Forums

Installing multiple SSL certificates with multiple domains on single portal

Brian Scott Schupbach, modified 11 years ago

Installing multiple SSL certificates with multiple domains on single portal

Expert Posts: 329 Join date: 2008.10.23.
Is it possible to install multiple SSL certificates for multiple domains using a single portal? I'm using tomcat 7. If it is possible, any tips on setting this up would be greatly appreciated.

Thanks,

Brian
parikshit sharma, modified 7 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 53 Join date: 2012.10.18.
Hi Brian,

Are you able to find a solution?
Olaf Kock, modified 7 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 6403 Join date: 2008.09.23.
The portal can deal with any number of domains. Your webserver can do so as well. Look up SNI (Server Name Indication) for a method that does not require a separate IP address for every single domain.

The answer to "is it possible" is: yes. The answer to "can you give any tips" is: Check the documentation for the web- or application server of your own choice. The setup is independent of Liferay and solely depends on the infrastructure you have deployed. Unless you mention one of the few use cases where Liferay might be part of the game...
parikshit sharma, modified 7 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 53 Join date: 2012.10.18.
Hi Olaf,
Thank you for the valuable input. Yes, I checked SNI, but I found that it has limitations when it comes to Tomcat 7. I don't have any web server (Apache or nginx); I need to manage multiple SSL certificates on the basis of domain name at the application server (i.e. the bundled Tomcat 7). Do you have any suggestion for this approach?

Thanks
Olaf Kock, modified 7 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 6403 Join date: 2008.09.23.
parikshit sharma:
Do you have any suggestion for this approach?


Like aptitude install apache2 or aptitude install tomcat8? You're not limited to the bundles, you can also install Liferay on a lot of other platforms.

If SNI doesn't work with tomcat7: Use a different version. If you can't: Install a webserver. Installing a webserver is a good idea anyway - mod_rewrite has saved my bacon a few times: Immediate fixes for nasty problems.

By the way: In the case of SSL I consider it a security best practice to handle the encryption on a different server than your appserver - technically all your appserver-installed applications would be able to read the private key material. Having them in another process (not necessarily another host) provides a whole additional layer of protection.
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join date: 2016.10.01.
Hey hi Olaf,

I have a query: basically I have two sites in Liferay, and of the two, one has SSL and is secure and the other is not secure. So can I run the secure app with the https protocol and the other, which is not secure, on http?

Any guidance would be greatly appreciated.
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.
Well, you could add two connectors, one for https and one for http. Both sites will be available on both connectors. Of course, depending on your certificate, https will only work without warning for one domain.

If you want to do ssl you REALLY should use a webserver like Apache or Nginx in front of tomcat.

Oh, btw.: AFAIK Tomcat 8.5 should support SNI. But I am not sure if Liferay works with Tomcat 8.5. So it probably is not an option anyway. And using a webserver is better anyway.
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join date: 2016.10.01.
Christoph Rabel:
Well, you could add two connectors, one for https and one for http. Both sites will be available on both connectors. Of course, depending on your certificate, https will only work without warning for one domain.

If you want to do ssl you REALLY should use a webserver like Apache or Nginx in front of tomcat.

Oh, btw.: AFAIK Tomcat 8.5 should support SNI. But I am not sure if Liferay works with Tomcat 8.5. So it probably is not an option anyway. And using a webserver is better anyway.


Hi Christoph,
Thank you for the quick reply. Yes, I checked; Liferay is not working with Tomcat 8.5.

Christoph Rabel:
Not sure if this is still an open question, since it was asked a while ago, but:
The best solution is using a webserver, but: You could also buy either a wildcard certificate or create multiple aliases for your certificate. Currently these are your only options with Liferay and Tomcat.

A wildcard certificate is best if you have several subdomains, e.g.:
de.mydomain.com
en.mydomain.com
fr.mydomain.com
...
something.mydomain.com

It's more expensive, it pays off at some number of subdomains.

Alias domains are more flexible, but fixed, your certificate could work for:
www.mydomain1.com
www.mydomain1.net
www.mydomain2.com.


And for this suggestion: we didn't have a wildcard certificate; we have a separate certificate for each site, so now we try to have two SSL certificates with us and try to configure this with Tomcat as a separate connector for each. Let's see if it works.

Olaf:

Mixing http and https is never a good idea. After all, both sites - when pointing to the same Liferay instance - share the same user accounts (passwords!) when logging in. These days, https should be the norm, http the exception. Especially as certificates are basically free.

Hey, thanks for your comment Olaf,
Mixing http and https is never a good idea

Yes, you are right, so we didn't follow this; we will go with the https protocol for both sites with separate SSL certificates.
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.

And for this suggestion: we didn't have a wildcard certificate; we have a separate certificate for each site, so now we try to have two SSL certificates with us and try to configure this with Tomcat as a separate connector for each. Let's see if it works.


Not sure if you know that, but you can't bind two connectors on the same IP and port. So you probably need two IPs. While I saw it quite often on test systems or internal systems that ssl is run on port 8443 or something like that, it is really uncommon in the internet. People and browsers expect https 443.

Of course, if this is an intranet site, adding virtual IPs is usually not much of a hassle.
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join date: 2016.10.01.
Thanks Christoph Rabel,

"Not sure if you know that, but you can't bind two connectors on the same IP and port. So you probably need two IPs. While I saw it quite often on test systems or internal systems that ssl is run on port 8443 or something like that, it is really uncommon in the internet. People and browsers expect https 443."

Now we have two connectors in server.xml with different IPs, but only one connector is working at a time and the next one is not working.
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.

Now we have two connectors in server.xml with different IPs, but only one connector is working at a time and the next one is not working.


But that should work. It works for sure for http, but it should work for https too.
Please show us the Connector configuration in your server.xml. Also: What error message do you see in the logfile?
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join date: 2016.10.01.
Hi Christoph Rabel.

"Please show us the Connector configuration in your server.xml"

Please check...

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
address="ip1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/home/ec2-user/tomcat1.keystore"
keystorePass="*******" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
address="ip1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/home/ec2-user/tomcat3.keystore"
keystorePass="******" />



TIA...
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.
Looks ok to me. I don't see a problem. Looks good on first glance.
Are there any errors?
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join date: 2016.10.01.
Christoph Rabel:
Looks ok to me. I don't see a problem. Looks good on first glance.
Are there any errors?

Hi Christoph,

There is no error, but ultimately only the first connector gets executed and the next one is not working.
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.
Hmm.
I tested it just now and it works for me. Just one thing:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
address="ip1"
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
address="ip1"

I guess this is just a copy and paste error, but you are using different IPs here? Just making sure.
This here works for me:
(Http11NioProtocol or Http11Protocol might make a difference but it shouldn't)

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" address='127.0.0.1'
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile='/home/crabel/.keystore2'
clientAuth="false" sslProtocol="TLS" />

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" address='123.123.123.123'
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile='/home/crabel/.keystore'
clientAuth="false" sslProtocol="TLS" />

I just replaced my IP with 123...
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join date: 2016.10.01.
Hey Christoph, thanks for your time, I really appreciate it.

Christoph Rabel:
"I guess this is just a copy and paste error, but you are using different IPs here?"
In our case we have two web applications on the same instance, so there is only one IP, but with the connectors we set two domains; please check.


<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" address='www.domainone.com'
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/x.keystore"
clientAuth="false" sslProtocol="TLS" keystorePass="changeit" />

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" address='www.domaintwo.com'
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/y.keystore"
clientAuth="false" sslProtocol="TLS" keystorePass="changeit" />

But again the first connector is working fine, except the second one.

TIA...
Andrew Jardine, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 2416 Join date: 2010.12.22.
Hey Scott,

I just wanted to add something here, but I am not sure if it will help to be honest. I remember a while back (about 2 years now) working with one of my clients who was struggling to get this going as well. I wasn't the one that did the implementation in the end so I don't really have all the details, but I seem to recall that they ended up having to do something at the JVM level for this. I honestly can't recollect the details but it was something to do with JSSE or whatever. I remember at the time thinking that it seemed like a lot more work, and a bit obtuse for something that should be so simple -- but in the end I think it solved the issue.

I just did a quick google + scan and found that this page might have some relevant details: http://blog.kunicki.org/blog/2015/09/10/ssl-client-certificates-on-the-jvm/

.. but I am with everyone else on this thread. Use Apache or Nginx -- if nothing else you will remove the burden from your app server.

EDIT: I think I just remembered. It had to do with using LDAPS for the open sso connection. So maybe it's not relevant to the issue you are having after all.
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join date: 2016.10.01.
Andrew Jardine:
Hey Scott,

I just wanted to add something here, but I am not sure if it will help to be honest. I remember a while back (about 2 years now) working with one of my clients who was struggling to get this going as well. I wasn't the one that did the implementation in the end so I don't really have all the details, but I seem to recall that they ended up having to do something at the JVM level for this. I honestly can't recollect the details but it was something to do with JSSE or whatever. I remember at the time thinking that it seemed like a lot more work, and a bit obtuse for something that should be so simple -- but in the end I think it solved the issue.

I just did a quick google + scan and found that this page might have some relevant details: http://blog.kunicki.org/blog/2015/09/10/ssl-client-certificates-on-the-jvm/

.. but I am with everyone else on this thread. Use Apache or Nginx -- if nothing else you will remove the burden from your app server.

EDIT: I think I just remembered. It had to do with using LDAPS for the open sso connection. So maybe it's not relevant to the issue you are having after all.

Hey Andrew, thanks for your comment, but in our case that won't be of use any longer.



Christoph Rabel:
I don't understand why you want to do that.......................


Hey Christoph, thank you so much for every reply, I appreciate your efforts.

And finally that redirection is done between Apache and Tomcat with proxy settings.

The way to connect Apache to Tomcat is to use a proxy.
We used a 'Liferay7' project that we created in Eclipse to demonstrate various aspects of Java web development. This project features a myapp public web site that's mapped to 'test' on the URL string. I'll go ahead and fire up my 'Liferay7' project in Eclipse.

I'll verify that ‘Liferay7’ is running by hitting the http://localhost:8080/web/myapp, test in a browser.
Next, go into Tomcat server.xml file and uncomment the 8082 proxy Connector.
<Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" acceptCount="100" connectionTimeout="20000" proxyPort="80" disableUploadTimeout="true" />
Stop and restart 'Tomcat' in Eclipse. After that, try hitting the myapp in a browser. However, this time hit it on port 8082 (http://localhost:8082/web/myapp ).

Now, it's time to set up Apache. In the Apache httpd.conf configuration file, uncomment the following.
These two modules help to have proxy and http mod open for Tomcat.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so


In the Apache httpd.conf file, add ProxyPass and ProxyPassReverse entries.

In the example below, requests to Apache's /myapp-proxy path get mapped to Tomcat's port 8082 connector running on the same machine, with the http://localhost:8082/web/myapp project specified as the project that we get mapped to.
ProxyPass /myapp-proxy http://localhost:8082/web/myapp
ProxyPassReverse /myapp-proxy http://localhost:8082/web/myapp


We can check to make sure the syntax of httpd.conf is correct using the -t switch on httpd.exe:
C:\Apache2.2.4\bin>httpd.exe -t
Syntax OK
C:\Apache2.2.4\bin>

Next, stop and start Apache. After that, hit http://localhost/myapp-proxy test in a browser window.



Now the request to Apache's /myapp-proxy path gets mapped to http://localhost:8082/web/myapp, which is exactly the behaviour we were hoping for. The request to Apache gets sent to Tomcat. Tomcat processes the request and returns the response, which we see in the browser window.
Jack Bakker, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Master Posts: 978 Join date: 2010.01.03.
This thread is becoming noisy and will show poor guidance for those who might be hacking along following others hacking along... and so on ...

There is much info out there on Apache <-> Liferay including with apache handling ssl, and then connecting to tomcat with mod jk, or with a proxy approach.

For you Liferay experts out there, what is the best documentation on this you have found ?
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.
Yes, full ack. There is a lot of confusion here, with several changes of plans. I understand the OP was a bit desperate to get it working, but I fear people who follow this thread will be confused too.

For you Liferay experts out there, what is the best documentation on this you have found ?


Well, I think Olaf's post is pretty good:
https://web.liferay.com/web/olaf.kock/blog/-/blogs/securing-liferay-chapter-3-port-issues-and-http-https

People should probably also read the comments. I personally think that mod_ajp is most often sufficient and easier to configure, but mod_jk is certainly an excellent option.
Jack Bakker, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Master Posts: 978 Join date: 2010.01.03.
Christoph Rabel:

For you Liferay experts out there, what is the best documentation on this you have found ?


Well, I think Olaf's post is pretty good:
https://web.liferay.com/web/olaf.kock/blog/-/blogs/securing-liferay-chapter-3-port-issues-and-http-https


+1

(I think pointing people to best documentation is a good practice especially when forum troubleshooting goes off the rails)
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.
ProxyPass /myapp-proxy http://localhost:8082/web/myapp
ProxyPassReverse /myapp-proxy http://localhost:8082/web/myapp


With this method you connect Apache and Tomcat using http. That's possible, sure.

But please note:
- AJP is preferable because it is faster and more efficient
- NTLM (you said, you will need it) might or might not work. I had some tickets to resolve where it worked "most of the time". But I never used a Windows Apache to do that and since it works differently process/thread wise than the linux versions, I can't tell for sure.

I would advise other readers of this thread to try to connect using ajp. mod_ajp is quite simple to implement. mod_jk is more powerful, but more difficult to configure.
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join date: 2016.10.01.
Christoph Rabel:
ProxyPass /myapp-proxy http://localhost:8082/web/myapp
ProxyPassReverse /myapp-proxy http://localhost:8082/web/myapp


With this method you connect Apache and Tomcat using http. That's possible, sure.

But please note:
- AJP is preferable because it is faster and more efficient
- NTLM (you said, you will need it) might or might not work. I had some tickets to resolve where it worked "most of the time". But I never used a Windows Apache to do that and since it works differently process/thread wise than the linux versions, I can't tell for sure.

I would advise other readers of this thread to try to connect using ajp. mod_ajp is quite simple to implement. mod_jk is more powerful, but more difficult to configure.


Hello Christoph,
With the same mod_proxy setting technique, can you please mention further guidelines to implement multiple SSL certificates with my multiple public web sites?
You mentioned the doc above, https://web.liferay.com/web/olaf.kock/blog/-/blogs/securing-liferay-chapter-3-port-issues-and-http-https ,
but it has limited guidelines for implementing mod_proxy_http.

Other options: mod_proxy_http

Another quite popular configuration is to communicate http to tomcat. This has some drawbacks, e.g. all requests to tomcat will originate on Apache, tomcat will have no idea where in the world they came from. Also, tomcat will believe that its hostname is tomcat.example.com - this is true, but in a properly firewalled network, this address will not be available from the outside. We'll need to hack this with a few more options:

If you prefer proxying through http, look up ProxyPreserveHost On, which will make the original hostname, www.example.com, available to tomcat. Also, you want to configure Liferay's portal-ext.properties to have the proper ports. Check this in the original portal.properties that you already read during the previous chapter:

#
# Set the HTTP and HTTPs ports when running the portal in a J2EE server that
# is sitting behind another web server like Apache. Set the values to -1 if
# the portal is not running behind another web server like Apache.
#
web.server.http.port=-1
web.server.https.port=-1

(you probably want to set these ports to 80 and 443)

All of this is not necessary with AJP - everything is readily communicated to tomcat.

https and mod_proxy_http

With mod_proxy_http you'll need more work to let tomcat know that you're communicating https. You'll typically terminate the https connection on Apache and just forward to tomcat through http. For this reason tomcat doesn't know about the encryption - it never sees any encrypted connection.

A neat hack that you can use here is: Introduce another HTTP connector on tomcat that you'll purely use for proxy requests from your https virtual host. Add the secure="true" attribute to let tomcat know that the original requests on this connector have been encrypted. The relevant part of your server.xml might look like this:

<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" URIEncoding="UTF-8" />

<Connector executor="tomcatThreadPool"
port="8081" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" URIEncoding="UTF-8"
secure="true"/>

Now you only need to make sure that nobody but the encrypted VirtualHost on Apache does connect to 8081 and tomcat assumes that requests coming in on 8081 have indeed been encrypted - but doesn't need to handle any encryption itself.


TIA..
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.
It's quite simple, I have already posted it down there. Enable mod_proxy_ajp and mod_proxy.
For http this should be sufficient:

<VirtualHost *:80>
ServerName yourhost.domain.com

ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/
</VirtualHost>

Of course, the ajp connector on port 8009 has to be enabled (it is by default).
For SSL with SNI you just need to add two apache virtualhosts on port 443 with the appropriate certificates.
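
The two SNI virtual hosts described above, written out as an added example that is not part of the original post (Apache 2.4 configuration). The host names are the ones used earlier in the thread; the certificate paths are placeholders, and it assumes mod_ssl, mod_proxy and mod_proxy_ajp are loaded.

```apache
# Added example, not from the thread: two name-based TLS virtual hosts on one
# IP address and one port. Apache selects the certificate by the SNI host name
# the client sends, so no second IP and no second port is needed.
# Assumption: Tomcat's AJP connector listens on localhost:8009 only.

# Skip this line if the distribution's config already declares it.
Listen 443

# The first *:443 host is also the default for clients that send no SNI name
# or an unknown one, so those clients receive the domainone certificate.
<VirtualHost *:443>
    ServerName www.domainone.com

    SSLEngine on
    # Apache 2.4.8+: server certificate followed by the intermediate chain in
    # one file; older versions take the chain via SSLCertificateChainFile.
    SSLCertificateFile    /path/to/domainone-fullchain.pem
    # The private key stays with Apache; the Tomcat process never reads it.
    SSLCertificateKeyFile /path/to/domainone.key

    # Reverse proxy only: forward proxying stays disabled.
    ProxyRequests     Off
    # Pass the original Host header so Liferay can pick the matching site.
    ProxyPreserveHost On
    ProxyPass / ajp://localhost:8009/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.domaintwo.com

    SSLEngine on
    SSLCertificateFile    /path/to/domaintwo-fullchain.pem
    SSLCertificateKeyFile /path/to/domaintwo.key

    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass / ajp://localhost:8009/
</VirtualHost>

# Plain http only redirects, so logins are never sent unencrypted.
<VirtualHost *:80>
    ServerName www.domainone.com
    Redirect permanent / https://www.domainone.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.domaintwo.com
    Redirect permanent / https://www.domaintwo.com/
</VirtualHost>
```

Running `httpd -t` after editing checks the syntax before the restart.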
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join date: 2016.10.01.
Christoph Rabel:
It's quite simple, I have already posted it down there. Enable mod_proxy_ajp and mod_proxy.
For http this should be sufficient:

<VirtualHost *:80>
ServerName yourhost.domain.com

ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/
</VirtualHost>

Of course, the ajp connector on port 8009 has to be enabled (it is by default).
For SSL with SNI you just need to add two apache virtualhosts on port 443 with the appropriate certificates.

Hey Christoph

Thanks again. We followed the whole process, but while setting up the Apache virtual hosts we have to specify
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
So are those certificates for Apache or Tomcat? We have the Tomcat SSL certificate with us, but those certificates look like they are for Apache, so I think we should generate new certificates for Apache, right?

Tia...
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.
You can use the Tomcat certificates too. But you have to export them from the keystore. I don't recall how it is done, but you should be able to find some guides in the internet. Your options are essentially:

- Export the key from the keystore
- Create a new key and a new certificate

No idea what's easier for you.
Olaf Kock, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 6403 Join date: 2008.09.23.
scott E mitchell:
I have a query: basically I have two sites in Liferay, and of the two, one has SSL and is secure and the other is not secure. So can I run the secure app with the https protocol and the other, which is not secure, on http?


Mixing http and https is never a good idea. After all, both sites - when pointing to the same Liferay instance - share the same user accounts (passwords!) when logging in. These days, https should be the norm, http the exception. Especially as certificates are basically free.

Olaf
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.
Not sure if this is still an open question, since it was asked a while ago, but:
The best solution is using a webserver, but: You could also buy either a wildcard certificate or create multiple aliases for your certificate. Currently these are your only options with Liferay and Tomcat.

A wildcard certificate is best if you have several subdomains, e.g.:
de.mydomain.com
en.mydomain.com
fr.mydomain.com
...
something.mydomain.com

It's more expensive, it pays off at some number of subdomains.

Alias domains are more flexible, but fixed, your certificate could work for:
www.mydomain1.com
www.mydomain1.net
www.mydomain2.com
Fernando Fernandez, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Expert Posts: 396 Join date: 2007.08.22.
Christoph Rabel:
(...)
A wildcard certificate is best if you have several subdomains, e.g.:
(...)
It's more expensive, it pays off at some number of subdomains.
(...)


When cost is an issue you can use letsencrypt certificates.

I've been using them in Liferay setups, with apache->AJP->tomcat->liferay62.

HTH

Fernando
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join date: 2009.09.24.
Usually not an option:
While letsencrypt works fine with Apache, the short lifetime of the certificate is a problem with tomcat since you need to restart the server when you change the certificate. Apache needs a split second, Liferay needs minutes.

Apache + SSL is simply a far superior configuration than Tomcat + SSL. Of course, there is some extra effort to set up the apache webserver, but IMHO it pays off very fast.
Jack Bakker, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Master Posts: 978 Join date: 2010.01.03.
I also find many advantages having apache or nginx in front of Liferay/Tomcat - to handle SSL and much more.
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join date: 2016.10.01.
Jack Bakker:
I also find many advantages having apache or nginx in front of Liferay/Tomcat - to handle SSL and much more.



Hey Jack,

Thanks for the reply, but actually I have installed Apache in front of Tomcat and am having some issues: we have the Apache service on port 80 and at the same time we have Tomcat running on the same port, so we have some configuration problem. If possible, can you please guide us regarding the proper way to have Apache or nginx in front of Liferay/Tomcat?

That would be a great help from you! TIA....
Fernando Fernandez, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Expert Posts: 396 Join date: 2007.08.22.
scott E mitchell:

Thanks for the reply, but actually I have installed Apache in front of Tomcat and am having some issues: we have the Apache service on port 80 and at the same time we have Tomcat running on the same port, so we have some configuration problem. If possible, can you please guide us regarding the proper way to have Apache or nginx in front of Liferay/Tomcat?


Since Tomcat is not in front of your users you can change the port it binds to. Try the default 8080 in both websites. You can use apache for the https offloading for the secure website.

Here's an apache conf for the https offloading virtualhost, using AJP as the connector between apache and tomcat. This works very well for me.


<virtualhost 10.10.10.10:443>
        ServerName "your.server.com"
        ServerAlias your.server.com
        DocumentRoot /var/www/ysdc

        SSLEngine on
        SSLProxyEngine On
        SSLCertificateFile /etc/letsencrypt/live/your.server.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/your.server.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/your.server.com/chain.pem

        # Reverse proxy only: "ProxyRequests On" would also enable forward proxying
        ProxyRequests Off
        ProxyPass / ajp://localhost:8009/
        ProxyPassReverse / ajp://localhost:8009/
</virtualhost>




HTH

Fernando
Jack Bakker, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Master Posts: 978 Join date: 2010.01.03.
scott E mitchell:
actually I have installed Apache in front of Tomcat and am having some issues: we have the Apache service on port 80 and at the same time we have Tomcat running on the same port, so we have some configuration problem. If possible, can you please guide us regarding the proper way to have Apache or nginx in front of Liferay/Tomcat?


apache would listen to 80 and 443, where you'd have multiple virtualhost blocks for each domain you are dealing with

I would start without SSL to learn, then after you get that right add multiple virtualhost blocks for each https domain ; you could use SNI to avoid having an ip per ssl virtualhost config

apache would connect to tomcat with mod_jk (my preference) or you could use mod_proxy
googling apache in front of tomcat will get you lots of hits ; also David has a blog on this here
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join Date: 2016.10.01. Recent Posts
Hello Jack,
Thanks for your guidance.

Jack Bakker:


apache would listen to 80 and 443, where you'd have multiple virtualhost blocks for each domain you are dealing with

I would start without SSL to learn, then after you get that right add multiple virtualhost blocks for each https domain ; you could use SNI to avoid having an ip per ssl virtualhost config

apache would connect to tomcat with mod_jk (my preference) or you could use mod_proxy
googling apache in front of tomcat will get you lots of hits ; also David has a blog on this here


I have started with Apache and mod_jk in front of Tomcat, and we found the process to handle all the end-to-end configuration, but there must be some configuration error. Please check.



Install program - installed Liferay 7.0 GA3 portal bundled Tomcat on Windows, Apache web server (httpd) httpd-2.4.26-Win64-VC15,
mod_jk Tomcat connector od_jk-1.2.42-win64-VC15.zip



I connect apache to tomcat using the mod_jk module

1. To connect Apache to Tomcat using the mod_jk module. To begin with, set up Tomcat. In Tomcat's server.xml file, uncomment the AJP connector, as shown below.

<Connector port="8009" redirectPort="8443" protocol="AJP/1.3" />
2. Change the default port from server.xml to 8080 for Liferay 7.0 GA3.

3. The Apache web server doesn't come with the mod_jk connector by default, so download it. I downloaded the mod_jk Tomcat connector

Link: https://www.apachelounge.com/download/
od_jk-1.2.42-win64-VC15.zip

4. I placed mod_jk.so in my C:\Apache24\modules directory.

5. Next, I created a worker.properties file in C:\Apache24\conf\ as shown below:

worker.list=ajp13_worker
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=localhost
worker.ajp13_worker.type=ajp13


6. After that, I modified httpd.conf by adding the following code for mod_jk. We load the mod_jk module that we placed in the modules directory using the LoadModule directive. We mount the myapp web project that we have running in Eclipse.

httpd.conf mod_jk modification
LoadModule jk_module modules/mod_jk.so


<IfModule jk_module>

JkWorkersFile conf/workers.properties
JkLogFile logs/mod_jk.log
JkLogStampFormat "[%b %d %Y - %H:%M:%S] "
JkRequestLogFormat "%w %V %T"
JkLogLevel info

JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

Alias /myapp "E:/Tools/liferay/workspace/myapp/"


<Directory "E:/Tools/liferay/workspace/myapp/">
AllowOverride None
Allow from all
</Directory>

<Location /*/WEB-INF/*>
deny from all
</Location>

JkMount /myapp/* myworker

</IfModule>



We can verify the syntax of these modifications via:
Restart Apache to make these Apache changes take effect.
Now that Apache is restarted, let's first verify that we can hit the ‘myapp’ project running directly on Tomcat on port 8080 via http://localhost:8080/web/myapp: it is running. If we go to localhost:80 only, it shows "It works!", so Apache is running fine.
But once we hit only http://localhost/myapp it’s shown an error like.
Can you please guide me if any step is missing, or if any configuration or software version is incorrect?
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join Date: 2009.09.24. Recent Posts
Good choice :-)

You should read this blog post:
https://web.liferay.com/web/olaf.kock/blog/-/blogs/securing-liferay-chapter-3-port-issues-and-http-https

scott E mitchell:

Alias /nimblebi "E:/Tools/liferay/workspace/nimblebi/"
<Directory "E:/Tools/liferay/workspace/nimblebi/">
AllowOverride None
Allow from all
</Directory>

<Location /*/WEB-INF/*>
deny from all
</Location>


This block doesn't make any sense for me. It might make sense, if you want to deliver static files from there.

scott E mitchell:

JkMount /nimblebi/* myworker


That won't work. You need to send all requests to tomcat. It's described in the blog above.
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join Date: 2016.10.01. Recent Posts
Hey Christoph, thank you so much for the reply, man.
Christoph Rabel:
Good choice :-)

You should read this blog post:
https://web.liferay.com/web/olaf.kock/blog/-/blogs/securing-liferay-chapter-3-port-issues-and-http-https

I'm reading this blog; there is more information regarding my query.
scott E mitchell:

Alias /myapp "E:/Tools/liferay/workspace/myapp/"
<Directory "E:/Tools/liferay/workspace/myapp/">
AllowOverride None
Allow from all
</Directory>

<Location /*/WEB-INF/*>
deny from all
</Location>


This block doesn't make any sense for me. It might make sense, if you want to deliver static files from there.


And here we actually try to get the Liferay directory and set an alias for it as myapp. If you see any correction or mistake, please reply.
scott E mitchell:

JkMount /myapp/* myworker


That won't work. You need to send all requests to tomcat. It's described in the blog above.

Yes, that JkMount is wrong; it should be "JkMount /myapp/* ajp13_worker"

because our worker.Property file is
"worker.list=ajp13_worker
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=localhost
worker.ajp13_worker.type=ajp13"
If possible, please mention the versions of the respective software.
Please check and reply with your suggestions.
Tia...
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join Date: 2009.09.24. Recent Posts
scott E mitchell:

Christoph Rabel:

scott E mitchell:

...

This block doesn't make any sense for me. It might make sense, if you want to deliver static files from there.


And here we actually try to get the Liferay directory and set an alias for it as nimblebi. If you see any correction or mistake, please reply.


I don't understand why you want to do that. You do not need to access the Liferay directory from Apache at all.
You connect Apache through AJP (mod_jk) to Tomcat.
Apache -> AJP -> Tomcat

scott E mitchell:

Christoph Rabel:

scott E mitchell:

JkMount /nimblebi/* myworker

That won't work. You need to send all requests to tomcat. It's described in the blog above.

Yes, that JkMount is wrong; it should be "JkMount /nimblebi/* ajp13_worker"


It is still wrong. It doesn't make sense to map /nimblebi/ to /. It only makes sense if you have set a proxy.path in Liferay and I am quite sure, you didn't.
You need to map /* to /* and / to /
JkMount /* ajp13_worker
JkMount / ajp13_worker

scott E mitchell:

If possible, please mention the versions of the respective software.
Please check and reply with your suggestions.
Tia...


The software version makes no difference here. It should work with all current versions.
Do you need NTLM authentication?
Yes -> Ok, you need to get mod_jk working.
No -> mod_proxy_ajp instead. It's easier to configure. Less options.

Basically:
Enable mod_proxy_ajp and mod_proxy.

<VirtualHost *:80>
ServerName yourhost.domain.com

ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/
</VirtualHost>

When this works, it is the most simple configuration, you can add more complicated configuration like ssl or loadbalancing or caching or ...
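The setup the replies above describe (one name-based virtual host per HTTPS domain, selected by SNI, with Apache terminating TLS and forwarding to Tomcat over AJP), as an added example that is not part of the original posts. The host names and certificate paths are placeholders, and it assumes mod_ssl, mod_proxy and mod_proxy_ajp are loaded and that `Listen 80` and `Listen 443` already exist in httpd.conf.

```apache
# Added example (not from the thread). Host names and certificate paths are
# placeholders. Tomcat's AJP connector is assumed on localhost:8009, as in the
# thread, and should not be reachable from outside this machine.

# Reverse proxy only: never act as a forward proxy.
ProxyRequests Off

# Reject clients that send no SNI name instead of serving them the first
# virtual host's certificate.
SSLStrictSNIVHostCheck On

# Plain HTTP: redirect each domain to its HTTPS counterpart.
<VirtualHost *:80>
    ServerName site-one.example
    Redirect permanent / https://site-one.example/
</VirtualHost>
<VirtualHost *:80>
    ServerName site-two.example
    Redirect permanent / https://site-two.example/
</VirtualHost>

# First HTTPS domain. Apache selects the virtual host (and so the certificate)
# from the SNI name in the TLS handshake, so both domains share one IP address.
<VirtualHost *:443>
    ServerName site-one.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/site-one.example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/site-one.example/privkey.pem

    # Pass the client's Host header through, as in the mod_proxy_ajp
    # configuration shown earlier in the thread.
    ProxyPreserveHost On
    ProxyPass        / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>

# Second HTTPS domain: same backend, its own certificate and key.
<VirtualHost *:443>
    ServerName site-two.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/site-two.example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/site-two.example/privkey.pem

    ProxyPreserveHost On
    ProxyPass        / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>
```

Putting the full chain in `SSLCertificateFile` requires httpd 2.4.8 or later; older versions need a separate `SSLCertificateChainFile` line as in the configuration posted earlier.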
scott E mitchell, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Junior Member Posts: 41 Join Date: 2016.10.01. Recent Posts
Hello Christoph


I don't understand why you want to do that. You do not need to access the Liferay directory from Apache at all.
You connect Apache through AJP (mod_jk) to Tomcat.
Apache -> AJP -> Tomcat

Yes you are right and that was done by setting server.xml right?

It is still wrong. It doesn't make sense to map /myapp/ to /. It only makes sense if you have set a proxy.path in Liferay and I am quite sure, you didn't.
You need to map /* to /* and / to /
JkMount /* ajp13_worker
JkMount / ajp13_worker

And we have set proxy.path in portal-ext file as well and jkmount like that JkMount / ajp13_worker


Do you need NTLM authentication?
Yes -> Ok, you need to get mod_jk working.

No, we have not thought about it for now, but yes, we need to get mod_jk working.


TIA....
Christoph Rabel, modified 6 years ago

RE: Installing multiple SSL certificates with multiple domains on single po

Liferay Legend Posts: 1554 Join Date: 2009.09.24. Recent Posts
scott E mitchell:


I don't understand why you want to do that. You do not need to access the Liferay directory from Apache at all.
You connect Apache through AJP (mod_jk) to Tomcat.
Apache -> AJP -> Tomcat

Yes you are right and that was done by setting server.xml right?


In server.xml you just need to enable ajp connector. It is enabled by default, so you probably have to do nothing.


And we have set proxy.path in portal-ext file as well and jkmount like that JkMount / ajp13_worker


Ah, ok. Then I am wrong. If you have set proxy.path then sending /nimblebi to / is fine.


No, we have not thought about it for now, but yes, we need to get mod_jk working.


Ok. But I have no idea where you are stuck. Your description of your problem:
"But once we hit only http://localhost/nimblebi it’s shown an error like."

is pretty unclear.
What error do you get? What do you see in the browser? (also with Development Tools, F12)
What errors do you see in apache logfile?