Pid,

> Thanks for the response, I have contacted the developers of our web site to separate the documentRoot directories. Also, I have tested the SSL with httpd turned off, and I don't seem to have the same luck. I received the following error: Error code: ssl_error_rx_record_too_long. I believe this was because Apache did not find the ssl.conf setting to enable SSL (I commented it out for testing).


> Once I re-enabled it the error went away, but I was wondering if this could mean that some configuration setting is missing or incorrect with Tomcat. I have researched the error, but haven't found anything that may help. Here is the snippet from server.xml that specifies the SSL settings:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/usr/local/ssl/private/fun.macneillgroup.com.keystore"
           keypass="nottherealkeypass"
           truststoreFile="/usr/local/ssl/cert/fun.macneillgroup.com.crt"
           truststorePass="nottherealkeypass" />

> Also, you mentioned a bad mod_jk. The httpd.conf calls mod_proxy, which currently doesn't have any specific settings. I tried to manipulate the entry to point to our site:443 but the page didn't display.

> Sorry for the explosion of thoughts. I want to make it known (if my rambling hasn't already) that I am very new to Apache/Tomcat. Is there a resource that I can use to identify "good practices" to manage this web server? Please note that this server was set up by a consulting company which created the page; I have been recently tasked to manage it and configure the SSL. Thanks again.



Either Apache HTTPD handles the SSL, or Tomcat does.

You've got a Tomcat connector set up for port 443; if you also have a port 443 set up in your HTTPD, you have a problem right there.

If you want to use Apache HTTPD, then I'd advise that you configure it to handle the SSL as well - comment out the Tomcat SSL Connector in server.xml.

You state that you're using mod_proxy; is there also a LoadModule for mod_proxy_ajp or mod_proxy_http?

What other Connectors are defined in server.xml?


p
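
Added example (not part of the original thread, and not anyone's posted configuration): a small Python check for the three problems raised in this thread, namely Tomcat and HTTPD both claiming the same port, a DocumentRoot that overlaps Tomcat's webapps directory, and mod_proxy loaded without mod_proxy_ajp or mod_proxy_http. The sample server.xml and httpd.conf are constructed, the finding names are made up for this sketch, and appBase is assumed to be an absolute path.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread; not the poster's real files.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" />
  <Connector port="443" scheme="https" secure="true" sslProtocol="TLS" />
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="/var/lib/tomcat5/webapps" />
  </Engine>
</Service></Server>"""
HTTPD_CONF = """Listen 80
Listen 443
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
DocumentRoot "/var/lib/tomcat5/webapps"
"""

def _within(child, parent):
    """True if path `child` equals or lies under `parent`."""
    return (child.rstrip("/") + "/").startswith(parent.rstrip("/") + "/")

def audit(server_xml, httpd_conf):
    """Return a sorted list of finding codes (hypothetical names)."""
    root = ET.fromstring(server_xml)
    tomcat_ports = {int(c.get("port")) for c in root.iter("Connector") if c.get("port")}
    # Assumption: appBase is absolute; a relative one resolves against CATALINA_BASE.
    app_bases = [posixpath.normpath(h.get("appBase")) for h in root.iter("Host") if h.get("appBase")]
    listen, modules, doc_roots = set(), set(), []
    for raw in httpd_conf.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        name, arg = parts[0].lower(), parts[1].strip('"')
        if name == "listen":            # "443", "1.2.3.4:443" or "[::]:443"
            listen.add(int(arg.rsplit(":", 1)[-1]))
        elif name == "loadmodule":
            modules.add(arg)
        elif name == "documentroot":
            doc_roots.append(posixpath.normpath(arg))
    findings = set()
    if tomcat_ports & listen:           # both servers want the same port
        findings.add("PORT_CONFLICT")
    if any(_within(d, a) or _within(a, d) for d in doc_roots for a in app_bases):
        findings.add("DOCROOT_EXPOSES_WEBAPPS")   # HTTPD would serve WEB-INF as plain files
    if "proxy_module" in modules and not modules & {"proxy_ajp_module", "proxy_http_module"}:
        findings.add("PROXY_WITHOUT_BACKEND_MODULE")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SERVER_XML, HTTPD_CONF))
```

Removing the port-443 Connector from server.xml, moving DocumentRoot outside the webapps directory and loading mod_proxy_ajp clears all three findings.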






On 28/09/2009 22:12, Jorge Medina wrote:
As suggested by André, you may want to join the Apache User's list and ask 
your question there.

You need to configure SSL in your Apache web server.
To configure SSL in the Apache web server, the first thing you need to do is to verify 
that the module mod_ssl is available.
You may want to consider posting sections of your httpd.conf file (or any relevant file 
included by the "Include" directive). (Remove any sensitive information when 
posting your question.)

-Jorge



-----Original Message-----
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com]
Sent: Monday, September 28, 2009 3:19 PM
To: 'Tomcat Users List'; 'Tomcat Users List'
Subject: RE: Apache/Tomcat with SSL

André,

That is what I did and it still came up with server not found. If you would 
like to verify. Our site is http://fun.macneillgroup.com. The site we are 
currently testing is http://fun.macneillgroup.com/focus/common/Index.jsp. This 
page works, however the https form doesn't seem to produce the desired results.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com


-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, September 28, 2009 3:02 PM
To: Tomcat Users List
Subject: Re: Apache/Tomcat with SSL

Miguel Ortiz wrote:
André,

This server was configured by our web development contractors. I was only 
tasked with setting up the SSL. When I go to the specified URL, firefox throws 
a server not found.


When I mentioned the URL
http://your-hostname/ROOT/WEB-INF/web.xml
I meant for you to replace the "your-hostname" part by your own host's name.
:-)

Also, basically I think that this discussion belongs more to the Apache user's 
list, than Tomcat's, because it seems that the SSL part is done at the Apache 
httpd level, not at Tomcat's level.
It is also not easy to just add SSL to an Apache httpd, if this Apache httpd 
uses VirtualHosts.

In the first responses to your first post, some very relevant questions were 
asked, which I don't think you have answered fully yet.  It is difficult for 
someone to help you with the partial information you have supplied so far.  
Tell us:
- on which platform (OS) this is running
- how Apache httpd and Tomcat are connected together (using mod_jk, 
mod_proxy_ajp, or mod_proxy_http?)
- is (was) your Apache httpd configured with multiple <VirtualHost> sections?
- can you append your main Apache httpd configuration file (httpd.conf or 
apache2.conf, depending on platform).  Don't put it as an attachment, because 
chances are this list will strip it. Paste it right into your message.
- what exactly did you add, and where, to add the SSL capability?










-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, September 28, 2009 11:25 AM
To: Tomcat Users List
Subject: Re: Apache/Tomcat with SSL

Miguel Ortiz wrote:
...
[u...@localhost conf.d]# tail -f /var/log/httpd/ssl_error_log
[Mon Sep 28 08:51:41 2009] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 08:51:44 2009] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 09:03:04 2009] [error] [client xxx.xxx.xxx.xxx] Directory index forbidden by Options directive: /var/lib/tomcat5/webapps/

Nothing to do, I think, with your problem, but it would seem from the
above that you have configured your Apache front-end with something
like

DocumentRoot /var/lib/tomcat5/webapps

which, in principle, is not a good idea.
What do you get in your browser when you request
http://your-hostname/ROOT/WEB-INF/web.xml

(or with https:// as the case may be)
?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.5.409 / Virus Database: 270.13.112/2390 - Release Date:
09/28/09 05:51:00



This email and any files transmitted with it are the confidential property of 
Focus Holdings, LLC and its subsidiaries, and intended solely for the use of 
the individual or entity to whom they are addressed. If you are not the named 
addressee you should not disseminate, distribute or copy this e-mail. Please 
notify the sender immediately by e-mail if you have received this e-mail by 
mistake and delete this e-mail from your system. If you are not the intended 
recipient you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly prohibited.
