@gmail.com
ServerName www.zethanath.tk
ServerAlias servlet.zethanath.tk zethanath.tk
Redirect permanent "/" "https://www.zethanath.tk/Index"
#ProxyPreserveHost On
#ProxyPass / http://192.168.1.70:8080/Index/
#ProxyPassReverse / http://192.168.1.70:8080/Index/
#DocumentRoot /var/www/html
DocumentRoot "/opt/tomcat/webapps/Index"
Alias /Index "/opt/tomcat/webapps/Index"
<Directory "/opt/tomcat/webapps/Index">
Options Indexes FollowSymLinks
AllowOverride NONE
Order allow,deny
Allow from all
</Directory>
<Location "/Index/WEB-INF/">
AllowOverride None
Deny from all
</Location>
JKMountCopy On
JKMount /* ajp13_worker
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
SSLCertificateFile /etc/letsencrypt/live/zethanath.tk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zethanath.tk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
1. How do I fix that?
2. What I have problems with are the begin "/" and the end "/" in the three files above. How do I use this "/" in the configuration files.
<VirtualHost .......>
Redirect permanent "/" "https://www.zethanath.tk/Index" --> Should I end this line with "/" and make it behttps://www.zethanath.tk/Index/?
DocumentRoot "/opt/tomcat/webapps/Index" --> When should I start or end this line with "/"? --> DocumentRoot "/opt/tomcat/webapps/Index/"
Alias /Index "/opt/tomcat/webapps/Index" --> When should I start or end this line with "/"? --> Alias /Index "/opt/tomcat/webapps/Index/"
<Directory "/opt/tomcat/webapps/Index"> --> When should I start or end this line with "/"? --> <Directory "/opt/tomcat/webapps/Index/">
...
</Directory>
<Location "/Index/WEB-INF/"> --> When should I start or end this line with "/"? --> <Location "/Index/WEB-INF/">
...
</Location>
</VirtualHost .......>
Last edited by sethanath; 08-21-2017 at 12:38 PM.
Reason: Typo
1. I believe Mod JK is the best way to accomplish https between Apache and TomEE. Please let me know your opinion, as I only know Mod Proxy and Mod JK at this point
I'm always using apache as a reverse proxy, even though mod_jk is faster, because it's easier to configure.
Quote:
2. Here is the content of /etc/apache2/sites-enabled/000-default.conf
Told you many times that you only need the Redirect in the http vhost (without the /Index/ part)
3. Here is the content of /etc/apache2/sites-available/default-ssl.conf
<snip>
4. Here is the content of /etc/apache2/sites-enabled/000-default-le-ssl.conf
<snip>
I'm not familiar with ubuntu apache config style, but AFAIK, you only edit one of those files (besides the latter should be a symlink of the former).
You have a loop, because as I've already told you many times, you don't need a Redirect in the SSL vhost!!!! Please pay attention to what I'm suggesting to you.
Quote:
My questions are below.
1. How do I fix that?
2. What I have problems with are the begin "/" and the end "/" in the three files above. How do I use this "/" in the configuration files.
1. See the answer above
2. The "/" is important only in Redirect, Alias, and such. If you use a trailing "/" at the end of a URI at the left, you need also to use one at the URI on the right.
The trailing "/" is not important in a <Directory...>, or DocumentRoot, but I suggest you to read apache documentation for more details.
Told you many times that you only need the Redirect in the http vhost (without the /Index/ part)
Code:
I removed the /Index/ part, just like you suggested.
Code:
<VirtualHost *:80 >
ServerName www.zethanath.tk
ServerAlias servlet.zethanath.tk zethanath.tk
Redirect permanent "/" "https://www.zethanath.tk/"
DocumentRoot "/opt/tomcat/webapps/Index"
Alias /Index "/opt/tomcat/webapps/Index"
<Directory "/opt/tomcat/webapps/Index">
Options Indexes FollowSymLinks
AllowOverride NONE
Order allow,deny
Allow from all
</Directory>
<Location "/Index/WEB-INF/">
AllowOverride None
Deny from all
</Location>
</VirtualHost>
I also removed the redirect from the https vhost.
Code:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin erick9.hi5@gmail.com
ServerName www.zethanath.tk
ServerAlias servlet.zethanath.tk zethanath.tk
DocumentRoot "/opt/tomcat/webapps/Index"
Alias /Index "/opt/tomcat/webapps/Index"
<Directory "/opt/tomcat/webapps/Index">
Options Indexes FollowSymLinks
AllowOverride NONE
Order allow,deny
Allow from all
</Directory>
<Location "/Index/WEB-INF/">
AllowOverride None
Deny from all
</Location>
</VirtualHost>
</IfModule>
Here are the results that I have.
- When I typed "http://www.zethanath.tk" in the browser, I would get "https://www.zethanath.tk/" with HTTP Status 404 The requested resource is not available.
- When I typed "http://servlet.zethanath.tk" in the browser, I would get "https://www.zethanath.tk/" with HTTP Status 404 The requested resource is not available too.
If I am not mistaken, what I need is to associate port 8080 with "DocumentRoot". I need to be able to do something like this.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
. However, I am guessing that, upon securing Apache with Let's Encrypt (sudo certbot --apache -d zethanath.tk -d 
In other words, 
