SSL Offloading for Apache Tomcat

Viewing real estate projects through different user interfaces

Part of the concept behind Invantive Estate is that numerous user interfaces give access to the same real estate data in the real-time data warehouse. For example, there is a Microsoft Outlook user interface to request and edit information on real estate projects, and a user interface within Microsoft Excel for creating cost-benefit analyses of real estate projects in Invantive Estate. There are also user interfaces for other systems, such as Word and PowerPoint.

Prying eyes and the HTTP and HTTPS Protocols

With the web interface you can also view and edit the data of real estate projects. For internal use of the web interface the HTTP protocol is often used; a URL would then resemble “http://invantive.com”. For use by users outside of the LAN, however, the HTTPS protocol is most often used. The HTTPS protocol has some overhead, but it does ensure that prying eyes do not get access to the data during transport. A URL that uses the HTTPS protocol would resemble “https://invantive.com”.

The web server encrypts the data. The encryption uses so-called “certificates”. Encryption with certificates is based on encryption algorithms with matching public and secret keys. After a short introduction between the web server and the browser, they construct a secure connection using these keys even though the intermediate network is not guaranteed to be safe. In this introduction there is, if so desired, a check to see that everybody is who he claims to be, so that for example your transfer to Manhattan Chase bank is not handled by a different (malicious) website. The browser and server also agree on a way of secured communication that requires little processing time.

Apache Tomcat and the HTTPS Protocol

The web interface uses Apache Tomcat as web server. There are two methods which can easily support the HTTPS protocol:

  • Apache Tomcat SSL: Apache Tomcat takes care of the encryption and Apache Tomcat only communicates in HTTPS to the outside.
  • SSL Offloading: A different program is located between Apache Tomcat and the internet. This program ensures that Apache Tomcat only uses HTTP and that the outside world can only communicate with Apache Tomcat through HTTPS.

For both methods you need a certificate. For the first method, HTTPS with Apache Tomcat itself, there are numerous instructions to be found on the internet. The second method is called “SSL Offloading”. SSL Offloading has a number of advantages, but does require extra attention from both the application supplier and the administrator.

What are the advantages of SSL Offloading?

The advantages of SSL Offloading compared to SSL with Apache Tomcat are:

  • Increased maximum number of users: a processing-intensive standard task is moved away from Apache Tomcat, which allows the Tomcat server to process more transactions.
  • Scaling: in combination with an HTTP proxy you can combine numerous Apache Tomcat installations into one big website. It does not matter if you are running many different versions at the same time or different versions of Java; everything can be reached through one URL.
  • Less installation work: you no longer need to install a certificate on every Apache Tomcat environment. Not entirely, though, which is why you should read on.
  • Lower costs: you can use a certificate for a single domain to secure numerous environments. A wildcard certificate or multiple certificates for independent servers are significantly more expensive.

How to Implement SSL Offloading for Apache Tomcat

For the implementation of SSL Offloading you can use various programs or devices, for example the Apache HTTP web server, which runs on Windows and UNIX, but also AWS CloudFront. You also need Apache Tomcat. I assume that the Invantive Estate web user interface is already reachable on the Apache Tomcat using HTTP.

Apache HTTP Web Server

To use Apache HTTP for SSL offloading, you first need to acquire a certificate. Then you can use the certificate to serve HTTPS. You can also use a so-called “self-signed” certificate. This suffices for test purposes, but for more user comfort and a bit of extra security you should use a certificate signed by an external party.

An example for a configuration of the Apache web server would be:

<VirtualHost *:443>
    ServerAdmin sysadmin-acme@acme.com
    #
    # External name of the Apache web server.
    #
    ServerName apps.acme.com

    #
    # HTTPS configuration.
    # SSLv3 and TLS 1.0/1.1 are deprecated and are left disabled here; add
    # +TLSv1.3 once your mod_ssl and OpenSSL versions support it. RC4 and 3DES
    # are excluded from the cipher list for the same reason.
    #
    SSLEngine on
    SSLProtocol -ALL +TLSv1.2
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/apache243/conf/ssl/apps_acme_com.crt
    SSLCertificateKeyFile /etc/apache243/conf/ssl/apps_acme_com.key
    #
    # Apache honours only one SSLCertificateChainFile per virtual host, so the
    # chain certificates (AddTrustExternalCARoot.crt and
    # COMODOHigh-AssuranceSecureServerCA.crt) are concatenated into a single
    # file; the file name below is an example.
    #
    SSLCertificateChainFile /etc/apache243/conf/ssl/apps_acme_com.chain.crt

    #
    # Some useful settings.
    #
    ProxyRequests Off
    ProxyPreserveHost On
    AddDefaultCharset utf-8
    HostnameLookups off
    UseCanonicalName off
    ProxyBadHeader Ignore
    KeepAlive off

    #
    # Tracking who is requesting what for visitor analysis.
    #
    ErrorLog /var/log/ws453/apache243/apps.acme.com/error_log
    CustomLog /var/log/ws453/apache243/apps.acme.com/access_log combined

    #
    # HTTPS requests to .../invantive-estate/production are forwarded to the
    # Apache Tomcat server that runs on the server with IP address 10.1.2.3 on port 14593.
    #
    # And vice versa: ProxyPassReverse rewrites Location headers that Tomcat
    # builds with its own address back to the public URL.
    #
    ProxyPass /invantive-estate/production http://10.1.2.3:14593/invantive-estate/production retry=3
    ProxyPassReverse /invantive-estate/production http://10.1.2.3:14593/invantive-estate/production

    #
    # ... Space for other settings.
    #
</VirtualHost>

Apache Tomcat SSL Offloading

The Apache Tomcat server and application are unaware that they are being accessed from the outside world through HTTPS. The Apache web server ensures that a request from the browser for https://…/invantive-estate/production/projecten is received by Apache Tomcat as http://.../invantive-estate/production/projecten. A web page can therefore behave differently than expected. In Invantive Estate the application itself is aware that SSL offloading is used. Sometimes, however, the Tomcat web server composes URLs itself, namely for a HttpServletResponse.sendRedirect. So you will need to include a number of settings in the Apache Tomcat configuration to make SSL Offloading work properly. The Apache Tomcat configuration is by default found in the file server.xml in the conf folder:

<!-- Plain HTTP connector that the proxy forwards to; port 14593 matches the
     ProxyPass target in the Apache example above. proxyName must be the external
     host name that users see in their browser. -->
<Connector port="14593"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           compression="on"
           compressionMinSize="32"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/javascript,application/x-javascript,text/css"
           redirectPort="8443"
           URIEncoding="UTF-8"
           proxyPort="443"
           proxyName="www.invantive.com"
           scheme="https"
           secure="true" />

The most important attributes of the Connector settings to make SSL Offloading work properly are:

  • proxyName: the name of the website through which users approach Invantive Estate using SSL.
  • proxyPort: the port through which this happens (443 is the standard port for HTTPS).
  • scheme: the protocol that is being used (“http” or “https”).
  • secure: whether Tomcat treats requests on this connector as secured (set to “true”, since the proxy has already handled HTTPS).

Apache Tomcat keeps switching between the HTTP and HTTPS protocols

A frequently occurring problem in the use of SSL Offloading is that users repeatedly get an error because the protocol changes back and forth between HTTPS and HTTP. A user might select the “Search” button in the projects screen and then receive an HTTP 404 error (Page not found). If this occurs, please perform the following checks:

  • Is there a connector in Apache Tomcat with the correct settings?
  • Does the port number in your proxy configuration match this connector, or have you accidentally proxied to a different connector of the same Apache Tomcat installation?
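To see why the connector attributes and ProxyPassReverse together prevent this bounce between protocols, here is an added Python model (example code, not Tomcat's or Invantive's own): it builds the absolute Location URL that a relative sendRedirect() produces from the connector attributes, applies the ProxyPassReverse rewrite, and flags a redirect that leaves the HTTPS front end. The host apps.acme.com, the port 14593 and the path are taken from the configuration examples above; the URL-building rules are a simplified model of Tomcat's behaviour, not its source code.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Connector:
    """The Tomcat <Connector> attributes that matter for SSL offloading."""
    port: int                          # port Tomcat listens on (14593 in the article)
    scheme: str = "http"
    proxy_name: Optional[str] = None   # proxyName
    proxy_port: Optional[int] = None   # proxyPort


def absolute_location(conn: Connector, host_header: str, request_path: str, target: str) -> str:
    """Simplified model of sendRedirect(): a relative target is resolved against the
    current request path and turned into an absolute URL from the connector's scheme,
    server name and port. Name and port come from proxyName/proxyPort when set,
    otherwise from the Host header and the port Tomcat itself listens on."""
    if "://" in target:                # already absolute, left alone
        return target
    name = conn.proxy_name or host_header.split(":")[0]
    port = conn.proxy_port or conn.port
    base = request_path.rsplit("/", 1)[0] + "/"
    path = target if target.startswith("/") else base + target
    # the default port of the scheme is omitted, anything else is spelled out
    authority = name if port == DEFAULT_PORTS.get(conn.scheme) else f"{name}:{port}"
    return f"{conn.scheme}://{authority}{path}"


def proxy_pass_reverse(location: str, backend_url: str, public_url: str) -> str:
    """What Apache's ProxyPassReverse does to a Location header: a URL that starts
    with the backend address is rewritten to the public address, anything else passes."""
    if location.startswith(backend_url):
        return public_url + location[len(backend_url):]
    return location


def protocol_switch(public_base: str, location: str) -> bool:
    """Check for the 'Search gives a 404' symptom: True when the redirect leaves the
    HTTPS front end, i.e. scheme, host or effective port differ from the public URL."""
    def key(url: str):
        u = urlsplit(url)
        return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)
    return key(public_base) != key(location)
```

With the connector left at scheme="http" and no proxyName, a redirect issued for https://apps.acme.com/invantive-estate/production/projecten comes back as http://apps.acme.com:14593/..., which is exactly the protocol switch described above; with proxyName, proxyPort, scheme and secure set it stays on https://apps.acme.com/.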

Summary

With these instructions you can easily make the web user interface of numerous Invantive Estate installations available through HTTPS. You can also scale up more easily and cheaply to higher numbers of installations and higher numbers of users.