Sunday, September 9, 2012

SSL Offloading with mod_jk part 5

Document  Version 1.0
  Copyright © 2012-2013 beijing.beijing.012@gmail.com

Keywords:
SSL Offloading, SSL-Offloading, SSL Termination, Apache, Tomcat, mod_jk configuration, multiple vhosts, multiple SSL certificates on one IP


SSL Port Problem

In part 4 of this series we successfully configured a virtual host, "ahaha.com", together with Apache and mod_jk, so that when a request comes from the browser (client), mod_jk forwards it to Tomcat. mod_jk speaks the "AJP language" to Tomcat, so now we need to configure Tomcat so that it also understands AJP.
This is accomplished by uncommenting the following lines in Tomcat's "server.xml":



...
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
...


Now restart Tomcat and try accessing the "TestWebSec20" application again:
http://www.ahaha.com/TestWebSec20/HalloNormal

And now you will see: 




Now you can access the "TestWebSec20" web application through a "real" domain name.
And you no longer see port 8080 in the browser's address bar!

Let's try accessing the secured resource, namely:
http://www.ahaha.com/TestWebSec20/secure/HalloSec

And you will see in your browser:


Cool! Isn't it?

The browser was redirected to HTTPS, and after confirming the SSL certificate, we see the protected resource!


But, wait a minute! There is still something wrong!
  • The browser was redirected to HTTPS, but now we see another port number, 8443 (the port configured for Tomcat's HTTPS connector), and we do not want to show users a port number in the browser at all. We are expecting something like this:
           https://www.ahaha.com/TestWebSec20/secure/HalloSec
  • When we take a closer look at the SSL certificate details, we see that the certificate presented here is Tomcat's own certificate, not the certificate of "www.ahaha.com".

To sum it up: we do NOT want to show the SSL port to the browser, and we want to present the user with our "real" certificate, the one we created for the domain "ahaha.com".

To solve these two problems we need to introduce a new term, the so-called "SSL offload" or "SSL termination". This is actually the main purpose of the "SSL Offloading with mod_jk" series I am writing!


So what is SSL Termination / Offloading?

SSL termination means taking care of everything about SSL in one centralized place in the system, at the border between the secured and unsecured areas. The "SSL terminator" handles SSL between the client and the servers, and all the traffic behind the SSL terminator is not encrypted but is assumed to be secure (which means the network segment behind the terminator must itself be trusted, because that traffic travels in plaintext).

To make it simple: in our case we want Apache / mod_jk to take care of the SSL handling, and NOT Tomcat.
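As an added example (not the series' own configuration, which continues in part 6), this is the shape of an Apache virtual host that terminates SSL for www.ahaha.com with the ahaha.com certificate and hands plain AJP to Tomcat; the certificate paths and the worker name "worker1" are assumptions.

```apache
# Added example, not the series' own config: Apache terminates TLS for
# www.ahaha.com and forwards plain AJP to Tomcat.
# Certificate paths and the worker name "worker1" are assumptions.
<VirtualHost *:443>
    ServerName www.ahaha.com
    SSLEngine on
    # assumed paths to the certificate created for ahaha.com in earlier parts
    SSLCertificateFile    /etc/ssl/certs/ahaha.com.crt
    SSLCertificateKeyFile /etc/ssl/private/ahaha.com.key
    # JkExtractSSL (On by default) passes the TLS facts to Tomcat over AJP,
    # so request.isSecure() is true and the /secure/* constraint does not
    # redirect the browser to Tomcat's own redirectPort again.
    JkExtractSSL On
    JkMount /TestWebSec20/* worker1
</VirtualHost>

# Plain HTTP for the same host. The secured resource is still protected by
# Tomcat's security constraint, which now redirects to https://www.ahaha.com/
# without a port once the AJP connector's redirectPort is 443.
<VirtualHost *:80>
    ServerName www.ahaha.com
    JkMount /TestWebSec20/* worker1
</VirtualHost>
```

On the Tomcat side the AJP connector shown above keeps protocol="AJP/1.3" but gets redirectPort="443" (Tomcat then omits the port from the redirect URL), and the HTTPS connector on 8443 is no longer needed. On Tomcat 8.5.51 / 9.0.31 and later the AJP connector additionally requires a shared secret (matching the worker's secret in workers.properties) or secretRequired="false".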


