0

I have configured Apache on a local server (Server1) and Apache Tomcat on a remote server (Server2). Apache works with the mod_jk connector, which redirects requests to the remote Tomcat. Both are working on SSL. Is this configuration safe, and does it use encryption between Server1 and the remote Server2?

workers.properties

```
worker.ajp13.type=ajp13
worker.ajp13.host=<REMOTE_IP>
worker.ajp13.port=8009
```
marioosh
  • How remote is the `tomcat` instance? Is it another server in the same rack, another datacentre in the same company, or another datacentre at a different company? How are the networks between `apache` and `tomcat` connected? Is there a VPN link in-place, is it a private LAN / WAN, or do they communicate over the public internet without a VPN? – Mike Insch Jul 22 '11 at 12:11
  • They communicate over public internet, but both use https / SSL. – marioosh Jul 22 '11 at 12:42
  • On one server is Apache, on another is Tomcat. Both communicate over internet. Config is as in my previous question [here](http://serverfault.com/questions/238190/one-ssl-certificate-one-domain-for-two-servers) – marioosh Jul 22 '11 at 13:11
  • I took a look at your setup from your previous question - you are aware that the connection between `apache` and `tomcat` is *not* encrypted? With your setup, only the connection from your user to your `apache` server is protected by SSL, the connection using `mod_jk` from `apache` to `tomcat` is open. If this channel also needs encryption then no, this is not safe. – Mike Insch Jul 22 '11 at 13:26
  • You may want to change to mod_proxy to do the HTTPS trick – ghm1014 Jul 22 '11 at 15:17
  • @ghm1014: I tried to use mod_proxy for that, but without 100% success. Do you have some examples of how to do that right? – marioosh Jul 25 '11 at 05:39
  • Example added as an answer. – ghm1014 Aug 02 '11 at 19:18

1 Answer

1

Let's say you have your public server on: public.example.com:443

And your private server on: private.example.com:8443

Your Apache configuration should look like:

```apache
<VirtualHost *:443>
ServerName public.example.com
SSLEngine on
# Enable SSL/TLS on the proxied connection to the backend
SSLProxyEngine on
# Forward all requests to the private server over HTTPS
ProxyPass / https://private.example.com:8443/
ProxyPassReverse / https://private.example.com:8443/

#Common SSL configuration
DirectoryIndex index.php index.html index.htm index.shtml
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/ssl/startssl/ssl.crt
SSLCertificateKeyFile /etc/ssl/startssl/ssl.key
SSLCACertificateFile /etc/ssl/startssl/sub.class1.server.ca.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
```
ghm1014
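Added example, not part of the original answer: `SSLProxyEngine on` encrypts the Apache-to-Tomcat hop, but mod_ssl's default `SSLProxyVerify none` does not validate the backend certificate, which matters when the two servers talk over the public internet as described in the comments. The fragment below shows the proxy leg with verification enabled. The CA bundle path is a hypothetical placeholder, and `SSLProxyCheckPeerName` assumes Apache 2.4.5 or later (older releases only have `SSLProxyCheckPeerCN`).

```apache
# Added example (not the answerer's configuration).
# Hostnames and front-end certificate paths are taken from the answer above;
# /etc/ssl/backend/backend-ca.pem is a hypothetical placeholder.
<VirtualHost *:443>
    ServerName public.example.com

    # Front-end leg: browser -> Apache
    SSLEngine on
    SSLCertificateFile    /etc/ssl/startssl/ssl.crt
    SSLCertificateKeyFile /etc/ssl/startssl/ssl.key

    # Back-end leg: Apache -> Tomcat over HTTPS instead of cleartext AJP (port 8009)
    SSLProxyEngine on

    # Weak (default behaviour if omitted): the channel is encrypted,
    # but any certificate presented by the peer is accepted.
    # SSLProxyVerify none

    # Hardened: require a certificate that chains to a CA you trust...
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/ssl/backend/backend-ca.pem

    # ...whose name matches the host in the ProxyPass URL and is not expired.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Do not negotiate SSLv3 with the backend.
    SSLProxyProtocol all -SSLv3

    ProxyPass        / https://private.example.com:8443/
    ProxyPassReverse / https://private.example.com:8443/
</VirtualHost>
```

With verification on, a certificate that fails the chain or name check makes the proxied request fail with a 5xx response and an entry in the SSL error log, so a mismatch is visible rather than silently accepted.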