Tomcat is usually not run as a web server but as an application server. The best option is to place Tomcat behind a web server that handles HTTP connections better, such as Apache.
Tomcat and Apache
An application deployed on a Tomcat server is relatively safer when it sits behind Apache2/Nginx, that is, when a reverse proxy is used to reach the application. The application on the Tomcat server then cannot be reached directly, only through the reverse proxy.
[Diagram: Tomcat behind Apache. Apache IP: Apache server 1, Apache server 2. Tomcat HTTPS port: Tomcat server 1, Tomcat server 2.]
Apache
Requirements:
- The proxy module is installed
- The evasive and/or security module is installed
#filename: /etc/apache2/ssl.conf
Protocols h2 h2c http/1.1
SSLEngine on
SSLCertificateFile /etc/ssl/site.crt
SSLCertificateKeyFile /etc/ssl/site.key
SSLCertificateChainFile /etc/ssl/site.ca-bundle
#filename: /etc/apache2/sites-available/tomcat_proxy.conf
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName
        ErrorLog ${APACHE_LOG_DIR}/1st_error.log
        Include ssl.conf
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        SSLProxyEngine on
        ProxyPreserveHost Off
        ProxyPass / timeout=1200 KeepAlive=On
        ProxyPassReverse /
        Header add Content-Security-Policy "upgrade-insecure-requests"
        RequestHeader set Content-Security-Policy "upgrade-insecure-requests"
    </VirtualHost>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName
        ErrorLog ${APACHE_LOG_DIR}/2nd.log
        Include ssl.conf
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        SSLProxyEngine on
        ProxyPreserveHost Off
        ProxyPass / timeout=1200 KeepAlive=On
        ProxyPassReverse /
        Header add Content-Security-Policy "upgrade-insecure-requests"
        RequestHeader set Content-Security-Policy "upgrade-insecure-requests"
    </VirtualHost>
</IfModule>
Tomcat
<?xml version='1.0' encoding='utf-8'?>
<!-- filename: /etc/tomcat8/server.xml -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- http is redirected to https -->
    <Executor name="threadPool-http" namePrefix="http-pool-"/>
    <Connector port="8080" executor="threadPool-http"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               redirectPort="9993" />
    <!-- https -->
    <Executor name="threadPool-https" namePrefix="https-pool-"/>
    <Connector port="" executor="threadPool-https"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/ssl/site.pfx" keystorePass="yourpasswordhere"
               keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS" />
    <Engine name="Catalina" defaultHost="localhost">
      <!-- RemoteIpValve must sit inside Engine (or Host/Context);
           Tomcat ignores a Valve placed directly under Service -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="" />
      <!-- tomcat1st -->
      <Host name="localhost" appBase="webapps" undeployOldVersions="true"
            unpackWARs="true" autoDeploy="true">
      </Host>
      <!-- tomcat2nd -->
      <Host name="" appBase="tomcat2nd" unpackWARs="true" autoDeploy="true"
            undeployOldVersions="true">
      </Host>
    </Engine>
  </Service>
</Server>
Firewall
Access to 8080 and to the Tomcat server (example.tom) is allowed only from the Apache2 server (example.apa); everything else is dropped.
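The Apache vhost, the Tomcat server.xml and the firewall rule above only protect the application if a few details are right: the Tomcat connectors are not reachable on every interface, the RemoteIpValve is placed where Tomcat actually loads it (inside Engine, Host or Context, not directly under Service), its internalProxies list is not empty, the keystore password is not a plaintext literal, and each ProxyPass names a backend URL. The following audit script is an added example and not code from the original post; it parses the two configuration files and reports those weak spots. The sample server.xml and vhost embedded in it are constructed for this example, and every hostname, port and path in them is a placeholder.

```python
"""Audit a Tomcat-behind-Apache setup for the weak spots discussed above.

Added example; this is not code from the original post. Sample inputs are
constructed; hostnames, ports and paths are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml containing every mistake the audit looks for.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/ssl/site.pfx" keystorePass="plaintext-secret"
               keystoreType="PKCS12"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
    <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies=""/>
  </Service>
</Server>
"""

# Constructed sample vhost: ProxyPass lost its backend URL, <Proxy> uses 2.2 syntax.
SAMPLE_VHOST = """<VirtualHost _default_:443>
    ServerName proxy.example.invalid
    SSLProxyEngine on
    ProxyPreserveHost Off
    ProxyPass / timeout=1200 KeepAlive=On
    ProxyPassReverse / https://tomcat.example.invalid:8443/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
"""

# Elements under which Tomcat's digester accepts a <Valve>.
VALVE_PARENTS = {"Engine", "Host", "Context"}


def audit_server_xml(xml_text):
    """Return a list of finding strings for a Tomcat server.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if not conn.get("address"):
            findings.append(f"connector {port}: no address attribute, listens on all interfaces")
        pw = conn.get("keystorePass")
        if pw is not None and not pw.startswith("${"):
            findings.append(f"connector {port}: keystorePass is a plaintext literal")
    # ElementTree has no parent pointers, so walk parent -> child pairs.
    for parent in root.iter():
        for child in parent:
            if child.tag != "Valve" or not child.get("className", "").endswith("RemoteIpValve"):
                continue
            if parent.tag not in VALVE_PARENTS:
                findings.append(f"RemoteIpValve under <{parent.tag}>: only valid inside Engine/Host/Context, Tomcat ignores it")
            if child.get("internalProxies") == "":
                findings.append("RemoteIpValve: internalProxies is empty, so no proxy is trusted and X-Forwarded-For is ignored")
    return findings


def audit_vhost(conf_text):
    """Return a list of finding strings for an Apache reverse-proxy vhost."""
    findings = []
    in_proxy_block = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        # ProxyPass/ProxyPassReverse syntax: <path> <backend-url> [key=value ...]
        m = re.match(r"ProxyPass(?:Reverse)?\s+(\S+)\s*(.*)$", line)
        if m:
            rest = m.group(2).split()
            if not rest or "=" in rest[0]:
                findings.append(f"{line}: no backend URL after path {m.group(1)}")
        if line.startswith("<Proxy"):
            in_proxy_block = True
        elif line.startswith("</Proxy>"):
            in_proxy_block = False
        elif in_proxy_block and re.match(r"(Order|Allow|Deny)\b", line):
            findings.append(f"{line}: Apache 2.2 access syntax, needs mod_access_compat; prefer Require")
    return findings


if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML) + audit_vhost(SAMPLE_VHOST):
        print("FINDING:", f)
```

Run it against your own files with `audit_server_xml(open("/etc/tomcat8/server.xml").read())` and the same for the vhost; an empty list means none of the checked mistakes is present. The connector check is the one that ties back to the firewall rule: a connector with no address attribute listens on all interfaces, so the host firewall is the only thing keeping port 8080 and the HTTPS port reachable solely from the Apache server.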
Alternative
Use the AJP protocol. Its security aspects can be looked up on the internet.
That is all; I hope it is useful. [bst]