SSL connection to Tomcat (behind Apache - mod_jk)
Solution 1
Check the output of apache2ctl -S - a second SSL vhost that is loading first on the port will get requests instead of the desired vhost.
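An added example, not part of the original answer and not Apache's own tooling: a small Python lint that reads `<VirtualHost>` blocks and lists, per port, the blocks that carry no JkMount/ProxyPass for a path while a sibling block on the same port does. The file contents, load order and function names are constructed, and the matching is simplified; apache2ctl -S remains the authority on which vhost actually receives a request.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample: (file, contents) pairs in an assumed load order.
CONFIGS = [
    ("conf/extra/httpd-ssl.conf", """<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
"""),
    ("conf/httpd.conf", """<VirtualHost *:80>
    JkMount /cas/* ajp13_worker
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    JkMount /cas/* ajp13_worker
</VirtualHost>
"""),
]

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
MOUNT_RE = re.compile(r"^\s*(JkMount|ProxyPass)\s+(\S+)", re.M | re.I)

def forwards(mounts, path):
    """Simplified matching (assumption): JkMount as a glob, ProxyPass as a prefix."""
    return any(fnmatchcase(path, pat) if d.lower() == "jkmount" else path.startswith(pat)
               for d, pat in mounts)

def vhosts_by_port(configs):
    """Group every <VirtualHost> address by port, keeping file:line and its mounts."""
    by_port = defaultdict(list)
    for fname, text in configs:
        for m in VHOST_RE.finditer(text):
            where = f"{fname}:{text.count(chr(10), 0, m.start()) + 1}"
            mounts = MOUNT_RE.findall(m.group(2))
            for addr in m.group(1).split():
                port = addr.rsplit(":", 1)[1] if ":" in addr else "*"
                by_port[port].append((where, mounts))
    return by_port

def shadow_candidates(configs, path):
    """Per port: vhosts that do NOT forward `path` while a sibling on that port does."""
    report = {}
    for port, group in vhosts_by_port(configs).items():
        lacking = [where for where, mounts in group if not forwards(mounts, path)]
        if lacking and len(lacking) < len(group):
            report[port] = lacking
    return report

if __name__ == "__main__":
    print(shadow_candidates(CONFIGS, "/cas/login"))
```

A port that appears in the report has at least one vhost that would answer the path from DocumentRoot, which is the "File does not exist" symptom described in the question.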
Solution 2
The DocumentRoot from the httpd.conf is only in charge of the global Apache settings. If you set on your server on a VirtualHost configuration it shouldn't interfere with your VH at all.
I'd recommend for now to increase your LogLevel and check the log file after that. Additionally, if it ain't on productive server yet, you can drop the DocumentRoot lines in httpd.conf as well.
I haven't used mod_jk for a very long time as I find the configuration itself not very amusing. I switched over to mod_proxy for this sort of reverse proxying as it is more intuitive. In case of Tomcat I use mod_proxy_ajp and enclose the elements with the <IfModule mod_proxy_ajp.c> container. But that might be a personal flavour thing. If you can't figure out why, you might save time giving that a try.
Solution 3
What is controlling whether the Apache is searching in DocumentRoot dir or forwarding the requests to Tomcat?
Two factors: the order and definition of <Directory> and related directives, and the JKMount location(s).
I am curious why you think you need two - just use /cas/* (apache will redirect a request for /cas to /cas/ automatically if /cas does not exist, based on the DirectorySlash setting, which defaults to On)
TheMouse
Updated on September 18, 2022
Comments
-
TheMouse over 1 year
The SSL connection is working for every page on the Apache server except these served to Tomcat. Tomcat works well on http connection.
The setup:
- Apache/2.2.21
- Tomcat-7.0.23
- mod_jk to connect them
- self-signed certificate
What is working
If I try to connect to tomcat through http everything is OK. Every page which is specified in the JkMount directive is forwarded to Tomcat and all the other pages are Apache's responsibility. I have two virtual hosts - one for port 80 and one for 443. The working configuration for 80 is:
<VirtualHost *:80>
    ServerName *******
    JkMount /cas ajp13_worker
    JkMount /cas/* ajp13_worker
</VirtualHost>
What is my problem
When I try to use https with similar vhost configuration for port 443 - there is an entry in the apache logs:
File does not exist: ****/apache2/htdocs/cas
Configuration files
The settings for vhost on port 443:
<VirtualHost ****:443>
    ServerName *******
    JkMount /cas ajp13_worker
    JkMount /cas/* ajp13_worker
</VirtualHost>
In the httpd.conf the section for mod_jk is:
JkWorkersFile ****/tomcat-7.0.23/conf/workers.properties
JkLogFile ****/apache2/logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# (I've read that I need the following lines ... )
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
In httpd-ssl.conf I've specified the certificate paths ... https is working correctly for all pages except the Tomcat ones.
DocumentRoot is specified in httpd.conf.
Questions
What is controlling whether the Apache is searching in DocumentRoot dir or forwarding the requests to Tomcat? What am I doing wrong?
Thank you :)
-
ravi yarlagadda about 12 years
What's the output from apache2ctl -S? I have a sneaking suspicion that a different :443 vhost is getting the requests instead.
-
TheMouse about 12 years
Could you write this as an answer (so I can select it) and not just a comment? This was my problem. There was a second vhost for 443 in conf/extra/httpd-ssl.conf. Thank you.
-
TheMouse about 12 years
I've read some examples and just entered it like that. You are right - I need only '/cas/*'.
-
TheMouse about 12 years
I have tried mod_proxy_ajp - it seems easier to configure. When I add ProxyPass /cas ajp://localhost:8010/cas to the vhost configs: if I add it to the *:80 config section - it works (like with mod_jk) ... but when I add it to the 443 section - all requests are forwarded to the htdocs dir. There is no helpful info in the logs (I've switched to debug). Any ideas?
-
Chris about 12 years
How does your <VirtualHost> container for SSL look like? Can you try and work with the IP address? Like <VirtualHost 222.333.444.555:443> and do you have the NameVirtualHost set for SSL as well?