Now (as John Cleese would say) for something completely different.

I've got my independent Tomcat and httpd servers on the development box (the Amazon Linux "Not 2" instance) successfully obtaining, using and (I hope) auto-renewing a Let's Encrypt cert via Lego. (I'll know more on September 6th: the cron log shows it ran this past Sunday, but the auto-update script skips the actual renewal if it's not the first Sunday of the month.)

But now, I have a situation in which I *do* want Tomcat running behind httpd, on an Amazon Linux 2 instance that's already obtaining a Let's Encrypt cert via certbot. But the last time I experimented with this one (several months ago, like the one I finally got working with Lego), I had a fair amount of trouble getting it even partially functional, and something I did badly screwed up the auto-renewal, which we didn't find out about until the cert expired on us.

Here is the (actual names and IP addresses redacted) httpd conf file I added, to provide the virtual host for the new subdomain. It makes no difference to me whether browser requests sent to port 80 get redirected to https or not; the important part is that (1) Certbot and Let's Encrypt can see and do what they need to, (2) users can reach all webapp contexts on the Tomcat server, including ROOT, and (3) only the specified IP addresses can see manager and host-manager.

Is there anything obvious that I'm doing wrong?

 <VirtualHost *:80>
     ServerName xyweb.frobozz.com
     # Plain-HTTP vhost is left unproxied, so certbot's webroot (HTTP-01) challenge
     # files under DocumentRoot stay reachable by Let's Encrypt.
     DocumentRoot /var/www/html/test
     ServerAdmin i...@frobozz.com
     <Directory /var/www/html/test>
         AllowOverride All
     </Directory>
     # Optional redirect to https, currently disabled:
     # RewriteEngine on
     # RewriteCond %{HTTP_HOST} !^www\. [NC]
     # RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
 </VirtualHost>

 <IfModule mod_ssl.c>
 <VirtualHost *:443>
     ServerName xyweb.frobozz.com
     DocumentRoot /var/www/html/test
     ServerAdmin i...@frobozz.com
     # Only the listed addresses may reach the Tomcat manager apps; everyone else
     # gets a 403 from httpd before the request is proxied.
     <Location /manager>
         Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
     </Location>
     <Location /host-manager>
         Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
     </Location>
     # Forward everything else (including Tomcat's ROOT context) to Tomcat's HTTP connector.
     # No trailing ';' here: httpd would read it as an extra ProxyPass argument and reject it.
     ProxyPass "/" "http://127.0.0.1:8080/"
     ProxyPassReverse "/" "http://127.0.0.1:8080/"
     ProxyRequests Off
     Include /etc/letsencrypt/options-ssl-apache.conf
     SSLCertificateFile /etc/letsencrypt/live/fizmo.com/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/fizmo.com/privkey.pem
 </VirtualHost>
 </IfModule>

--
JHHL
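As an added check (example code written for this thread, not part of the original post, of httpd or of certbot): a small Python linter that walks a vhost snippet of the kind quoted above and flags the three things that matter for the stated goals: a trailing ';' on ProxyPass lines (httpd parses it as a stray argument), a /manager or /host-manager Location with no Require, and a port-80 ProxyPass "/" that would swallow certbot's HTTP-01 challenge path. The embedded config text, host names and addresses are constructed for the example.

```python
import re

# Constructed sample modelled on the vhost pair in the post (redacted names kept), with the
# trailing ';' on ProxyPass that httpd rejects and a Location block that lacks a Require.
SAMPLE_CONF = """\
<VirtualHost *:80>
</VirtualHost>
<VirtualHost *:443>
 <Location /manager>
  Require ip ww.xx.yy.zz aa.bb.cc.dd
 </Location>
 <Location /host-manager>
 </location>
 ProxyPass "/" "http://127.0.0.1:8080/";
 ProxyPassReverse "/" "http://127.0.0.1:8080/";
</VirtualHost>
"""
ADMIN_PATHS = ("/manager", "/host-manager")    # reachable through the catch-all ProxyPass
ACME_PATH = "/.well-known/acme-challenge"       # certbot's HTTP-01 webroot path

def lint_vhosts(conf: str) -> list[str]:
    """Return human-readable findings for an httpd vhost snippet; [] means clean."""
    findings, stack, located, acme_excluded = [], [], {}, False   # stack: (section, arg)
    for n, line in enumerate((l.strip() for l in conf.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        sec = re.match(r"<(/?)(\w+)\s*([^>]*)>$", line)
        if sec:                                 # section names are case-insensitive in httpd
            if sec.group(1):
                stack.pop()
            else:
                stack.append((sec.group(2).lower(), sec.group(3).strip()))
            continue
        directive, _, rest = line.partition(" ")
        d, args = directive.lower(), [a.strip('"') for a in rest.split()]
        on_port80 = any(s == "virtualhost" and a.endswith(":80") for s, a in stack)
        if d in ("proxypass", "proxypassreverse") and rest.rstrip().endswith(";"):
            findings.append(f"line {n}: trailing ';' on {directive} is rejected by httpd as a stray argument")
        if d == "require" and stack and stack[-1][0] == "location":
            located[stack[-1][1]] = True        # this Location carries an access rule
        if d == "proxypass" and on_port80 and args:
            if args[0].startswith(ACME_PATH) and args[1:2] == ["!"]:
                acme_excluded = True            # 'ProxyPass <path> !' keeps the challenge local
            elif args[0] == "/" and not acme_excluded:
                findings.append(f"line {n}: ProxyPass / on :80 also proxies {ACME_PATH}, breaking certbot's webroot challenge")
    for path in ADMIN_PATHS:
        if not located.get(path):
            findings.append(f"{path}: no Require ip restriction found in a Location block for it")
    return findings
```

Running `lint_vhosts(SAMPLE_CONF)` reports the two stray semicolons and the unrestricted /host-manager block; an empty list means the snippet passes all three checks.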
