Apache 2.0 + Tomcat 5.0 SSL Configuration

Source: Internet
Author: User
Tags: apache, tomcat

Recently, for a project, the other party used Apache + Tomcat for their application deployment. I did not know much about how Apache and Tomcat work together, so after some searching I set up a test environment and tried it out. The configuration methods are JK and ProxyPass. There is also an AJP method for which I could not find suitable configuration documentation, so that one did not succeed; here I only introduce the first two methods.

I. Environment preparation

Apache 2.0.63 (build with OpenSSL) and Tomcat 5.0.30 can be downloaded from their official websites.

mod_jk can be downloaded from http://tomcat.apache.org/download-connectors.cgi.

Operating system: Windows XP SP3

Apache and Tomcat have been installed and run, and a digital certificate has been applied for. See the documents http://files.cnblogs.com/bjrmt/server_Apache.pdf, http://files.cnblogs.com/bjrmt/113656.pdf and http://files.cnblogs.com/bjrmt/apache-tomcat-install.pdf for details.

II. JK environment configuration

JK2 is no longer officially supported, so I use mod_jk-1.2.26-httpd-2.0.61.so. In JK mode Apache talks to Tomcat through Tomcat port 8009 (AJP), whatever protocol is used between the client and Apache. Tomcat's server.xml contains the following connector:

<Connector port="8009"
    enableLookups="false" redirectPort="8443" debug="0"
    protocol="AJP/1.3" />

When Tomcat is started --

Configure Apache: in httpd.conf add

LoadModule jk_module modules/mod_jk-1.2.26-httpd-2.0.61.so

JkWorkersFile conf/workers.properties
JkLogFile logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
JkRequestLogFormat "%w %V %T"
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

<VirtualHost *:80>
<IfModule mod_ssl.c>
SSLEngine on
SSLSessionCacheTimeout 300
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# +ExportCertData is needed when Tomcat has to read the client certificate content
SSLOptions +StdEnvVars +ExportCertData
# certificate file returned by the CA
SSLCertificateFile conf/ssl.crt/localhost.cer
# private key generated with OpenSSL
SSLCertificateKeyFile conf/ssl.crt/server.key
# server certificate chain file
SSLCertificateChainFile conf/ssl.crt/cachain.cer
# directory holding the CA root certificates
SSLCACertificatePath conf/ssl.crt
# CA root certificate file
SSLCACertificateFile conf/ssl.crt/cachain.cer
# whether a client certificate is required; set to none if it is not
SSLVerifyClient require
# certificate chain verification depth, usually set to 3 or 4
SSLVerifyDepth 3
</IfModule>
ServerName localhost
JkMount /*.jsp worker1
JkMount /*.do worker1
</VirtualHost>

workers.properties file content (this file does not exist yet and needs to be created):

workers.tomcat_home=D:\Program Files\Apache Software Foundation\Tomcat 5.0
workers.java_home=D:\Program Files\Java\jdk1.5.0_06
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=50
worker.worker1.socket_keepalive=1
worker.worker1.socket_timeout=300

With this the Apache configuration is complete and can be checked with apache -t. If it reports Syntax OK, the configuration is fine and the server can be started.

Test application page (cert.jsp):

<%@ page import="java.security.*" %>
<%@ page import="java.security.cert.*" %>
<%@ page contentType="text/html; charset=GBK" %>
<html>
<head>
<meta name="generator" content="Microsoft Visual Studio 6.0">
</head>
<body bgcolor=#e4edff>
<%
boolean bRevoked = false;
boolean isFaf = true;
X509Certificate x509cert;
String str = "";
// JSP: get the client certificate chain that the connector attached to the request
X509Certificate certs[] = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
if (certs == null || certs.length == 0) {
    // No certificate reached Tomcat (no client cert, or the connector did not forward it)
    out.println("no client certificate received");
} else {
    x509cert = certs[0];  // certs[0] is the client's own certificate
    out.println("SerialNumber: " + x509cert.getSerialNumber().toString(16));
    out.println("<br>");
    out.println("<br>");
    out.println("SubjectDN: " + x509cert.getSubjectDN().toString());
    out.println("<br>");
    out.println("<br>");
}
%>
</body>
</html>

Access https://localhost/cert.jsp. The test succeeds.


III. ProxyPass is easy to configure and can be used directly. However, with two-way (client certificate) authentication the certificate content cannot be read this way; I still do not understand the reason.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

Uncomment these four lines.

<VirtualHost *:80>
<IfModule mod_ssl.c>
SSLEngine on
SSLSessionCacheTimeout 300
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +ExportCertData
SSLCertificateFile conf/ssl.crt/localhost.cer
SSLCertificateKeyFile conf/ssl.crt/server.key
SSLCertificateChainFile conf/ssl.crt/cachain.cer
SSLCACertificatePath conf/ssl.crt
SSLCACertificateFile conf/ssl.crt/cachain.cer
SSLVerifyClient require
SSLVerifyDepth 3
</IfModule>
ServerName localhost
ProxyPass / http://localhost:8081/
ProxyPassReverse / http://localhost:8081/
</VirtualHost>
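As an added example (not part of the original post), here is a servlet filter for the Tomcat side that reads the same javax.servlet.request.X509Certificate attribute as the cert.jsp test page in section II and refuses the request when the attribute is missing, which is the case the ProxyPass setup in section III runs into. The class name ClientCertFilter and the attribute names client.subject and client.serial are my own choices.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects any request that did not arrive with a verified client certificate.
 * Map it in web.xml (filter + filter-mapping) to /cert.jsp or to /*.
 */
public class ClientCertFilter implements Filter {
    // Attribute name fixed by the Servlet specification; the AJP connector fills it
    // from the certificate Apache exported with SSLOptions +ExportCertData.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) resp;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        // Null here is the ProxyPass symptom: the connector never received the
        // certificate. A request reaching the Tomcat port directly looks the same,
        // so refuse instead of dereferencing certs[0] (NullPointerException in the JSP).
        if (certs == null || certs.length == 0) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        // certs[0] is the end-entity certificate; further entries are the chain.
        X509Certificate cert = certs[0];
        try {
            // Apache already verified the chain (SSLVerifyClient require); re-checking
            // the validity window is cheap and catches clock or config mistakes in front.
            cert.checkValidity();
        } catch (CertificateException e) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }
        // Expose the fields the test page prints, for the JSP or for access logging.
        req.setAttribute("client.subject", cert.getSubjectX500Principal().getName());
        req.setAttribute("client.serial", cert.getSerialNumber().toString(16));
        chain.doFilter(req, resp);
    }

    public void destroy() { }
}
```

Because the filter runs inside Tomcat, it also covers the path where a client talks to the Tomcat HTTP or AJP port without passing through Apache's SSLVerifyClient check.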
