This section will show you how to use an Apache Web Server Proxy in front of EJBCA. The resulting server will:
- Display EJBCA public web at https://ca-server.company.local/
- Redirect all HTTP-requests to HTTPS, except for OCSP and CRL.
- Require a client SSL certificate when accessing https://ca-server.company.local/adminweb/
- Be able to load-balance requests
- Still answer requests on https://ca-server.company.local/ejbca/*
This example was created on Ubuntu 64-bit Server 7.10 using the Apache Web Server 2.2 package, but should be easy to adapt to any system able to run Apache.
Start by installing EJBCA as normal. If you intend to have the CA on the same machine as the proxy, you should modify $EJBCA_HOME/conf/web.properties to listen only on localhost.
Continue reading “Setting up an Apache Web Server as a proxy in front of EJBCA” »
You have created a Web application using a JBoss application server and you are going to put it in production. Great!
But deploying your application with JBoss serving the Web requests directly may not be the optimal solution: first, because the Tomcat web server embedded within JBoss is not the best server for static files, and second, because configuring Tomcat and JBoss for best performance and security is in general a complex and tedious task.
Instead, it is good practice to use an Apache server (2.0 or 2.2) in front of your JBoss/Tomcat. This Apache server can serve static files, take care of your SSL security, manage all the details of HTTP headers (Expires and other headers) for you, and more.
In a production environment, you should not use your JBoss application as a Web front end. Instead, you should use an Apache server and configure it to redirect specific Web application requests to your J2EE server. There are many advantages in doing this:
- When you need it, you can activate SSL on Apache without having to change your application.
- The Apache SSL implementation is faster than the Tomcat implementation (and a lot easier to configure!).
- You have better control of HTTP headers. No need to develop any servlet filter for that.
- You get compression out of the box. No need to develop another servlet filter or to configure a Tomcat connector.
I assume here that the Apache server is already installed with the following modules and that these modules are enabled.
Continue reading “Deploying a J2EE application behind an Apache server in a production environment” »