Put your Tomcat behind a reverse proxy on CentOS

I have an API service with an embedded tomcat running on port 8080 on a CentOS server. I don't want to expose it directory and I want to access this API threw HTTPS (port 443). If I access to it on 'classic' http (port 80)

A simple solution is to deploy an Apache httpd server on my CentOS and use is as reverse proxy.

Step 1 : install Apache httpd server

yum install httpd
yum install mod_ssl

Open /etc/https/conf/httpd.conf file and add the directive Listen 443 after Listen 80 to enable apache to listen to port 443

Step 2 : Install your certificate files

First all all, you can to install your certificate by copying  your three files to a directory of your choice. For me, it's /etc/ssl like this :

000000000 4 -rw-r--r--.   1 root root 1674  9 janv. 18:20 intermediate-CA.key
000000000 4 -rw-r--r--.   1 root root 1708  9 janv. 18:20 private.key
000000000 4 -rw-r--r--.   1 root root 2248  9 janv. 18:20 public.key

Everything is x509 key encoded in base64
  • private.key is the key you generated. This key must ot be share to anyone. You need it to generate your CSR (Certificate Service Request) you provide to your SSL provider to obtain your certificate.
  • intermediate-CA.key is the key signature of your certificate provider (daddygo, digicert, etc...)
  • public.key is the key signature you obtained from your provider you gave your CSR.
Note : on centOS, don't use 'mv' command to place your files in the directory of your choice. Only use 'cp'. 'mv' change internal files status that will not let apache httpd access to this. If you use 'mv', you will be expose to issue like this :

"SSLCertificateFile: file '/etc/ssl/mycert.pem' does not exist or is empty"

Step 3 : Configure your Reverse proxy

Once it's done, you have to prepare your apache config file. I use a virtualhost so I neeed declared this config file in the httpd.conf.

<VirtualHost *:80>
  ServerName srvapir1
  DocumentRoot "/var/www/html"
  ErrorLog "logs/error_log"

  <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<VirtualHost *:443>
  ServerName srvapir1
  DocumentRoot "/var/www/html" 
  ErrorLog "logs/error_log"

  SSLEngine on
  SSLVerifyClient None
  SSLCertificateFile /etc/ssl/public.key
  SSLCACertificateFile /etc/ssl/intermediate-CA.key
  SSLCertificateKeyFile /etc/ssl/private.key
  SSLProtocol all -SSLv2

  ProxyPass / http://localhost:8080/
  ProxyPassReverse / http://localhost:8080/
  ProxyPreserveHost Off
  ProxyRequests Off

  <Proxy *>
        Order deny,allow
        Allow from all

You can test your apache configuration with the shell command :
apachectl testconfig

Then restart apache :
systemctl restart httpd

Step 4 : Update CentOS conf to avoid HTTP 503 errors

Important : If you get an HTTP 503 error code, that's because CentOS has security rule to prevent localhost proxies. You have t change this with a shell command :

Only for testing :

/usr/sbin/setsebool httpd_can_network_connect 1

Permanently :
/usr/sbin/setsebool -P httpd_can_network_connect 1