Re: Tomcat behind httpd, with Let's Encrypt and Certbot
Mark,

On 8/17/20 03:50, Mark Thomas wrote:
> On 16/08/2020 18:00, James H. H. Lampert wrote:
>> Permit me to clarify:
>>
>> 1. The existing httpd server on this box, and its certbot setup may be extended/expanded, but not otherwise disturbed.
>>
>> 2. Running Tomcat independently of httpd on this box is not an option, because *both* are to be visible to the outside world on port 443 of the same IP address. Doing so was not merely "an option," but *mandatory* on the other box, which has Tomcat and httpd on separate ports.
>>
>> 3. At this point, the concern is making certain that the httpd virtual host for the new subdomain provides for the needs of both Certbot and Tomcat. Then, I can worry about adding the new subdomain to Certbot.
>
> First of all, to confirm I am reading the config correctly:
>
> - httpd redirects all http requests to https
> - anything proxied to Tomcat MUST have been received by httpd over https
>
> Given you don't mind whether proxying to Tomcat is over http or https, I recommend http and an http connector in Tomcat with the following settings:
>
> SSLEnabled="false", secure="true", scheme="https"

This is the right sauce for telling Tomcat that the request is secure yet not encrypted, but that the reverse-proxy is handling the encryption (which is why it's "secure").

But I wouldn't recommend this unless you are sure it will be on the same box. If you decide to separate httpd from Tomcat on another server, I'd recommend encrypting the connection between them. For that, there is no need for a cert from a known CA: you can be your own CA. Just mint your own cert which is valid however long you want, install it in Tomcat, and make sure that httpd trusts it.
-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat behind httpd, with Let's Encrypt and Certbot
Well, today, I brought the Tomcat server back up, and put the Virtual Host back into conf.d, and it worked.

Then I learned that my whole silly-go-round of a few months ago, trying to add the new subdomain to the existing certs, was completely unnecessary, that each subdomain's virtual host could point to its own cert file, and I also learned about "certbot renew --force-renewal" to test whether renewal would actually work (it does).

--
JHHL
Re: Tomcat behind httpd, with Let's Encrypt and Certbot
On 16/08/2020 18:00, James H. H. Lampert wrote:
> Permit me to clarify:
>
> 1. The existing httpd server on this box, and its certbot setup may be extended/expanded, but not otherwise disturbed.
>
> 2. Running Tomcat independently of httpd on this box is not an option, because *both* are to be visible to the outside world on port 443 of the same IP address. Doing so was not merely "an option," but *mandatory* on the other box, which has Tomcat and httpd on separate ports.
>
> 3. At this point, the concern is making certain that the httpd virtual host for the new subdomain provides for the needs of both Certbot and Tomcat. Then, I can worry about adding the new subdomain to Certbot.

First of all, to confirm I am reading the config correctly:

- httpd redirects all http requests to https
- anything proxied to Tomcat MUST have been received by httpd over https

Given you don't mind whether proxying to Tomcat is over http or https, I recommend http and an http connector in Tomcat with the following settings:

SSLEnabled="false", secure="true", scheme="https"

I'd be wary of directory traversal issues with the IP controls on Manager and Host Manager access in httpd. There are some edge cases where the Servlet spec's view on matching URIs to targets and the HTTP spec's view are not entirely consistent. This has been known to expose directory traversal issues.

I'd recommend using the RemoteIpValve to expose the original IP to Tomcat and then perform the IP filtering in Tomcat. Whether you keep the filtering in httpd (pro of early rejection vs con of having to keep configs in sync) is up to you.

HTH,

Mark
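Putting Mark's and Chris's settings together, here is an added example (not from the thread and not Tomcat's shipped configuration) of the Tomcat side: a plain-HTTP connector that is marked secure because httpd terminates TLS, a RemoteIpValve that trusts X-Forwarded-For only from the local httpd, and a manager context that does the IP filtering in Tomcat. The bind address, proxyName/proxyPort and the three address placeholders are assumptions carried over from the original httpd config.

```xml
<!-- conf/server.xml (fragment, added example). The hop from httpd to Tomcat
     is unencrypted HTTP, so the connector is bound to loopback only; secure
     and scheme tell Tomcat the client-facing hop was TLS (Chris's point:
     only do this while httpd and Tomcat share a box). -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           SSLEnabled="false" secure="true" scheme="https"
           proxyName="xyweb.frobozz.com" proxyPort="443"
           connectionTimeout="20000" />

<Engine name="Catalina" defaultHost="localhost">
  <!-- Replace the client address Tomcat sees with the one in X-Forwarded-For,
       but only when the request arrives from a listed internal proxy (the
       local httpd). The same header sent from any other address is ignored,
       so nothing can spoof its way past the RemoteAddrValve below. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="127\.0\.0\.1"
         remoteIpHeader="X-Forwarded-For" />
  <!-- ... Host and the rest of the Engine as before ... -->
</Engine>

<!-- conf/Catalina/localhost/manager.xml (added example; host-manager.xml is
     the same). Engine-level valves run before context valves, so the allow
     regex is matched against the address RemoteIpValve derived above.
     The three addresses are the placeholders from the original httpd config. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="ww\.xx\.yy\.zz|aa\.bb\.cc\.dd|ee\.ff\.gg\.hh" />
</Context>
```

With this in place the Require ip blocks in httpd become optional (early rejection versus keeping two lists in sync, as Mark says); the Tomcat-side check is the one that sees the URI the way the Servlet container resolves it.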
Re: Tomcat behind httpd, with Let's Encrypt and Certbot
Permit me to clarify:

1. The existing httpd server on this box, and its certbot setup may be extended/expanded, but not otherwise disturbed.

2. Running Tomcat independently of httpd on this box is not an option, because *both* are to be visible to the outside world on port 443 of the same IP address. Doing so was not merely "an option," but *mandatory* on the other box, which has Tomcat and httpd on separate ports.

3. At this point, the concern is making certain that the httpd virtual host for the new subdomain provides for the needs of both Certbot and Tomcat. Then, I can worry about adding the new subdomain to Certbot.

--
JHHL
Tomcat behind httpd, with Let's Encrypt and Certbot
Now (as John Cleese would say) for something completely different.

I've got my independent Tomcat and httpd servers on the development box (the Amazon Linux "Not 2" instance) successfully obtaining, using and (I hope) auto-renewing a Let's Encrypt cert via Lego. (I'll know more on September 6th: the cron log shows it ran this past Sunday, but the auto-update script skips the actual renewal if it's not the first Sunday of the month.)

But now, I have a situation in which I *do* want Tomcat running behind httpd, on an Amazon Linux 2 instance that's already obtaining a Let's Encrypt cert via certbot. But the last time I experimented with this one (several months ago, like the one I finally got working with Lego), I had a fair amount of trouble getting it even partially functional, and something I did badly screwed up the auto-renewal, which we didn't find out about until the cert expired on us.

Here is the (actual names and IP addresses redacted) httpd conf file I added, to provide the virtual host for the new subdomain. It makes no difference to me whether browser requests sent to port 80 get redirected to https or not; the important part is that (1) Certbot and Let's Encrypt can see and do what they need to, (2) users can reach all webapp contexts on the Tomcat server, including ROOT, and (3) only the specified IP addresses can see manager and host-manager.

Is there anything obvious that I'm doing wrong?

<VirtualHost *:80>
    ServerName xyweb.frobozz.com
    DocumentRoot /var/www/html/test
    ServerAdmin i...@frobozz.com
    <Directory /var/www/html/test>
        AllowOverride All
    </Directory>
    # RewriteEngine on
    # RewriteCond %{HTTP_HOST} !^www\. [NC]
    # RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName xyweb.frobozz.com
    DocumentRoot /var/www/html/test
    ServerAdmin i...@frobozz.com
    # manager and host-manager restricted to the listed addresses
    <Location /manager>
        Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
    </Location>
    <Location /host-manager>
        Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
    </Location>
    ProxyPass "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
    ProxyRequests Off
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/fizmo.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fizmo.com/privkey.pem
</VirtualHost>

--
JHHL