notes on https access to ESL

HTTPS access to Tomcat, with or without Apache as an intermediary. 

Leve and I did some experimenting on dean3, which has a working ESL deployment (rsync from dean keeps it up).  Here are the salient findings and the configuration snippets that had desired effects (desired for testing purposes, not necessarily production).  The first is of most interest, allowing Apache to handle the SSL connection from clients, but still getting content from Tomcat.

ssl.conf (the one to try on dean at a convenient time):

Https connections handled by Apache, but response generated by Tomcat through AJP protocol.  Within the default VirtualHost container
(<VirtualHost _default_:443>):
JkMount /apps/* ajp13w
JkMount /*.jsp ajp13w
JkMount /*.jspx ajp13w
JkMount /*/servlet/* ajp13w


To require a secure (SSL) connection when communicating *directly*with Tomcat (no Apache intermediary for instance):
        <web-resource-name>secured page</web-resource-name>


For Tomcat to listen on port 8443 for SSL connections (but of course we do not want to expose Tomcat to Nessus scans and the like, so not something we are likely to use):

   <Connector port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystorePass="changeit" keystoreType="PKCS12"
           clientAuth="false" sslProtocol="SSLv3"/>

(Note that sslProtocol="SSLv3" is not a good idea and would almost certainly get flagged by Nessus - would try "TLS" instead.)


Notes to self:

typical port usage:

port 8005: Tomcat shutdown port (why does this exist?)

port 8009: Tomcat AJP port (what Apache talks to)

port 8080: Tomcat HTTP port (what http clients talk to, if talking directly to Tomcat without Apache) - we could probably disable this - it is not accessible except from localhost

port 8443: Tomcat HTTPS port (what https clients talk to, if talking directly to Tomcat without Apache) - this one is not turned on in STAR's configuration to date