
Apache HTTPd Reverse Proxy and Tomcat CAS

November 7, 2009

Getting a correct combination of a front-end Apache HTTPd reverse proxy and a back-end Tomcat-hosted CAS working was not as easy as it seemed to me.

I could have used mod_auth_cas but decided to rely only on a jk-based proxy.

Here is my setup:

  • Apache HTTPd 2.2
  • Apache Tomcat 6.0
  • CAS 3.3.1
  • Balancer (mod_proxy + proxy_ajp + proxy_balancer)

Deployment model:

  • Front-end machine (ip: 192.168.183.3) running httpd on ports 80, 443.
  • CAS back-end app running tomcat on ports 18180 (http) and 18109 (ajp)
  • Another back-end app on the same box which uses CAS and runs on ports 18080 (http) and 18009 (ajp)

Steps:

0. Add the proper hostnames to /etc/hosts. In my case the only name (profiles.myraysaz.com) simply points to 192.168.183.3, so the BalancerMember URLs below resolve to the same box.

  1. CAS Tomcat
    1. Configure your CAS box. I have deployed my CAS application under “/auth” in Tomcat (i.e. rename cas-3.3.1 in webapps to auth).
    2. Set the correct URLs in your cas.properties. Note that every URL uses the https front-end name and no Tomcat port, because that is what clients and the ticket validator will see. This is mine:
      cas.properties
      cas.securityContext.serviceProperties.service=https://profiles.myraysaz.com/auth/services/j_acegi_cas_security_check
      cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://profiles.myraysaz.com/auth/login
      cas.securityContext.ticketValidator.casServerUrlPrefix=https://profiles.myraysaz.com/auth
      cas.themeResolver.defaultThemeName=default
      cas.viewResolver.basename=default_views
      host.name=profiles.myraysaz.com
      database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
    3. Here is the server.xml of this box. Pay attention to proxyName (and proxyPort): the back end must believe it is profiles.myraysaz.com, otherwise the absolute URLs CAS builds point at the Tomcat port instead of the front end. Apache only talks to the AJP connector in this setup, and mod_proxy_ajp forwards the original host, port and SSL flag in the AJP request, so proxyName on that connector is belt-and-braces. The HTTP connector on 18180 carries only proxyName and no proxyPort, so a direct hit on it still produces URLs with port 18180; use it only for the direct check in step 4.
      server.xml
      <?xml version='1.0' encoding='utf-8'?>
      <Server port="18105" shutdown="SHUTD0WN">
      
        <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
        <Listener className="org.apache.catalina.core.JasperListener" />
        <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
        <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      
        <Service name="Catalina">
      
          <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
              maxThreads="1000"
              minSpareThreads="50"/>
      
          <Connector executor="tomcatThreadPool"
                     port="18180"
                      protocol="HTTP/1.1"
                     connectionTimeout="20000"
                     redirectPort="443"
                      enableLookups="false"
                      proxyName="profiles.myraysaz.com"
          />
      
          <Connector executor="tomcatThreadPool"
                     port="18109" protocol="AJP/1.3"
                     redirectPort="443"
                      enableLookups="false"
                      proxyName="profiles.myraysaz.com"
          />
      
          <Engine name="Catalina" defaultHost="profiles.myraysaz.com">
            <Host name="profiles.myraysaz.com"  appBase="webapps"
                  unpackWARs="false" autoDeploy="true"
                  xmlValidation="false" xmlNamespaceAware="false">
            </Host>
          </Engine>
        </Service>
      </Server>
    4. Be sure this is working by pointing your browser at http://ip:18180/auth (the CAS Tomcat's HTTP connector port; 18080 belongs to the other app).
  2. Configure HTTPd.
    1. Enable required modules:
      a2enmod proxy
      a2enmod proxy_ajp
      a2enmod proxy_balancer
    2. Here is my virtual host definition in sites-enabled:
      000-profiles.myraysaz.conf
      <VirtualHost 192.168.183.3:80>
          ServerName profiles.myraysaz.com
          ServerAdmin amin@raysaz.com
          # Nothing is served from disk: every path below is proxied to Tomcat.
          DocumentRoot /

          ErrorLog /var/log/apache2/profiles/error.log
          LogLevel warn
          CustomLog /var/log/apache2/profiles/access.log combined

          # Reverse proxy only; never act as a forward proxy.
          ProxyRequests Off
          # Pass the client's Host header through, so Tomcat sees profiles.myraysaz.com.
          ProxyPreserveHost On

          <Proxy *>
              Order deny,allow
              Allow from all
          </Proxy>

          # CAS, deployed as /auth on the CAS Tomcat (AJP port 18109).
          # Must come before the catch-all ProxyPass / below: first match wins.
          # This vhost also proxies the CAS login over plain http; only the https
          # vhost below matches the URLs in cas.properties.
          ProxyPass /auth balancer://casCluster/auth stickysession=JSESSIONID|jsessionid
          ProxyPassReverse /auth balancer://casCluster/auth
          <Proxy balancer://casCluster>
              Order deny,allow
              Allow from all
              #BalancerMember ajp://192.168.183.3:18109
              BalancerMember ajp://profiles.myraysaz.com:18109
          </Proxy>

          # Everything else goes to the profiles app (AJP port 18009).
          ProxyPass / balancer://profilesCluster/ stickysession=JSESSIONID|jsessionid
          ProxyPassReverse / balancer://profilesCluster/
          <Proxy balancer://profilesCluster>
              Order deny,allow
              Allow from all
              BalancerMember ajp://profiles.myraysaz.com:18009
          </Proxy>
      </VirtualHost>

      <VirtualHost 192.168.183.3:443>
          ServerName profiles.myraysaz.com
          ServerAdmin amin@raysaz.com
          DocumentRoot /

          ErrorLog /var/log/apache2/profiles/error-ssl.log
          LogLevel warn
          CustomLog /var/log/apache2/profiles/access-ssl.log combined

          ProxyRequests Off
          ProxyPreserveHost On

          <Proxy *>
              Order deny,allow
              Allow from all
          </Proxy>

          # Same balancers as on port 80; mod_proxy_ajp tells Tomcat the request
          # arrived on 443 over SSL, so CAS builds https URLs and Secure cookies.
          ProxyPass /auth balancer://casCluster/auth stickysession=JSESSIONID|jsessionid
          ProxyPassReverse /auth balancer://casCluster/auth
          <Proxy balancer://casCluster>
              Order deny,allow
              Allow from all
              BalancerMember ajp://profiles.myraysaz.com:18109
          </Proxy>

          ProxyPass / balancer://profilesCluster/ stickysession=JSESSIONID|jsessionid
          ProxyPassReverse / balancer://profilesCluster/
          <Proxy balancer://profilesCluster>
              Order deny,allow
              Allow from all
              BalancerMember ajp://profiles.myraysaz.com:18009
          </Proxy>

          SSLEngine On
          # make-ssl-cert writes the private key and the certificate into this one
          # file, which is why no SSLCertificateKeyFile is needed here.
          SSLCertificateFile    /etc/ssl/profiles/profiles.myraysaz.com.crt

      </VirtualHost>
    3. You can make a self-signed certificate with:
      make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/profiles/profiles.myraysaz.com.crt
      When asked for the host name, answer profiles.myraysaz.com: Java checks the certificate name against the URL host when CAS validates tickets over https, and the path must be the one the SSL vhost reads. The file written contains both the private key and the certificate.
    4. This config sticks sessions on JSESSIONID (cookie or ;jsessionid path parameter) and supports multiple back-end CAS servers. For more than one member you also need a route=name on each BalancerMember and a matching jvmRoute on the Tomcat Engine, because mod_proxy_balancer picks the member from the route suffix of the session id, and the CAS servers must share a ticket registry instead of the default in-memory one.
  3. SSL+CAS
    CAS (Java) needs to trust your SSL certificate: the ticket validator configured in cas.properties (casServerUrlPrefix) calls https://profiles.myraysaz.com/auth through the proxy, and a self-signed certificate is not in the JVM's default trust store. If you made one as above, import it into Java as follows.

    1. Remove the private key part from the combined file, so that only the certificate block is imported:
      cp profiles.myraysaz.com.crt profiles.myraysaz.com.crt-only
      vim profiles.myraysaz.com.crt-only
    2. Import it into the JDK's trust store (keytool prompts for the store password, changeit by default; this changes the trust store for every application using that JDK and is lost on a JDK upgrade):
      sudo keytool -import -file profiles.myraysaz.com.crt-only -alias mycas -keystore /opt/java/jdk1.6.0_06/jre/lib/security/cacerts
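The two hand steps above (cutting the key out of the combined PEM in an editor, importing into the shared cacerts) and the proxy settings from steps 1 and 2 can be checked with a script. The following is an added example and not code from the original post: it splits the make-ssl-cert output with awk instead of vim, imports the certificate into a separate truststore instead of the JDK's cacerts (the path /etc/cas/truststore.jks and the TRUSTSTORE_PASS variable are assumptions; the alias mycas and the host name are the post's), and checks the headers CAS returns through the proxy for redirects to http://…:18180 or cookies without the Secure flag, which are the symptoms of a missing proxyName or broken AJP forwarding.

```shell
#!/bin/sh
# cas_proxy_check.sh - added example, not part of the original post.
# Two post-install checks for the setup above:
#   1. pem_cert_only / import_cert: drop the private key from the combined PEM
#      that make-ssl-cert writes and import the certificate into a dedicated
#      truststore for the CAS JVM.
#   2. check_headers: confirm that CAS, reached through the proxy, redirects to
#      https://profiles.myraysaz.com/... and marks its cookies Secure.
# Truststore path and TRUSTSTORE_PASS are assumptions; the host name is the post's.

CAS_HOST="${CAS_HOST:-profiles.myraysaz.com}"
TRUSTSTORE="${TRUSTSTORE:-/etc/cas/truststore.jks}"

# Print only CERTIFICATE blocks from a PEM stream on stdin; key blocks are skipped.
pem_cert_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep { print }
         /^-----END CERTIFICATE-----/   { keep = 0 }'
}

# Number of PEM blocks in file $1 whose header contains $2, e.g. "PRIVATE KEY".
pem_count() {
    grep -c -- "^-----BEGIN .*$2-----" "$1" || :
}

# Import the cert-only PEM $1 under alias $2 into $TRUSTSTORE and list it back.
# A private truststore is used instead of the JDK's shared cacerts, so the CAS
# Tomcat must be started with -Djavax.net.ssl.trustStore=$TRUSTSTORE.
import_cert() {
    if [ "$(pem_count "$1" 'PRIVATE KEY')" -ne 0 ]; then
        echo "refusing: $1 still contains a private key" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
        -keystore "$TRUSTSTORE" -storepass "${TRUSTSTORE_PASS:?set TRUSTSTORE_PASS}" \
    && keytool -list -alias "$2" -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# Read HTTP response headers on stdin (as printed by curl -I). Return 1 if a
# Location header points anywhere but https://$CAS_HOST/... (a relative Location
# is fine) or a Set-Cookie lacks the Secure attribute. A Location such as
# http://profiles.myraysaz.com:18180/auth/login means Tomcat built the URL from
# its own connector, i.e. the proxy settings are not in effect.
check_headers() {
    rc=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')       # curl -I output is CRLF
        case "$line" in
            [Ll]ocation:*)
                url=${line#*:}; url=${url# }
                case "$url" in
                    "https://$CAS_HOST/"*|/*) ;;
                    *) echo "bad Location: $url" >&2; rc=1 ;;
                esac ;;
            [Ss]et-[Cc]ookie:*)
                # Cookie attributes are "; "-separated; look for the Secure flag.
                case "$line" in
                    *"; "[Ss]ecure*|*";"[Ss]ecure*) ;;
                    *) echo "cookie without Secure:${line#*:}" >&2; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Usage: sh cas_proxy_check.sh cert /etc/ssl/profiles/profiles.myraysaz.com.crt mycas
#        sh cas_proxy_check.sh live        (needs curl and the running proxy)
case "${1:-}" in
    cert)
        pem_cert_only < "$2" > "$2-only" && import_cert "$2-only" "$3" ;;
    live)
        # -k: the certificate is self-signed; this checks the proxy, not the chain.
        curl -sSIk "https://$CAS_HOST/auth/login" | check_headers && echo "proxy OK" ;;
esac
```

Run the cert step once, add -Djavax.net.ssl.trustStore=/etc/cas/truststore.jks (and the matching trustStorePassword) to the CAS Tomcat's JAVA_OPTS, then run the live check. A custom trustStore replaces cacerts entirely for that JVM, so copy cacerts to that path first if CAS must also trust public CAs, for example for LDAP over TLS.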

From → java, linux
