James,

> On 06.04.2020 at 21:53, James H. H. Lampert <jam...@touchtonecorp.com> wrote:
> 
> Here is the situation:
> 
> We have an existing Amazon EC2 instance, running Amazon Linux 2, with an 
> Apache httpd server already running our web sites (for argument's sake, 
> "foo.com," "bar.com," and "baz.com."), and already getting its certs from 
> Let's Encrypt, using "foo.com" as the CN, with "www.foo.com," "bar.com," 
> "www.bar.com," "baz.com," and "www.baz.com" as SANs. And it seems to be 
> working quite nicely.
> 
> Now, we want to add a Tomcat server, which would then serve several webapp 
> contexts at "qux.baz.com," and maybe also "corge.baz.com," running behind the 
> httpd server (which is something I've never done before; I've always set up 
> Tomcat directly facing the outside world, so with this, I frankly haven't a 
> clue what I'm doing).
> 

Don't be scared!

> First of all, which is currently considered the easier/better way to get 
> Tomcat running behind httpd, given the above scenario? "mod_proxy," or 
> "mod_jk?" Or is there something else I haven't heard of?
> 


> Second of all, I found this step-by-step procedure.
> 
>> https://preview.tinyurl.com/vwnutqj
> 
> Is it any good?
> 
Sounds reasonable.

Are you going to host Tomcat on the same "server" or are you proxying to a 
different instance? Then mod_proxy and ssl (!) should be the way to go. If you 
are on the same instance, you may want to see if mod_jk is an option.

> Third, am I correct in assuming that all we need to do in order for the 
> existing Let's Encrypt setup to cover the new "qux" and "corge" subdomains is 
> to add them to the SANs already listed?
> 

That and the additional ServerAliases or VirtualHosts that proxy the Tomcat 
requests.

> Finally, are there any "gotchas" I need to be concerned with?
> 

Any headers that are necessary for your Tomcat application need to be sent or 
maybe rewritten.

You may need to set the correct attributes on your connector, so the URLs are 
correctly rewritten (port 8080/8443 in Tomcat should be https 443 to the 
outside! Cookies may need the correct path and secure flag.)

That may be a second round of tweaking. First get to serve the pages on the 
right URI.

Let us know how you get along and we can add to the config if necessary.

Peter

> --
> James H. H. Lampert
> Touchtone Corporation
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
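
Added example, not part of the original messages: a minimal httpd virtual host for the setup discussed above, with the matching Tomcat connector attributes shown as comments. It assumes Tomcat runs on the same instance and listens on 127.0.0.1:8080; the certificate paths are placeholders and the loopback binding is an assumption, not something stated in the thread.

```apache
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be loaded.
<VirtualHost *:443>
    ServerName  qux.baz.com
    ServerAlias corge.baz.com

    SSLEngine on
    # Placeholder paths: point these at the existing Let's Encrypt certificate
    # once qux.baz.com and corge.baz.com have been added to its SANs.
    SSLCertificateFile    /path/to/letsencrypt/fullchain.pem
    SSLCertificateKeyFile /path/to/letsencrypt/privkey.pem

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Pass the original Host header through, so Tomcat sees qux.baz.com or
    # corge.baz.com instead of 127.0.0.1:8080.
    ProxyPreserveHost On

    # Only needed if the webapp (or a RemoteIpValve) reads this header.
    # mod_proxy_http already adds X-Forwarded-For, -Host and -Server.
    RequestHeader set X-Forwarded-Proto "https"

    # Plain HTTP is acceptable here only because the hop stays on loopback.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Matching connector in Tomcat's conf/server.xml (XML, shown here as comments):
#
#   <Connector port="8080" protocol="HTTP/1.1"
#              address="127.0.0.1"
#              proxyPort="443" scheme="https" secure="true" />
#
# address="127.0.0.1"  keeps the connector off the public interface, so every
#                      request has to come through httpd.
# proxyPort / scheme   make redirects and generated URLs use https on port 443
#                      instead of http on port 8080.
# secure="true"        makes request.isSecure() return true, so Tomcat marks
#                      the session cookie as Secure.
# proxyName is left out on purpose: with ProxyPreserveHost On, Tomcat takes the
# host name from the Host header, which works for both subdomains.
```

After changing either file, `apachectl configtest` checks the httpd side before a reload; Tomcat needs a restart to pick up connector changes.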

