Secure Socket Layer (SSL) is a protocol that provides security for communications between client and server by implementing encrypted data and certificate-based authentication. Technically, the term “SSL” now refers to the Transport Layer Security (TLS) protocol, which is based on the original SSL specification.
TLS is a proposed Internet Engineering Task Force (IETF) standard, first defined in 1999 and updated in RFC 5246 (August 2008) and RFC 6176 (March 2011). It builds on the earlier SSL specifications (1994, 1995, 1996) developed by Netscape Communications.[4]
TLS directly on Tomcat is not as widely supported by other software: projects like Let's Encrypt provide no native way of interacting with Tomcat. Furthermore, the Java keystore format requires conventional (PEM) certificates to be converted before use, which complicates automation.
tested with:
hostnamectl
  Operating System: CentOS Linux 7 (Core)
  Kernel: Linux 3.10.0-693.17.1.el7.x86_64
  Architecture: x86-64
nginx -v
nginx version: nginx/1.12.2
configure the firewall to allow port 80:
firewall-cmd --get-active-zones
public
interfaces: eth0
for example, if your zone is public and you want to open port 80:
firewall-cmd --zone=public --add-port=80/tcp --permanent
reload the firewall for changes to take effect:
firewall-cmd --reload
to check, scan the ports from a client:
nmap -v -p 0-65535 -sS 192.168.0.94
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
now the nginx setup:
yum install nginx acme-client libressl; # install nginx and stuff for let's encrypt
nginx -v; # check nginx version
nginx version: nginx/1.12.2
systemctl enable nginx; # enable nginx autostart
# backup config before editing
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup;
echo "" > /etc/nginx/nginx.conf; # empty config
# make docker container use default port 8080
# make docker container use fixed ip 172.18.0.3
# note: -p 8080:8080 also publishes tomcat directly on the host's port 8080; nginx only needs the container ip
docker run -d --name=example-app -p 8080:8080 --net=example-net --ip 172.18.0.3 -e DB_HOST=example-db -e DB_NAME=example -e DB_USER=example -e DB_PASSWORD=examplepwd tomcat/tomcat
docker start example-db example-app; # start tomcat
docker ps -a
CONTAINER ID   IMAGE           COMMAND             CREATED          STATUS          PORTS      NAMES
9ac973cb4e2a   tomcat/tomcat   "catalina.sh run"   41 minutes ago   Up 23 minutes   8080/tcp   example-app
docker exec -it 9ac973cb4e2a bash; # "login"
bash-4.3# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:12:00:03
          inet addr:172.18.0.3  <- ip address of tomcat docker server
vim /etc/nginx/nginx.conf; # config nginx
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    sendfile on;
    upstream 172.18.0.3 {
        server 172.18.0.3:8080;
    }
    server {
        listen 80;
        location / {
            proxy_pass http://172.18.0.3;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
        }
    }
}
# check the logs during access - what is going on and wrong?
# (follow every non-rotated log file under /var/log at once)
find /var/log/ -type f ! -path '*.gz*' -exec tail -n0 -f {} +
==> /var/log/audit/audit.log <==
type=AVC msg=audit(1517792924.946:444): avc: denied { name_connect } for pid=3935 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1517792924.946:444): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=563b0ede41a0 a2=10 a3=7ffe6d8103b0 items=0 ppid=3934 pid=3935 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1517792924.946:444): proctitle=6E67696E783A20776F726B65722070726F63657373
==> /var/log/nginx/error.log <==
2018/02/04 20:08:44 [crit] 3935#0: *1 connect() to 172.18.0.3:8080 failed (13: Permission denied) while connecting to upstream, client: 192.168.0.222, server: , request: "GET / HTTP/1.1", upstream: "http://172.18.0.3:8080/", host: "192.168.0.94"
==> /var/log/nginx/access.log <==
192.168.0.222 - - [04/Feb/2018:20:08:44 -0500] "GET / HTTP/1.1" 502 173 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"
grep httpd /var/log/audit/audit.log | audit2why # gives explanation how to allow
# note: this boolean lets httpd_t connect to any tcp port; httpd_can_network_relay is the narrower option for proxying to http/http_cache ports
setsebool -P httpd_can_network_connect 1
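As an added example (not code from the original post), the following Python triages AVC records like the one above: it parses each type=AVC line and, for an httpd_t name_connect denial, names the narrowest standard remedy instead of reaching for the catch-all httpd_can_network_connect. The sample log is constructed; the set of port types credited to httpd_can_network_relay is taken from the reference policy's apache module and is an assumption to verify against the local policy (sesearch -b httpd_can_network_relay -A).

```python
import re
# Constructed sample in audit.log format, modelled on the denial shown above (not a real capture)
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1517792924.946:444): avc:  denied  { name_connect } for  pid=3935 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1517792924.946:444): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1517792930.100:450): avc:  denied  { name_connect } for  pid=3936 comm="nginx" dest=9091 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""
AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\):\s+avc:\s+(?P<verdict>denied|granted)'
                    r'\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Port types the reference policy's httpd_can_network_relay tunable lets httpd_t connect to
# (assumption: matches the local policy; verify with sesearch before relying on it)
RELAY_PORT_TYPES = {"http_port_t", "http_cache_port_t", "squid_port_t",
                    "ftp_port_t", "gopher_port_t", "memcache_port_t"}

def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m["serial"]), "verdict": m["verdict"], "perms": set(m["perms"].split())}
    for key, val in FIELD_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    # contexts are user:role:type:level; policy rules are written against the type
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def explain_httpd_denial(rec):
    """Map an httpd_t outbound tcp connect denial to the narrowest standard remedy."""
    if rec["verdict"] != "denied" or rec["stype"] != "httpd_t":
        return None
    if rec.get("tclass") != "tcp_socket" or "name_connect" not in rec["perms"]:
        return None
    if rec["ttype"] in RELAY_PORT_TYPES:
        return "setsebool -P httpd_can_network_relay 1"
    if rec["ttype"] == "unreserved_port_t":  # label the port rather than widening httpd_t
        return "semanage port -a -t http_port_t -p tcp " + rec["dest"]
    return "setsebool -P httpd_can_network_connect 1"  # broad: any tcp port

def triage(log_text):
    """Return (comm, dest port, target type, remedy) for each httpd denial in the text."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        fix = explain_httpd_denial(rec) if rec else None
        if fix:
            out.append((rec["comm"], int(rec["dest"]), rec["ttype"], fix))
    return out
```

Pipe `grep type=AVC /var/log/audit/audit.log` into triage() to get the same mapping for a live log; it complements audit2why rather than replacing it.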