0

The SSL connection is working for every page on the Apache server except those served to Tomcat. Tomcat works well over an http connection.

The setup:

  • Apache/2.2.21
  • Tomcat-7.0.23
  • mod_jk to connect them
  • self-signed certificate

What is working

If I try to connect to Tomcat through http everything is OK. Every page which is specified in the JkMount directive is forwarded to Tomcat and all the other pages are Apache's responsibility. I have two virtual hosts - one for port 80 and one for 443. The working configuration for 80 is:

<VirtualHost *:80>
ServerName *******

JkMount /cas ajp13_worker
JkMount /cas/* ajp13_worker

</VirtualHost>

What is my problem

When I try to use https with similar vhost configuration for port 443 - there is an entry in the apache logs:

File does not exist: ****/apache2/htdocs/cas

Configuration files

The settings for vhost on port 443:

<VirtualHost ****:443>
ServerName *******

JkMount /cas ajp13_worker
JkMount /cas/* ajp13_worker

</VirtualHost>

In the httpd.conf the section for mod_jk is:

JkWorkersFile ****/tomcat-7.0.23/conf/workers.properties
JkLogFile ****/apache2/logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

(I've read that I need the following lines ... )
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT

In httpd-ssl.conf I've specified the certificate paths ... https is working correctly for all pages except the Tomcat ones.

DocumentRoot is specified in httpd.conf.

Questions

What is controlling whether the Apache is searching in DocumentRoot dir or forwarding the requests to Tomcat? What am I doing wrong?

Thank you :)

TheMouse
  • 1
    What's the output from `apache2ctl -S`? I have a sneaking suspicion that a different :443 vhost is getting the requests instead. – Shane Madden Mar 12 '12 at 16:51
  • Could you write this as an answer (so I can select it) and not just a comment. This was my problem. There was a second vhost for 443 in `conf/extra/httpd-ssl.conf` Thank you. – TheMouse Mar 12 '12 at 22:26

3 Answers

2

Check the output of apache2ctl -S - a second SSL vhost that is loading first on the port will get requests instead of the desired vhost.

Shane Madden
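A rough static version of the check from the answer above, added here as an illustration (not code from the question or from Apache): it lists `<VirtualHost>` blocks per port in the order they are read and flags a later vhost whose `JkMount`/`ProxyPass` paths are missing from the first one. The file contents, host names and `conf/vhosts-cas.conf` are constructed, and it follows the answer's first-loaded rule without modelling `NameVirtualHost` or `ServerName` matching, so `apache2ctl -S` remains the authoritative view.

```python
import re
from collections import defaultdict

# Constructed sample: (file label, text) pairs in the order Apache reads them.
SAMPLE_CONFIGS = [
    ("conf/extra/httpd-ssl.conf", """
<VirtualHost _default_:443>
ServerName www.example.test
</VirtualHost>
"""),
    ("conf/vhosts-cas.conf", """
<VirtualHost *:80>
ServerName cas.example.test
JkMount /cas ajp13_worker
JkMount /cas/* ajp13_worker
</VirtualHost>
<VirtualHost *:443>
ServerName cas.example.test
JkMount /cas ajp13_worker
JkMount /cas/* ajp13_worker
</VirtualHost>
"""),
]

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
FORWARD_RE = re.compile(r"^\s*(?:JkMount|ProxyPass)\s+(\S+)", re.M | re.I)
PORT_RE = re.compile(r":(\d+|\*)$")

def vhosts_by_port(configs):
    """Group <VirtualHost> blocks by port, keeping the order they are read in."""
    ports = defaultdict(list)
    for path, text in configs:
        for m in VHOST_RE.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            for addr in m.group(1).split():
                port = PORT_RE.search(addr)
                ports[port.group(1) if port else "*"].append(
                    {"where": f"{path}:{line}", "forwards": FORWARD_RE.findall(m.group(2))})
    return ports

def shadowed_forwards(configs):
    """List later vhosts whose forwarded paths the first vhost on that port lacks."""
    findings = []
    for port, hosts in vhosts_by_port(configs).items():
        for later in hosts[1:]:
            missing = [p for p in later["forwards"] if p not in hosts[0]["forwards"]]
            if missing:
                findings.append((port, hosts[0]["where"], later["where"], missing))
    return findings

print(shadowed_forwards(SAMPLE_CONFIGS))
```

A finding means requests on that port may never reach the vhost carrying the forwarding rules; merge the two vhosts or move the rules into the one that actually answers.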
1

What is controlling whether the Apache is searching in DocumentRoot dir or forwarding the requests to Tomcat?

Two factors: the order and definition of <Directory> and related directives, and the JKMount location(s).

I am curious why you think you need two - just use /cas/* (apache will redirect a request for /cas to /cas/ automatically if /cas does not exist, based on the DirectorySlash setting, which defaults to On)

adaptr
1

The DocumentRoot from the httpd.conf is only in charge for the global Apache settings. If you set on your server on a VirtualHost configuration it shouldn't interfere with your VH at all.

I'd recommend for now to increase your LogLevel and check the log file after that. Additionally, if it ain't on productive server yet, you can drop the DocumentRoot lines in httpd.conf as well.

I haven't used mod_jk for a very long time as I find the configuration itself not very amusing. I switched over to mod_proxy for this sort of reverse proxying as it is more intuitive. In case of Tomcat I use mod_proxy_ajp and enclose the elements with the <IfModule mod_proxy_ajp.c> container. But that might be a personal flavour thing. If you can't figure out why, you might save time giving that a try.

Chris
  • I have tried mod_proxy_ajp - it seems easier to configure. When I add `ProxyPass /cas ajp://localhost:8010/cas` to the vhost configs: if I add it to the *:80 config section - it works (like with mod_jk) ... but when I add it to the 443 section - all requests are forwarded to the htdocs dir. There is no helpful info in the logs (I've switched to debug). Any ideas? – TheMouse Mar 12 '12 at 11:02
  • How does your ``container for SSL look like? Can you try and work with the IP address? Like ``and do you have the `NameVirtualHost` set for SSL as well? – Chris Mar 12 '12 at 17:08