Put your Tomcat behind a reverse proxy on CentOS

I have an API service with an embedded Tomcat running on port 8080 on a CentOS server. I don't want to expose it directly, and I want to access this API through HTTPS (port 443). If I access it on 'classic' HTTP (port 80)

A simple solution is to deploy an Apache httpd server on my CentOS box and use it as a reverse proxy.




Step 1 : install Apache httpd server


yum install httpd
yum install mod_ssl

Open the /etc/httpd/conf/httpd.conf file and add the directive Listen 443 after Listen 80 so that Apache also listens on port 443. Check first that the port is not already declared: on CentOS the mod_ssl package ships /etc/httpd/conf.d/ssl.conf with its own Listen 443, and a duplicate Listen for the same port stops httpd from starting.

Step 2 : Install your certificate files


First of all, install your certificate by copying your three files to a directory of your choice. For me, it's /etc/ssl, like this :


000000000 4 -rw-r--r--.   1 root root 1674  9 janv. 18:20 intermediate-CA.key
000000000 4 -rw-r--r--.   1 root root 1708  9 janv. 18:20 private.key
000000000 4 -rw-r--r--.   1 root root 2248  9 janv. 18:20 public.key


Everything is X.509 material in PEM (base64) encoding :
  • private.key is the private key you generated. It must never be shared with anyone. You need it to generate the CSR (Certificate Signing Request) you give to your SSL provider to obtain your certificate.
  • intermediate-CA.key is the intermediate CA certificate of your certificate provider (GoDaddy, DigiCert, etc.).
  • public.key is the certificate you obtained from the provider you gave your CSR to.
Note : on CentOS, don't use the 'mv' command to place your files in the directory of your choice. Only use 'cp'. 'mv' keeps the files' original SELinux context, which will not let Apache httpd read them. If you use 'mv', you will be exposed to an issue like this :

"SSLCertificateFile: file '/etc/ssl/mycert.pem' does not exist or is empty"


Step 3 : Configure your Reverse proxy


Once that is done, you have to prepare your Apache config file. I use a VirtualHost, so I need to declare this config file in httpd.conf.

<VirtualHost *:80>
  ServerName srvapir1
  DocumentRoot "/var/www/html"
  ErrorLog "logs/error_log"

  <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  </IfModule>
</VirtualHost>

<VirtualHost *:443>
  ServerName srvapir1
  DocumentRoot "/var/www/html" 
  ErrorLog "logs/error_log"

  SSLEngine on
  SSLVerifyClient None
  SSLCertificateFile /etc/ssl/public.key
  SSLCACertificateFile /etc/ssl/intermediate-CA.key
  SSLCertificateKeyFile /etc/ssl/private.key
  SSLProtocol all -SSLv2
  SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES

  ProxyPass / http://localhost:8080/
  ProxyPassReverse / http://localhost:8080/
  ProxyPreserveHost Off
  ProxyRequests Off

  <Proxy *>
        Order deny,allow
        Allow from all
  </Proxy>
</VirtualHost>
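An added example in Python (not from the original post): a small linter that reads the TLS and proxy directives of a VirtualHost block and flags what a reviewer would tighten in the config above: the protocols that "SSLProtocol all -SSLv2" still leaves enabled, the "+3DES" cipher, and the missing X-Forwarded-Proto header that tells Tomcat the client connected over HTTPS. The two sample blocks are constructed inline, and the protocol table assumes httpd 2.4 semantics, where "all" means SSLv3 through TLSv1.2.

```python
import re
# Constructed samples, not a full httpd.conf: the posted 443 vhost's TLS/proxy lines and a tightened variant.
AS_POSTED = """<VirtualHost *:443>
  SSLProtocol all -SSLv2
  SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
  ProxyPass / http://localhost:8080/
</VirtualHost>"""
HARDENED = """<VirtualHost *:443>
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass / http://localhost:8080/
</VirtualHost>"""
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumes httpd 2.4, where 'all' means these
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("3DES", "RC4", "EXP", "NULL", "aNULL")

def parse_directives(text):
    """Map each directive name to its list of values, skipping section tags and comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            directives.setdefault(name, []).append(value.strip())
    return directives

def enabled_protocols(value):
    """Apply SSLProtocol tokens left to right: 'all' adds the set, '-X' removes X, 'X' or '+X' adds X."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        else:
            (enabled.discard if tok.startswith("-") else enabled.add)(tok.lstrip("+-"))
    return enabled

def lint_vhost(text):
    """Return findings for weak TLS settings and for a proxy that hides the client's scheme from Tomcat."""
    d, findings = parse_directives(text), []
    weak = sorted(enabled_protocols(" ".join(d.get("SSLProtocol", []))) & WEAK_PROTOCOLS)
    if weak:
        findings.append("SSLProtocol still allows " + ", ".join(weak))
    ciphers = ":".join(d.get("SSLCipherSuite", []))
    for tok in WEAK_CIPHER_TOKENS:
        # A cipher token is enabled when bare or '+'-prefixed; a '!' or '-' prefix disables it.
        if re.search(r"(^|:)\+?%s(:|$)" % re.escape(tok), ciphers):
            findings.append("SSLCipherSuite enables " + tok)
    if "ProxyPass" in d and not any("X-Forwarded-Proto" in v for v in d.get("RequestHeader", [])):
        findings.append("no RequestHeader X-Forwarded-Proto: Tomcat sees the request as plain http")
    return findings
```

Running lint_vhost on the hardened block returns an empty list; on the posted block it returns three findings.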



You can test your Apache configuration with the shell command :
apachectl configtest

Then restart Apache :
systemctl restart httpd



Step 4 : Update CentOS conf to avoid HTTP 503 errors


Important : If you get an HTTP 503 error code, that's because SELinux on CentOS blocks httpd from making outbound network connections, including to localhost. You have to change this with a shell command :

Only for testing :

/usr/sbin/setsebool httpd_can_network_connect 1

Permanently :
/usr/sbin/setsebool -P httpd_can_network_connect 1