Showing posts with label apache. Show all posts
Showing posts with label apache. Show all posts

Monday 7 March 2016

Apache httpd reverse proxy for Tomcat with SSL self signed certificates.

Recalling from the previous article on how to install Apache Tomcat 7 and Httpd on Fedora 22 we are now going to present how to configure Apache Httpd working as a reverse proxy for Apache Tomcat.

In more details, we are going to implement the following setup:
  • Setup Tomcat 7 listening on port 8080
  • Redirect port 80 (HTTP) to port 443 (HTTPS)
  • Use self signed RSA server certificates to authenticate our HTTPs server on clients and secure the TCP session.

Public and Private Server Key

In order to create the Server Public/Private key set we are going to use openSSL tools. 
 To install them in you Fedora 22 server do:
# dnf install openssl
# or for older Fedora systems
# yum install openssl

Then openssl tools are installed to:
# which openssl
/bin/openssl

Go to the apache httpd configuration directory and do the following:
# cd  /etc/httpd/conf/

Generate a PEM RSA private key key using DES3
# openssl genrsa -des3 -passout pass:mypass  -out server.pass.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
...................................................................................+++
e is 65537 (0x10001)

Create a Server PEM certificate request using the server key:
# openssl req -new -key server.pass.key -out server.csr
Enter pass phrase for server.pass.key:     # put mypass here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GR
State or Province Name (full name) [Some-State]:Athens
Locality Name (eg, city) []:Athens
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Illumine IT Consulting
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.illumineit.com
Email Address []:info@illumine.gr

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                      # press enter here to skip password
An optional company name []:  Illumine IT Consulting 


Finally, create the server certificate using the PEM Certificate Request
# openssl x509 -req -in server.csr -signkey server.pass.key -out server.crt  -days 365

Signature ok
subject=/C=GR/ST=Athens/L=Athens/O=Illumine IT Consulting/CN=www.illumineit.com/emailAddress=info@illumineit.com
Getting Private key
Enter pass phrase for server.pass.key:  # put mypass here


By the end of this operation you should have the following files created:
# ls -l
-rw-r--r--. 1 root root 1318 Mar  7 18:11 server.crt
-rw-r--r--. 1 root root 1115 Mar  7 18:07 server.csr
-rw-r--r--. 1 root root 1743 Mar  7 18:05 server.pass.key
  • server.ctr: is the server certificate
  • server.csr: is the server PEM certificate request
  • server.pass.key : server´s private RAS key.

Configure Apache HTTPd working with SSL certificates and reverse proxy to Tomcat

# vi /etc/httpd/conf/httpd.conf

Add the following section:
ServerRoot "/etc/httpd"
# Port 80 (HTTP) will be redirected to 443 (HTTPS)
Listen 80

   ServerName www.illumineit.com
   Redirect permanent / https://www.illumineit.com

# Port 443 HTTPS will be default
Listen 443

  ServerName www.illumineit.com
  ServerAdmin my-mail-here
  #
  # Configure SSL engine on and add your certificates
  #
  SSLEngine on
  SSLCertificateFile     conf/server.crt
  SSLCertificateKeyFile  conf/server.key
  #
  # proxypass configuration to your tomcat server running on 8080
  #
  ProxyPass        /zsecure-pdf/   http://www.illumineit.com:8080/zsecure-pdf/
  ProxyPassReverse /zsecure-pdf/   http://www.illumineit.com:8080/zsecure-pdf/
  ProxyPassReverseCookieDomain www.illumineit.com www.illumineit.com
  ProxyPassReverseCookiePath /zsecure-pdf  /zsecure-pdf
  
     ProxyPassReverse /
     SetOutputFilter  proxy-html
     RequestHeader    unset  Accept-Encoding
  

  BrowserMatch "MSIE [2-5]" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0

The first section VirtualHost configures Apache to redirect whatever goes to port 80 to be redirected to port 443 (HTTPS)

The second section VirtualHost configures Apache to use Tomcat as reverse Proxy. So if someone requests URI path /zsecure-pdf/ this will be redirected to port 8080 where tomcat listens.

Save and restart the Apache HTTPD:
# service httpd restart
Redirecting to /bin/systemctl restart  httpd.service

Test Apache

Hit with browser http://www.illumineit.com this will redirect you to https://www.illumineit.com

if you also navigate to the path that was reverse pass: https://31.171.245.82/zsecure-pdf/secure-my-pdf-to-image-password-encrypt-and-watermark.html then you will be served from Tomcat serving your application.

Potential problems

AH01114: HTTP: failed to make connection to backend
To get rid of this log to your server as root and run those commands:
/usr/sbin/setsebool httpd_can_network_connect 1
/usr/sbin/setsebool -P httpd_can_network_connect 1


Page does not renders correctly: images and CSS are missing. That is very common since HTML pages might taken from other sites by A HREF. The only think you can do is copy them locally to WebContent directory of your WAR deployment.

Fedora 22 Apache Tomcat and Httpd. Publishing an application in minutes.

Recalling from the previous article "Quest of the Holy Cloud" I got a provider and started a simple VM over there.
One of my first actions was to baptize my server and give it a fancy hostname.
Now lets come to the juicy part. In this article I am going to build a simple application server to handle PDF trans-code to images with a custom Java application I built.
The actions I am going to demonstrate are how to:
  • Setup OpenJKD on Fedora 22
  • Install Ghostscript libraries required for my application.
  • Download, install and configure Apache Tomcat 7
  • Install and configure Apache HTTPd.
  • Installing Open JDK

Install OpenJDK

The first step is really easy. We need a JDK or a JRE in order to run Tomcat that hosts our application. The straight option is to use opensource community JAVA: OpenJDK.
To do so, I entered the following commands:
# dnf install java
Last metadata expiration check performed 1:09:31 ago on Mon Mar  7 12:20:26 2016.
...
To check where java is and what has been installed:
# which java
/bin/java
# java -version
openjdk version "1.8.0_72"
OpenJDK Runtime Environment (build 1.8.0_72-b15)
OpenJDK 64-Bit Server VM (build 25.72-b15, mixed mode)

Install Ghostscript

Most of the software I wrote rely to Ghostscript shared libraries that are called from the corresponding Java API. To install them I entered the following commands:
# dnf install ghostscript
Last metadata expiration check performed 1:15:36 ago on Mon Mar  7 12:20:26 2016.
..
The library got installed at:
# ls -lh /lib64/libgs*
..
-rwxr-xr-x. 1 root root 16M Mar 31  2015 /lib64/libgs.so.9.16

# file  /lib64/libgs.so.9.16
/lib64/libgs.so.9.16: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6601d742a4829cb3e4fe8197f1b1457f665ce130, stripped

Install Apache Tomcat 7

Apache Tomcat 7 can be downloaded from here as a tar.gz file by picking up a binary distribution as follows:
# cd /opt
# wget http://mirror.serversupportforum.de/apache/tomcat/tomcat-7/v7.0.68/bin/apache-at-7.0.68.tar.gz
# tar -xvf apache-tomcat-7.0.68.tar.gz

Now tomcat is not provided as a service from Fedora. To do so, we need to create a simple start script in /etc/init.d:

# cd /etc/init.d
# vi tomcat
paste the following to the script tomcat:
#!/bin/bash
# start/ stop Tomcat script
# Since you are using OpneJDK put this as your java home
JAVA_HOME=/
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
# Where you have placed tomcat
CATALINA_HOME=/opt/apache-tomcat-7.0.68

case $1 in
start)
sh $CATALINA_HOME/bin/startup.sh
;;
stop)
sh $CATALINA_HOME/bin/shutdown.sh
;;
restart)
sh $CATALINA_HOME/bin/shutdown.sh
sh $CATALINA_HOME/bin/startup.sh
;;
esac
exit 0
Now tomcat needs to be registered as a Linux service. To do so add those commands:
# cd /etc/init.d
# chmod 755 tomcat  
# chkconfig --add tomcat  
# chkconfig --level 234 tomcat on  
# chkconfig --list tomcat 

Installing Apache HTTPD

This comes as a standard service supported from Fedora distribution. To install it:
# dnf install httpd
...
For a very fast configuration of http you can edit httpd.conf and add a simple virtual host:
#  vi /etc/httpd/conf/httpd.conf
# add where "Listen 80" is:
Listen My.Host.IP.Here:80

    DocumentRoot "/www/illumineit.com"
    ServerName www.illumineit.com

    # Other directives here

Since in modern Cloud environments the linux firewall IP Tables may block everything, here are the commands to unlock the ports:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
You can start the HTTP service and get its status:

# service httpd start
Redirecting to /bin/systemctl start  httpd.service
# service httpd status
Redirecting to /bin/systemctl status  httpd.service
 httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2016-03-07 14:09:27 UTC; 4s ago
 Main PID: 1760 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─1760 /usr/sbin/httpd -DFOREGROUND
           ├─1761 /usr/sbin/httpd -DFOREGROUND
           ├─1762 /usr/sbin/httpd -DFOREGROUND
           ├─1763 /usr/sbin/httpd -DFOREGROUND
           ├─1764 /usr/sbin/httpd -DFOREGROUND
           └─1765 /usr/sbin/httpd -DFOREGROUND

Mar 07 14:09:27 securepdf.illumineit.com systemd[1]: Starting The Apache HTTP Server...
Mar 07 14:09:27 securepdf.illumineit.com systemd[1]: Started The Apache HTTP Server.
The deployment directory for tomcat where you can place your WAR files is: /opt/apache-tomcat-7.0.68/webapps/ since I have donwloaded and installed tomcat on /opt.
You can use WinSCP to copy your WAR file there:

# ls -lh  /opt/apache-tomcat-7.0.68/webapps/
total 27M
drwxr-xr-x. 14 root root 4.0K Mar  3 11:00 docs
drwxr-xr-x.  7 root root 4.0K Mar  3 11:00 examples
drwxr-xr-x.  5 root root 4.0K Mar  3 11:00 host-manager
drwxr-xr-x.  5 root root 4.0K Mar  3 11:00 manager
drwxr-xr-x.  3 root root 4.0K Mar  3 11:00 ROOT
drwxr-xr-x.  4 root root 4.0K Mar  4 16:59 zsecure-pdf
-rw-r--r--.  1 root root  27M Mar  4 16:59 zsecure-pdf.war