Recently, for a project, the other party used Apache + Tomcat to deploy their application. I did not know much about how Apache and Tomcat work together before, so after searching on Google I built a test environment and tried it out. The configuration methods include JK and ProxyPass. There is also an AJP method, but I did not find suitable configuration documentation for it, so it was not successful. Here I will only introduce the first two configuration methods.
I. Environment preparation
Apache 2.0.63 (OpenSSL) + Tomcat 5.0.30, both of which can be downloaded from the official websites.
mod_jk can be downloaded from http://tomcat.apache.org/download-connectors.cgi.
Operating system: Windows XP SP3
Apache and Tomcat are installed and running, and the digital certificate has been applied for. For details, see the documents http://files.cnblogs.com/bjrmt/server_Apache.pdf, http://files.cnblogs.com/bjrmt/113656.pdf and http://files.cnblogs.com/bjrmt/apache-tomcat-install.pdf.
II. JK environment configuration
JK2 is currently not officially supported, so I am using mod_jk-1.2.26-httpd-2.0.61.so. In JK mode, Apache and Tomcat communicate through Tomcat port 8009, and you do not need to care which protocol is used between Apache and Tomcat. The Tomcat server.xml file contains the following content:
<Connector port="8009"
enableLookups="false" redirectPort="8443" debug="0"
protocol="AJP/1.3" />
When Tomcat is started --
Configure Apache: in httpd.conf, add
LoadModule jk_module modules/mod_jk-1.2.26-httpd-2.0.61.so
JkWorkersFile conf/workers.properties
JkLogFile logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
JkRequestLogFormat "%w %V %T"
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
<VirtualHost *:80>
<IfModule mod_ssl.c>
SSLEngine on
SSLSessionCacheTimeout 300
# This cipher list also enables SSLv2, export-grade (EXP) and unencrypted (eNULL) suites
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Add ExportCertData when Tomcat needs to read the client certificate content
SSLOptions +StdEnvVars +ExportCertData
# Certificate file returned by the CA
SSLCertificateFile conf/ssl.crt/localhost.cer
# Private key generated with OpenSSL
SSLCertificateKeyFile conf/ssl.crt/server.key
# Server certificate verification chain file
SSLCertificateChainFile conf/ssl.crt/cachain.cer
# Path to the CA root certificate files
SSLCACertificatePath conf/ssl.crt
# CA root certificate file
SSLCACertificateFile conf/ssl.crt/cachain.cer
# Whether client certificate verification is required; use none if it is not
SSLVerifyClient require
# Certificate verification depth, usually 3 or 4
SSLVerifyDepth 3
</IfModule>
ServerName localhost
JkMount /*.jsp worker1
JkMount /*.do worker1
</VirtualHost>
Contents of workers.properties (this file does not exist by default and needs to be created):
workers.tomcat_home=D:\Program Files\Apache Software Foundation\Tomcat 5.0
workers.java_home=D:\Program Files\Java\jdk1.5.0_06
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=50
worker.worker1.socket_keepalive=1
worker.worker1.socket_timeout=300
The Apache configuration is now complete and can be checked with apache -t. If it reports Syntax OK, the configuration is valid and the server can be started.
Test application page:
<%@ page import="java.security.*" %>
<%@ page import="java.security.cert.*" %>
<%@ page contentType="text/html; charset=GBK" %>
<html>
<head>
<meta name="generator" content="Microsoft Visual Studio 6.0">
</head>
<body bgcolor="#e4edff">
<%
boolean brevoked = false;
boolean isfaf = true;
String str = "";
// Get the client certificate chain from the request
X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
if (certs == null || certs.length == 0) {
    // No client certificate reached Tomcat for this request
    out.println("no client certificate");
} else {
    // The first element is the client's own certificate
    X509Certificate x509cert = certs[0];
    out.println("serialnumber:" + x509cert.getSerialNumber().toString(16));
    out.println("<br>");
    out.println("<br>");
    out.println("subjectdn:" + x509cert.getSubjectDN().toString());
    out.println("<br>");
    out.println("<br>");
}
%>
</body>
</html>
Access https://localhost/cert.jsp. The test is successful.
III. ProxyPass is easy to configure and can be set up directly. However, with two-way authentication, the certificate content cannot be read this way. I still don't understand the reason.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
Uncomment these four lines in httpd.conf.
<VirtualHost *:80>
<IfModule mod_ssl.c>
SSLEngine on
SSLSessionCacheTimeout 300
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +ExportCertData
SSLCertificateFile conf/ssl.crt/localhost.cer
SSLCertificateKeyFile conf/ssl.crt/server.key
SSLCertificateChainFile conf/ssl.crt/cachain.cer
SSLCACertificatePath conf/ssl.crt
SSLCACertificateFile conf/ssl.crt/cachain.cer
SSLVerifyClient require
SSLVerifyDepth 3
</IfModule>
ServerName localhost
ProxyPass / http://localhost:8081/
ProxyPassReverse / http://localhost:8081/
</VirtualHost>
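
With ProxyPass the TLS session ends at Apache and Tomcat receives only a plain HTTP request on port 8081, so the certificate that mod_jk carries inside the AJP request never reaches the javax.servlet.request.X509Certificate attribute. The Java code below is an added example, not code from the original post: it reads the client certificate from a request header that Apache fills in. Assumptions: Apache 2.2 or later with mod_headers (the RequestHeader line in the comment), Java 8 or later, and the hypothetical header name X-SSL-Client-Cert and class name ForwardedClientCert.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example. Assumed Apache side (2.2+, mod_headers and mod_ssl loaded):
//   RequestHeader set X-SSL-Client-Cert "%{SSL_CLIENT_CERT}s"
// "set" overwrites any header of that name sent by the client. Tomcat's HTTP
// port must accept connections from Apache only, or the header can be forged.
public class ForwardedClientCert {
    static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    static final String END = "-----END CERTIFICATE-----";

    /** Parses the forwarded PEM; returns null when the value holds no PEM block. */
    public static X509Certificate parse(String header) throws Exception {
        if (header == null) return null;
        int start = header.indexOf(BEGIN), stop = header.indexOf(END);
        if (start < 0 || stop < start) return null; // no certificate was forwarded
        // A header cannot hold line breaks, so the PEM lines arrive joined
        // by spaces; strip all whitespace before Base64-decoding the body.
        String body = header.substring(start + BEGIN.length(), stop).replaceAll("\\s+", "");
        byte[] der = Base64.getDecoder().decode(body);
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: take any certificate from the JDK trust store
        // and format it the way the header value would arrive at Tomcat.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509Certificate sample =
                ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()[0];
        String header = BEGIN + " "
                + Base64.getMimeEncoder(64, new byte[] {' '}).encodeToString(sample.getEncoded())
                + " " + END;

        X509Certificate cert = parse(header);
        System.out.println("serialNumber: " + cert.getSerialNumber().toString(16));
        System.out.println("subjectDN: " + cert.getSubjectX500Principal().getName());
        System.out.println("round trip ok: " + cert.equals(sample));
        System.out.println("empty header: " + parse(""));
    }
}
```

In a JSP or servlet the call would be ForwardedClientCert.parse(request.getHeader("X-SSL-Client-Cert")), used only when the request attribute is null.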