Tuesday, April 26, 2011

Securing Tomcat with Apache Web Server mod_proxy

I wanted to enable SSL encryption to allow secure channels (https) to our tomcat server. There were 2 obvious ways to do this:

  1. Secure Tomcat directly
  2. Secure an Apache web server front-end that controls access to tomcat

Secure Tomcat directly

Securing tomcat directly is fairly straight-forward and is the easiest. But it does have some drawbacks. The major drawback for me was restricting access to other webapps running within the tomcat container. I had about 5 different webapps running, but I only wanted one to be publicly available. Now some will argue that you can restrict access by enforcing rules within the firewall, but I found that to be clunky. If you're interested in going this route, here is a link describing how to enable security for tomcat directly:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Secure an Apache web server front-end

 I prefer using Apache web server as the front-end for many reasons which has been discussed to death. I'll note some of the more important reasons:
  • Apache can server static content much faster
  • Apache can run as a load balancer in front of a cluster of tomcat instances
  • Apache can handle SSL encryption for a cluster of tomcat instances
  • Apache has several modules that can easily be plugged in
For more reasons have a look at this article: http://wiki.apache.org/tomcat/FAQ/Connectors

In this instance I will be using Apache's mod_proxy module to redirect traffic to the tomcat server and use Apache to provide the SSL encryption.


To get an idea of how it works see the diagram below:




When a user visits our website using the default web port of 80, Apache will redirect the traffic to Tomcat on port 8080. Similarly, when browser is communicating on port 443 (https), apache will enable encryption and redirect traffic to tomcat on port 8443.




In my setup of Apache, I have 2 main configuration files:
  1. httpd.conf
  2. ssl.conf
httpd.conf contains the configuration for handling traffic running on port 80:

Listen 80
ProxyRequests Off
ProxyPreserveHost on
<VirtualHost _default_:80>

    ServerName your_company_domain_name
    ProxyPass /app http://localhost:8080/app
    ProxyPassReverse /app http://localhost:8080/app 
  
    RewriteEngine On
    RewriteRule ^(.*)/login$ https://%{SERVER_NAME}$1/login [L,R]      
</VirtualHost>

The ProxyPass and ProxyPassReverse is responsible for the redirection.
The RewriteEngine and RewriteRule is responsible for redirecting  any requrests for the login page on port 80 to the secure channel running on port 443.

ssl.conf contains the configuration for handling traffic running on port 443:
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/pki/tls/certs/your_company_certificate.pem
SSLCertificateKeyFile /etc/pki/tls/certs/your_company_private_key.pem
ServerName your_company_domain_name
ProxyPass /app http://localhost:8443/app
ProxyPassReverse /app http://localhost:8443/app
</VirtualHost>

The SSLCertificateFile and SSLCertificateKeyFile are responsible for enabling encryption and requires the private key as well as the certificate file provided by your certificate authority.
Just as before, the lines ProxyPass and ProxyPassReverse are responsible for the redirection of traffic from port 443 to tomcat on port 8443.

server.xml contains the tomcat configuration details
Server.xml
    <Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="true" redirectPort="443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"/>  

    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="true" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"        
        scheme="https"
        secure="false" 
        SSLEnabled="false" 
        proxyPort="443"
        proxyName="your_company_domain_name"
     />

Importing certficates into keystore

keytool -import -alias auscert -keystore -trustcacerts -file


Extracting existing certificates and private keys from a keystore to be used in Apache in PEM format

Originally, I had setup encryption witin Tomcat rather than apache. When I wanted to  migrate the control of security from Tomcat to Apache, I was faced with the issue that each Tomcat and Apache expected the certificates in different formats. After much researching I found a tool that was helpful in extracting the private key and the certificate out of the keystore into the PEM format expected by Apache. The opensource tool can be downloaded here: http://sourceforge.net/projects/portecle




To extract the private key from JKS keystore, use this:
http://www.softpedia.com/get/Security/Security-Related/KeyTool-IUI.shtml
Select Export -> Keystore's entry -> Private key
When identifying the Target files, remember to choose 'Private key and certificates' and 'PEM Encoded'
And the rest is self explantory


Remove passphrase from key

openssl rsa -in private_key.pem -out private_key_no_passphrase.pem


Here are some articles describing the problem in more detail:
http://techsk.blogspot.com/2009/01/exporting-tomcat-keys-to-apache-httpd.html
http://pnkumaresh.wordpress.com/2010/11/12/exporting-tomcat-ssl-keys-to-apache-httpd/

Verification

To verify that the certificates are properly installed use the following command:

keytool -printcert -sslserver servername

References:

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://thejavamonkey.blogspot.com/2008/07/using-apache-httpd-server-as-secure.html
http://www.mooreds.com/wordpress/archives/223
http://www.customware.net/repository/display/GREENHOUSE/2009/06/13/Reverse+Proxy+with+Apache+mod_proxy
https://confluence.sakaiproject.org/display/DOC/Sakai+Admin+Guide+-+Advanced+Tomcat++%28and+Apache%29+Configuration

15 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. BAD idea. This setup will result in an open proxy

    ReplyDelete
    Replies
    1. Hmm? How do you figure? I thought that by using 'ProxyRequests Off' this cannot be used as an open proxy.

      Delete
  3. Can you elaborate on the difference of using mod_jk instead of mod_proxy in your implementation?

    ReplyDelete
  4. SSL certificate gives a pledge that the server is lawful. When an e-commerce site buys a certificate, certificate authorities offer a digital certificate. This makes certain that the website possessor's information is broadcasted and kept secure by a legitimate server.SSL for Apache

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. This comment has been removed by a blog administrator.

    ReplyDelete
  7. I've been pounding my head the past week trying to accomplish this for a development project and you gave me the one piece I needed to make it all work. Thanks!!!

    ReplyDelete
  8. This comment has been removed by a blog administrator.

    ReplyDelete
  9. Hi there, I've been searching for a simplified explanation to this for so long. I can only thank you for this. I now understand what my technical consultant is proposing. Also know what I will be spending my money on :)

    ReplyDelete
  10. Is it possible for Apache Web Server to pass details of the certificate Subject DN to Tomcat in some way - presumably as an http header?

    ReplyDelete
  11. Hi Nicholas,

    I haven't tried so I'm sorry I can't add more than what I've posted

    Good luck!

    ReplyDelete
  12. This comment has been removed by a blog administrator.

    ReplyDelete