Reygok3

Reputation: 79

What is the correct way of having apache redirect to https AND tomcat (port 8080) at the same time

I know similar questions have been asked a lot already, and I feel like I read all of them 12 times. Every time the answer is slightly different, and I tried virtually all combinations, but still cannot get it to work...

So, I have an Apache and a Tomcat running in a FreeNAS jail (so running FreeBSD). I used Certbot to get an SSL certificate for my domain. Let's call that example.com. In my router, I opened ports 80 and 443.

Now, I want users to just enter either 'www.example.com' or 'example.com' in their browser, and land on 'https://www.example.com' and port 8080. I found that to accomplish this, I need to configure my Apache virtual hosts file. However, as I said, I found many different things to put in there, and none of them seem to be exactly the right ones. Here is what I have now:

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  #  ProxyPreserveHost On
  #  ProxyRequests Off
  #  ProxyPass / http://localhost:8080/
  #  ProxyPassReverse / http://localhost:8080/
  #  Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost _default_:443>
  SSLEngine on

  SSLCertificateFile /usr/local/etc/letsencrypt/live/example.com/cert.pem
  SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/example.com/privkey.pem
  SSLCertificateChainFile /usr/local/etc/letsencrypt/live/example.com/chain.pem

  ServerName www.example.com
  ServerAlias example.com

  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://localhost:8080/
  ProxyPassReverse / http://localhost:8080/

</VirtualHost>

I also added this into the Tomcat server.xml:

 <Connector className="org.apache.catalina.connector.http.HttpConnector"
            port="8080"
            proxyName="www.example.com"
            proxyPort="80"/>

So, my questions are these:

I will be so thankful for any answer I get. Thanks a lot in advance.

Reygok

Upvotes: 1

Views: 3247

Answers (1)

Michael-O

Reputation: 18415

Let's go through your questions:

Does it matter which one has www, ServerName or ServerAlias?

Put the canonical hostname in ServerName and the aliases (the CNAMEs pointing at it) in ServerAlias. Choose which name you want to advertise to the users.

Should I have Apache listen on port 80 or 443?

You must do both, because Let's Encrypt requires port 80 to be open, so HTTPd has to Listen *:80 and Listen *:443.

How can I verify if Apache and Tomcat are listening on the right ports?

FreeBSD magic: sockstat -46

Now to your setup:

Assumptions: HTTPd and Tomcat run on the same host and Tomcat listens on localhost.

Tomcat's server.xml:

<Connector address="localhost" port="8080" redirectPort="443" ... />

I never needed the proxy* attributes, just used this in the <Host />:

<Valve className="org.apache.catalina.valves.RemoteIpValve" />

the access log valve will require: requestAttributesEnabled="true"

HTTPd:

<VirtualHost *:80>
  # The only job of the plain-HTTP vhost: send everyone to the canonical HTTPS name
  Redirect permanent / https://{hostname}/
</VirtualHost>

<VirtualHost *:443>
  # SSLEngine on and the SSLCertificate* directives from the question go here
  ProxyPreserveHost On
  ProxyPass / http://localhost:8080/
  ProxyPassReverse / http://localhost:8080/
  # Needs mod_headers; tells Tomcat (via RemoteIpValve) that the client arrived over TLS
  RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

In your web.xml you can set Tomcat to redirect HTTP to HTTPS: http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/securityConfiguration/modifyingWebxmlEnableHTTPS.htm

Upvotes: 1
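The two checks the answer leans on, as an added example that is not part of the original question or answer. The first half mimics what Tomcat's RemoteIpValve does with the X-Forwarded-For and X-Forwarded-Proto headers Apache sets: they are believed only when the TCP peer is the local proxy, so a client that can reach port 8080 directly cannot claim to be on TLS or to have a different source address, and it applies the HTTP-to-HTTPS redirect that a CONFIDENTIAL security constraint in web.xml produces. The second half parses sockstat -46 output to confirm httpd listens on 80 and 443 and Tomcat only on loopback. The trusted proxy ranges (loopback only, narrower than the valve's default internalProxies), the canonical host www.example.com and the sockstat listings are constructed assumptions; the column layout follows FreeBSD's sockstat.

```python
import ipaddress
from dataclasses import dataclass

# Assumed for this example: Tomcat binds to localhost and only the Apache on
# the same host talks to it, so loopback is the only trusted proxy. (Tomcat's
# RemoteIpValve defaults to a wider internalProxies list covering RFC 1918.)
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]
CANONICAL_HOST = "www.example.com"  # the name advertised in ServerName


@dataclass
class Resolved:
    client_ip: str   # address Tomcat should log and authorise against
    scheme: str      # "https" only if the trusted proxy says so
    trusted: bool    # whether X-Forwarded-* headers were believed


def _is_trusted(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)


def resolve_request(remote_addr: str, headers: dict) -> Resolved:
    """RemoteIpValve-style resolution: believe X-Forwarded-For and
    X-Forwarded-Proto only when the TCP peer is a trusted proxy; otherwise
    use the socket facts, so a direct client cannot claim to be on TLS."""
    h = {k.lower(): v for k, v in headers.items()}
    if not _is_trusted(remote_addr):
        return Resolved(remote_addr, "http", False)
    scheme = "https" if h.get("x-forwarded-proto", "").lower() == "https" else "http"
    client = remote_addr
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    # Walk right to left: the first hop that is not one of our proxies is the client.
    for hop in reversed(hops):
        try:
            if _is_trusted(hop):
                continue
        except ValueError:
            break  # malformed hop: stop rather than trust garbage
        client = hop
        break
    return Resolved(client, scheme, True)


def handle(remote_addr: str, headers: dict, path: str):
    """What a CONFIDENTIAL security-constraint in web.xml does: anything that
    did not arrive over TLS gets a 301 to the canonical HTTPS URL."""
    r = resolve_request(remote_addr, headers)
    if r.scheme != "https":
        return 301, {"Location": f"https://{CANONICAL_HOST}{path}"}
    return 200, {"X-Client-IP": r.client_ip}


def listening_sockets(sockstat_text: str):
    """Parse FreeBSD `sockstat -46` output; listening sockets show *:* as the
    foreign address. Returns (command, proto, local_address) tuples."""
    out = []
    for line in sockstat_text.strip().splitlines()[1:]:  # skip the header
        parts = line.split()
        if len(parts) >= 7 and parts[6] == "*:*":
            out.append((parts[1], parts[4], parts[5]))
    return out


def check_layout(sockstat_text: str) -> list:
    """Findings against the layout in the answer: httpd on 80 and 443,
    Tomcat (java) on 8080 bound to loopback only."""
    findings = []
    socks = listening_sockets(sockstat_text)
    httpd_ports = {local.rsplit(":", 1)[1] for cmd, _, local in socks if cmd == "httpd"}
    for port in ("80", "443"):
        if port not in httpd_ports:
            findings.append(f"httpd is not listening on port {port}")
    for cmd, _, local in socks:
        host, port = local.rsplit(":", 1)
        if cmd == "java" and port == "8080" and host not in ("127.0.0.1", "::1"):
            findings.append(f"java listens on {local}: Tomcat is reachable "
                            "without the proxy, bind it to localhost")
    return findings


# Constructed sockstat listings (not captured from a real host).
SOCKSTAT_GOOD = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1201  4  tcp4   *:80                  *:*
www      httpd      1201  6  tcp4   *:443                 *:*
tomcat   java       1337  45 tcp4   127.0.0.1:8080        *:*
"""
SOCKSTAT_BAD = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1201  4  tcp4   *:80                  *:*
tomcat   java       1337  45 tcp4   *:8080                *:*
"""
```

The point of binding Tomcat to localhost is visible in resolve_request: the valve decides whether to trust X-Forwarded-* purely by the peer address, so a Tomcat reachable on *:8080 lets any LAN client forge both its source IP and "https", which is exactly what check_layout flags in the second listing.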
