apache fronting tomcat
These instructions allow for the Apache Web server to front the Web Application running under Tomcat.
- Install Apache: on Ubuntu, execute the following commands on the command line:
    sudo apt-get update
    sudo apt-get install apache2
- Install mod_jk: to install mod_jk on Ubuntu, execute the following command on the command line:
    sudo apt-get install libapache2-mod-jk libapache2-mod-security2
  This will also enable the module.
- Ensure the following settings are enabled in /etc/apache2/mods-enabled/jk.conf:
    JkWorkersFile /etc/libapache2-mod-jk/workers.properties
    JkLogFile /var/log/apache2/mod_jk.log
    JkLogLevel info
    JkOptions +RejectUnsafeURI
    JkStripSession On
- Configure the workers properties file: edit /etc/libapache2-mod-jk/workers.properties and set workers.tomcat_home to point to the Biobank Tomcat directory:
    workers.tomcat_home=/opt/tomcat/apache-tomcat-8.5.30
  Set workers.java_home to point to your Java JRE:
    workers.java_home=/data/java-7-oracle
- Enable SSL connections on the Apache server:
    sudo a2ensite default-ssl.conf
  Enable the ssl module on Apache:
    sudo a2enmod ssl
- Set server name: edit the SSL configuration file:
    ServerName __your_server_name_here__
    ServerAlias __your_alias_here__
  And add the following line in the <VirtualHost> section:
    JkMount /biobank* ajp13_worker
- Optional: create a self-signed certificate. Use these instructions.
- Restart: restart the Apache server and start the Biobank Tomcat server:
    sudo service apache2 reload
    /etc/init.d/tomcat start
For more SSL certificate info see /usr/share/doc/apache2/README.Debian.gz.
Use a TLS/SSL certificate from Let’s Encrypt for the Apache server.
This section uses the DNS name biobank.cbsr.ualberta.ca as an example. Please substitute it with the DNS name for your server.
- Add the repository:
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update
    sudo apt-get install python-certbot-apache
- Set up the SSL certificate:
    sudo certbot --apache -d biobank.cbsr.ualberta.ca
  Replace biobank.cbsr.ualberta.ca with your server's full DNS name.
- Set up auto renewal. First, edit the crontab file:
    sudo crontab -e
  Add the following line to the end of the file:
    15 3 * * * /usr/bin/certbot renew --quiet
  This will run a cron job every morning at 3:15 AM and renew the certificate if it has expired. A log of the command's execution is saved to /var/log/le-renew.log.
If you cannot log in with the client and get the error
    java.lang.RuntimeException: Could not generate DH keypair
and
    java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
add the following to the end of the first certificate file you have configured using the SSLCertificateFile directive in /etc/apache2/sites-enabled/default-ssl.conf.
-----BEGIN DH PARAMETERS-----
MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
-----END DH PARAMETERS-----
For the server at biobank.cbsr.ualberta.ca this was added to the file /etc/letsencrypt/live/biobank.cbsr.ualberta.ca/fullchain.pem.
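The client error quoted above limits the DH prime to a multiple of 64 bits between 512 and 1024. As an added example (not part of the original wiki; the function names are hypothetical), this Python script extracts a DH PARAMETERS block from the text of a PEM file, decodes its DER structure, and checks the prime size against those limits:

```python
# Added example; helper names are illustrative, not from the Biobank project.
import base64
import re

# DH PARAMETERS block copied from this page (the value appended to fullchain.pem).
PAGE_DH_PEM = """\
-----BEGIN DH PARAMETERS-----
MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
-----END DH PARAMETERS-----
"""

_DH_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def dh_params(pem_text):
    """Return (prime_bits, generator) of the DH block in pem_text, or None."""
    m = _DH_RE.search(pem_text)
    if m is None:
        return None
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters are not a DER SEQUENCE")
    t1, p, nxt = _read_tlv(seq, 0)
    t2, g, _ = _read_tlv(seq, nxt)
    if (t1, t2) != (0x02, 0x02):
        raise ValueError("expected INTEGER p and INTEGER g")
    return int.from_bytes(p, "big").bit_length(), int.from_bytes(g, "big")


def accepted_by_client(bits):
    """Limits quoted in the error message: multiple of 64, 512 to 1024."""
    return bits % 64 == 0 and 512 <= bits <= 1024
```

Pass the contents of the file named by SSLCertificateFile to dh_params(); a result of None means no DH block has been appended to it.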
Using Acme Shell script.
- Switch to the root user and install using curl:
    sudo -i
    curl https://get.acme.sh | sh
- Log out of the root shell.
- Switch to the root user again, and install the certificate:
    sudo -i
    .acme.sh/acme.sh --issue --alpn --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2" -d biobank.cbsr.ualberta.ca
    systemctl start apache2
- Restart the Apache server:
    sudo systemctl start apache2