DEV Community: Jesús G. Calderín The latest articles on DEV Community by Jesús G. Calderín (@jess_garcacaldern_028). https://dev.to/jess_garcacaldern_028 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3517941%2F27f5bf6c-accf-48b9-8e23-e0c31ad244ec.jpg DEV Community: Jesús G. Calderín https://dev.to/jess_garcacaldern_028 en Install SSL server and client certificates in Apache Web Server Jesús G. Calderín Tue, 30 Sep 2025 09:51:39 +0000 https://dev.to/jess_garcacaldern_028/install-ssl-server-and-client-certificates-in-apache-web-server-3j25 https://dev.to/jess_garcacaldern_028/install-ssl-server-and-client-certificates-in-apache-web-server-3j25 <p>SSL (Secure Socket Layer) is the technology behind the <code>https</code> urls you can see when browsing secure sites (which is nearly all of them). It's a protocol that allows server and browser (or more generally, the "agent" or just the "client") to establish a "handshake" prior to start exchanging request and responses. Its two main purposes are to enable the client to reliably identify the server and allow both to communicate via an encrypted channel.</p> <p>During this handshake, the server will present the client with its "certificate", which is a X501-formatted data structure. The way the client will verify that the server is who it claims to be is by checking that this certificate is signed by some organisation it trusts, a list of which it must have available on its side and also checking that the certificate is issued to the same domain we are accessing.</p> <p>Additionally, the server can ask the client to provide him with a "client certificate" for identification purposes. The server can then use this information to grant or block the client from visiting certain areas of the site or executing certain functions.</p> <p>We will see below how to </p> <ul> <li>activate SSL in our Apache Web Server, </li> <li>create a server certificate for our site,</li> <li>instruct the server to ask the client to provide a certificate,</li> <li>create and install a client certificate in our browser</li> </ul> <h2> Prerequisites </h2> <p>1) Verify Linux's builtin Apache Web Server is installed and running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl status apache2 ● apache2.service - The Apache HTTP Server Loaded: loaded <span class="o">(</span>/lib/systemd/system/apache2.service<span class="p">;</span> enabled<span class="p">;</span> vendor preset: enabled<span class="o">)</span> Active: active <span class="o">(</span>running<span class="o">)</span> since Sun 2025-09-21 12:43:12 CEST<span class="p">;</span> </code></pre> </div> <p>2) Although not mandatory, I find convenient to map the ip address of the Linux box containing our Apache server to a DNS name of our choosing, for example I will use:<br> <code>test-980.com</code></p> <p>In Windows, you can do this mapping by editing the file</p> <p><code>C:\Windows\System32\drivers\etc\hosts</code></p> <p>and adding your &lt;Apache server ip&gt; + blank-space + &lt;domain name&gt;:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Added by me 172.31.36.52 test-980.com </code></pre> </div> <p>Now when I call that domain from my Windows host, I will get the home page of my Apache Web Server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="c">#Before changing C:\Windows\System32\drivers\etc\hosts file:</span><span class="w"> </span><span class="n">PS</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">curl.exe</span><span class="w"> </span><span class="nt">-v</span><span class="w"> </span><span class="nx">http://test-980.com/</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Could</span><span class="w"> </span><span class="nx">not</span><span class="w"> </span><span class="nx">resolve</span><span class="w"> </span><span class="nx">host:</span><span class="w"> </span><span class="nx">test-980.com</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">shutting</span><span class="w"> </span><span class="nx">down</span><span class="w"> </span><span class="nx">connection</span><span class="w"> </span><span class="c">#0</span><span class="w"> </span><span class="n">curl:</span><span class="w"> </span><span class="p">(</span><span class="mi">6</span><span class="p">)</span><span class="w"> </span><span class="n">Could</span><span class="w"> </span><span class="nx">not</span><span class="w"> </span><span class="nx">resolve</span><span class="w"> </span><span class="nx">host:</span><span class="w"> </span><span class="nx">test-980.com</span><span class="w"> </span><span class="c">#After changing C:\Windows\System32\drivers\etc\hosts file:</span><span class="w"> </span><span class="n">PS</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">curl.exe</span><span class="w"> </span><span class="nt">-v</span><span class="w"> </span><span class="nx">http://test-980.com/</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Host</span><span class="w"> </span><span class="nx">test-980.com:80</span><span class="w"> </span><span class="nx">was</span><span class="w"> </span><span class="nx">resolved.</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">IPv6:</span><span class="w"> </span><span class="p">(</span><span class="n">none</span><span class="p">)</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">IPv4:</span><span class="w"> </span><span class="nx">172.31.36.52</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Trying</span><span class="w"> </span><span class="nx">172.31.36.52:80...</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Connected</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">test-980.com</span><span class="w"> </span><span class="p">(</span><span class="mf">172.31</span><span class="o">.</span><span class="nf">36</span><span class="o">.</span><span class="nf">52</span><span class="p">)</span><span class="w"> </span><span class="n">port</span><span class="w"> </span><span class="nx">80</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="kr">using</span><span class="w"> </span><span class="n">HTTP/1.x</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="nx">GET</span><span class="w"> </span><span class="nx">/</span><span class="w"> </span><span class="nx">HTTP/1.1</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="n">Host:</span><span class="w"> </span><span class="nx">test-980.com</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="n">User-Agent:</span><span class="w"> </span><span class="nx">curl/8.14.1</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="n">Accept:</span><span class="w"> </span><span class="o">*</span><span class="nx">/</span><span class="o">*</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="err">&lt;</span><span class="w"> </span><span class="n">HTTP/1.1</span><span class="w"> </span><span class="nx">200</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="n">full</span><span class="w"> </span><span class="nx">content</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">home</span><span class="w"> </span><span class="nx">page</span><span class="w"> </span><span class="nx">follows</span><span class="w"> </span><span class="nx">here</span><span class="w"> </span><span class="o">...</span><span class="w"> </span></code></pre> </div> <p>3) Create a virtual host for my <code>test-980.com</code> site, so we don't mess around with default virtual host in apache:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo mkdir</span> <span class="nt">-p</span> /var/sites/test-980.com/conf <span class="nv">$ </span><span class="nb">sudo mkdir</span> <span class="nt">-p</span> /var/sites/test-980.com/www/html <span class="nv">$ </span><span class="nb">sudo </span>vi /var/sites/test-980.com/www/html/index.html <span class="c">#add the content shown in the cat command below</span> <span class="nv">$ </span><span class="nb">cat</span> /var/sites/test-980.com/www/html/index.html &lt;html <span class="nv">xmlns</span><span class="o">=</span><span class="s2">"http://www.w3.org/1999/xhtml"</span><span class="o">&gt;</span> &lt;<span class="nb">head</span><span class="o">&gt;</span> &lt;meta http-equiv<span class="o">=</span><span class="s2">"Content-Type"</span> <span class="nv">content</span><span class="o">=</span><span class="s2">"text/html; charset=UTF-8"</span> /&gt; &lt;title&gt;test-980.com: It works&lt;/title&gt; &lt;/head&gt; &lt;body&gt; Welcome to test-980.com &lt;/body&gt; &lt;/html&gt; <span class="nv">$ </span><span class="nb">sudo cp</span> /etc/apache2/sites-available/000-default.conf <span class="se">\</span> /var/sites/test-980.com/conf/localhost.conf <span class="nv">$ </span><span class="nb">sudo </span>vi /var/sites/test-980.com/conf/localhost.conf <span class="c">#add the content shown in the cat command below</span> <span class="nv">$ </span><span class="nb">cat</span> /var/sites/test-980.com/conf/localhost.conf &lt;VirtualHost <span class="k">*</span>:80&gt; ServerName test-980.com ServerAdmin webmaster@test-980.com DocumentRoot /var/sites/test-980.com/www/html &lt;Directory /var/sites/test-980.com/www/&gt; Options Indexes FollowSymLinks AllowOverride None Require all granted &lt;/Directory&gt; ErrorLog <span class="k">${</span><span class="nv">APACHE_LOG_DIR</span><span class="k">}</span>/error.log CustomLog <span class="k">${</span><span class="nv">APACHE_LOG_DIR</span><span class="k">}</span>/access.log combined &lt;/VirtualHost&gt; <span class="c">#Make our site available</span> <span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-s</span> /var/sites/test-980.com/conf/localhost.conf <span class="se">\</span> /etc/apache2/sites-available/local-test-980.com.conf <span class="c">#Maker our site enabled:</span> <span class="nv">$ </span><span class="nb">sudo </span>a2ensite local-test-980.com Enabling site local-test-980.com. To activate the new configuration, you need to run: systemctl reload apache2 <span class="nv">$ </span><span class="nb">sudo </span>systemctl reload apache2 </code></pre> </div> <p>Now, <code>curl</code> will return our new page:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>PS&gt; curl.exe http://test-980.com/ <span class="nt">&lt;html</span> <span class="na">xmlns=</span><span class="s">"http://www.w3.org/1999/xhtml"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">http-equiv=</span><span class="s">"Content-Type"</span> <span class="na">content=</span><span class="s">"text/html; charset=UTF-8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;title&gt;</span>test-980.com: It works<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> Welcome to test-980.com <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>However, we cannnot access our site via <code>https</code> for the moment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">PS</span><span class="o">&gt;</span> <span class="nb">curl.exe</span> <span class="kd">https</span>://test<span class="o">-</span><span class="m">980</span>.com/ <span class="nb">curl</span>: <span class="o">(</span><span class="m">35</span><span class="o">)</span> <span class="kd">schannel</span>: <span class="kd">next</span> <span class="kd">InitializeSecurityContext</span> <span class="kd">failed</span>: <span class="kd">SEC_E_INVALID_TOKEN</span> <span class="o">(</span><span class="mh">0x80090308</span><span class="o">)</span> <span class="o">-</span> <span class="kd">El</span> <span class="kd">token</span> <span class="kd">proporcionado</span> <span class="kd">a</span> <span class="kd">la</span> <span class="kd">funci</span>ón <span class="kd">no</span> <span class="kd">es</span> <span class="kd">v</span>álido </code></pre> </div> <p>We'll see next how to secure our site via SSL.</p> <h2> Enable SSL on Apache </h2> <p>Run<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>a2ensite default-ssl.conf Enabling site default-ssl. To activate the new configuration, you need to run: systemctl reload apache2 <span class="nv">$ </span><span class="nb">sudo </span>systemctl reload apache2 </code></pre> </div> <p>If we look at the content of <code>/etc/apache2/sites-enabled/default-ssl.conf</code>, we will see that we have done the following:</p> <ul> <li>listen on port 443:</li> </ul> <p><code>&lt;VirtualHost _default_:443&gt;</code></p> <ul> <li>serve the pages under <code>/var/www/html</code>:</li> </ul> <p><code>DocumentRoot /var/www/html</code></p> <ul> <li>use SSL protocol on this virtual host:</li> </ul> <p><code>SSLEngine on</code></p> <ul> <li>send the client the following server certificate:</li> </ul> <p><code>SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem</code></p> <p>So, if we now test <code>https</code>, we will get a warning that the certificate is not trusted:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">PS</span><span class="o">&gt;</span> <span class="nb">curl.exe</span> <span class="kd">https</span>://test<span class="o">-</span><span class="m">980</span>.com/ <span class="nb">curl</span>: <span class="o">(</span><span class="m">60</span><span class="o">)</span> <span class="kd">schannel</span>: <span class="kd">SEC_E_UNTRUSTED_ROOT</span> <span class="o">(</span><span class="mh">0x80090325</span><span class="o">)</span> <span class="o">-</span> <span class="kd">La</span> <span class="kd">cadena</span> <span class="kd">de</span> <span class="kd">certificaci</span>ón <span class="kd">fue</span> <span class="kd">emitida</span> <span class="kd">por</span> <span class="kd">una</span> <span class="kd">entidad</span> <span class="kd">en</span> <span class="kd">la</span> <span class="kd">que</span> <span class="kd">no</span> <span class="kd">se</span> <span class="kd">conf</span>ía. <span class="kd">More</span> <span class="kd">details</span> <span class="kd">here</span>: <span class="kd">https</span>://curl.se/docs/sslcerts.html <span class="nb">curl</span> <span class="kd">failed</span> <span class="kd">to</span> <span class="nb">verify</span> <span class="kd">the</span> <span class="kd">legitimacy</span> <span class="kd">of</span> <span class="kd">the</span> <span class="kd">server</span> <span class="kd">and</span> <span class="kd">therefore</span> <span class="kd">could</span> <span class="ow">not</span> <span class="kd">establish</span> <span class="kd">a</span> <span class="kd">secure</span> <span class="kd">connection</span> <span class="kd">to</span> <span class="kd">it</span>. <span class="kd">To</span> <span class="kd">learn</span> <span class="nb">more</span> <span class="kd">about</span> <span class="kd">this</span> <span class="kd">situation</span> <span class="kd">and</span> <span class="kd">how</span> <span class="kd">to</span> <span class="kd">fix</span> <span class="kd">it</span><span class="o">,</span> <span class="kd">please</span> <span class="kd">visit</span> <span class="kd">the</span> <span class="kd">webpage</span> <span class="kd">mentioned</span> <span class="kd">above</span>. </code></pre> </div> <p>However, we can force <code>curl</code> to trust the certificate via the <code>-k</code> option:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">PS</span><span class="o">&gt;</span> <span class="nb">curl.exe</span> <span class="na">-k </span><span class="kd">https</span>://test<span class="o">-</span><span class="m">980</span>.com/ ... <span class="kd">full</span> <span class="kd">content</span> <span class="kd">of</span> <span class="kd">page</span> <span class="na">/var/www/html/index</span>.html <span class="kd">will</span> <span class="kd">follow</span> ... </code></pre> </div> <p>But we don't want the default page in <code>/var/www/html/index.html</code> to be served, but the page in our <code>test-980.com</code> site, so we have to create a virtual host for our site that speaks <code>https</code>. <br> We do it as follows:</p> <ul> <li>copy default ssl conf: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo cp</span> /etc/apache2/sites-available/default-ssl.conf <span class="se">\</span> /var/sites/test-980.com/conf/localhost-ssl.conf </code></pre> </div> <ul> <li>adapt it to our site by adding our domain name in <code>ServerName</code> and our html folder in <code>DocumentRoot</code>: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat</span> /var/sites/test-980.com/conf/localhost-ssl.conf ... ServerName test-980.com ... DocumentRoot /var/sites/test-980.com/www/html </code></pre> </div> <p>We set our site available, enable it and reload Apache:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-s</span> /var/sites/test-980.com/conf/localhost-ssl.conf <span class="se">\</span> /etc/apache2/sites-available/local-test-980.com-ssl.conf <span class="nv">$ </span><span class="nb">sudo </span>a2ensite local-test-980.com-ssl.conf <span class="nv">$ </span><span class="nb">sudo </span>systemctl reload apache2 </code></pre> </div> <p>If we try again we will get:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">curl.exe</span><span class="w"> </span><span class="nt">-k</span><span class="w"> </span><span class="nx">https://test-980.com/</span><span class="w"> </span><span class="err">&lt;</span><span class="o">!</span><span class="n">DOCTYPE</span><span class="w"> </span><span class="nx">HTML</span><span class="w"> </span><span class="nx">PUBLIC</span><span class="w"> </span><span class="s2">"-//IETF//DTD HTML 2.0//EN"</span><span class="err">&gt;</span><span class="w"> </span><span class="err">&lt;</span><span class="n">html</span><span class="err">&gt;&lt;</span><span class="nx">head</span><span class="err">&gt;</span><span class="w"> </span><span class="err">&lt;</span><span class="n">title</span><span class="err">&gt;</span><span class="nx">403</span><span class="w"> </span><span class="nx">Forbidden</span><span class="err">&lt;</span><span class="nx">/title</span><span class="err">&gt;</span><span class="w"> </span><span class="err">&lt;</span><span class="n">/head</span><span class="err">&gt;&lt;</span><span class="nx">body</span><span class="err">&gt;</span><span class="w"> </span><span class="err">&lt;</span><span class="n">h1</span><span class="err">&gt;</span><span class="nx">Forbidden</span><span class="err">&lt;</span><span class="nx">/h1</span><span class="err">&gt;</span><span class="w"> </span><span class="err">&lt;</span><span class="n">p</span><span class="err">&gt;</span><span class="nx">You</span><span class="w"> </span><span class="nx">don</span><span class="s1">'t have permission to access this resource.&lt;/p&gt; &lt;hr&gt; &lt;address&gt;Apache/2.4.52 (Ubuntu) Server at test-980.com Port 443&lt;/address&gt; &lt;/body&gt;&lt;/html&gt; </span></code></pre> </div> <p>That's because we have to grant access to our home folder in our new ssl conf, in the same way we did in <code>/var/sites/test-980.com/conf/localhost.conf</code>.</p> <p>So, we have to modify <code>localhost-ssl.conf</code> to add the following <code>Directory</code> element:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code>$ more /var/sites/test-980.com/conf/localhost-ssl.conf ... DocumentRoot /var/sites/test-980.com/www/html <span class="nt">&lt;Directory</span> <span class="err">/var/sites/test-980.com/www</span><span class="nt">/&gt;</span> Options Indexes FollowSymLinks AllowOverride None Require all granted <span class="nt">&lt;/Directory&gt;</span> ... </code></pre> </div> <p>and reload:</p> <p><code>$ sudo systemctl reload apache2</code></p> <p>Now, we can get our home page via <code>https</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">PS</span><span class="o">&gt;</span> <span class="nb">curl.exe</span> <span class="na">-k </span><span class="kd">https</span>://test<span class="o">-</span><span class="m">980</span>.com/ <span class="o">&lt;</span><span class="kd">html</span> <span class="kd">xmlns</span><span class="o">=</span><span class="s2">"http://www.w3.org/1999/xhtml"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="kd">head</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="kd">meta</span> <span class="kd">http</span><span class="na">-equiv</span><span class="o">=</span><span class="s2">"Content-Type"</span> <span class="kd">content</span><span class="o">=</span><span class="s2">"text/html; charset=UTF-8"</span> /&gt; <span class="o">&lt;</span><span class="nb">title</span><span class="o">&gt;</span><span class="kd">test</span><span class="o">-</span><span class="m">980</span>.com: <span class="kd">It</span> <span class="kd">works</span><span class="o">&lt;</span><span class="na">/title</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="na">/head</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="kd">body</span><span class="o">&gt;</span> <span class="kd">Welcome</span> <span class="kd">to</span> <span class="kd">test</span><span class="o">-</span><span class="m">980</span>.com <span class="o">&lt;</span><span class="na">/body</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="na">/html</span><span class="o">&gt;</span> </code></pre> </div> <p>Remember we are able to retrieve the page only because we have instructed <code>curl</code> to ignore (via option <code>k</code>) the fact that the certificate presented (or more precisely, the signer of the certificate) is not trusted:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">PS</span><span class="o">&gt;</span> <span class="nb">curl.exe</span> <span class="na">-k </span><span class="kd">https</span>://test<span class="o">-</span><span class="m">980</span>.com/ <span class="o">&lt;</span><span class="kd">html</span> <span class="kd">xmlns</span><span class="o">=</span><span class="s2">"http://www.w3.org/1999/xhtml"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="kd">head</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="kd">meta</span> <span class="kd">http</span><span class="na">-equiv</span><span class="o">=</span><span class="s2">"Content-Type"</span> <span class="kd">content</span><span class="o">=</span><span class="s2">"text/html; charset=UTF-8"</span> /&gt; <span class="o">&lt;</span><span class="nb">title</span><span class="o">&gt;</span><span class="kd">test</span><span class="o">-</span><span class="m">980</span>.com: <span class="kd">It</span> <span class="kd">works</span><span class="o">&lt;</span><span class="na">/title</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="na">/head</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="kd">body</span><span class="o">&gt;</span> <span class="kd">Welcome</span> <span class="kd">to</span> <span class="kd">test</span><span class="o">-</span><span class="m">980</span>.com <span class="o">&lt;</span><span class="na">/body</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="na">/html</span><span class="o">&gt;</span> #Removing <span class="kd">the</span> <span class="na">-k </span><span class="kd">PS</span><span class="o">&gt;</span> <span class="nb">curl.exe</span> <span class="kd">https</span>://test<span class="o">-</span><span class="m">980</span>.com/ <span class="nb">curl</span>: <span class="o">(</span><span class="m">60</span><span class="o">)</span> <span class="kd">schannel</span>: <span class="kd">SEC_E_UNTRUSTED_ROOT</span> <span class="o">(</span><span class="mh">0x80090325</span><span class="o">)</span> <span class="o">-</span> <span class="kd">La</span> <span class="kd">cadena</span> <span class="kd">de</span> <span class="kd">certificaci</span>ón <span class="kd">fue</span> <span class="kd">emitida</span> <span class="kd">por</span> <span class="kd">una</span> <span class="kd">entidad</span> <span class="kd">en</span> <span class="kd">la</span> <span class="kd">que</span> <span class="kd">no</span> <span class="kd">se</span> <span class="kd">conf</span>ía. <span class="kd">More</span> <span class="kd">details</span> <span class="kd">here</span>: <span class="kd">https</span>://curl.se/docs/sslcerts.html <span class="nb">curl</span> <span class="kd">failed</span> <span class="kd">to</span> <span class="nb">verify</span> <span class="kd">the</span> <span class="kd">legitimacy</span> <span class="kd">of</span> <span class="kd">the</span> <span class="kd">server</span> <span class="kd">and</span> <span class="kd">therefore</span> <span class="kd">could</span> <span class="ow">not</span> <span class="kd">establish</span> <span class="kd">a</span> <span class="kd">secure</span> <span class="kd">connection</span> <span class="kd">to</span> <span class="kd">it</span>. <span class="kd">To</span> <span class="kd">learn</span> <span class="nb">more</span> <span class="kd">about</span> <span class="kd">this</span> <span class="kd">situation</span> <span class="kd">and</span> <span class="kd">how</span> <span class="kd">to</span> <span class="kd">fix</span> <span class="kd">it</span><span class="o">,</span> <span class="kd">please</span> <span class="kd">visit</span> <span class="kd">the</span> <span class="kd">webpage</span> <span class="kd">mentioned</span> <span class="kd">above</span>. </code></pre> </div> <p>We can tell <code>curl</code> to trust the certificate with the option <code>cacert</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">PS</span><span class="o">&gt;</span> <span class="nb">curl.exe</span> <span class="kd">https</span>://test<span class="o">-</span><span class="m">980</span>.com <span class="na">--cacert </span><span class="se">^ </span>\\wsl.localhost\Ubuntu<span class="o">-</span><span class="m">22</span>.04\etc\ssl\certs\ssl<span class="na">-cert-snakeoil</span>.pem <span class="nb">curl</span>: <span class="o">(</span><span class="m">60</span><span class="o">)</span> <span class="kd">schannel</span>: <span class="kd">CertGetNameString</span><span class="o">()</span> <span class="kd">failed</span> <span class="kd">to</span> <span class="kd">match</span> <span class="kd">connection</span> <span class="nb">hostname</span> <span class="o">(</span><span class="kd">test</span><span class="o">-</span><span class="m">980</span>.com<span class="o">)</span> <span class="kd">against</span> <span class="kd">server</span> <span class="kd">certificate</span> <span class="kd">names</span> <span class="kd">More</span> <span class="kd">details</span> <span class="kd">here</span>: <span class="kd">https</span>://curl.se/docs/sslcerts.html <span class="nb">curl</span> <span class="kd">failed</span> <span class="kd">to</span> <span class="nb">verify</span> <span class="kd">the</span> <span class="kd">legitimacy</span> <span class="kd">of</span> <span class="kd">the</span> <span class="kd">server</span> <span class="kd">and</span> <span class="kd">therefore</span> <span class="kd">could</span> <span class="ow">not</span> <span class="kd">establish</span> <span class="kd">a</span> <span class="kd">secure</span> <span class="kd">connection</span> <span class="kd">to</span> <span class="kd">it</span>. <span class="kd">To</span> <span class="kd">learn</span> <span class="nb">more</span> <span class="kd">about</span> <span class="kd">this</span> <span class="kd">situation</span> <span class="kd">and</span> <span class="kd">how</span> <span class="kd">to</span> <span class="kd">fix</span> <span class="kd">it</span><span class="o">,</span> <span class="kd">please</span> <span class="kd">visit</span> <span class="kd">the</span> <span class="kd">webpage</span> <span class="kd">mentioned</span> <span class="kd">above</span>. </code></pre> </div> <p>We're not there yet. The reason is that the certificate is issued for a domaine named "DESKTOP-IUMEIDO", which is my computer's name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>openssl x509 <span class="nt">-in</span> /etc/ssl/certs/ssl-cert-snakeoil.pem <span class="nt">-noout</span> <span class="nt">-text</span>|<span class="se">\</span> <span class="nb">grep</span> <span class="s2">"Subject:"</span> Subject: CN <span class="o">=</span> DESKTOP-IUMEID0. </code></pre> </div> <p>, whereas our request is sent to a different domain (<code>test-980.com</code>). The client is being presented a certificate signed by someone he now trusts, but that is issued to a domain different that the one we are trying to connect to. This is deemed dangerous, hence the message and the refusal to connect.</p> <p>In next section, we'll see how to create a server certificate for our domain <code>test-980</code></p> <h2> Create SSL server certificate </h2> <p>First, let's generate a key of length 2048:</p> <p><code>$ openssl genrsa -out test-980.com.key 2048</code></p> <p>Now we need to create a <code>certificate sign request</code> or <code>csr</code>. We will be asked to provide information about the owner of the certificate such as it's company name, it's country, etc... Only <code>Common Name</code> is mandatory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>openssl req <span class="nt">-new</span> <span class="se">\</span> <span class="nt">-key</span> test-980.com.key <span class="se">\</span> <span class="nt">-out</span> test-980.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter <span class="s1">'.'</span>, the field will be left blank. <span class="nt">-----</span> Country Name <span class="o">(</span>2 letter code<span class="o">)</span> <span class="o">[</span>AU]:. State or Province Name <span class="o">(</span>full name<span class="o">)</span> <span class="o">[</span>Some-State]:. Locality Name <span class="o">(</span>eg, city<span class="o">)</span> <span class="o">[]</span>:. Organization Name <span class="o">(</span>eg, company<span class="o">)</span> <span class="o">[</span>Internet Widgits Pty Ltd]:. Organizational Unit Name <span class="o">(</span>eg, section<span class="o">)</span> <span class="o">[]</span>:. Common Name <span class="o">(</span>e.g. server FQDN or YOUR name<span class="o">)</span> <span class="o">[]</span>:test-980.com Email Address <span class="o">[]</span>:. Please enter the following <span class="s1">'extra'</span> attributes to be sent with your certificate request A challenge password <span class="o">[]</span>:. An optional company name <span class="o">[]</span>:. </code></pre> </div> <p>Finally, we sign the request with the key generated above. This will generate our certificate and place it in the file specified in <code>out</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>openssl x509 <span class="nt">-req</span> <span class="nt">-days</span> 365 <span class="se">\</span> <span class="nt">-in</span> test-980.com.csr <span class="se">\</span> <span class="nt">-signkey</span> test-980.com.key <span class="se">\</span> <span class="nt">-out</span> test-980.com.crt Certificate request self-signature ok <span class="nv">subject</span><span class="o">=</span>CN <span class="o">=</span> test-980.com </code></pre> </div> <p>If we list our current folder, we will see the 3 files that we have just generated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">ls </span>test-980<span class="k">*</span> test-980.com.crt test-980.com.csr test-980.com.key </code></pre> </div> <p>Our certificate is the <code>crt</code> file.<br> We will now copy the <code>crt</code> and the <code>key</code> files inside our <code>test-980.com</code>'s site configuration folder and reference them in our ssl conf file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo cp </span>test-980.com.crt /var/sites/test-980.com/conf <span class="nv">$ </span><span class="nb">sudo cp </span>test-980.com.key /var/sites/test-980.com/conf <span class="c">#Modify localhost-ssl.conf to point to our new files:</span> <span class="nv">$ </span><span class="nb">cat</span> /var/sites/test-980.com/conf/localhost-ssl.conf|grep SSLCertificate SSLCertificateFile /var/sites/test-980.com/conf/test-980.com.crt SSLCertificateKeyFile /var/sites/test-980.com/conf/test-980.com.key <span class="c">#restart:</span> <span class="nv">$ </span><span class="nb">sudo </span>systemctl stop apache2.service <span class="nv">$ </span><span class="nb">sudo </span>systemctl start apache2.service </code></pre> </div> <p>Let's now copy the server certificate in our windows home folder (notice I've been using all this time my <code>curl</code> tool in Windows) for the sake of legibility:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">PS</span><span class="o">&gt;</span> <span class="kd">cp</span> \\wsl.localhost\Ubuntu<span class="o">-</span><span class="m">22</span>.04\var\sites\test<span class="o">-</span><span class="m">980</span>.com\conf\test<span class="o">-</span><span class="m">980</span>.com.crt . </code></pre> </div> <p>If we try again, it should work:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">PS</span><span class="o">&gt;</span> <span class="nb">curl.exe</span> <span class="kd">https</span>://test<span class="o">-</span><span class="m">980</span>.com <span class="na">--cacert </span><span class="kd">test</span><span class="o">-</span><span class="m">980</span>.com.crt <span class="o">&lt;</span><span class="kd">html</span> <span class="kd">xmlns</span><span class="o">=</span><span class="s2">"http://www.w3.org/1999/xhtml"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="kd">head</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="kd">meta</span> <span class="kd">http</span><span class="na">-equiv</span><span class="o">=</span><span class="s2">"Content-Type"</span> <span class="kd">content</span><span class="o">=</span><span class="s2">"text/html; charset=UTF-8"</span> /&gt; <span class="o">&lt;</span><span class="nb">title</span><span class="o">&gt;</span><span class="kd">test</span><span class="o">-</span><span class="m">980</span>.com: <span class="kd">It</span> <span class="kd">works</span><span class="o">&lt;</span><span class="na">/title</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="na">/head</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="kd">body</span><span class="o">&gt;</span> <span class="kd">Welcome</span> <span class="kd">to</span> <span class="kd">test</span><span class="o">-</span><span class="m">980</span>.com <span class="o">&lt;</span><span class="na">/body</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="na">/html</span><span class="o">&gt;</span> </code></pre> </div> <h2> Create SSL client certificate </h2> <p>We can instruct our server to require a certificate to the client by editing <code>localhost-ssl.conf</code> as follows:</p> <ul> <li>uncomment the following line:</li> </ul> <p><code>SSLVerifyClient require</code></p> <ul> <li>indicate where our signer certificate is with:</li> </ul> <p><code>SSLCACertificateFile /var/sites/test-980.com/conf/test-980.com.crt</code></p> <p>After restarting the server, we can't access our page anymore:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">PS</span><span class="o">&gt;</span> <span class="nb">curl.exe</span> <span class="kd">https</span>://test<span class="o">-</span><span class="m">980</span>.com <span class="na">--cacert </span><span class="kd">test</span><span class="o">-</span><span class="m">980</span>.com.crt <span class="nb">curl</span>: <span class="o">(</span><span class="m">56</span><span class="o">)</span> <span class="kd">schannel</span>: <span class="kd">failed</span> <span class="kd">to</span> <span class="kd">read</span> <span class="kd">data</span> <span class="kd">from</span> <span class="kd">server</span>: <span class="kd">SEC_E_ILLEGAL_MESSAGE</span> <span class="o">(</span><span class="mh">0x80090326</span><span class="o">)</span> <span class="o">-</span> <span class="kd">This</span> <span class="kd">error</span> <span class="kd">usually</span> <span class="kd">occurs</span> <span class="kd">when</span> <span class="kd">a</span> <span class="kd">fatal</span> <span class="kd">SSL</span><span class="na">/TLS </span><span class="kd">alert</span> <span class="kd">is</span> <span class="kd">received</span> <span class="o">(</span><span class="kd">e</span>.g. <span class="kd">handshake</span> <span class="kd">failed</span><span class="o">)</span>. <span class="kd">More</span> <span class="kd">detail</span> <span class="kd">may</span> <span class="kd">be</span> <span class="kd">available</span> <span class="k">in</span> <span class="kd">the</span> <span class="kd">Windows</span> <span class="kd">System</span> <span class="kd">event</span> <span class="kd">log</span>. </code></pre> </div> <p>The message is quite cryptic but it is due to our <code>curl</code> client not providing a certificate.</p> <p>Let's then create a client certificate for <code>James Bond</code> and sign it with our <code>test-980.com</code> server certificate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#Step 1: generate key</span> <span class="nv">$ </span>openssl genpkey <span class="nt">-algorithm</span> RSA <span class="nt">-out</span> james.bond.key <span class="c">#Step 2: generate request</span> <span class="nv">$ </span>openssl req <span class="nt">-new</span> <span class="nt">-key</span> james.bond.key <span class="nt">-out</span> james.bond.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter <span class="s1">'.'</span>, the field will be left blank. <span class="nt">-----</span> Country Name <span class="o">(</span>2 letter code<span class="o">)</span> <span class="o">[</span>AU]:. State or Province Name <span class="o">(</span>full name<span class="o">)</span> <span class="o">[</span>Some-State]:. Locality Name <span class="o">(</span>eg, city<span class="o">)</span> <span class="o">[]</span>:. Organization Name <span class="o">(</span>eg, company<span class="o">)</span> <span class="o">[</span>Internet Widgits Pty Ltd]:. Organizational Unit Name <span class="o">(</span>eg, section<span class="o">)</span> <span class="o">[]</span>:. Common Name <span class="o">(</span>e.g. server FQDN or YOUR name<span class="o">)</span> <span class="o">[]</span>:BOND.James Email Address <span class="o">[]</span>:. Please enter the following <span class="s1">'extra'</span> attributes to be sent with your certificate request A challenge password <span class="o">[]</span>:. An optional company name <span class="o">[]</span>:. <span class="c">#Step 3: generate the certificate and sign it with our test-980.com server </span> <span class="c">#certificate (notice that all files in the command are assumed to be in </span> <span class="c">#current folder):</span> <span class="nv">$ </span>openssl x509 <span class="nt">-req</span> <span class="nt">-in</span> james.bond.csr <span class="nt">-CA</span> test-980.com.crt <span class="se">\</span> <span class="nt">-CAkey</span> test-980.com.key <span class="se">\</span> <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> james.bond.crt <span class="se">\</span> <span class="nt">-days</span> 365 <span class="se">\</span> <span class="nt">-sha256</span> Certificate request self-signature ok <span class="nv">subject</span><span class="o">=</span>CN <span class="o">=</span> BOND.James <span class="c">#Step 4: optional</span> <span class="c">#If we want to import it in our browser or test it via curl in Windows, </span> <span class="c">#we might need to convert it to .pfx format:</span> <span class="nv">$ </span>openssl pkcs12 <span class="nt">-export</span> <span class="nt">-out</span> james.bond.pfx <span class="se">\</span> <span class="nt">-inkey</span> james.bond.key <span class="se">\</span> <span class="nt">-in</span> james.bond.crt Enter Export Password: mypwd Verifying - Enter Export Password: mypwd </code></pre> </div> <p>Now let's copy the <code>.pfx</code> in our Windows machine and try again by providing our client certificate and the password wiht the <code>--cert</code> option:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">PS</span><span class="o">&gt;</span> <span class="nb">curl.exe</span> <span class="kd">https</span>://test<span class="o">-</span><span class="m">980</span>.com/ <span class="se">^ </span><span class="na">--cacert </span>./test<span class="o">-</span><span class="m">980</span>.com.crt <span class="se">^ </span><span class="na">--cert </span><span class="kd">james</span>.bond.pfx:mypwd <span class="nb">curl</span>: <span class="o">(</span><span class="m">35</span><span class="o">)</span> <span class="kd">schannel</span>: <span class="kd">next</span> <span class="kd">InitializeSecurityContext</span> <span class="kd">failed</span>: <span class="kd">SEC_E_INTERNAL_ERROR</span> <span class="o">(</span><span class="mh">0x80090304</span><span class="o">)</span> <span class="o">-</span> <span class="kd">No</span> <span class="kd">es</span> <span class="kd">posible</span> <span class="kd">ponerse</span> <span class="kd">en</span> <span class="kd">contacto</span> <span class="kr">con</span> <span class="kd">la</span> <span class="kd">autoridad</span> <span class="kd">de</span> <span class="kd">seguridad</span> <span class="kd">local</span> </code></pre> </div> <p>It's not working but it should :( . You might want to check <a href="https://learn.microsoft.com/en-au/answers/questions/2138549/curl-(35)-schannel-acquirecredentialshandle-failed" rel="noopener noreferrer">this article</a> for the reasons behind and try your luck, but I rather have my balls torched than messing around with my Windows registry. I will use my Chrome browser instead.</p> <p>To import the client certificate in Chrome, go to <code>chrome://certificate-manager/clientcerts</code> and from there I'm sure you'll manage.</p> <p>Now, when accessing our site via https, we will be asked to select a client certificate:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F82ykhyxwed8u0rzifkd8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F82ykhyxwed8u0rzifkd8.png" alt=" " width="784" height="552"></a></p> <p>If you select it and click OK, you'll be granted access to the site:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0tw86sgiss887e2pghuy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0tw86sgiss887e2pghuy.png" alt=" " width="657" height="302"></a></p> devops security tutorial Set up a reverse proxy in Linux Jesús G. Calderín Tue, 23 Sep 2025 21:23:29 +0000 https://dev.to/jess_garcacaldern_028/set-up-a-reverse-proxy-in-linux-4ce9 https://dev.to/jess_garcacaldern_028/set-up-a-reverse-proxy-in-linux-4ce9 <p>A "reverse proxy" is just a web server that is placed in-between one or more application servers (the "back-end") and their clients, so that the back-end is only accessible via requests sent to the proxy. The latter will in turn decide whether to forward the request to the backend, to which server it should send it and many other considerations. The proxy is not only isolating the servers from the clients but providing added value like caching static content, load-balancing, etc...</p> <p>It's called "reverse" in contrast with "forward proxies", that are placed in front of clients to provide them as well with different functionalities.</p> <p>The distinction is blurry but overall, we can say that a reverse-proxy is intended to serve servers and a forward-proxy to serve clients.</p> <p>This little guide refers to a reverse-proxy.</p> <h2> Prerequisites </h2> <p>1) Install and configure a <a href="https://dev.to/jess_garcacaldern_028/setup-tomcat-cluster-in-linux-407k">Tomcat cluster</a>, and set the following environment variables in ~/.bashrc:</p> <p><code>$TOMCAT1_HOME=&lt;your tomcat1 home folder&gt;</code><br> <code>$TOMCAT2_HOME=&lt;your tomcat2 home folder&gt;</code></p> <p>2) Verify Linux's builtin apache is installed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl status apache2 ● apache2.service - The Apache HTTP Server Loaded: loaded <span class="o">(</span>/lib/systemd/system/apache2.service<span class="p">;</span> enabled<span class="p">;</span> vendor preset: enabled<span class="o">)</span> Active: active <span class="o">(</span>running<span class="o">)</span> since Sun 2025-09-21 12:43:12 CEST<span class="p">;</span> </code></pre> </div> <h2> Create a new website </h2> <p>Specify in .bashrc the home folder of our new website:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">tail</span> <span class="nt">-n</span> 3 ~/.bashrc <span class="nb">export </span><span class="nv">TOMCAT1_HOME</span><span class="o">=</span><span class="s2">"/apps/myapp/clus1/tomcat1"</span> <span class="nb">export </span><span class="nv">TOMCAT2_HOME</span><span class="o">=</span><span class="s2">"/apps/myapp/clus1/tomcat2"</span> <span class="nb">export </span><span class="nv">MYSITE_HOME</span><span class="o">=</span><span class="s2">"/var/sites/mysite"</span> <span class="nv">$ </span><span class="nb">source</span> ~/.bashrc </code></pre> </div> <p>, and also set it in <em>/etc/apache2/envvars</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">tail</span> <span class="nt">-n</span> 1 /etc/apache2/envvars <span class="nb">export </span><span class="nv">MYSITE_HOME</span><span class="o">=</span>/var/sites/mysite </code></pre> </div> <p>Create our new website's <em>conf</em> and <em>www/html</em> folders:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="nv">$MYSITE_HOME</span>/conf <span class="nv">$ </span><span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="nv">$MYSITE_HOME</span>/www/html </code></pre> </div> <p>Create an <em>index.html</em> inside <em>$MYSITE_HOME/www/html</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>$ cat $MYSITE_HOME/www/html/index.html <span class="cp">&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;</span> <span class="nt">&lt;html</span> <span class="na">xmlns=</span><span class="s">"http://www.w3.org/1999/xhtml"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">http-equiv=</span><span class="s">"Content-Type"</span> <span class="na">content=</span><span class="s">"text/html; charset=UTF-8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;title&gt;</span>MySite Default Page: It works<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> Welcome to MySite <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Create a virtual host for our site </h3> <p>We copy the default conf from built-in apache:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo cp</span> /etc/apache2/sites-available/000-default.conf <span class="se">\</span> <span class="nv">$MYSITE_HOME</span>/conf/localhost.conf </code></pre> </div> <p>, and add the following lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code>$ cat $MYSITE_HOME/conf/localhost.conf <span class="nt">&lt;VirtualHost</span> <span class="err">*:80</span><span class="nt">&gt;</span> ServerName localhost ServerAdmin webmaster@localhost DocumentRoot ${MYSITE_HOME}/www/html <span class="nt">&lt;Directory</span> <span class="err">${MYSITE_HOME}/www</span><span class="nt">/&gt;</span> Options Indexes FollowSymLinks AllowOverride None Require all granted <span class="nt">&lt;/Directory&gt;</span> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined <span class="nt">&lt;/VirtualHost&gt;</span> </code></pre> </div> <h3> Enable our site </h3> <p>We first make our site available:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-s</span> <span class="nv">$MYSITE_HOME</span>/conf/localhost.conf <span class="se">\</span> /etc/apache2/sites-available/local-localhost.conf </code></pre> </div> <p>, and then we enable it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>a2ensite local-localhost Enabling site local-localhost. To activate the new configuration, you need to run: systemctl reload apache2 </code></pre> </div> <p>Finally, stop and restart apache:</p> <p><code>$ sudo systemctl stop apache2</code><br> <code>$ sudo systemctl start apache2</code></p> <p>, and test that our new site works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>$ curl http://localhost <span class="cp">&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;</span> <span class="nt">&lt;html</span> <span class="na">xmlns=</span><span class="s">"http://www.w3.org/1999/xhtml"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">http-equiv=</span><span class="s">"Content-Type"</span> <span class="na">content=</span><span class="s">"text/html; charset=UTF-8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;title&gt;</span>MySite Default Page: It works<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> Welcome to MySite <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h2> Set up mod_jk </h2> <p>There are two modules that I know for our apache web server to communicate with our backend Tomcat servers: <em>mod_proxy</em> and <em>mod_jk</em>.<br> I'm going to use the <em>mod_jk</em> plugin, which will communicate via the AJP protocol.</p> <h3> Enable AJP </h3> <p>First thing is to enable the AJP connectors in our Tomcats, which are disabled by default.<br> For that, we need to go to <em>server.xml</em> and uncomment the AJP connector element:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code>$ cat $TOMCAT1_HOME/conf/server.xml <span class="c">&lt;!-- Define an AJP 1.3 Connector on port 8009 --&gt;</span> <span class="nt">&lt;Connector</span> <span class="na">protocol=</span><span class="s">"AJP/1.3"</span> <span class="na">address=</span><span class="s">"localhost"</span> <span class="na">port=</span><span class="s">"8009"</span> <span class="na">redirectPort=</span><span class="s">"8443"</span> <span class="na">maxParameterCount=</span><span class="s">"1000"</span> <span class="na">secretRequired=</span><span class="s">"false"</span> <span class="nt">/&gt;</span> </code></pre> </div> <p><strong>N.B:</strong></p> <ul> <li>I had to add <em>secretRequired="false"</em> </li> <li>The defaul value in <em>address</em> is "::1", but that doesn't work for me, so I set it to "localhost", although "127.0.0.1" will also do.</li> </ul> <p>Do the same for tomcat2 but don't forget to use a different port, cause both tomcats are on the same machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="c">&lt;!-- Define an AJP 1.3 Connector on port 9009 --&gt;</span> <span class="nt">&lt;Connector</span> <span class="na">protocol=</span><span class="s">"AJP/1.3"</span> <span class="na">address=</span><span class="s">"127.0.0.1"</span> <span class="na">port=</span><span class="s">"9009"</span> <span class="na">redirectPort=</span><span class="s">"8443"</span> <span class="na">maxParameterCount=</span><span class="s">"1000"</span> <span class="na">secretRequired=</span><span class="s">"false"</span> <span class="nt">/&gt;</span> </code></pre> </div> <p>After restarting the tomcats, we should see both AJP ports in use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>netstat <span class="nt">-nlp</span>|grep <span class="nt">-E</span> <span class="s2">"8009|9009"</span> tcp6 0 0 127.0.0.1:8009 :::<span class="k">*</span> LISTEN 60789/java tcp6 0 0 127.0.0.1:9009 :::<span class="k">*</span> LISTEN 120768/java </code></pre> </div> <p>So our situation is that our <em>examples</em> application is available via our tomcats:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}</span><span class="se">\n</span><span class="s2">"</span> http://localhost:8080/examples/ 200 <span class="nv">$ </span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}</span><span class="se">\n</span><span class="s2">"</span> http://localhost:9080/examples/ 200 </code></pre> </div> <p>but not yet via our apache:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}</span><span class="se">\n</span><span class="s2">"</span> http://localhost/examples/ 404 </code></pre> </div> <p>That's what we will try to achieve with mod_jk: that requests for <em>examples</em> app are forwarded to the tomcats.</p> <h3> Configure and enable mod_jk </h3> <p>First we copy the default mod_jk conf:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo cp</span> /etc/apache2/mods-available/jk.conf <span class="nv">$MYSITE_HOME</span>/conf/jk.conf <span class="nv">$ </span><span class="nb">sudo cp</span> /etc/apache2/mods-available/jk.load <span class="nv">$MYSITE_HOME</span>/conf/jk.load </code></pre> </div> <p>Now we create 2 files inside $MYSITE_HOME/conf:</p> <ul> <li> <strong>workers.properties</strong>: will contain pointers to our tomcat AJP connectors and will define a load-balancer type worker.</li> <li> <strong>uriworkermap.properties</strong>: will contain the mapping from <em>/examples</em> uri to our load-balancer. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">$</span> <span class="err">cat</span> <span class="err">$MYSITE_HOME/conf/workers.properties</span> <span class="py">worker.list</span><span class="p">=</span><span class="s">worker1, worker2, lb</span> <span class="c"># Set properties for worker1 (our tomcat1 server) </span><span class="py">worker.worker1.type</span><span class="p">=</span><span class="s">ajp13</span> <span class="py">worker.worker1.host</span><span class="p">=</span><span class="s">localhost</span> <span class="py">worker.worker1.port</span><span class="p">=</span><span class="s">8009</span> <span class="c"># Set properties for worker2 (our tomcat2 server) </span><span class="py">worker.worker2.type</span><span class="p">=</span><span class="s">ajp13</span> <span class="py">worker.worker2.host</span><span class="p">=</span><span class="s">localhost</span> <span class="py">worker.worker2.port</span><span class="p">=</span><span class="s">9009</span> <span class="py">worker.lb.type</span><span class="p">=</span><span class="s">lb</span> <span class="py">worker.lb.balance_workers</span><span class="p">=</span><span class="s">worker1, worker2</span> <span class="err">$</span> <span class="err">cat</span> <span class="err">$MYSITE_HOME/conf/uriworkermap.properties</span> <span class="c"># Send everything for context /examples to load-balancer worker </span><span class="err">/examples/*=lb</span> </code></pre> </div> <p>Now we point to these 2 files in our <em>jk.conf</em> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat</span> <span class="nv">$MYSITE_HOME</span>/conf/jk.conf ... JkWorkersFile <span class="k">${</span><span class="nv">MYSITE_HOME</span><span class="k">}</span>/conf/workers.properties ... JkMountFile <span class="k">${</span><span class="nv">MYSITE_HOME</span><span class="k">}</span>/conf/uriworkermap.properties </code></pre> </div> <p>The configuration is finished.</p> <p>Next, we make our module available:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-s</span> <span class="nv">$MYSITE_HOME</span>/conf/jk.conf <span class="se">\</span> /etc/apache2/mods-available/local-jk.conf <span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-s</span> <span class="nv">$MYSITE_HOME</span>/conf/jk.load <span class="se">\</span> /etc/apache2/mods-available/local-jk.load </code></pre> </div> <p>We now have to disable the default mod_jk cause only one <em>JkWorkersFile</em> is permitted:</p> <p><code>$ sudo a2dismod jk</code></p> <p>Next, enable our custom jk and reload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>a2enmod local-jk <span class="nv">$ </span><span class="nb">sudo </span>systemctl reload apache2 </code></pre> </div> <p>Now, the forwarding should work:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>$ curl http://localhost/examples/ <span class="cp">&lt;!DOCTYPE HTML&gt;</span><span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>Apache Tomcat Examples<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;p&gt;</span> <span class="nt">&lt;h3&gt;</span>Apache Tomcat Examples<span class="nt">&lt;/H3&gt;</span> <span class="nt">&lt;p&gt;&lt;/p&gt;</span> <span class="nt">&lt;ul&gt;</span> <span class="nt">&lt;li&gt;&lt;a</span> <span class="na">href=</span><span class="s">"servlets"</span><span class="nt">&gt;</span>Servlets examples<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;&lt;a</span> <span class="na">href=</span><span class="s">"jsp"</span><span class="nt">&gt;</span>JSP Examples<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;&lt;a</span> <span class="na">href=</span><span class="s">"websocket/index.xhtml"</span><span class="nt">&gt;</span>WebSocket Examples<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;&lt;/html&gt;</span> </code></pre> </div> <p>Next, we will test that load-balancing, sticky sessions and fail-over are all working as expected:</p> <h3> Testing load-balancing </h3> <p>To test that sessions are balanced, we can use servlet <em>SessionExample</em> in the <em>examples</em> app.</p> <p>I have modified the following file</p> <p><code>$TOMCAT_HOME/webapps/examples/WEB-INF/classes/LocalStrings.properties</code></p> <p>in both tomcats to include the literal "1" and "2" respectively at the end of the following property:</p> <p><code>sessions.title=Sessions Example Tomcat</code></p> <p>, so I can easily identify to which tomcat requests are being forwarded.</p> <p>Running different requests should bounce alternatively (or nearly) between tomcat1 and tomcat2:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl http://localhost/examples/servlets/servlet/SessionExample|<span class="se">\</span> <span class="nb">grep</span> <span class="s2">"&lt;title&gt;Sessions Example"</span> &lt;title&gt;Sessions Example Tomcat 1&lt;/title&gt; <span class="nv">$ </span>curl http://localhost/examples/servlets/servlet/SessionExample|<span class="se">\</span> <span class="nb">grep</span> <span class="s2">"&lt;title&gt;Sessions Example"</span> &lt;title&gt;Sessions Example Tomcat 2&lt;/title&gt; <span class="nv">$ </span>curl http://localhost/examples/servlets/servlet/SessionExample|<span class="se">\</span> <span class="nb">grep</span> <span class="s2">"&lt;title&gt;Sessions Example"</span> &lt;title&gt;Sessions Example Tomcat 1&lt;/title&gt; <span class="nv">$ </span>curl http://localhost/examples/servlets/servlet/SessionExample|<span class="se">\</span> <span class="nb">grep</span> <span class="s2">"&lt;title&gt;Sessions Example"</span> &lt;title&gt;Sessions Example Tomcat 2&lt;/title&gt; </code></pre> </div> <h3> Testing sticky sessions </h3> <p>For sticky sessions to work, we have to set the <em>jvmRoute</em> attribute in the engine element in tomcat's <em>server.xml</em> to the name of the respective node from <em>workers.properties</em> file (worker1 and worker2 in our case):</p> <p><code>&lt;Engine jvmRoute="worker1" name="Catalina" ...&gt;</code><br> <code>&lt;Engine jvmRoute="worker2" name="Catalina" ...&gt;</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">grep</span> <span class="nt">-r</span> <span class="nt">--include</span><span class="o">=</span><span class="s2">"server.xml"</span> <span class="s2">"jvmRoute="</span> /apps/myapp/clus1 /tomcat2/conf/server.xml: &lt;Engine <span class="nv">name</span><span class="o">=</span><span class="s2">"Catalina"</span> <span class="nv">defaultHost</span><span class="o">=</span><span class="s2">"localhost"</span> <span class="nv">jvmRoute</span><span class="o">=</span><span class="s2">"worker2"</span><span class="o">&gt;</span> /tomcat1/conf/server.xml: &lt;Engine <span class="nv">name</span><span class="o">=</span><span class="s2">"Catalina"</span> <span class="nv">defaultHost</span><span class="o">=</span><span class="s2">"localhost"</span> <span class="nv">jvmRoute</span><span class="o">=</span><span class="s2">"worker1"</span><span class="o">&gt;</span> </code></pre> </div> <p>To test that requests belonging to the same session "stick" to the same server, we can send the cookie JSESSIONID filled with the ID returned by the first request and check both that ID returned is the same and receiving tomcat too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl http://localhost/examples/servlets/servlet/SessionExample|<span class="se">\</span> <span class="nb">grep</span> <span class="s2">"Session ID"</span> <span class="nt">-B</span> 1 &lt;h3&gt;Sessions Example Tomcat 1&lt;/h3&gt; Session ID: 160ECEE2FE688B6649DC109F03EA1C7B.worker1 <span class="nv">$ </span>curl <span class="nt">--cookie</span> <span class="s2">"JSESSIONID=160ECEE2FE688B6649DC109F03EA1C7B.worker1"</span><span class="se">\</span> http://localhost/examples/servlets/servlet/SessionExample|<span class="se">\</span> <span class="nb">grep</span> <span class="s2">"Session ID"</span> <span class="nt">-B</span> 1 &lt;h3&gt;Sessions Example Tomcat 1&lt;/h3&gt; Session ID: 160ECEE2FE688B6649DC109F03EA1C7B.worker1 </code></pre> </div> <h3> Testing fail-over </h3> <p>We will proceed with the following sequence</p> <ul> <li>send a request</li> <li>note which tomcat served it and which session ID is returned</li> <li>stop that tomcat</li> <li>send another request for the same session via JESSIONID cookie</li> <li>verify that the other tomcat has served it and the JESSSIONID returned is the same </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl http://localhost/examples/servlets/servlet/SessionExample|<span class="se">\</span> <span class="nb">grep</span> <span class="s2">"&lt;h3&gt;Sessions Example"</span> <span class="nt">-A</span> 1 &lt;h3&gt;Sessions Example Tomcat 1&lt;/h3&gt; Session ID: 2D3B488194BBC78479370196455D4384.worker1 <span class="nv">$ </span>/apps/myapp/clus1/tomcat1/shutdown.sh Using CATALINA_BASE: /apps/myapp/clus1/tomcat1 Using CATALINA_HOME: /opt/apache-tomcat-9.0.109 Using CATALINA_TMPDIR: /apps/myapp/clus1/tomcat1/temp Using JRE_HOME: /opt/jdk1.8.0_451 Using CLASSPATH: /opt/apache-tomcat-9.0.109/bin/bootstrap.jar: /opt/apache-tomcat-9.0.109/bin/tomcat-juli.jar Using CATALINA_OPTS: <span class="nv">$ </span>curl <span class="nt">--cookie</span> <span class="s2">"JSESSIONID=2D3B488194BBC78479370196455D4384.worker1"</span><span class="se">\</span> http://localhost/examples/servlets/servlet/SessionExample|<span class="se">\</span> <span class="nb">grep</span> <span class="s2">"&lt;h3&gt;Sessions Example"</span> <span class="nt">-A</span> 1 &lt;h3&gt;Sessions Example Tomcat 2&lt;/h3&gt; Session ID: 2D3B488194BBC78479370196455D4384.worker2 </code></pre> </div> networking tutorial devops linux Setup Tomcat cluster in Linux Jesús G. Calderín Sat, 20 Sep 2025 17:45:29 +0000 https://dev.to/jess_garcacaldern_028/setup-tomcat-cluster-in-linux-407k https://dev.to/jess_garcacaldern_028/setup-tomcat-cluster-in-linux-407k <h2> Prerequisites </h2> <h3> Install Java </h3> <p>And set JAVA_HOME variable accordingly in <em>~/.bashrc</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">JAVA_HOME</span><span class="o">=</span>/opt/jdk1.8.0_451 </code></pre> </div> <h3> Install Tomcat </h3> <p>And set CATALINA_HOME accordingly in <em>~/.bashrc</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">CATALINA_HOME</span><span class="o">=</span>/opt/apache-tomcat-9.0.109 </code></pre> </div> <h2> Create two instances of our Tomcat </h2> <p>(Kudos to <a href="https://stackoverflow.com/users/2617995/goran-vasic" rel="noopener noreferrer">Goran Vasic</a>)</p> <p>They will be the two nodes of our cluster.</p> <p>First, we create one empty directory for our first tomcat:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">mkdir</span> <span class="nt">-p</span> /apps/myapp/clus1/tomcat1/ </code></pre> </div> <p>Then, we copy inside the following folders from CATALINA_HOME:</p> <ul> <li>/conf</li> <li>/webapps </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cp</span> <span class="nt">-R</span> <span class="nv">$CATALINA_HOME</span>/conf /apps/myapp/clus1/tomcat1/ <span class="nv">$ </span><span class="nb">cp</span> <span class="nt">-R</span> <span class="nv">$CATALINA_HOME</span>/webapps /apps/myapp/clus1/tomcat1/ </code></pre> </div> <p>We will also need to create an empty <em>logs</em> folder.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">mkdir</span> <span class="nt">-p</span> /apps/myapp/clus1/tomcat1/logs </code></pre> </div> <p>Finally, we create start and stop scripts that set our CATALINA_BASE accordingly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat</span> /apps/myapp/clus1/tomcat1/startup.sh <span class="nb">export </span><span class="nv">CATALINA_BASE</span><span class="o">=</span><span class="s2">"/apps/myapp/clus1/tomcat1"</span> <span class="nb">cd</span> <span class="nv">$CATALINA_HOME</span>/bin <span class="nv">TITLE</span><span class="o">=</span>tomcat1 ./startup.sh <span class="nv">$TITLE</span> <span class="nv">$ </span><span class="nb">cat</span> /apps/myapp/clus1/tomcat1/shutdown.sh <span class="nb">export </span><span class="nv">CATALINA_BASE</span><span class="o">=</span><span class="s2">"/apps/myapp/clus1/tomcat1"</span> <span class="nb">cd</span> <span class="nv">$CATALINA_HOME</span>/bin ./shutdown.sh </code></pre> </div> <p>We now turn the files executable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">chmod </span>u+x /apps/myapp/clus1/tomcat1/startup.sh <span class="nv">$ </span><span class="nb">chmod </span>u+x /apps/myapp/clus1/tomcat1/shutdown.sh </code></pre> </div> <p>And test them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>/apps/myapp/clus1/tomcat1/startup.sh Using CATALINA_BASE: /apps/myapp/clus1/tomcat1 Using CATALINA_HOME: /opt/apache-tomcat-9.0.109 Using CATALINA_TMPDIR: /apps/myapp/clus1/tomcat1/temp Using JRE_HOME: /opt/jdk1.8.0_451 Using CLASSPATH: /opt/apache-tomcat-9.0.109/bin/bootstrap.jar:/opt/apache-tomcat-9.0.109/bin/tomcat-juli.jar Using CATALINA_OPTS: Tomcat started. <span class="nv">$ </span>/apps/myapp/clus1/tomcat1/shutdown.sh Using CATALINA_BASE: /apps/myapp/clus1/tomcat1 Using CATALINA_HOME: /opt/apache-tomcat-9.0.109 Using CATALINA_TMPDIR: /apps/myapp/clus1/tomcat1/temp Using JRE_HOME: /opt/jdk1.8.0_451 Using CLASSPATH: /opt/apache-tomcat-9.0.109/bin/bootstrap.jar:/opt/apache-tomcat-9.0.109/bin/tomcat-juli.jar Using CATALINA_OPTS: </code></pre> </div> <p>We now need to create the same start/shutdown scripts for <strong>tomcat2</strong>, but bear in mind that since we are running our tomcats on the same machine, we need to use different listening and shutdown ports in each of them, otherwise the start and stop will fail. In my case, I'm going to replace default 8080 by 9080 in tomcat2's <em>$CATALINA_BASE/conf/server.xml</em> listening port:</p> <p><code>&lt;Connector port="9080" protocol="HTTP/1.1"<br> connectionTimeout="20000"<br> redirectPort="8443"<br> maxParameterCount="1000"<br> /&gt;</code></p> <p>, and replace 8005 by 9005 in shutdown's port:</p> <p><code>&lt;Server port="9005" shutdown="SHUTDOWN"&gt;<br> &lt;Listener className="org.apache.catalina.startup.VersionLoggerListener" /&gt;...</code></p> <p>After starting both tomcats, we can see the ports they are using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>netstat <span class="nt">-nlp</span>|grep <span class="nt">-E</span> <span class="s1">'8080|9080'</span> tcp6 0 0 :::8080 :::<span class="k">*</span> LISTEN 20941/java tcp6 0 0 :::9080 :::<span class="k">*</span> LISTEN 21014/java <span class="nv">$ </span>lsof <span class="nt">-i</span> <span class="nt">-P</span> |grep 20941 java 20941 TCP <span class="k">*</span>:8080 <span class="o">(</span>LISTEN<span class="o">)</span> java 20941 TCP localhost:8005 <span class="o">(</span>LISTEN<span class="o">)</span> <span class="nv">$ </span>lsof <span class="nt">-i</span> <span class="nt">-P</span> |grep 21014 java 21014 TCP <span class="k">*</span>:9080 <span class="o">(</span>LISTEN<span class="o">)</span> java 21014 TCP localhost:9005 <span class="o">(</span>LISTEN<span class="o">)</span> </code></pre> </div> <h2> Activate the cluster </h2> <p>We just need to uncomment the <em>Cluster</em> element under <em>Engine</em> in both tomcat's <em>$CATALINA_BASE/conf/server.xml</em> file:</p> <p><code>&lt;Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/&gt;</code></p> <p>, and restart.<br> This will make them multicast their membership to default 228.0.0.4 and port 45564, and will listen on the first port available between 4000-4100:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>netstat <span class="nt">-nlp</span>|grep 45564 udp6 0 0 :::45564 :::<span class="k">*</span> 13411/java udp6 0 0 :::45564 :::<span class="k">*</span> 13273/java <span class="nv">$ </span>lsof <span class="nt">-i</span> <span class="nt">-P</span> |grep 13411 java 13411 TCP <span class="k">*</span>:9080 <span class="o">(</span>LISTEN<span class="o">)</span> java 13411 TCP DESKTOP-IUMEID0.:4001 <span class="o">(</span>LISTEN<span class="o">)</span> java 13411 UDP <span class="k">*</span>:45564 java 13411 TCP localhost:42728-&gt;DESKTOP-IUMEID0.:4000 <span class="o">(</span>ESTABLISHED<span class="o">)</span> java 13411 TCP DESKTOP-IUMEID0.:4001-&gt;localhost:36104 <span class="o">(</span>ESTABLISHED<span class="o">)</span> java 13411 TCP localhost:9005 <span class="o">(</span>LISTEN<span class="o">)</span> <span class="nv">$ </span>lsof <span class="nt">-i</span> <span class="nt">-P</span> |grep 13273 java 13273 TCP <span class="k">*</span>:8080 <span class="o">(</span>LISTEN<span class="o">)</span> java 13273 TCP DESKTOP-IUMEID0.:4000 <span class="o">(</span>LISTEN<span class="o">)</span> java 13273 UDP <span class="k">*</span>:45564 java 13273 TCP localhost:8005 <span class="o">(</span>LISTEN<span class="o">)</span> java 13273 TCP DESKTOP-IUMEID0.:4000-&gt;localhost:42728 <span class="o">(</span>ESTABLISHED<span class="o">)</span> java 13273 TCP localhost:36104-&gt;DESKTOP-IUMEID0.:4001 <span class="o">(</span>ESTABLISHED<span class="o">)</span> </code></pre> </div> <p>In the output above, we can see that both tomcats are communicating with each other via the ports 4000 and 4001 respectively:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>java 13411 TCP localhost:42728-&gt;DESKTOP-IUMEID0.:4000 <span class="o">(</span>ESTABLISHED<span class="o">)</span> java 13411 TCP DESKTOP-IUMEID0.:4001-&gt;localhost:36104 <span class="o">(</span>ESTABLISHED<span class="o">)</span> java 13273 TCP DESKTOP-IUMEID0.:4000-&gt;localhost:42728 <span class="o">(</span>ESTABLISHED<span class="o">)</span> java 13273 TCP localhost:36104-&gt;DESKTOP-IUMEID0.:4001 <span class="o">(</span>ESTABLISHED<span class="o">)</span> </code></pre> </div> <p>N.B: <em>DESKTOP-IUMEID0</em> is just the name of my computer.</p> <p>So that's it. Both tomcats now belong to the same cluster.</p> <h2> Enable session replication </h2> <p>The cluster is not very useful unless its nodes can replicate sessions between them. This would allow a session that was established in one node to be recoverable on the other node when the former dies out.<br> To test session replication, I will use the <em>examples</em> webapp that comes with out-of-the-box tomcat.</p> <p>The session replication is enabled by simply adding</p> <p><code>&lt;distributable/&gt;</code></p> <p>under element <em>web-app</em> of <em>$CATALINA_BASE/webapps/examples/WEB-INF/web.xml</em> in both tomcats:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;web-app</span> <span class="na">xmlns=</span><span class="s">"http://xmln..."</span> <span class="na">xmlns:xsi=</span><span class="s">"http://www.w3...."</span> <span class="na">xsi:schemaLocation=</span><span class="s">"http:..."</span> <span class="na">version=</span><span class="s">"4.0"</span> <span class="na">metadata-complete=</span><span class="s">"true"</span><span class="nt">&gt;</span> <span class="nt">&lt;distributable/&gt;</span> ...... </code></pre> </div> <h3> Test session replication </h3> <p>After restarting we can use <em>curl</em> to establish a session in tomcat1 by sending a request to servlet <em>SessionExample</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl http://localhost:8080/examples/servlets/servlet/SessionExample &lt;<span class="o">!</span>DOCTYPE html&gt; &lt;html&gt; .... &lt;h3&gt;Sessions Example&lt;/h3&gt; Session ID: 104F520BB401ED856048700D302D255A ... The following data is <span class="k">in </span>your session:&lt;br&gt; .... &lt;/html&gt; </code></pre> </div> <p>We can now use the cookie JESSIONID to verify that the session also exists in tomcat2:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">--cookie</span> <span class="s2">"JSESSIONID=104F520BB401ED856048700D302D255A"</span> <span class="se">\</span> http://localhost:9080/examples/servlets/servlet/SessionExample &lt;<span class="o">!</span>DOCTYPE html&gt; &lt;html&gt; .... &lt;h3&gt;Sessions Example&lt;/h3&gt; Session ID: 104F520BB401ED856048700D302D255A ... The following data is <span class="k">in </span>your session:&lt;br&gt; .... &lt;/html&gt; </code></pre> </div> <p>We will now put some data into the session via tomcat2 and verify if it is replicated in tomcat1:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#update the session via TOMCAT 2 (note that port=9080)</span> <span class="nv">$ </span>curl <span class="nt">--data</span> <span class="s2">"dataname=james&amp;datavalue=bond"</span> <span class="se">\</span> <span class="nt">--cookie</span> <span class="s2">"JSESSIONID=104F520BB401ED856048700D302D255A"</span> <span class="se">\</span> http://localhost:9080/examples/servlets/servlet/SessionExample &lt;<span class="o">!</span>DOCTYPE html&gt; &lt;html&gt; .... &lt;h3&gt;Sessions Example&lt;/h3&gt; Session ID: 104F520BB401ED856048700D302D255A ... The following data is <span class="k">in </span>your session:&lt;br&gt; james <span class="o">=</span> bond ... &lt;/html&gt; <span class="c">#recover the updated session via TOMCAT 1 (note that port=8080)</span> <span class="nv">$ </span>curl <span class="nt">--cookie</span> <span class="s2">"JSESSIONID=104F520BB401ED856048700D302D255A"</span> <span class="se">\ </span> http://localhost:8080/examples/servlets/servlet/SessionExample &lt;<span class="o">!</span>DOCTYPE html&gt; &lt;html&gt; .... &lt;h3&gt;Sessions Example&lt;/h3&gt; Session ID: 104F520BB401ED856048700D302D255A ... The following data is <span class="k">in </span>your session:&lt;br&gt; james <span class="o">=</span> bond ... &lt;/html&gt; </code></pre> </div> <p>So now we have a cluster of 2 tomcats that can replicate sessions between them. Not very useful, though, if we have to manually change the URL's and the JESSIONID cookie whenever one tomcat dies out or is responding slowly.</p> <p>I'll soon cover how to front these tomcats with a web server that will provide us with new important functionalities:</p> <ul> <li> <u>request forwarding</u>: web server will act as a reverse-proxy</li> <li> <u>load balancing</u>: it will distribute the requests between the tomcats according, for example, to how busy they are</li> <li> <u>sticky sessions</u>: it will always forward the requests pertaining to the same server session to the node that initiated it</li> <li> <u>fail-over</u>: it will detect when one tomcat is down and refrain from sending it any requests until it is up again</li> </ul> devops tutorial linux java