
Tomcat Behind Apache

Tomcat usually does not run as a web server; it runs as an application. The best option is to place Tomcat behind a web server that handles HTTP connections better, such as Apache.

Tomcat and Apache

Applications built on a Tomcat server are relatively more secure when they are placed behind Apache2/Nginx, in other words when a reverse proxy is used to access the application. Applications on the Tomcat server cannot be accessed directly, only through the reverse proxy.

— Tomcat Behind Apache
https://bptsi.unisayogya.ac.id/tomcat-di-belakang-apache/ 2023-02-28 23:41:12

IP Apache
Server Apache 1
Server Apache 2
Tomcat HTTPS Port
Server Tomcat 1
Server Tomcat 2

Apache

Prerequisites:

  • The proxy module is installed
  • The evasive and/or security module is installed

#filename: /etc/apache2/ssl.conf
Protocols h2 h2c http/1.1

SSLEngine on
SSLCertificateFile    /etc/ssl/site.crt
SSLCertificateKeyFile /etc/ssl/site.key
SSLCertificateChainFile /etc/ssl/site.ca-bundle
#filename: /etc/apache2/sites-available/tomcat_proxy.conf
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
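    # Bracketed values are placeholders named after the fields listed above; the page leaves them blank
    ServerName [Server Apache 1]
    ErrorLog ${APACHE_LOG_DIR}/1st_error.log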
    Include ssl.conf
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLProxyEngine on
    ProxyPreserveHost Off
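    # The backend URL is blank on the page; https is assumed because SSLProxyEngine is on
    ProxyPass / https://[Server Tomcat 1]:[Tomcat HTTPS Port]/ timeout=1200 KeepAlive=On
    ProxyPassReverse / https://[Server Tomcat 1]:[Tomcat HTTPS Port]/
    Header add Content-Security-Policy "upgrade-insecure-requests"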
    RequestHeader set Content-Security-Policy "upgrade-insecure-requests"
  </VirtualHost>
  <VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    ServerName [Server Apache 2]
    ErrorLog ${APACHE_LOG_DIR}/2nd.log
    # Same file as in the first virtual host (/etc/apache2/ssl.conf)
    Include ssl.conf
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLProxyEngine on
    ProxyPreserveHost Off
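    # The backend URL is blank on the page; https is assumed because SSLProxyEngine is on
    ProxyPass / https://[Server Tomcat 2]:[Tomcat HTTPS Port]/ timeout=1200 KeepAlive=On
    ProxyPassReverse / https://[Server Tomcat 2]:[Tomcat HTTPS Port]/
    Header add Content-Security-Policy "upgrade-insecure-requests"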
    RequestHeader set Content-Security-Policy "upgrade-insecure-requests"
  </VirtualHost>
</IfModule>

Tomcat

<?xml version='1.0' encoding='utf-8'?>
<!-- filename: /etc/tomcat8/server.xml -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

     <!-- http is redirected to https -->
     <Executor name="threadPool-http" namePrefix="http-pool-"/>
     <Connector port="8080" executor="threadPool-http" protocol="org.apache.coyote.http11.Http11Nio2Protocol" redirectPort="9993" />

     <!-- https; [Tomcat HTTPS Port] is a placeholder for the value the page leaves blank -->
     <Executor name="threadPool-https" namePrefix="https-pool-"/>
     <Connector port="[Tomcat HTTPS Port]" executor="threadPool-https" protocol="org.apache.coyote.http11.Http11Nio2Protocol" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/etc/ssl/site.pfx" keystorePass="yourpasswordhere" keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS" />

      <Engine name="Catalina" defaultHost="localhost">
        <!-- tomcat1st -->
        <Host name="localhost" appBase="webapps" undeployOldVersions="true" unpackWARs="true" autoDeploy="true">
        </Host>

        <!-- tomcat2nd; [Server Tomcat 2] is a placeholder for the value the page leaves blank -->
        <Host name="[Server Tomcat 2]" appBase="tomcat2nd" unpackWARs="true" autoDeploy="true" undeployOldVersions="true">
        </Host>
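        <!-- RemoteIpValve must be nested in an Engine, Host or Context, not directly in Service.
             internalProxies is a regular expression; [IP Apache] is a placeholder for the proxy address. -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="[IP Apache]" />
      </Engine>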
  </Service>
</Server>

Firewall

Access to port 8080 and to the Tomcat HTTPS port on the Tomcat server (example.tom) is allowed only from the Apache2 server (example.apa); everything else is dropped.
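
One way to express this rule with iptables, as an added example that is not part of the original post: the function prints (does not apply) an ACCEPT rule for the Apache address followed by a DROP for every other source on the Tomcat ports. The function name, the address 192.0.2.10 and the use of 9993 as the Tomcat HTTPS port are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): print iptables rules that let
# only the Apache reverse proxy reach Tomcat's connector ports.
# The function name and the sample values are assumptions for illustration.

# Usage: tomcat_fw_rules APACHE_IP PORT [PORT...]
# The body runs in a subshell "( ... )" so variables stay local and "exit"
# only ends the function. Rules are printed, not applied, for review first.
tomcat_fw_rules() (
  [ "$#" -ge 2 ] || { echo "usage: tomcat_fw_rules APACHE_IP PORT [PORT...]" >&2; exit 1; }
  apache_ip=$1
  shift

  # Accept only a dotted-quad IPv4 address; this also keeps shell
  # metacharacters out of the generated commands.
  octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
  case $apache_ip in
    ''|*[!0-9.]*) echo "invalid Apache IP: $apache_ip" >&2; exit 1 ;;
  esac
  printf '%s\n' "$apache_ip" | grep -Eq "^($octet\.){3}$octet\$" ||
    { echo "invalid Apache IP: $apache_ip" >&2; exit 1; }

  ports=
  for p in "$@"; do
    # 1 to 5 digits, no leading zero, at most 65535
    case $p in
      ''|*[!0-9]*|0*|??????*) echo "invalid port: $p" >&2; exit 1 ;;
    esac
    [ "$p" -le 65535 ] || { echo "invalid port: $p" >&2; exit 1; }
    ports=${ports:+$ports,}$p
  done

  # Order matters: the ACCEPT for the proxy must come before the DROP.
  echo "iptables -A INPUT -p tcp -s $apache_ip -m multiport --dports $ports -j ACCEPT"
  echo "iptables -A INPUT -p tcp -m multiport --dports $ports -j DROP"
)

# Constructed sample values: 192.0.2.10 stands for the Apache server,
# 9993 for the Tomcat HTTPS port.
tomcat_fw_rules 192.0.2.10 8080 9993
```

Review the printed rules and run them as root on the Tomcat server; they are lost on reboot unless saved, for example with iptables-save. They cover IPv4 only, so a Tomcat that also listens on IPv6 needs matching ip6tables rules.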

Alternative

Use the AJP protocol. Guidance on securing it can be found on the internet.

That is all; hopefully this is useful. [bst]

By basit

Biro Pengembangan Teknologi Dan Sistem Informasi
