On 05.07.2018 12:35, Sandels Mark (RTH) OUH wrote:
> Hi Peter
>
> I would use tomcat to provide https if it could be configured to do this - is
> this fairly easy to do?
>
> The IT Department have given me a Certificate and private key for the server
> (OXNETMDMS04) but do I need to use "keytool" to create a key store for the
> Certificate? (I am referring to the link
> https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html).

I'll go with André and Peter for the cause - that's the one line that
was well hidden in the ~600 other lines of your httpd.conf.

With regards to https in Tomcat:
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html and
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html are quite good.

Alternatively, you can also just map *everything* from Tomcat through
JkMount - this way Apache will forward all requests to tomcat, tomcat
will handle the allowed/disallowed content (e.g. /WEB-INF/*) and you'll
be safe again while still having encryption handled by Apache. I
personally like it this way, because this neatly separates various
aspects - like read-permissions on the private key: What tomcat doesn't
need to read, it can't reveal to the world. And httpd typically knows
how to drop root permissions. Too often I see tomcat run as root,
because that's the quick fix to serve ports 80 and 443.

Not to mention that mod_rewrite has saved my bacon a few times when it
took only a minute to configure to work around an application problem.

Olaf
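
The layout described in the message above, sketched as an httpd configuration. This is an added example, not part of the original post and not the poster's own configuration; the worker name `tomcat1`, the host name, the account names and all file paths are assumptions.

```apache
# Added example: httpd terminates TLS, Tomcat receives every request over AJP.
# Worker name, host name, account names and paths below are assumed placeholders.
LoadModule ssl_module modules/mod_ssl.so
LoadModule jk_module  modules/mod_jk.so

# httpd is started as root so it can bind port 443 and read the key,
# then its request-handling processes run as this unprivileged account.
User  apache
Group apache

# AJP worker defined inline; Tomcat's AJP connector is assumed to
# listen on localhost:8009 and Tomcat itself runs as a non-root user.
JkWorkerProperty worker.list=tomcat1
JkWorkerProperty worker.tomcat1.type=ajp13
JkWorkerProperty worker.tomcat1.host=localhost
JkWorkerProperty worker.tomcat1.port=8009
JkShmFile logs/mod_jk.shm
JkLogFile logs/mod_jk.log

Listen 443
<VirtualHost *:443>
    ServerName server.example.org

    # Encryption is handled by httpd only. The key file is assumed to be
    # owned by root with mode 0600, so the Tomcat account cannot read it.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key

    # Forward everything to Tomcat. httpd serves no webapp files itself,
    # so Tomcat decides what is allowed (it refuses /WEB-INF/* on its own).
    JkMount /* tomcat1
</VirtualHost>
```

With this layout no keystore is needed on the Tomcat side, because Tomcat never handles the certificate or the private key.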