Apache2 with SSL and Tomcat5.5 on Ubuntu January 31, 2008

Posted by idimmu in linux.
One of the newer features to our site is an access control mechanism to force specific paths to only be delivered over SSL when our customers have particularly sensitive data. We already use Apache2 with mod_jk to talk to the Tomcat5.5 instance running our app so the only part left is to enable SSL!

First make sure mod_ssl is enabled:


root@reltest-tcj0:/var/log/apache2# a2enmod
Which module would you like to enable?
Your choices are: actions asis auth_anon auth_dbm auth_digest auth_ldap cache cern_meta cgid cgi dav_fs dav deflate disk_cache expires ext_filter file_cache headers imap include info jk ldap mem_cache mime_magic proxy_connect proxy_ftp proxy_http proxy rewrite speling ssl suexec unique_id userdir usertrack vhost_alias
Module name? ssl
This module is already enabled!


Then we configure mod_jk to pass it's SSL environment variables to Tomcat by adding the following to apache2.conf


JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT


Tell Apache2 to listen on the SSL port by editing ports.conf


Listen 443


We want to make sure we have the latest common CA certificates in order to establish a trusted root for our new shiny signed certificate!


apt-get install ca-certificates


If you have a lovely genuinely signed certificate like we do you might need to then add it's intermediate certificate to the ca-certificates system. Move the certificate to /usr/share/ca-certificates then add it's location to /etc/ca-certificates.conf

Now run update-ca-certificates to update the system's certificate store (located in /etc/ssl/certs/ca-certificates.crt).


root@reltest-tcj0:/etc/apache2/sites-enabled# update-ca-certificates
Updating certificates in /etc/ssl/certs....done.


We want the same site to simply be available over SSL I'm going to duplicate the existing VirtualHost for that site specifying the use of port 80 for the original vhost and port 443 for the new one that uses SSL. The only change that needs to be made to the new vhost are the following SSL directives:


SSLEngine On
SSLCertificateFile /etc/apache2/ssl/domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain.com.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt


Obviously making sure the keys are in the right place!

And lastly make sure that NameVirtualHost settings exist for both port 80 and port 443!


NameVirtualHost *:80
NameVirtualHost *:443


et voila.

Tags

Friends

twitter

  • @jooli2 I just wanted to see what @dpashley looked like after a pint of the black stuff, turns out he looks ugly!
  • looking forwards to performing at Burning The Clocks next Wednesday :o Come all and come watch!
  • @journoannie are they giant sad puppy eyes, as that could be kind of cute? Although the whole self pity thing is a bit of a turn off!
  • Elgg 1.8 Tidypics Group Fix http://t.co/C2D56UsH
  • BackupPC ping too slow http://t.co/9Na2PxKs

lastfm

  • Bogart Shwadchuck – Bitch Go Buy Me A Hot Dog (I'll Be Waiting Here, Doing The Robot)
  • Ill Nillas – What Up Bitches
  • M9 – Mental Prison (Feat. Phoenix Da Icefire) (Produced By Chemo)
  • Therapy? – A Moment Of Clarity
  • Therapy? – Unbeliever
  • Therapy? – Die Laughing
  • Finger Eleven – Swallowtail
  • Equilibrium – Mana
  • Equilibrium – Dämmerung
  • Equilibrium – Ruf In Den Wind

IdleRPG Stats

  • 1 webvictim 57
  • 2 HRH_H_Crab 57