SSL via Apache2 Proxy and Tomcat6/Alfresco

Hello,

I am trying to use Apache2 to set up an SSL connection with Alfresco. I have a reverse-proxied Alfresco with Apache2 and SSL, but I get warnings that the connection isn't entirely encrypted. (Warning: Connection Partially Encrypted) Is there something I have to do on the Alfresco/Tomcat6 side?

Excerpt from http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Quote:
It is important to note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server. When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. Likewise, Tomcat will return cleartext responses, that will be encrypted before being returned to the user's browser. In this environment, Tomcat knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself.

So according to the Apache2 documentation it should be sufficient to encrypt the traffic from/to the Apache2 proxy and not Tomcat6 itself.
So why is the encrypted connection failing? This is in all browsers I've tried, Firefox, IE8, Safari, etc...

Please advise,

Oblivian

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

What does the configuration look like?

Personally I prefer to use mod_jk when proxying Tomcat with Apache, it's very simple to set up and seems to be pretty failsafe:

http://tomcat.apache.org/connectors-doc/generic_howto/quick.html


Feel free to rate this post as useful if it was of any help to you.

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Hi gronfelt,

This is the current Apache2 SSL config running the reverse proxy.

<IfModule mod_ssl.c>
NameVirtualHost *:443
 
####
#### DOCS.DOMAIN.TLD ####
####
 
 
<virtualhost *:443>
ServerName docs.domain.tld
ServerAlias alfresco.domain.tld
ServerAdmin webmaster@domain.tld
 
### ### ### ### ### ###
 
### Start SSL
SSLEngine On
 
### Certificates
SSLCertificateFile /etc/apache2/ssl/star_domain_tld.crt
SSLCertificateKeyFile /etc/apache2/ssl/star_domain_tld.key
SSLCertificateChainFile /etc/apache2/ssl/DigiCertCA.crt
 
### Only allow SSLv3 and TLSv1 and HIGH/MED encryption.
SSLCipherSuite -ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+TLSv1:+SSLv3:-EXP:-eNULL
SSLProtocol -all +SSLv3 +TLSv1
 
### ### ### ### ### ###
 
#Dummy folder for virtual host
DocumentRoot /var/www/htdocs/docs.domain.tld/
 
 
<directory /var/www/htdocs/docs.domain.tld/>
Options -Indexes -FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</directory>
 
ErrorLog /var/log/apache2/docs.domain.tld_error.log
 
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
 
CustomLog /var/log/apache2/docs.domain.tld_access.log combined
 
### Log to Syslog
LogLevel notice
ErrorLog syslog:local6
#CustomLog "|/usr/bin/logger -t apache -i -p local6.notice" combined
 
ServerSignature Off
 
ProxyRequests Off
 
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
 
ProxyPass /share http://localhost:8080/share
ProxyPassReverse /share http://localhost:8080/share
ProxyPass /alfresco http://localhost:8080/alfresco
ProxyPassReverse /alfresco http://localhost:8080/alfresco
 
</virtualhost>
</IfModule>

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

gronfelt wrote:
What does the configuration look like?

Personally I prefer to use mod_jk when proxying Tomcat with Apache, it's very simple to set up and seems to be pretty failsafe:

http://tomcat.apache.org/connectors-doc/generic_howto/quick.html


Hi again gronfelt,

I am quite new to Tomcat6... Could you enlighten me on why you prefer mod_jk over ordinary apache proxying? Is it better speedwise, more secure, or just easier, etc... Thanks for sharing. :)

BTW, I am currently on Ubuntu 9.04 server. When running a2enmod I have module proxy_ajp available. Is that the same as mod_jk? Also, is it just Apache2 I have to configure (like with normal proxy) or do I have to configure Tomcat6 as well?

EDIT: proxy_ajp is not the same as mod_jk. apt-get install libapache2-mod-jk installed the correct Apache2 module... :oops:

Regards,

Oblivian

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Well, to a great extent it's probably just due to the fact that I started to use mod_jk and got used to that.

But as far as I understand, using ajp is normally much faster than accessing tomcat through http, but whether you choose to use proxy_ajp/proxypass or mod_jk seems to be mostly a matter of taste.

Tomcat configuration is the same, regardless, the only thing you need to do is to uncomment the AJP connector in server.xml.


Feel free to rate this post as useful if it was of any help to you.

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Hi gronfelt,

I have now set up Apache2 to use mod_jk and it works perfectly with Alfresco/Tomcat6. All traffic is now sent correctly over SSL and so no more warnings. :D

Thanks for all your help.

Oblivian

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

I have Alfresco working with SSL, however in IE8 I keep getting a security warning that pops up on every single page telling me that some of the pages are non-secure. This is true, there is one hardcoded Alfresco call to http://www.alfresco.com/assets/images/common/alfresco_community_horiz30.gif

This one http call is the only one that's not transferred into a https page. After reading the following I tried to upgrade to the latest Alfresco build without luck. https://issues.alfresco.com/jira/browse/ETHREEOH-2331

Do you have this also? Did anyone manage to get this to work? :cry:
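
The check behind the "partially encrypted" warning discussed in this thread, as an added example that is not part of any original post: it lists the sub-resources that a page served over HTTPS would still fetch over plain http://. The function and class names and the sample page are constructed for illustration; only the image URL comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch a sub-resource, per tag.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "embed": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",), "object": ("data",), "link": ("href",),
}
# <link rel=...> values that load something (rel="canonical" does not).
FETCHING_RELS = {"stylesheet", "icon", "preload"}

class MixedContentFinder(HTMLParser):
    """Collect sub-resources an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        for name in FETCH_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            # Resolve relative and protocol-relative URLs against the page.
            absolute = urljoin(self.page_url, value)
            if value and urlparse(absolute).scheme == "http":
                self.insecure.append((tag, absolute))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure

# Constructed sample page; only the image URL is taken from the thread.
SAMPLE_HTML = """<head><link rel="stylesheet" href="/share/css/base.css">
<link rel="canonical" href="http://docs.domain.tld/share/page">
<script src="//docs.domain.tld/share/js/app.js"></script></head>
<body><img src="images/logo.png"><a href="http://www.alfresco.com/">x</a>
<img src="http://www.alfresco.com/assets/images/common/alfresco_community_horiz30.gif">
</body>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://docs.domain.tld/share/page", SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
```

Ordinary links (`<a href>`) and relative or protocol-relative URLs are not reported, because they do not cause an insecure fetch while the page itself is loaded over HTTPS.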

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

I used to have the same problem when running Alfresco with Apache reverse proxy over SSL. When using mod_jk instead, all problems vanished.

I recommend you do the same.

Regards.

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

oblivian wrote:
I used to have the same problem when running Alfresco with Apache reverse proxy over SSL. When using mod_jk instead, all problems vanished.

I recommend you do the same.

Regards.

That sounds really good :D

Could you post your configuration files? That would help me a lot. You are right, I was running reverse proxy over SSL but after reading this page I tried to change to mod_jk, apparently without any luck :oops:

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Hi,

Sorry for late reply. Did you manage or do you want me to post my configs?

Oblivian

PS. What platform are you on? I'm on Ubuntu 9.04.

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Right now it's not working, so I would be very happy to take a deep look at your config files (apache and tomcat server.xml) :)

I am running on a Debian 5 server.

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

OK, here goes.

Make sure mod_jk is installed and enabled in Apache2.

Add the following at the bottom of the main Apache2 config file. (apache2.conf)

JkWorkersFile /etc/apache2/workers.properties
 
# Where to put jk logs
JkLogFile /var/log/apache2/mod_jk.log
 
# Set the jk log level [debug/error/info]
JkLogLevel info
 
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
 
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize -ForwardDirectories
 
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
 
# Send servlet for context /alfresco to your repository
JkMount /share worker1
JkMount /alfresco worker1
 
# Send JSPs for context /alfresco/* to your repository
JkMount /share/* worker1
JkMount /alfresco/* worker1

Create a new file: /etc/apache2/workers.properties and enter the following. (Make necessary adjustments to the java_home and tomcat_home)

workers.tomcat_home=/usr/share/tomcat6
workers.java_home=/usr/lib/jvm/java-6-sun-1.6.0.16
ps=/
worker.list=worker1
 
# Properties are keyed by the worker name listed in worker.list (worker1)
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13
worker.worker1.lbfactor=1

Add the following to server.xml (On Ubuntu 9.04 /etc/tomcat6/server.xml)
Add the following lines

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009"
enableLookups="false" redirectPort="8442" protocol="AJP/1.3" URIEncoding="UTF-8" />

NB. Add the above lines just before the following lines: (Around line 70).

Add the following lines to the Apache2 SSL-enabled virtual server: (Just before the virtualhost close tag)

JkMountCopy On
JkMount /alfresco worker1
JkMount /alfresco/* worker1
JkMount /share worker1
JkMount /share/* worker1

And that should be it.

Good luck! :)

PS. You have to restart both Apache2 and Tomcat6 to see the changes of course...

Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Beautiful, so simple and yet so complicated... It's working, thank you very much :D