Christoph Rabel 8 Years Ago

Nice article.
I personally prefer to use mod_ajp, the configuration is a lot simpler and it can easily be switched from ajp to http by changing the protocol in the url, if need arises (e.g. for debugging purposes).

    <VirtualHost *:80>
        ServerName www.example.com
        ServerAlias liferay.example.com
        ProxyPreserveHost On
        ProxyPass / ajp://localhost:8009/
    </VirtualHost>

And that should be it, with a default Liferay installation (ajp on port 8009).
For me, mod_jk has just one big advantage: NTLM won't work with mod_ajp, only with mod_jk.

About https:
This tutorial is really useful to configure https (as of November 2014 at least, the web changes so fast nowadays ...)
https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
It is really difficult to get the cipher string "right".

Performance:
I usually disable the Zip-Filter in Liferay and compress it in Apache instead.
Also it's a good idea to cache static files (Theme images, icons, css) in the reverse proxy. (Or even better: Use a CDN).
To find out what to cache, measure it! e.g. just use http://www.webpagetest.org to get some hints.

Olaf Kock (replying to Christoph Rabel) 8 Years Ago

Thanks for the feedback. As of mod_proxy, ajp, jk, I'm agnostic - it's good to use the one you're most familiar with. The most important point is to not run as root in order to bind port 80. And especially thanks for the SSL pointer - it's really hard to find accurate information (or to know if information is accurate or not).
Proxy, cache etc. are rather related to performance than to security - but that's another series, currently in planning phase. I'll also be discussing it with Brett Swaim on Radio Liferay.

Liferay Geek 8 Years Ago

Thanks for this article. What would be the best configuration if we want to use 2 Apache HTTP Servers in front of a cluster of 2 Tomcat Servers running Liferay?

Olaf Kock (replying to Liferay Geek) 8 Years Ago

This is rather related to availability/scalability than to security. I wouldn't expect much difference in configuration, but the one correct answer is "it depends". You can have a separate load balancer on top of Apache. You can configure DNS round-robin. Or anything else...

Christoph Rabel (replying to Liferay Geek) 8 Years Ago

Well that's actually complicated.
I would recommend to use just one Apache and keep a second one as backup on standby. Performance wise one apache should be able to easily handle all requests. At least more than most backend servers. Configuration is much easier.
In any case: You need to stay sticky on one Liferay server. It's really bad to switch servers all the time, performance wise.
Apache can handle stickiness quite well, the second example should be helpful:
https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html#example
If you really want two Apache servers as reverse proxies, I'd still recommend a load balancer in front of them. Using DNS round robin is possible, but be careful. Some clients don't do failover, e.g. Java. Also, at least IE 7 doesn't do failover at all, 50% of all requests will just fail if one proxy is down. I think IE8 (maybe Win 7 only) will do it right. Sadly, these dinosaurs are still out there ...

grounded 8 Years Ago

[...] Are you tasked with setting up a webserver that must be accessible in both http and https? When somebody demands that this mixed mode must be possible, here are some arguments why you shouldn't give in (because in general it does not work - at ... [...]

Thomas Lucas 6 Years Ago

Hi Olaf,
I followed your recommendations to set up Apache in front of tomcat.
In the middle of your article you talk about basic Apache configuration in /etc/apache2/conf/liferay-settings
We are running apache under debian 4.4.5, so the file structure might be different. I am not sure if I have to create a new file, and if so where I have to store it (in the tomcat or apache dir).
In fact I did not implement these lines - but nevertheless it seems to work.
So my question is, what is the exact meaning and purpose of these lines?
Thomas

Olaf Kock (replying to Thomas Lucas) 6 Years Ago

Hi Thomas,
some distributions include everything they find in /etc/apache2/conf.d into a virtual httpd.conf (which is the general configuration file for Apache). This is so that every single file has a single purpose and you can track what the changes are there for. I've checked back: Indeed it might have been rather /etc/apache2/conf.d or, through having a configuration in /etc/apache2/conf-available and linking it in /etc/apache2/conf-enabled to be closer to standard ubuntu - however, the description in this article should be understood as pseudocode.
Maintaining a web-facing server is not an easy thing - that's why I don't like to give copy&paste advice and rather accept (or intentionally make) inexact instructions in situations like this blog article. There's a lot of copy-pasteable documentation available on the web.
Regarding your question as of the meaning of those lines: The gray ones are boilerplate, just giving some context from one of the random servers that I've grabbed content of. The "Jk" lines are the ones that configure mod_jk - If you decide to use mod_jk you can easily look up the directives if they don't speak for themselves. The google hits that I get on page one for just the directive name are all good.
If you decide to go with another option (mod_proxy, mod_proxy_ajp or others) your instructions will vary anyways. When you say that your installation already works without these instructions, odds are that you don't use mod_jk but one of the other modules. It would require deeper insight into your Apache configuration to judge. I'd recommend to ask someone with Apache experience to inspect and bulletproof your installation.

Thomas Lucas (replying to Olaf Kock) 6 Years Ago

Hi Olaf,
Thanks for the response. I like the idea to ask an Apache Expert. Do you know one? Maybe you could give me some of your time. Currently I am just playing around in a test environment. But before deploying on production I definitely want advice from an expert.
But please allow one further question:
Which changes are necessary on the tomcat side, especially in server.xml? By default there is an entry for AJP Connector on Port 8009. What about the entries for port 80 and 443? Are they still necessary?

Olaf Kock (replying to Thomas Lucas) 6 Years Ago

Hi Thomas,
reviewing your installation would be a consulting gig - public forum- and blogposts wouldn't show enough of the environment. This is possible, but has to go through sales-de (at liferay com)
Tomcat's server.xml can go completely unchanged: Apache httpd is covering port 80 by forwarding it to 8009 (through ajp/mod_jk) or 8080 (mod_proxy). There are reasons to change it, but no necessity. I'd hope that - in case you have port 80 and 443 in there - you don't run tomcat as root in order to get access to those ports. That would be something that needs to be changed asap - see chapter 1 of this blog article series (as well as this one). In case your server gets exploited through any means, you don't want the attacker to have root privileges.

Christoph Rabel (replying to Thomas Lucas) 6 Years Ago

Debian 4? I hope that's a typo. Debian 4 hasn't received security updates for several years. You really should upgrade. There were lots of important bug and security fixes since it was discontinued.
About your question:
I am not sure how it can possibly work, if you don't create said file. Or add the config to some other file.
I believe:
Apache is not working at all and you have configured tomcat to serve ports 80 and port 443. Please review the apache logfiles, they are usually located in /var/log/
You can check on the commandline using "netstat -tulpn" which service "owns" which ports. You should see lines like the following:

    tcp6 0 0 :::80 :::* LISTEN 10690/apache2
    tcp6 0 0 :::443 :::* LISTEN 10690/apache2

Please note the ports 80 & 443 and apache2 (maybe http2).
If you see instead something like this, 80 or 443 and java:

    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 927/java

Well, in that case you are not using apache at all.

Thomas Lucas (replying to Christoph Rabel) 6 Years Ago

Hi Christoph,
It is Debian 7.11 (so it is a typo). After hours of reading web articles I got it running and you are right with your assumptions.
So what was the problem:
(1) With the Debian distribution, when installing mod_jk, a separate directory is created. In my case it was /etc/libapache2-mod-jk. In that directory is a configuration file named httpd-jk.conf. All mentioned configuration was already there, so no change is needed!
(2) Olaf mentioned that normally no changes to server.xml on the tomcat side are necessary. That is right, when you set up a fresh liferay package. Then http connectors point to ports 8080 or 8443. In our case, they pointed to port 80 and 443 (where 80 was redirected to 443) - and that didn't work - as you assumed. So our final configuration for server.xml has only 2 connectors one for ajp on port 8009 which redirects to port 8080. And port 8080 without any redirection. No connector for port 443 or 8443!
(3) mod_jk is not mod_proxy_jk (there are some instructions in the net for mod_proxy_jk, but this article here is about mod_jk)
(4) workers.properties needs the path to tomcat and jvm. In my case I only needed to overwrite standard entries in the preconfigured workers.properties. workers.tomcat_home=/var/lib/liferay/product/tomcat and workers.java_home=/home/liferay/local/jdk . I left worker.list to the standard ajp13_worker. So I did not have to change it in other preconfigured places (you only have to give attention to it when configuring the virtual hosts).
(5) SSL: We already used SSL on tomcat (port 80 was redirected to 443 by server.xml). To terminate SSL at Apache, we only had to add the path to key and cert in the Virtual Host and put SSL on (as mentioned in (2), the connector for 443 was commented out), so that Apache works on 443 with encryption and tomcat on port 8080 without encryption:

    SSLEngine On
    SSLCertificateFile /home/liferay/ssl-keys/www.outsourcing.de.crt
    SSLCertificateKeyFile /home/liferay/ssl-keys/www.outsourcing.de.key
    SSLCACertificateFile /home/liferay/ssl-keys/intermediate.crt

To get that working it is necessary to enable SSL on Apache. With our distribution it is just entering a2enmod ssl on the console.
(6) And the last point. To enforce SSL as done by the rewrite rule in the virtualhost example, it is also necessary to enable rewrite on apache as well and that is just by entering a2enmod rewrite.
The reason why we first thought it was working was: When running Apache and tomcat on the same ports (80 and 443) - tomcat throws an exception at the beginning of startup (which I did not see). After tomcat startup, pages are delivered by tomcat! When I switched APACHE off - no pages were delivered. So Apache was communicating with tomcat, but not in the right way :-)

Christoph Rabel (replying to Thomas Lucas) 6 Years Ago

Hmm, not sure about this sentence:
"So our final configuration for server.xml has only 2 connectors one for ajp on port 8009 which redirects to port 8080. And port 8080 without any redirection. No connector for port 443 or 8443!"
ajp port 8009 shouldn't redirect to port 8080. Actually, in my productive setups I usually remove even the listener on port 8080 (or make it localhost only) and just use the ajp listener on 8009.
Each service should expose the minimal amount of ports possible. Also, not sure what "mod_proxy_jk" is, I guess you mean mod_proxy_ajp.
Well, glad you got it running!

Thomas Lucas (replying to Christoph Rabel) 6 Years Ago

good point - I will try to remove the redirect to 8080.
mod_proxy_jk is mod_proxy_ajp (sorry)
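
The port-ownership check from the exchange above (which process owns 80/443 in `netstat -tulpn`, and whether Tomcat's 8009/8080 listeners are limited to localhost), as an added example that is not part of the thread. The function and sample names are hypothetical, and both sample listings are constructed in the format shown in the comments.

```shell
#!/bin/sh
# Audit `netstat -tulpn` style output for the reverse-proxy layout discussed above:
# apache2/httpd should own 80 and 443; Tomcat (java) should only hold 8009/8080,
# preferably bound to loopback. All names in this script are hypothetical.

audit_listeners() {
    # Reads netstat lines on stdin, prints one finding per relevant listener.
    awk '
    function loopback(h) { return (h == "::1" || h ~ /^(::ffff:)?127\./) }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]               # last field of host:port
        host = substr($4, 1, length($4) - length(port) - 1)
        prog = $7; sub(/^[0-9]+\//, "", prog)            # "10690/apache2" -> "apache2"
        if (port == 80 || port == 443) {
            if (prog ~ /^(apache2|httpd)/) {
                front = 1
                print "OK   " port " " prog " terminates client traffic"
            } else if (prog == "java") {
                print "FAIL " port " java is bound directly: Apache is bypassed, check Tomcat is not running as root"
            } else {
                print "WARN " port " unexpected owner: " prog
            }
        } else if ((port == 8009 || port == 8080) && prog == "java") {
            if (loopback(host))
                print "OK   " port " java on " host " (loopback only)"
            else
                print "WARN " port " java on " host ": reachable from the network, bind to localhost or firewall it"
        }
    }
    END { if (!front) print "FAIL no apache2/httpd listener on 80 or 443" }
    '
}

# Constructed sample: Apache in front, AJP connector on loopback.
sample_proxied() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::80                   :::*                    LISTEN      10690/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      10690/apache2
tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN      927/java
EOF
}

# Constructed sample: Tomcat answering on 80/443 itself, AJP open on all interfaces.
sample_bypassed() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      927/java
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      927/java
tcp6       0      0 :::8009                 :::*                    LISTEN      927/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           612/dhclient
EOF
}

echo "== constructed: Apache in front =="
sample_proxied | audit_listeners
echo "== constructed: Tomcat bound directly =="
sample_bypassed | audit_listeners
# On a live host, run as root so program names are shown:
#   netstat -tulpn | audit_listeners
```

Without root, netstat prints "-" instead of the program name, and the listener on 80/443 is then reported as an unexpected owner.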

Olaf Kock 5 Years Ago

...and in case you're stuck with http on the layer between Apache httpd and your app server, David Nebinger has documented an alternative way to forward information like the original protocol (http vs https) here: https://web.liferay.com/en/web/user.26526/blog/-/blogs/revisiting-ssl-termination-at-apache-httpd