Apache SSL, Let’s Encrypt & Tomcat
Hi folks,
as first post in our blog I’ll share the steps to configure the typical architecture scenario for many J2EE webapps (as Alfresco or Liferay) : Apache SSL + mod_jk + Tomcat.
Thanks to Lets Encrypt we are able to use trusted CA certificates with autorenew process FOR FREE!
So let’s describe the general procedure :
1. Apache and virtual host.
The Apache web server is the most popular way of serving web content on the internet. It accounts for more than half of all active websites on the internet and is extremely powerful and flexible.
Apache breaks its functionality and components into individual units that can be customized and configured independently. The basic unit that describes an individual site or domain is called a virtual host.
Each domain that is configured will direct the visitor to a specific directory holding that site’s information, never indicating that the same server is also responsible for other sites. This scheme is expandable without any software limit as long as your server can handle the load.
Prerequisites.
$ sudo apt-get update $ sudo apt-get install apache2
* Note : We’ll use webapp.venzia.es as domain name.
Step One – Creating directory structure and granting permissions.
$ sudo mkdir -p /var/www/webapp.venzia.es
$ sudo chown -R $USER:$USER /var/www/webapp.venzia.es
The $USER variable will take the value of the user you are currently logged in as when you press Enter. By doing this, our regular user now owns the public_html subdirectories where we will be storing our content.
We should also modify our permissions a little bit to ensure that read access is permitted to the general web directory and all of the files and folders it contains so that pages can be served correctly :
$ sudo chmod -R 755 /var/www
Step Two – Create and enable new Virtual Host file.
Apache comes with a default virtual host file called 000-default.conf that we can use as a jumping off point. We are going to copy it over to create a virtual host file for our domain.
$ sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/webapp.venzia.es.conf $ sudo nano /etc/apache2/sites-available/webapp.venzia.es.conf
<VirtualHost *:80> ServerAdmin admin@webapp.venzia.es ServerName webapp.venzia.es ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
Now that we have created our virtual host files, we must enable them. Apache includes some tools that allow us to do this.
We can use the a2ensite tool to enable each of our sites like this :
$ sudo a2ensite webapp.venzia.es.conf
Next, disable the default site defined in 000-default.conf :
$ sudo a2dissite 000-default.conf
When you are finished, you need to restart Apache to make these changes take effect :
$ sudo service apache2 restart
Now that you have your virtual hosts configured, you can test your setup easily by going to the domains that you configured in your web browser (if you have configured the A type records of your domain) :
http://webapp.venzia.es
2. Secure Apache with Let’s Encrypt.
SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.
Prerequisites.
$ sudo apt-get update $ sudo apt-get install python-letsencrypt-apache
Step One – Set Up the SSL Certificate.
Generating the SSL Certificate for Apache using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
$ sudo letsencrypt --apache -d webapp.venzia.es
After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or forcing all requests to redirect to https. It is usually safest to require https, unless you have a specific need for unencrypted http traffic.
When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live.
Step Two – Set Up Auto Renewal
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.
A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.
Let’s edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run :
$ sudo crontab -e
( You may be prompted to select an editor )
Include the following content at the end of the crontab, all in one line :
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
Save and exit. This will create a new cron job that will execute the letsencrypt-auto renew command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at /var/log/le-renewal.log.
3. Encrypt Tomcat 8 connections with Apache.
Apache Tomcat is a web server and servlet container designed to serve Java applications. Frequently used in production enterprise deployments and for smaller application needs, Tomcat is both flexible and powerful.
By default, upon installation, all communication between the Tomcat server and clients is unencrypted, including any passwords entered or any sensitive data. There are a number of ways that we can incorporate SSL into our Tomcat installation.
The Apache web server has a module called mod_jk which can communicate directly with Tomcat using the Apache JServ Protocol. A connector for this protocol is enabled by default within Tomcat, so Tomcat is already ready to handle these requests.
Step One – Install and Configure mod_jk
We can install mod_jk from Ubuntu’s default repositories. Update the local package index and install by typing :
$ sudo apt-get update $ sudo apt-get install libapache2-mod-jk
The module will be enabled automatically upon installation.
Next, we need to configure the module. The main configuration file is located at /etc/libapache2-mod-jk/workers.properties. Open this file now in your text editor :
$ sudo nano /etc/libapache2-mod-jk/workers.properties
Inside, find the workers.tomcat_home and workers.java_home directives. Set these to your Tomcat/Java installation home directories :
workers.tomcat_home=/opt/tomcat workers.java_home=/usr/lib/jvm/java-8-oracle
Save and close the file when you are finished.
Step Two – Adjust the Apache Virtual Host to Proxy with mod_jk
$ sudo nano /etc/apache2/sites-enabled/webapp.venzia.es-le-ssl.conf
Somewhere within the VirtualHost tags, you should enter the following :
<VirtualHost *:443> . . . JKMount /* ajp13_worker . . . </VirtualHost>
Save and close the file.
When you are finished, check your configuration by typing :
$ sudo apache2ctl configtest
If the output contains Syntax OK, restart the Apache web server process :
$ sudo service apache2 restart
You should now be able get to your Tomcat installation by visiting the SSL version of your site in your web browser :
https://example.com
Step Three – Restricting access to the Tomcat installation.
Now you have SSL encrypted access to your Tomcat installation, we can lock down the Tomcat installation a bit more.
Since we want all of our requests to Tomcat to come through our proxy, we can configure Tomcat to only listen for connections on the local loopback interface. This ensures that outside parties cannot attempt to make requests from Tomcat directly.
Open the server.xml file within your Tomcat configuration directory to change these settings :
$ sudo nano /opt/tomcat/conf/server.xml
In order to restrict access to the local loopback interface, we just need to add an “address” attribute set to 127.0.0.1 in each of these Connector definitions. The end result will look like this :
. . . <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" address="127.0.0.1" redirectPort="8443" /> . . . <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" redirectPort="8443" />
After you’ve made those two changes, save and close the file.
We need to restart our Tomcat process to implement these changes :
$ sudo service tomcat restart
Conclusion.
At this point, connections to your Tomcat instance should be encrypted with SSL with the help of a web server proxy. While configuring a separate web server process might increase the software involved in serving your applications, it simplifies the process of securing your traffic significantly.
Sources :
https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04