
How can I use SSL through Apache with multiple Tomcat Webapp instances?

We currently have our webapp which is a standard sort of thing, http main and info pages but redirects to httpS (i.e. SSL) for login and user actions etc.

Currently we have all our webapp instances (production, test, demo etc) deployed into one instance of Jetty and we can access them all via www.ourapp.com/test and www.ourapp.com/demo and obviously www.ourapp.com for production.

The problem with this is every time we make changes to one instance we need to restart all instances, not ideal. Also I don't particularly like using Jetty for production, even though our app isn't very high volume at the moment.

I'm trying to move to Apache httpd forwarding to multiple instances of tomcat each hosting a different instance of our app. This would let me shutdown and restart each tomcat/app instance individually.

I have set up multiple Tomcat installations on various different ports so they don't conflict with each other (eg 8081, 8082, 8083), set their AJP connector ports to be different from each other (eg 8010, 8011, 8012), and httpd listens on port 8090 at the moment so as not to conflict with our current production instance running on port 80.

In the httpd.conf I have settings such as:

JkMount /test* tomcatTest

And in workers.properties I have settings such as:

worker.tomcatTest.port=8010
worker.tomcatTest.host=localhost
worker.tomcatTest.type=ajp13
worker.tomcatTest.lbfactor=100

httpd is forwarding fine to the initial landing pages. The issues arise when I need to go to the SSL pages for login etc. Each of the Tomcat installs has its SSL connector uncommented, and the port varies as well: 8444, 8445, 8446 etc.

Hopefully you can see the setup I'm trying to achieve here. I just need some help getting the non-SSL pages to link to the SSL pages like they normally do when they are all in one Jetty/Tomcat instance and Apache isn't doing all the forwarding. Any pointers on what I need to do here?


If you want to use Tomcat's native SSL connector, then you'll have to have your application redirect to the Tomcat port on the host. It cannot be handled by Apache. This is because Apache would also have to have each Tomcat server's SSL certificate installed - and you can only have one cert installed at a time.

It would be better to use Apache to terminate your SSL connections.

Configure Apache with an appropriate certificate (see [1] below), and enable SSL. Then in your VirtualHost definition for SSL, add all your JkMount lines again.

For example:

<VirtualHost _default_:443>
   JkMount /test* tomcatTest
</VirtualHost>

This means SSL connections will be handled by Apache, then punted over to Tomcat with AJP. This greatly simplifies configuration, as all you need in your Tomcat config is the AJP connector.

[1] You'll need a certificate with all the possible vhosts that you want to use. Creating one of these is a bit beyond the scope of the question, but suffice it to say you need a subjectAltName in the certificate for every hostname you may use. If you create a new application with a new hostname, you'll need to regenerate the certificate.

> Also I don't particularly like using Jetty for production, even though our app isn't very high volume at the moment.

Jetty in production is absolutely fine for 99% of use cases. I've often found Tomcat to be more of a capricious beast, and often end up swapping it out for Jetty.
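Putting the answer above into a concrete httpd.conf fragment (an added example, not config from the question or from any answer): Apache terminates TLS once and forwards every app instance over AJP, with the JkMount lines repeated in the 443 vhost so the webapp's own https redirect lands on the same worker. The hostname, module and certificate paths, and the worker names tomcatProd/tomcatTest/tomcatDemo are assumed; the AJP ports are the 8010-8012 ones from the question.

```apache
# Added example, not the page's own config. Module paths, hostname,
# certificate paths and worker names are assumptions for illustration.
LoadModule ssl_module modules/mod_ssl.so
LoadModule jk_module  modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

Listen 80
Listen 443

# Plain HTTP: the public landing and info pages. mod_jk picks the
# longest matching JkMount, so /test* and /demo* win over the /* catch-all.
# Each Tomcat must deploy its copy of the app at the matching context
# path (/test, /demo, /) because mod_jk forwards the URI unchanged.
<VirtualHost *:80>
    ServerName www.ourapp.com
    JkMount /*      tomcatProd
    JkMount /test*  tomcatTest
    JkMount /demo*  tomcatDemo
</VirtualHost>

# HTTPS: Apache holds the only certificate, so the 844x SSL connectors in
# the individual Tomcats can stay commented out. The same mounts are
# repeated so https://www.ourapp.com/test/... reaches the same worker as
# the http:// URL did. AJP carries Apache's is_ssl flag and server port to
# Tomcat, so request.isSecure() is true inside the app and its "redirect
# to https" produces a URL that points back at this vhost, not at 8444.
<VirtualHost _default_:443>
    ServerName www.ourapp.com
    SSLEngine on
    # assumed paths; one certificate covering every hostname you serve
    SSLCertificateFile    /etc/ssl/certs/ourapp.crt
    SSLCertificateKeyFile /etc/ssl/private/ourapp.key
    # refuse the legacy protocol versions
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    JkMount /*      tomcatProd
    JkMount /test*  tomcatTest
    JkMount /demo*  tomcatDemo
</VirtualHost>
```

The Apache-to-Tomcat hop is plain AJP, so keep every worker's host=localhost and bind each Tomcat AJP connector to the loopback interface (the connector's address="127.0.0.1" attribute) so that unencrypted leg never leaves the machine.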


What you need is actually SSL offloading:

1. Configure in Jetty what or which path is to be protected with SSL;
2. Front Jetty with Apache, and let Apache handle all the SSL stuff for Jetty.
3. Configure Jetty to accept SSL handling by Apache.
4. Set up multiple vhosts on Apache (for a single IP), and configure Apache to use a different SSL certificate for each vhost. ...

A step by step guide for this topic can be found here:

http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html


Suppose your worker.properties file contains this.

> worker.list=balancer,stat
> worker.tomcat1.type=ajp13
> worker.tomcat1.port=8109
> worker.tomcat1.host=localhost
> worker.tomcat2.type=ajp13
> worker.tomcat2.port=8209
> worker.tomcat2.host=localhost
> worker.tomcat3.type=ajp13
> worker.tomcat3.port=8309
> worker.tomcat3.host=localhost
> worker.balancer.type=lb
> worker.balancer.balance_workers=tomcat1,tomcat2,tomcat3
> worker.stat.type=status

Then you have to add `JkMount /* balancer` in httpd-ssl.conf within the <VirtualHost> tag:

<VirtualHost _default_:443>
#No change in other existing code
JkMount  /*  balancer
</VirtualHost>
