Securing Apache Tomcat with SSL


In our tutorial Apache Tomcat for your webserver & webcontainer under Ubuntu 16.04/18.04 I showed you how to install and configure Apache Tomcat on Ubuntu. This follow-up tutorial shows how to secure the Tomcat web server and web container with SSL. Strictly speaking, you will learn how to set up an SSL-enabled reverse proxy that negotiates securely with clients and forwards their requests to Tomcat.

Without SSL, all communication between the Tomcat server and its clients is unencrypted, including passwords and other confidential data. There is more than one way to integrate SSL into your Tomcat installation; to cover the main options, this tutorial shows both Apache and Nginx as the proxy.

First of all: Why reverse proxy?

Tomcat can encrypt connections natively, so the question arises what a reverse proxy is needed or useful for.

The answer lies in the disadvantages that SSL handled directly by Tomcat brings with it. I will briefly discuss some of them:

  • SSL with Tomcat is not as well supported by some software. For example, Let’s Encrypt does not offer a native way to interact with Tomcat. Furthermore, the Java Keystore format requires that conventional certificates be converted before use, which makes automation difficult.
  • In addition, traditional web servers receive releases more often than Tomcat. This can have a significant impact on the security of your applications: the SSL cipher suites supported by Tomcat can become outdated, so your applications may not be optimally protected. When security updates are required, it is usually easier to update a web server than your Tomcat installation.

A reverse proxy avoids these problems by placing a strong web server in front of Tomcat. The web server handles SSL for client requests, a task it is designed for.

The web server then forwards requests to Tomcat, which keeps running in its normal, non-privileged configuration. This separation simplifies configuration, even though an additional piece of software has to be run.

HTTP proxy with the mod_jk module of your Apache

The Apache web server has a module called mod_jk that can communicate directly with Tomcat via the Apache JServ protocol. A connector for this protocol is enabled by default in Tomcat, so Tomcat is ready to handle these requests by default.

Before we can discuss how to run Apache web server connections to Tomcat, you need to install and secure an Apache web server. For more information, see our tutorial Installing Apache2 on Ubuntu 16.04/18.04. Afterwards it is necessary to set up SSL on the server.

If you have a domain name, the easiest way to secure the server is with Let’s Encrypt, which provides free trusted certificates. Just follow our tutorial Setting up an Apache server as a reverse proxy with Ubuntu to set this up.

Next, connect the Apache web server to your Apache Tomcat. Install the mod_jk module using the command shown below. The Apache web server uses this module to communicate with Tomcat via the Apache JServ protocol. The module is activated automatically during installation.

 apt-get install libapache2-mod-jk 

Next, you have to configure the module. Its main configuration file is /etc/libapache2-mod-jk/workers.properties. Open this file in the editor of your choice; I use nano.

 nano /etc/libapache2-mod-jk/workers.properties 

Search the file for the workers.tomcat_home statement and set it to your Tomcat installation directory. For our Tomcat installation this is /opt/tomcat. Save the file with Ctrl+O and leave nano with Ctrl+X.

 workers.tomcat_home=/opt/tomcat 

Adapt the Apache Virtual Host to the proxy with mod_jk

Next, we need to adapt our Apache Virtual Host to make proxy requests to our Tomcat installation.

If you set up SSL with Let’s Encrypt, the file location depends on the options you selected during the certificate process. You can determine which virtual hosts serve SSL requests with the following command.

 apache2ctl -S 

The output will look similar to this:

 
VirtualHost configuration:
*:80                   example.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost www.example.com (/etc/apache2/sites-enabled/default-ssl.conf:2)

. . .

Using the lines associated with SSL port 443 (lines 3-6 in this example), we can determine which virtual hosts files are involved in serving these domains.

Here we see that both the 000-default-le-ssl.conf file and the default-ssl.conf file are involved, so you should edit both. Your results will probably differ.
Open the files in the editor of your choice.


nano /etc/apache2/sites-enabled/000-default-le-ssl.conf

nano /etc/apache2/sites-enabled/default-ssl.conf

Regardless of which files you need to open, the process is the same: inside the <VirtualHost *:443> block, add the JKMount directive shown below, which routes every request path to the mod_jk worker ajp13_worker.


<VirtualHost *:443>

    . . .

    JKMount /* ajp13_worker

    . . .

</VirtualHost>

Save the update with the key combination Ctrl+O and exit the nano editor with Ctrl+X. Repeat the above process for any other files you have identified that need to be edited.
Verify your configuration.

 apache2ctl configtest 

If the output says “Syntax OK”, restart your Apache web server.

 systemctl restart apache2 

You should now get to your Apache Tomcat by visiting the SSL version of your site in your web browser (e.g. https://example.com).
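As an added check that is not part of the original tutorial, the following script takes an apache2ctl -S listing (the one from above, embedded as a constructed sample), extracts the vhost files that serve port 443 and confirms that each of them contains a JKMount directive. The --check flag and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the gridscale tutorial: pick the vhost files that serve
# port 443 out of `apache2ctl -S` output and confirm each one carries a JKMount
# directive, so no SSL vhost is left answering requests without the Tomcat proxy.

# Print the unique config files that serve port 443 (apache2ctl -S text on stdin).
ssl_vhost_files() {
    awk '
        /^\*:443 / { in443 = 1; next }      # start of the *:443 section
        /^\*:[0-9]+/ { in443 = 0 }          # any other port section ends it
        in443 && match($0, /\([^)]*\)/) {   # "(/path/to/file.conf:2)"
            f = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/:[0-9]+$/, "", f)          # drop the ":line" suffix
            if (!(f in seen)) { seen[f] = 1; print f }
        }'
}

# Return 0 when every file given contains a JKMount directive, 1 otherwise.
jkmount_present() {
    rc=0
    for f in "$@"; do
        if grep -Eq '^[[:space:]]*JKMount[[:space:]]' "$f"; then
            echo "ok: JKMount found in $f"
        else
            echo "MISSING: no JKMount in $f"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample, copied from the apache2ctl -S listing in the tutorial.
SAMPLE='VirtualHost configuration:
*:80                   example.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost www.example.com (/etc/apache2/sites-enabled/default-ssl.conf:2)'

# On a live host run:  sh this_script.sh --check
if [ "${1:-}" = "--check" ]; then
    set -- $(apache2ctl -S | ssl_vhost_files)   # word-split: paths without spaces
    jkmount_present "$@"
else
    printf '%s\n' "$SAMPLE" | ssl_vhost_files   # prints the two *.conf paths above
fi
```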

HTTP Proxy with Nginx

Proxying with Nginx is just as easy as with Apache. While Nginx has no module that speaks the Apache JServ protocol, it can use its robust HTTP proxying capabilities to communicate with Tomcat.

Before we get into how Nginx connects to Tomcat, you need to install Nginx, secure it and set up SSL on the server.

If you have a domain name, the easiest way to secure the server is with Let’s Encrypt, which provides free trusted certificates. Follow our Let’s Encrypt Guide for Nginx, which includes instructions for installing Nginx.
After that, it’s all about how to connect the Nginx web server to your Tomcat.

Step 1: Customize the Nginx server block configuration

Setting up Nginx as a proxy for Tomcat is very easy.

Start by opening the server block file associated with your site. We assume that you are using the default server block file in this tutorial.

 nano /etc/nginx/sites-available/default 

In the upper part of the file, add an upstream block. It holds the connection details so that Nginx knows where our Tomcat server is listening. Place it outside any of the server blocks defined in the file, as shown in the snippet below.


upstream tomcat {
    server 127.0.0.1:8080 fail_timeout=0;
}

server {

    . . .

Then change the location block within the server block defined for port 443. We want to forward all requests to the upstream block just defined. Comment out the current content of the location block and use the proxy_pass directive to point at the tomcat upstream.

We also need to include the proxy_params configuration in this block. This file defines many details about how Nginx forwards the connection. Then save with Ctrl+O and exit nano with Ctrl+X.


    server 127.0.0.1:8080 fail_timeout=0;
}

server {

    . . .

    location / {
        #try_files $uri $uri/ =404;
        include proxy_params;
        proxy_pass http://tomcat/;
    }

    . . .
}

Step 2: Test and restart Nginx

Next, test that no syntax errors occurred during the configuration changes.

 nginx -t 

If no errors are reported, restart Nginx to implement your changes.

 systemctl restart nginx 

You should now be able to reach your Tomcat installation by visiting the SSL version of your site in your web browser (e.g. https://example.com).

Restrict access to the Tomcat installation

Now you have SSL-encrypted access to your Apache Tomcat. Since all requests to Tomcat should pass through our proxy, we can configure Tomcat to listen only on the local loopback interface. This ensures that external parties cannot send requests directly to Tomcat and bypass the proxy.

Open the server.xml file in your Tomcat configuration directory to change these settings.

 nano /opt/tomcat/conf/server.xml 

In this file we have to change the connector definitions. Currently there are two connectors activated in the configuration. One handles normal HTTP requests on port 8080, while the other handles Apache JServ protocol requests on port 8009. The configuration looks something like this:


...

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
...

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

To restrict access to the local loopback interface, add an address attribute with the value 127.0.0.1 to each of these connector definitions. The end result should look like the following snippet. Save with Ctrl+O and exit nano with Ctrl+X.


. . .

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               address="127.0.0.1"
               redirectPort="8443" />
. . .

    <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" redirectPort="8443" />

Restart your Apache Tomcat again so that the updates are applied.

 systemctl restart tomcat 

If you have followed our tutorial Apache Tomcat for your webserver & webcontainer under Ubuntu 16.04/18.04, you should have a ufw firewall enabled for your installation.

Since all our requests to Tomcat are now limited to the local loopback interface, we can remove the rule from our firewall that allows external requests to Tomcat.

 ufw delete allow 8080 

Your Apache Tomcat should now only be accessible through your web server proxy.
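To confirm that result, here is an added example that is not from the original tutorial: it parses the listening sockets reported by ss -ltn (constructed before/after samples are embedded) and flags any Tomcat port that is still bound to something other than the loopback interface. The ss -ltn column layout, the --check flag and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the gridscale tutorial: read `ss -ltn` output and report
# any listening socket on a Tomcat port (8080 HTTP, 8009 AJP) that is bound to
# something other than loopback, i.e. still reachable without going through the proxy.

# Args: ports to check. Input: `ss -ltn` text on stdin.
# Prints "port host" for each exposed socket; returns 1 if any, 0 when all are loopback.
exposed_tomcat_ports() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1; found = 0 }
        $1 == "LISTEN" {
            addr = $4                            # Local Address:Port column
            port = addr; sub(/.*:/, "", port)    # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (!(port in want)) next
            # Java reports the IPv4 loopback as [::ffff:127.0.0.1] on dual-stack hosts
            if (host == "127.0.0.1" || host == "[::1]" || host == "[::ffff:127.0.0.1]") next
            print port " " host; found = 1
        }
        END { exit found }'
}

# Constructed samples: before and after adding address="127.0.0.1" to both connectors.
BEFORE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       100     *:8080               *:*
LISTEN  0       100     *:8009               *:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:443                *:*'
AFTER='State   Recv-Q  Send-Q  Local Address:Port        Peer Address:Port
LISTEN  0       100     [::ffff:127.0.0.1]:8080   *:*
LISTEN  0       100     [::ffff:127.0.0.1]:8009   *:*
LISTEN  0       128     0.0.0.0:22                0.0.0.0:*
LISTEN  0       511     *:443                     *:*'

# On a live host:  ss -ltn | sh this_script.sh --check
if [ "${1:-}" = "--check" ]; then
    exposed_tomcat_ports 8080 8009 && echo "Tomcat listens on loopback only"
else
    echo "before:"; printf '%s\n' "$BEFORE" | exposed_tomcat_ports 8080 8009 || echo "(exposed sockets listed above)"
    echo "after:";  printf '%s\n' "$AFTER"  | exposed_tomcat_ports 8080 8009 && echo "(none exposed)"
fi
```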

Conclusion

At this point, connections to your Tomcat instance are encrypted via a web server proxy with SSL. While running a separate web server process adds to the software needed to deploy your applications, it makes securing traffic much easier. I have enjoyed helping you with this. 🙂
