Fog Creek Software
Discussion Board




SSL and Tomcat

Hi:

I was thinking of setting up SSL for a bunch of JSPs and Servlets that I have running in a Tomcat container.

Would I need to use Apache (and mod_ssl) front-end to have SSL on Tomcat?

I am pretty confused - as Tomcat seems to come with SSL as well, some articles recommend using Apache and Tomcat together for SSL. I am not sure if this is because SSL in Tomcat is immature.

Fuzzy Logic
Thursday, April 22, 2004

Nah.  SSL on Tomcat works fine.  You are being encouraged to use Apache because that's what everyone else does, and heaven forbid that you should decide you don't need Apache.
You are right to hesitate to set up Apache as a front end for Tomcat - it's a flaming pain in the ass.  And nobody even agrees on how to do it and which module to use.  Do yourself a favor and stick with Tomcat.  It's easy and it works great.

Ethan Herdrick
Thursday, April 22, 2004

I do SSL with Tomcat only. No need of any Apache in front of it.

In server.xml:


    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
              port="8080"
              minProcessors="20"
              maxProcessors="30"
              enableLookups="false"
              acceptCount="100"
              debug="0"
              connectionTimeout="60000"/>
    <!-- Note : To disable connection timeouts, set connectionTimeout value
    to -1
    redirectPort="8443"
    -->

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
              port="8443"
              minProcessors="5"
              maxProcessors="75"
              enableLookups="false"
            acceptCount="10"
            debug="0"
            scheme="https"
            secure="true">
            <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
                    clientAuth="false"
                    protocol="TLS"
                    keystoreFile="D:\jakarta-tomcat-4.0.4\security\keystorefile"
                    keystorePass="putyourpasswordhere"
            />
    </Connector>

You will have ot generate your keystorefile but standards java tools work there. Of course, you may want a CA and so on ...

Philippe Back
Thursday, April 22, 2004

Usually Apache is used in front of Tomcat to serve static data because it performs so much better. I don't know, but there might also be differences in SSL performance. With dev sites or sites with low to medium traffic it doesn't buy you much.

Juha
Thursday, April 22, 2004

On the related Apache/Tomcat thread, I use Apache as a front end for Tomcat because it allows me to bind to port 80 and then setuid to non-root.  I am on Linux (red hat enterprise to be specific).  Can I get similar behavior using only Tomcat?
 

madking
Thursday, April 22, 2004

Don't bother with Apache (as a Tomcat frontend) unless your site is mostly static content or you need some other fancy features of Apache. The SSL in Tomcat works just great. We're using it in a commercial server.

And the SSL How-to in the Tomcat documentation is fantastic. Step-by-step, complete instructions.

Bill Tomlinson
Thursday, April 22, 2004

I use mod_ssl with Apache as a front end to Tomcat.  mod_ssl isn't bad, but the mod_jk link to Tomcat is a pain to set up.  (and poorly documented to boot).  Skip it if you can. 

The other reason to use Apache as the front end (BTW) is if you're mixing JSP-generated content with other web content (e.g. PHP).  Apache serves as the front end for all web requests and directs them to different services as needed in our system

Will
Thursday, April 22, 2004

As regards your apache frontend and tomcat backend, running non-stuid. sure you can.

If starts as root, to bind to a port <1024 (e.g. 80) using say, mod_jk. Remember, mod_jk can redirect to any port internally (actually the point is you cluster) Anyway. I have never run tomcat as root, ever, ever. If you have any errors on start, be sure that the ports are above 1024, other than that you should be set.

Remember, mod_jk doesn't care what port it redirects to, it doesn't have to be port 80. So just set some high unused port and run tomcat as some user other than root.

anonomouse
Thursday, April 22, 2004

anonamouse, was your response to me?  What application do I start as root?  I want to run Tomcat Standalone, bound to port 80, not as root.  Since I don't know how to do that, I have Apache bind to port 80 and then use mod_jk to communicate to Tomcat at a higher port.  I would like to drop Apache out of the  loop?  Can I do this?

madking
Friday, April 23, 2004

to run tomcat as standalone on port 80 you only need to change in server.xml the attributes for the non-SSL connector from 8080 to 80.

Albert
Wednesday, May 05, 2004

*  Recent Topics

*  Fog Creek Home