Sometimes we want to limit the availability of the NetVizura application and add additional security layers. Reverse proxy and SSL configuration are here to ensure this. A reverse proxy is an application that forwards requests from clients to a server in such a way that the client is not aware that anything sits in between. Use cases for this are usually network-security oriented. SSL configuration can be done on the reverse proxy or directly on Apache Tomcat. In a production environment, however, it is not advisable to terminate SSL directly on Apache Tomcat; a much better choice is to use the reverse proxy as the SSL termination point.
All examples presented in this blog post are for Ubuntu Server. Nonetheless, only minor modifications are needed to make them applicable to Windows Server or any other Linux distribution.
Apache Web server reverse proxy configuration
1. Install Apache service and enable proxy mods
apt install apache2 -y
a2enmod proxy
a2enmod proxy_http
2. Delete all other sites from /etc/apache2/sites-available
3. Create /etc/apache2/sites-available/apache2proxy.conf with the following content:
<VirtualHost *:80>
ServerName netvizura.example.com
ServerAlias www.netvizura.example.com
ServerAdmin webmaster@netvizura.example.com
ErrorLog ${APACHE_LOG_DIR}/RP-error.log
CustomLog ${APACHE_LOG_DIR}/RP-access.log combined
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
4. Enable the site we have just configured
a2ensite apache2proxy.conf
5. Restart Apache service
systemctl restart apache2
Now you should be able to access the NetVizura web page at http://yoursite/netvizura.
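As an added check that is not part of the original post, the following shell function audits an Apache site file such as the apache2proxy.conf above (it also covers the https.conf used in the SSL section later) for the proxy settings that matter for security: ProxyRequests must be Off so the server cannot be used as an open forward proxy, ProxyPass should be paired with ProxyPassReverse so that redirects from Tomcat are rewritten to the public hostname instead of exposing 127.0.0.1:8080, the backend target should be on loopback, and a virtual host with SSLEngine On needs both certificate directives. The function name and the sample configurations are my own, constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the post's own tooling): audit an Apache reverse-proxy
# site file before running a2ensite. Reads the file on stdin, prints one
# finding per line and returns 1 when there is at least one finding.
# Assumption: one <VirtualHost> per file, as in the post's configurations.
audit_apache_proxy_conf() {
    awk '
        # Apache directive names are case-insensitive.
        function directive(name) { return tolower($1) == tolower(name) }
        /^[[:space:]]*#/ { next }                          # skip comments
        directive("ProxyRequests")         { proxy_requests = tolower($2) }
        directive("ProxyPass")             { proxypass = 1; target = $3 }
        directive("ProxyPassReverse")      { reverse = 1 }
        directive("SSLEngine")             { ssl = (tolower($2) == "on") }
        directive("SSLCertificateFile")    { crt = 1 }
        directive("SSLCertificateKeyFile") { key = 1 }
        END {
            n = 0
            if (proxy_requests == "on") {
                print "ProxyRequests On: the server would act as an open forward proxy"; n++
            }
            if (proxypass && !reverse) {
                print "ProxyPass without ProxyPassReverse: backend redirects would expose " target; n++
            }
            if (proxypass && target !~ /^https?:\/\/(127\.0\.0\.1|localhost)[:\/]/) {
                print "ProxyPass target " target " is not on loopback: confirm the backend is not reachable directly"; n++
            }
            if (ssl && !(crt && key)) {
                print "SSLEngine On without both SSLCertificateFile and SSLCertificateKeyFile"; n++
            }
            exit (n > 0)
        }'
}

# Constructed sample: the shape of the post's apache2proxy.conf (no findings).
SAMPLE_GOOD_CONF='<VirtualHost *:80>
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>'

# Constructed sample with three mistakes: open forward proxy, no reverse
# mapping, and a backend on a routable address.
SAMPLE_BAD_CONF='<VirtualHost *:80>
    ProxyRequests On
    ProxyPass / http://10.0.0.5:8080/
</VirtualHost>'

# Usage on a real file: audit_apache_proxy_conf < /etc/apache2/sites-available/apache2proxy.conf
printf '%s\n' "$SAMPLE_GOOD_CONF" | audit_apache_proxy_conf && echo "sample good.conf: no findings"
printf '%s\n' "$SAMPLE_BAD_CONF" | audit_apache_proxy_conf || echo "sample bad.conf: fix the findings above before a2ensite"
```

The audit is deliberately a single awk pass so it can run on the server itself without any extra packages; it complements, rather than replaces, `apachectl configtest`, which checks syntax but not whether the proxy is configured safely.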
Apache SSL
To include an additional layer of security, you can create your own certificates and add them to Apache. The first step is to create self-signed certificates. However, if you want your application to be publicly available on the web, you need to add a fitting certificate, either by buying one online or by using the Let's Encrypt service. We will not go deeper into this for now as it is out of scope (but maybe we will cover the subject in a future post, so stay tuned).
1. Create self-signed certificates
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout server.key -out server.crt
2. Enable additional mods
a2enmod ssl
3. Create /etc/apache2/sites-available/https.conf with the following content:
<VirtualHost *:443>
ServerName netvizura.example.com
ServerAlias www.netvizura.example.com
ServerAdmin webmaster@netvizura.example.com
ErrorLog ${APACHE_LOG_DIR}/RPSSL-error.log
CustomLog ${APACHE_LOG_DIR}/RPSSL-access.log combined
SSLEngine On
SSLCertificateFile /home/server.crt
SSLCertificateKeyFile /home/server.key
ProxyPreserveHost On
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
4. Enable the virtual host
a2ensite https.conf
5. Restart Apache service
systemctl restart apache2
https://yoursite/netvizura should now be fully functional.
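The certificate step above (and the NGINX SSL section that reuses the same key and certificate) gives a single openssl command and nothing to confirm the result. As an added example that is not part of the original post, the script below wraps that command and adds the checks worth running before the files are referenced from the virtual host: that the certificate carries a subjectAltName for the hostname (browsers no longer accept a CN-only certificate), that the certificate and private key actually belong together, and that the validity period is what was requested. The function names are my own; the hostname netvizura.example.com is the one used in the post's virtual hosts, and openssl 1.1.1 or newer is assumed for the -addext and -ext options.

```shell
#!/bin/sh
# Added example (not the post's own code): create and verify the self-signed
# certificate used for SSL termination on the reverse proxy.

# make_selfsigned_cert DIR HOSTNAME DAYS
#   Writes DIR/server.key and DIR/server.crt. Compared with the post's plain
#   "openssl req -x509" command this sets the subject non-interactively and
#   adds a subjectAltName, which browsers require to trust the certificate
#   for the host.
make_selfsigned_cert() {
    dir=$1; host=$2; days=$3
    openssl req -new -newkey rsa:2048 -days "$days" -nodes -x509 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,DNS:www.$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
}

# cert_matches_key CRT KEY
#   Returns 0 when the public key in the certificate equals the public key
#   derived from the private key. A mismatch makes Apache/NGINX refuse to
#   start the SSL virtual host.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for_days CRT DAYS
#   Returns 0 when the certificate does not expire within DAYS days
#   (openssl's -checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_sans CRT
#   Prints the subjectAltName extension so the hostnames can be eyeballed.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Demonstration: generate into a temporary directory, then run the checks.
# Copy the two files to the SSLCertificateFile / SSLCertificateKeyFile
# (or ssl_certificate / ssl_certificate_key) paths from the post afterwards.
main() {
    tmp=$(mktemp -d)
    make_selfsigned_cert "$tmp" netvizura.example.com 3650
    cert_matches_key "$tmp/server.crt" "$tmp/server.key" && echo "key and certificate match"
    cert_valid_for_days "$tmp/server.crt" 3649 && echo "certificate valid for at least 3649 more days"
    cert_sans "$tmp/server.crt"
    echo "files written to $tmp"
}
main
```

Keep the key file readable only by root (the post's /home/server.key is world-readable by default on most systems); the web server reads it once at startup, before dropping privileges.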
NGINX instead of Apache
If you are more inclined to use NGINX instead of Apache, here is the simple configuration you may use.
1. Install NGINX
apt install nginx -y
2. Delete all files from /etc/nginx/sites-available/ directory
3. Create file /etc/nginx/sites-available/http.conf with the following content:
server {
listen 80;
server_name netvizura.example.com;
access_log /var/log/nginx/tomcat-access.log;
error_log /var/log/nginx/tomcat-error.log;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8080/;
}
}
4. Link the file
ln -s /etc/nginx/sites-available/http.conf /etc/nginx/sites-enabled/
5. Restart NGINX
systemctl restart nginx
Now, you should see your NetVizura website accessible from http://yoursite/netvizura.
NGINX SSL
In this example, as in the Apache configuration, we are adding an additional layer. We have omitted SSL key generation; you can reuse the key and certificate from the Apache SSL configuration.
1. Create file /etc/nginx/sites-available/ssl.conf with the following content:
server {
server_name netvizura.example.com;
listen 443 ssl;
ssl_certificate_key /home/server.key;
ssl_certificate /home/server.crt;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8080/;
}
}
2. Link the file
ln -s /etc/nginx/sites-available/ssl.conf /etc/nginx/sites-enabled/
3. Restart NGINX
systemctl restart nginx
Afterwards, you should see your NetVizura web page accessible from https://yoursite/netvizura.
Tomcat SSL
In our last (but not least) example, we will cover Tomcat, which has SSL capabilities itself.
1. Create the keystore that will hold the key pair (keytool prompts for the keystore password, which is referenced from server.xml below):
keytool -genkey -alias tomcat -keyalg RSA -keystore /home/keystore
2. Edit server.xml (note that depending on your Tomcat version, the folder can be different). We are using Tomcat 7, and therefore the file is /etc/tomcat7/server.xml. Add the following connector:
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="/home/keystore"
keystorePass="123123"
clientAuth="false"
sslProtocol="TLS"/>
3. Restart Tomcat
systemctl restart tomcat7
Again, now you should see your NetVizura website accessible from https://yoursite/netvizura.
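Every configuration in this post proxies to http://127.0.0.1:8080/, and the last section adds a Tomcat SSL connector on 8443. The proxy (and the SSL termination in front of it) only protects the application if those backend ports are not reachable from outside the host; Tomcat binds its connectors to all interfaces by default. As an added check that is not part of the original post, the script below reads `ss -ltnH` output and reports any of the given ports that is bound to something other than a loopback address. The sample socket listing is constructed for the demonstration and the function names are my own. To fix a finding, bind the Tomcat connector to loopback; Tomcat's HTTP connector supports an address attribute (address="127.0.0.1") for that, which the post's server.xml does not set.

```shell
#!/bin/sh
# Added example (not the post's own tooling): detect backend listeners that
# bypass the reverse proxy. Assumes the iproute2 "ss -ltnH" output format,
# whose columns are: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.

# Constructed sample of "ss -ltnH" output: the proxy on 80/443, Tomcat's
# HTTP connector wrongly bound to all interfaces on 8080, its SSL connector
# correctly on loopback 8443, plus unrelated sshd and PostgreSQL sockets.
SAMPLE_SS_OUTPUT='LISTEN 0 511        0.0.0.0:80        0.0.0.0:*
LISTEN 0 511        0.0.0.0:443       0.0.0.0:*
LISTEN 0 100        0.0.0.0:8080      0.0.0.0:*
LISTEN 0 100      127.0.0.1:8443      0.0.0.0:*
LISTEN 0 128           [::]:22           [::]:*
LISTEN 0 128      127.0.0.1:5432      0.0.0.0:*'

# exposed_backends PORT...
#   Reads ss output on stdin and prints "ADDRESS:PORT" for every listed port
#   that is bound to a non-loopback address (0.0.0.0, [::] or a real address).
exposed_backends() {
    ports=$(printf '%s,' "$@")
    awk -v ports="$ports" '
        BEGIN {
            n = split(ports, p, ",")
            for (i = 1; i <= n; i++) if (p[i] != "") want[p[i]] = 1
        }
        {
            lp = $4                          # e.g. 0.0.0.0:8080 or [::1]:8443
            port = lp; sub(/.*:/, "", port)  # text after the last colon
            addr = lp; sub(/:[^:]*$/, "", addr)
            if (!(port in want)) next
            if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback only
            print addr ":" port
        }'
}

# backend_is_loopback_only PORT...
#   Returns 0 when none of the listed ports is exposed, 1 otherwise; suitable
#   for a deployment test or a monitoring check.
backend_is_loopback_only() {
    [ -z "$(exposed_backends "$@")" ]
}

# Usage on a live host (Tomcat HTTP connector 8080, SSL connector 8443):
#   ss -ltnH | exposed_backends 8080 8443
# With the constructed sample this prints 0.0.0.0:8080.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_backends 8080 8443
```

A host firewall that only admits 80 and 443 gives the same protection at another layer; the check above is still worth keeping because it catches the case where the backend is exposed on a second interface that the firewall rules did not anticipate.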
If you are interested in checking out some other similar configurations, you may find them on our Confluence page: SSL Configuration.