or Sign in

Home

SSL via Apache2 Proxy and Tomcat6/Alfresco

You are here

Home » Forums » Installation, Upgrades, Configuration, & Integration » Installation & Upgrades
13 posts / 0 new
Log in or register to post comments
Last post
Mon, 10/05/2009 - 17:35
#1
SSL via Apache2 Proxy and Tomcat6/Alfresco

Hello,

I am trying to use Apache2 to set up an SSL-connection with Alfresco. I have a reversed proxied Alfresco with Apache2 and SSL, but I get warnings that the connection isn't entirely encrypted. (Warning: Connection Partially Encrypted) Is there something I have to do on the Alfresco/Tomcat6 side?

Excerpt from http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Quote:
It is important to note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server. When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. Likewise, Tomcat will return cleartext responses, that will be encrypted before being returned to the user's browser. In this environment, Tomcat knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself.

So according to the Apache2 documentation it should be sufficiant to encrypt the traffic from/to the Apache2 proxy and not Tomcat6 itself.
So why is the encrypted connection failing? This is in all browsers I've tried, Firefox, IE8, Safari, etc...

Please advice,

Oblivian

Top
Mon, 10/05/2009 - 17:55
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

What does the configuration look like?

Personally I prefer to use mod_jk when proxying Tomcat with Apache, it's very simple to setup and seems to be pretty failsafe:

http://tomcat.apache.org/connectors-doc/generic_howto/quick.html


Feel free to rate this post as useful if it was of any help to you.

Top
Mon, 10/05/2009 - 18:03
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Hi gronfelt,

This is the current Apache2 SSL config running the reversed proxy.

<IfModule mod_ssl.c>

NameVirtualHost *:443

 

####

#### 		DOCS.DOMAIN.TLD			####

####

 

 

<virtualhost *:443>

		ServerName docs.domain.tld

		ServerAlias alfresco.domain.tld

		ServerAdmin webmaster@domain.tld

 

### ### ### ### ### ###

 

	   ### Start SSL

       SSLEngine On

 

   ### Certificates

		SSLCertificateFile /etc/apache2/ssl/star_domain_tld.crt

		SSLCertificateKeyFile /etc/apache2/ssl/star_domain_tld.key

		SSLCertificateChainFile /etc/apache2/ssl/DigiCertCA.crt

 

	### Only allow SSLv3 and TLSv1 and HIGH/MED encryption.

		SSLCipherSuite -ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+TLSv1:+SSLv3:-EXP:-eNULL

		SSLProtocol -all +SSLv3 +TLSv1

 

### ### ### ### ### ###

 

	#Dummy folder for virtual host	

       DocumentRoot /var/www/htdocs/docs.domain.tld/

 

 

	<directory /var/www/htdocs/docs.domain.tld/>

            Options -Indexes -FollowSymLinks MultiViews

            AllowOverride All

            Order allow,deny

            allow from all

	</directory>

 

       ErrorLog /var/log/apache2/docs.domain.tld_error.log

 

       # Possible values include: debug, info, notice, warn, error, crit,

       # alert, emerg.

       LogLevel warn

 

       CustomLog /var/log/apache2/docs.domain.tld_access.log combined

 

### Log to Syslog

LogLevel notice

ErrorLog syslog:local6 

#CustomLog "|/usr/bin/logger -t apache -i -p local6.notice" combined

 

ServerSignature Off

 

ProxyRequests Off

 

<Proxy *>

Order deny,allow

Allow from all

</Proxy>

 

ProxyPass /share http://localhost:8080/share

ProxyPassReverse /share http://localhost:8080/share 

ProxyPass /alfresco http://localhost:8080/alfresco

ProxyPassReverse /alfresco http://localhost:8080/alfresco 

 

</virtualhost>

</IfModule>

Top
Mon, 10/05/2009 - 18:09
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

gronfelt wrote:
What does the configuration look like?

Personally I prefer to use mod_jk when proxying Tomcat with Apache, it's very simple to setup and seems to be pretty failsafe:

http://tomcat.apache.org/connectors-doc/generic_howto/quick.html


Hi again gronfelt,

I am quite new to Tomcat6... Could you enlighten me on why you prefer mod_jk over ordinary apache proxying? Is it better speedwise, more secure, or just easier, etc... Thanks for sharing. :)

BTW, I am currently on Ubuntu 9.04 server. When running a2enmod I have module proxy_ajp available. Is that the same as mod_jk? Also, is it just Apache2 I have to configure (like with normal proxy) or do I have to configure Tomcat6 as well?

EDIT: proxy_ajp is not the same as mod_jk. apt-get install libapache2-mod-jk installed the correct Apache2 module... :oops:

Regards,

Oblivian

Top
Mon, 10/05/2009 - 19:02
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Well, to a great extent it's probably just due to the fact that I started to use mod_jk and got used to that.

But as far as I understand using ajp is normally much faster than accessing tomcat through http, but wether you choose to use proxy_ajp/proxypass or mod_jk seems to be mostly a matter of taste.

Tomcat configuration is the same, regardless, the only thing you need to do is to uncomment the AJP connector in server.xml.


Feel free to rate this post as useful if it was of any help to you.

Top
Mon, 10/05/2009 - 19:30
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Hi gronfelt,

I have now set up Apache2 to use mod_jk and it works perfectly with Alfresco/Tomcat6. All traffic is now sent correctly over SSL and so no more warnings. :D

Thanks for all your help.

Oblivian

Top
Sun, 10/11/2009 - 23:04
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

I have Alfresco working with SSL, however in IE8 I keep getting a security warning that pops up on every single page telling me that some of the pages are non-secure. This is true, there is one hardcoded Alfresco call to http://www.alfresco.com/assets/images/common/alfresco_community_horiz30.gif

This one http call are the only one that's not transferred into a https page. After reading the following I tried to upgrade to the latest Alfresco build without luck. https://issues.alfresco.com/jira/browse/ETHREEOH-2331

Do you have this also? Did any manage to get this to work? :cry:

Top
Sun, 10/11/2009 - 23:19
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

I use to have the same problem when running Alfresco with Apache reverse proxy over SSL. When using mod_jk instead, all problems vanished.

I recommend you do the same.

Regards.

Top
Mon, 10/12/2009 - 06:45
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

oblivian wrote:
I use to have the same problem when running Alfresco with Apache reverse proxy over SSL. When using mod_jk instead, all problems vanished.

I recommend you do the same.

Regards.

That sounds really good :D

Could you post your configuration files, that would help me alot. You are right, I was running reverse proxy over SSL but after reading this page I tried to change to mod_jk, apparently without any luck :oops:

Top
Mon, 10/12/2009 - 19:16
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Hi,

Sorry for late reply. Did you manage or do you want me to post my configs?

Oblivian

PS. What platform are you on? I'm on Ubuntu 9.04.

Top
Mon, 10/12/2009 - 20:08
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Right now its not working, so I would be very happy to take a deep look at your config files (apache and tomcat server.xml) :)

I am running on a Debian 5 server.

Top
Mon, 10/12/2009 - 21:18
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

OK, here goes.

Make sure mod_jk is installed and enabled in Apache2.

Add the following at the bottom of the main Apache2 config file. (apache2.conf)

JkWorkersFile /etc/apache2/workers.properties

 

# Where to put jk logs

JkLogFile /var/log/apache2/mod_jk.log

 

# Set the jk log level [debug/error/info]

JkLogLevel info

 

# Select the log format

JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

 

# JkOptions indicate to send SSL KEY SIZE,

JkOptions +ForwardKeySize -ForwardDirectories

 

# JkRequestLogFormat set the request format

JkRequestLogFormat "%w %V %T"

 

# Send servlet for context /alfresco to your repository

JkMount /share worker1

JkMount /alfresco worker1

 

# Send JSPs for context /alfresco/* to your repository

JkMount /share/* worker1

JkMount /alfresco/* worker1

Create a new file: /etc/apache2/worker.properties and enter the following. (Make neccesary adjustments to the java_home and tomcat_home)

workers.tomcat_home=/usr/share/tomcat6

workers.java_home=/usr/lib/jvm/java-6-sun-1.6.0.16

ps=/

worker.list=worker1

 

worker.default.port=8009

worker.default.host=localhost

worker.default.type=ajp13

worker.default.lbfactor=1

Add the following to server.xml (On Ubuntu 9.04 /etc/tomcat6/server.xml)
Add the following lines

<!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector port="8009"

               enableLookups="false" redirectPort="8442" protocol="AJP/1.3" URIEncoding="UTF-8" />

NB. Add the above lines just before the following lines: (Around line 70).

Add the following lines to the Apache2 SSL-enabled virtual server: (Just before the the virtualhost close tag) 

JkMountCopy On

JkMount /alfresco worker1

JkMount /alfresco/* worker1

JkMount /share worker1

JkMount /share/* worker1

And that should be it.

Good luck! :)

PS. You have to restart both Apache2 and Tomcat6 too se the changes of course...

Top
Mon, 10/12/2009 - 23:31
Re: SSL via Apache2 Proxy and Tomcat6/Alfresco

Beautiful, so simple and jet so complicated... Its working, thank you very much :D

Top
Subscribe to Comments for "SSL via Apache2 Proxy and Tomcat6/Alfresco"
Subscribe to All activity.