# vhost-proxy-ajp.template
#
# Apache httpd vhost configuration template for a frontend to a Java app
# server. It terminates the TLS/SSL connection and forwards traffic to the
# backend Java application server using the AJP protocol. Incoming plain
# http requests are redirected to https.
#
# It manages TLS connections including certificates.
# Initially, a self-signed certificate is active.
# Includes proxy configuration for a Tomcat or Wildfly application server.
# Version 2.0
#
# NOTE(review): the <VirtualHost ...> and <Directory ...> container
# directives that normally enclose the sections below are not present in
# this copy of the template (presumably lost when it was rendered);
# confirm the block boundaries against the original file before use.
#
#==> To adjust the template in vi/vim, copy each line below
# and replace the second part accordingly:
# : %s/SHORT_DESCR/real_short_descr/g e.g. my-domain production server
# : %s/FQN_NAME/your_domain/g e.g. my-domain.tld
# : %s/BASE_NAME/your_shortname/g e.g. my-domain
# : %s/OPTIONAL_ALIAS/your_alias/g e.g. www.my-domain.tld
# : %s/SERVER_FQN_INTERNAL/the_backend/g e.g. my-backend.lan
# Afterwards delete these lines.
# NOTE(review): the template also contains the placeholders PORT (AJP proxy
# lines), DOMAIN_NAME (certbot lines) and SERVER_SHORT_NAME (commented-out
# rewrite and balancer lines) which are not covered by the substitutions
# above; replace or remove them as well.
#
# LetsEncrypt certificates should be managed by the Apache md module.
#==> To activate, remove the leading '#' character and comment out
# the default distribution-provided certificates further down.
#==> Adjust the mail address as appropriate!
#MDContactEmail root@FQN_NAME
#MDCertificateAgreement accepted
#MDomain FQN_NAME
#
# Secure virtual WEB host configuration for
# SHORT_DESCR
# The site can be accessed by https/ssl only. Without a valid certificate
# you have to use a self-signed certificate as a quick temporary fix.
ServerName FQN_NAME
ServerAlias OPTIONAL_ALIAS
#==> Adjust the mail address as appropriate!
# NOTE(review): the insecure vhost further down uses root@FQN_NAME here;
# align both.
ServerAdmin root@localhost
# ##########################################################################
# NOTE: We re-route any traffic to the insecure port to this secure site!
# ##########################################################################
# Optional: Ensure that all registered domain names are rewritten to the
# official base name.
# NOTE(review): the commented-out condition below still carries a leftover
# SERVER_SHORT_NAME / uni-bremen.de host pattern that does not match the
# placeholders of this template; adjust it to FQN_NAME before enabling.
#RewriteEngine On
#RewriteCond %{HTTP_HOST} !^www\.SERVER_SHORT_NAME\.uni-bremen\.de [NC]
#RewriteCond %{HTTP_HOST} !^$
#RewriteRule ^(.*)$ https://FQN_NAME$1 [R=301,L]
# ===============================================================
# Certificates configuration
# ===============================================================
SSLEngine on
# We rely on Fedora's choice of defaults regarding protocols & cipher
# suites.
# NOTE(review): no HSTS header is set in this template; once a valid
# certificate is in place, consider adding a Strict-Transport-Security
# response header (mod_headers) so browsers stop using the plain-http port.
# DEFAULT distribution-provided certificate, needed for initial startup.
#==> Comment OUT when module md has created a certificate or you use custom
# certificates.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Letsencrypt certificates
# Preferably, the Apache md module should manage these (see above).
# Otherwise, insert the certbot-managed certificate configuration here.
# NOTE(review): DOMAIN_NAME below is not in the substitution list at the
# top; presumably it stands for the same value as FQN_NAME.
#SSLCertificateFile /etc/letsencrypt/live/DOMAIN_NAME/cert.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem
#SSLCertificateChainFile /etc/letsencrypt/live/DOMAIN_NAME/chain.pem
# Custom certificates: add here
#SSLCertificateFile /etc/???
#SSLCertificateKeyFile /etc/???
#SSLCertificateChainFile /etc/???
# ===============================================================
# AJP proxy configuration
# ===============================================================
# Turn off the default forward proxy worker; this vhost acts as a reverse
# proxy only.
# SEE https://httpd.apache.org/docs/2.2/mod/mod_proxy.html
ProxyRequests Off
ProxyVia Off
# According to the Apache documentation this should remain at its
# default (off).
#ProxyPreserveHost On
ProxyErrorOverride On
# Backend timeout in seconds
ProxyTimeout 60
# Proxy originating client information handling
# =============================================
# Goal: Make the originating request client's data available
# to the backend.
# In Fedora this works on the proxy side without additional
# configuration. The proxy module automatically sets the
# required X-Forwarded-* request headers that the backend can access.
# NOTE(review): the backend should only trust these headers when the
# request arrives from this proxy.
# Optional: customized error page if the proxy is unreachable.
# Add the page to the document root accordingly.
ErrorDocument 503 /errorpages/error503.html
ProxyPass /errorpages !
# Don't proxy Let's Encrypt challenge requests.
# Note: letsencrypt/certbot version 2.6.0 can deal with https
# and self-signed certificates.
ProxyPass /.well-known !
# NOTE: If a different directive, e.g. index.html, already exists, Apache
# searches for that one first! Multiple DirectoryIndex directives are
# concatenated and don't replace each other!
# Be careful if there are several index files with different extensions
# in the file tree.
# NOTE(review): a second DirectoryIndex (index.jsp index.html) follows in
# the "Directory Locations" section below; if both are in the same context
# the concatenation described above makes this one redundant.
DirectoryIndex index.jsp
ProxyPass /index.html !
# Adjust as appropriate: these paths are served by httpd directly from
# DocumentRoot and are not forwarded to the backend.
ProxyPass /css.d !
ProxyPass /dav !
ProxyPass /download !
ProxyPass /favicon.ico !
ProxyPass /image.d !
# If we use a balancer:
# NOTE(review): this looks like an older variant of the BASE_NAME-balancer
# include further down; keep only one of them.
#Include conf.vhosts.d/SERVER_SHORT_NAME-balancer.inc
# Finally do the work.
# For Tomcat 9 and later or Wildfly add the shared secret (secret=...) to
# both lines.
# NOTE(review): the AJP secret authenticates this proxy to the backend; it
# does not encrypt the connection. AJP traffic is cleartext, so keep
# SERVER_FQN_INTERNAL on a trusted network segment (or the loopback
# interface) and restrict the backend's AJP connector to this proxy.
# PORT is a placeholder not covered by the substitution list at the top.
ProxyPass / ajp://SERVER_FQN_INTERNAL:PORT/
ProxyPassReverse / ajp://SERVER_FQN_INTERNAL:PORT/
# In case of a balancer, replace by
#Include conf.vhosts.d/BASE_NAME-balancer.inc
# ===============================================================
# Directory Locations
# ===============================================================
DirectoryIndex index.jsp index.html
DocumentRoot /srv/BASE_NAME/htdocs
# Specific to the default 2.4 configuration:
# Enable access to the server-specific base file location.
# NOTE(review): the two AllowOverride/Require pairs below presumably belong
# to two separate <Directory> blocks (the base location and the document
# root) whose container lines are missing from this copy.
AllowOverride None
# Allow open access:
Require all granted
# Further relax access to the default document root
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
# NOTE(review): "Indexes" enables automatic directory listings for every
# path below DocumentRoot that is excluded from the proxy above (css.d,
# download, image.d, ...); drop it unless listings are intended.
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server:
# Allow open access:
Require all granted
# ===============================================================
# Optional: Protect access to the start page (and subsequent pages)
# ===============================================================
#
# AuthType Basic
# AuthName "Zugang zur Start Seite"
# AuthUserFile /srv/BASE_NAME/.htpasswd
# Require valid-user
#
# ===============================================================
# Logging configuration
# ===============================================================
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
# NOTE: fail2ban searches for ~/logs/*access_log and ~/logs/*error_log
# to find the log files to watch and analyze! Keep these name patterns.
ErrorLog logs/BASE_NAME-ssl_error_log
CustomLog logs/BASE_NAME-ssl_access_log combined
LogLevel warn
# INSECURE virtual WEB host configuration for
# SHORT_DESCR
ServerName FQN_NAME
ServerAlias OPTIONAL_ALIAS
ServerAdmin root@FQN_NAME
# ##########################################################################
# NOTE: We re-route everything to the secure site!
# We retain all alias names for now.
# There is no need for an exception for Let's Encrypt anymore.
# certbot version 2.x can deal with self-signed certificates and https.
# ##########################################################################
# NOTE(review): the redirect target is built from the client-supplied Host
# header. If this is the first (default) vhost on the http port, a request
# with an arbitrary Host value is answered with a Location pointing at that
# host, i.e. an open redirect. Restrict it with a RewriteCond on the served
# names, or redirect to https://FQN_NAME%{REQUEST_URI} instead.
RewriteEngine On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# ===============================================================
# Logging configuration
# ===============================================================
# Use separate log files for the plain-http virtual host; note that LogLevel
# is not inherited from httpd.conf.
# NOTE(review): unlike the secure vhost, no LogLevel is set here.
# NOTE: fail2ban searches for ~/logs/*access_log and ~/logs/*error_log
# to find the log files to watch and analyze! Keep these name patterns.
ErrorLog logs/BASE_NAME-error_log
CustomLog logs/BASE_NAME-access_log combined