1

We currently have a Tomcat application running with SSL on port 443. Right now we have an apache server that accepts http requests on port 80 and redirects to the Tomcat instance:

    # Plain-HTTP virtual host: every request is sent to the HTTPS site served by Tomcat
    <VirtualHost *:80>
        ServerName domain.com
        ServerAlias domain.com
        <LocationMatch "/">
            Redirect permanent / https://domain.com/
        </LocationMatch>
    </VirtualHost>

Tomcat is handling SSL, because there's no proxy, just a simple redirect to the SSL port:

    <!-- Tomcat's HTTPS connector: terminates TLS itself using the JKS keystore -->
    <Connector
        port="443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/app/ssl/domain_com.jks" keystorePass="ourpassword"
        clientAuth="false" sslProtocol="TLS"/>

We want to begin using the apache web server as a proxy and additionally, do per-IP redirects to certain apps that should only be used by hosts on a pre-determined IP range. We would also like to redirect IPs that don't match the pre-determined list to a static html page hosted on the apache server.

My first question is: Should I continue to handle SSL on Tomcat's end, or should I use apache with SSL while forwarding to an "unprotected" tomcat port?

Is there any way to redirect to different apps (and potentially hosts) depending on the incoming IP?

thanks, del

delirial

4 Answers

2

As to the SSL handling, this is a typical use case of SSL Offloading. Since you are very probably going to use one SSL Certificate (certificate for your domain name), you are going to have one apache and n Tomcats. So apache is the better place for SSL handling. The communication between Apache and Tomcat should then go through AJP and NOT http or https.

I have written a step by step instruction to SSL offloading, might be helpful to you. Here is the link to it: http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html

1

We always use Apache (or Nginx) for proxying and "SSL offloading", as some call it. Have been doing it for years in various production systems with various requirements. Apache gives you much flexibility and many features you can leverage so you can keep the application server configuration as simple, thin and easy to understand as possible. I would also recommend using mod_jk (i.e. AJP) for the connection between Apache and Tomcat. Tomcat listens for AJP requests on port 8009 by default.

As to your questions on redirecting: this can be done easily using a combination of mod_rewrite, mod_jk and maybe a few Location/LocationMatch directives in your Apache configuration. Depends on what exactly you want to do. Needs more details, or better, a separate question.

daff
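The setup the answers above describe, written out as an added example (not from any of the answers or the linked guides): Apache terminates TLS and forwards to Tomcat over AJP, and access to one application is limited by client IP, with everyone else shown a static page served by Apache. It uses mod_proxy_ajp rather than mod_jk for the AJP hop; the hostnames, file paths, the /internal-app context and the 10.0.0.0/8 range are placeholders, and the AJP secret needs Apache 2.4.42+ and Tomcat 9.0.31+.

```apache
# Constructed example: Apache 2.4 as TLS-terminating reverse proxy for Tomcat.
# Requires mod_ssl, mod_proxy, mod_proxy_ajp, mod_authz_core, mod_alias.

<VirtualHost *:80>
    ServerName domain.com
    # Keep the existing behaviour: nothing is served in the clear.
    Redirect permanent / https://domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.com

    # TLS now ends here; Tomcat's 443 connector can be removed.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/domain_com.crt     # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/domain_com.key   # placeholder path
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    ProxyRequests Off        # reverse proxy only, never an open forward proxy
    ProxyPreserveHost On     # Tomcat sees the original Host header

    # Default route: everything goes to Tomcat's AJP connector on localhost.
    # Tomcat side (placeholder secret): <Connector protocol="AJP/1.3" port="8009"
    #   address="127.0.0.1" secretRequired="true" secret="CHANGE-ME"/>
    <Location "/">
        ProxyPass        "ajp://127.0.0.1:8009/" secret=CHANGE-ME
        ProxyPassReverse "ajp://127.0.0.1:8009/"
    </Location>

    # Restricted application: only the internal range may reach it.
    # Require ip checks the TCP peer address (REMOTE_ADDR), not a client-supplied
    # header, so it cannot be spoofed unless another proxy sits in front of Apache.
    <Location "/internal-app">
        Require ip 10.0.0.0/8
        # Clients outside the range get the static page instead of a bare 403.
        ErrorDocument 403 /not-allowed.html
        ProxyPass        "ajp://127.0.0.1:8009/internal-app" secret=CHANGE-ME
        ProxyPassReverse "ajp://127.0.0.1:8009/internal-app"
    </Location>

    # The static page is served by Apache itself and never proxied to Tomcat.
    <Location "/not-allowed.html">
        ProxyPass "!"
    </Location>
    Alias /not-allowed.html /var/www/static/not-allowed.html   # placeholder path
</VirtualHost>
```

Because the longest-matching <Location> wins, the /internal-app and /not-allowed.html blocks override the catch-all "/" route; check the result with `apachectl configtest` and a request from an address outside the range before exposing it.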
1

This is possible. I prefer to have Apache as frontend for all backend web servers, including multiple versions of Tomcat (allowing easier upgrades per customer), IIS and some appliances.

The SSL offloading is described at http://www.invantive.com/about-invantive/news/entryid/897/ssl-offloading-for-apache-tomcat.

Regarding question 2 (selective redirection), we typically use two approaches:

  • All similar instances of an application are reachable behind one URL using a virtual host. For instance, app1.invantive.com or that-other-app.invantive.com.
  • Each user group gets a different URL within that virtual host, as well as some form of splitting DTAP. For instance, app1.invantive.com/acme-corporation/production, app1.invantive.com/acme-northpole-corporation/test.

If you use Apache only for routing traffic, you will seldom if ever need to replace it. So it becomes a robust component which makes it easy to transfer applications and sites to new locations and you just need to redirect the Apache routing rules. You don't have DNS changes and issues with TTL anymore.

0

I am really not that familiar with tomcat apps or architecture (I only run a few in my organization), so there might be other ways to go about large scale implementations; however, SSL could be handled by Tomcat, Apache or offloaded to a load-balancer and the other stuff you mentioned could be easily handled using mod_rewrite.

There are some Apache modules out there that do just this (with tons of howto's and guides on the net). Check out mod_proxy, mod_proxy_ajp or maybe mod_jk. You will want to do some research to find out the best fit for you.

Hopefully this will be a good research starting point anyway.

Hope this helps!

InChargeOfIT