Showing posts with label Tomcat. Show all posts

Tuesday, September 27, 2022

Setup Nginx as a reverse proxy for multiple tomcat application with SSL

Description: Here I explain how to set up Tomcat, deploy multiple applications, and set up Nginx as a reverse proxy for the Tomcat applications.

Setup:

  • Install Tomcat on port 8080 with 2 sample applications
  • Install Nginx on ports 80 and 443 to serve as a reverse proxy
  • 34.222.157.147 is the public IP address of the machine

Install Tomcat on Ubuntu 22:

First, install Java, which Tomcat requires.

# apt install openjdk-11-jdk

Verify the Java version after installation:

# java --version

Install Tomcat after validating Java:

# apt install tomcat9 tomcat9-admin

After installation, verify the listening ports. Port 8080 [the default Tomcat port] should appear in the list.

# netstat -tnlp









Make the necessary security changes to allow access to port 8080 from outside.

After installation, set the user credentials for the admin URL. To set the credentials, open the tomcat-users.xml file and modify it as follows. Here we have set the admin user with password 'admin'.

<tomcat-users>
  <role rolename="manager-gui" />
  <user username="manager" password="admin" roles="manager-gui" />
  <role rolename="admin-gui" />
  <user username="admin" password="admin" roles="manager-gui,admin-gui" />
</tomcat-users>

With Tomcat installed, I am going to set up 2 sample applications with the names below:

/SampleWebApp  ==  http://34.222.157.147:8080/SampleWebApp
/sample        ==  http://34.222.157.147:8080/sample

Both URLs are now directly accessible. Next, I install Nginx and configure it as a proxy for both URLs with a self-signed SSL certificate.

Install and configure Nginx

# apt install nginx
# systemctl start nginx
# systemctl enable nginx

After installing Nginx, configure 2 virtual hosts, one for each application:

  • application1.local  ==  http://34.222.157.147:8080/SampleWebApp
  • application2.local  ==  http://34.222.157.147:8080/sample

To create the vhost file, navigate to /etc/nginx/conf.d and create application1.conf for the application1.local site as follows:


server {
    listen 80;
    server_name application1.local;
}

server {
    listen 443 http2 ssl;
    server_name application1.local;

    ssl_certificate     /etc/ssl/application1/application1.crt;
    ssl_certificate_key /etc/ssl/application1/application1.key;

    access_log /var/log/nginx/application1-access.log;
    error_log  /var/log/nginx/application1-error.log;

    location = / {
        return 301 https://application1.local/SampleWebApp/;
    }

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }
}

Now create the vhost file application2.conf in /etc/nginx/conf.d for the application2.local site as follows:

server {
    listen 80;
    server_name application2.local;
}

server {
    listen 443 http2 ssl;
    server_name application2.local;

    ssl_certificate     /etc/ssl/application2/application2.crt;
    ssl_certificate_key /etc/ssl/application2/application2.key;

    access_log /var/log/nginx/application2-access.log;
    error_log  /var/log/nginx/application2-error.log;

    location = / {
        return 301 https://application2.local/sample/;
    }

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }
}

After setting up both vhosts, either create a self-signed SSL certificate or upload a purchased one, and place the files in the respective locations.

To apply the changes, restart the Nginx service and verify by browsing both URLs in a browser. Each application redirects to its URL with the application path, as follows:

https://application1.local/













https://application2.local/



Tuesday, January 12, 2021

Hosting multiple virtual host with multiple SSL certificate in Tomcat

Description: Here I explain how to host virtual sites with multiple SSL certificates in Tomcat

We are going to set up virtual hosts with multiple SSL certificates, each for a different domain name, as follows:

  • site1.com
  • testsite1.com

In Tomcat, SSL configuration is defined in the <Connector> element in server.xml or config.xml. In this example, site1.com is already hosted on the default ports 80 and 443.

First, we need to create a CSR and get an SSL certificate from a certificate authority, using the URL below:

https://servertecholab.blogspot.com/2018/02/ssl-certificate-installation-tomcat.html

Now, to set up a virtual host for testsite1.com, first add a connector on an additional port that uses the created .jks file, then add a Host with the site name:

<!-- Existing connector for site1.com -->
<Connector port="443" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keyAlias="server" keystoreFile="E:\sites\site1.com.jks" keystorePass="Password"
           connectionTimeout="20000" />

<!-- Additional connector for testsite1.com -->
<Connector port="9443" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keyAlias="ERP" keystoreFile="E:\sites\testsite1.jks" keystorePass="Password"
           connectionTimeout="20000" />

<Host name="testsite1.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Alias>testsite1.com</Alias>
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="tapasyaedu_access_log" suffix=".txt"
         pattern="%h %l %u %t %r %s %b" />
  <Context path="" docBase="E:\sites\webapps\testsite1" debug="0" reloadable="true"/>
</Host>

After adding the above content, save the configuration file and restart Tomcat. Once Tomcat has restarted, browse the site at https://testsite1.com:9443
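
Added example (not part of the original post): a small Python check over the Connector settings shown above, flagging protocol versions that RFC 8996 deprecates and keystore passwords reused across keystores. The sample XML is constructed from the post's two connectors; the 8443 connector and the function name `audit_connectors` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two connectors from the post plus one stricter,
# hypothetical connector on 8443 for contrast. Not read from a live server.xml.
SAMPLE_SERVER_XML = r"""
<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             keystoreFile="E:\sites\site1.com.jks" keystorePass="Password" />
  <Connector port="9443" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             keystoreFile="E:\sites\testsite1.jks" keystorePass="Password" />
  <Connector port="8443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2,TLSv1.3"
             keystoreFile="conf/other.jks" keystorePass="constructed-example-value" />
</Service></Server>
"""

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996; SSLv2/SSLv3 earlier still.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_connectors(server_xml):
    """Return {port: [findings]} for every SSL-enabled <Connector>."""
    connectors = [c for c in ET.fromstring(server_xml).iter("Connector")
                  if c.get("SSLEnabled", "").lower() == "true"]
    # Map each keystorePass value to the set of keystore files that use it.
    stores_by_pass = {}
    for c in connectors:
        stores_by_pass.setdefault(c.get("keystorePass"), set()).add(c.get("keystoreFile"))
    report = {}
    for c in connectors:
        findings = []
        protos = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
        if not protos:
            findings.append("sslEnabledProtocols not set explicitly")
        weak = sorted(protos & DEPRECATED)
        if weak:
            findings.append("deprecated protocols enabled: " + ", ".join(weak))
        if len(stores_by_pass[c.get("keystorePass")]) > 1:
            findings.append("keystorePass shared with another keystore")
        report[c.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or "ok")
```
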


Saturday, April 18, 2020

Virtual Host Configuration in Tomcat

Description: Here I have explained how to configure virtual hosts in Tomcat

Procedure: 
  • To create virtual hosts, first navigate to the installation directory and open config/server.xml or conf/server.xml in an editor. Then create a virtual host for each of your applications:
  1. The first application, with domain name application1.com and document root /opt/tomcat/webapps/app1
  2. The second application, with domain name application2.com and document root /opt/tomcat/webapps/app2



<Host name="application1.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Alias>application1.com</Alias>
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="example_access_log" suffix=".txt"
         pattern="%h %l %u %t %r %s %b" />
  <Context path="" docBase="/opt/tomcat/webapps/app1"
           debug="0" reloadable="true"/>
</Host>

<Host name="application2.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Alias>application2.com</Alias>
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="example_access_log" suffix=".txt"
         pattern="%h %l %u %t %r %s %b" />
  <Context path="" docBase="/opt/tomcat/webapps/app2"
           debug="0" reloadable="true"/>
</Host>

  3. Restart the Tomcat service

How to Deploy war file in Tomcat

Description: Here I have explained how to deploy a war file in Tomcat

Procedure: There are two ways to deploy a war file in Tomcat.

  1. Copy the war file to the webapps folder
  • Open the webapps folder and copy the sample.war file into it
  • After copying the file, browse to http://localhost:8080/sample
  • Once you browse the URL, the sample folder is created automatically under the webapps folder

  2. Upload and deploy the war file remotely
  • Open http://localhost:8080/manager
  • Log in with the admin credentials [defined in tomcat-users.xml]
  • Browse to the war file and deploy it

Friday, April 17, 2020

403 Access Denied in Tomcat Host-manager webapp

Description: 403 Access Denied in the Tomcat manager and host-manager webapps

Procedure: Here I have explained how to add a user for the host-manager and manager webapps
  • Go to /opt/tomcat/webapps/host-manager/META-INF, open context.xml, and comment out everything inside the Context tag. Example:

<Context antiResourceLocking="false" privileged="true" >
     <!--Valve className="org.apache.catalina.valves.RemoteAddrValve"
            allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /-->
   </Context>
  • Open /opt/tomcat/conf/tomcat-users.xml and add the user details as follows:

<user username="admin" password="Password of admin" roles="admin-gui,manager-gui,manager-script" />

  • Restart the Tomcat service and verify by browsing to http://IPADDRESS:8080/host-manager
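
Added example (not part of the original post): a Python check of what the two edits above leave in place, reporting whether context.xml still has an active RemoteAddrValve and which users with manager or admin roles have a guessable password. Both XML samples are constructed to mirror the files on this page; the `deploy` user, the function names and the short `GUESSABLE` list are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the files as edited on this page.
CONTEXT_XML = r"""
<Context antiResourceLocking="false" privileged="true">
  <!--Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /-->
</Context>
"""
USERS_XML = """
<tomcat-users>
  <user username="manager" password="admin" roles="manager-gui" />
  <user username="admin" password="admin" roles="manager-gui,admin-gui" />
  <user username="deploy" password="constructed-Long-Example-93" roles="manager-script" />
</tomcat-users>
"""
PRIVILEGED = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}
GUESSABLE = {"admin", "password", "tomcat", "manager", "changeit"}  # illustrative list

def elements(xml_text, name):
    """Yield elements by local tag name, ignoring any XML namespace."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            yield el

def remote_addr_allow(context_xml):
    """Return the allow pattern of an active RemoteAddrValve, else None."""
    for valve in elements(context_xml, "Valve"):  # commented-out valves are not parsed
        if valve.get("className", "").endswith("RemoteAddrValve"):
            return valve.get("allow")
    return None

def weak_privileged_users(users_xml):
    """Return sorted usernames with a manager/admin role and a guessable password."""
    hits = []
    for user in elements(users_xml, "user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        name, password = user.get("username", ""), user.get("password", "")
        if roles & PRIVILEGED and (password.lower() in GUESSABLE or password == name):
            hits.append(name)
    return sorted(hits)

def audit(context_xml, users_xml):
    findings = []
    if remote_addr_allow(context_xml) is None:
        findings.append("no active RemoteAddrValve: app reachable from any client address")
    for name in weak_privileged_users(users_xml):
        findings.append("guessable password for privileged user: " + name)
    return findings
```
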
Install Tomcat On Centos 7

    Description: Here I have explained how to install Tomcat on CentOS 7

    Procedure: 
    • Install JDK: Tomcat 9 requires Java 8 or later. You can install Java using the command below.
    # yum install java-1.8.0-openjdk-devel

    • Verify Java Version: 
    # java -version
    openjdk version "1.8.0_242"
    OpenJDK Runtime Environment (build 1.8.0_242-b08)
    OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
    • Create User For Tomcat: For security purposes, create a user with its own group and home directory for Tomcat.
    # useradd -m -U -d /opt/tomcat -s /bin/false tomcat
    • Download Tomcat: We will download the latest version of Tomcat from the Tomcat download site. Navigate to the /tmp directory and download it using the wget command.
    # cd /tmp
    # wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.34/bin/apache-tomcat-9.0.34.tar.gz
    • Extract the tar file
    # tar -zxvf apache-tomcat-9.0.34.tar.gz
    • Move the extracted files into /opt/tomcat
    # mv apache-tomcat-9.0.34/* /opt/tomcat/
    • Change user ownership
    # chown -R tomcat: /opt/tomcat
    • Executable File: Make the scripts inside the bin directory executable by issuing the following chmod command:
    # chmod +x /opt/tomcat/bin/*.sh
    • Create Tomcat Service: Create a service unit to start or stop Tomcat and paste the content below.
    # vi /etc/systemd/system/tomcat.service

    [Unit]
    Description=Tomcat 9 servlet container

    After=network.target

    [Service]

    Type=forking
    User=tomcat
    Group=tomcat
    Environment="JAVA_HOME=/usr/lib/jvm/jre"
    Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
    Environment="CATALINA_BASE=/opt/tomcat"
    Environment="CATALINA_HOME=/opt/tomcat"
    Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
    Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
    ExecStart=/opt/tomcat/bin/startup.sh
    ExecStop=/opt/tomcat/bin/shutdown.sh

    [Install]
    WantedBy=multi-user.target
    • Save file and notify systemd that we created a new unit file by typing:
    # systemctl daemon-reload
    • Start and Enable Service
    # systemctl enable tomcat
    # systemctl start tomcat
    • Setup firewall and enable tomcat port
    # firewall-cmd --zone=public --permanent --add-port=8080/tcp
    # firewall-cmd --reload
    • Browse URL http://IP_ADDRESS:8080