Apache 2.4.52 and mod_jk 1.2.48 not forwarding to Tomcat 8.0.3


I am trying to re-set up my website using Tomcat 8.0.3 on Ubuntu 22.04. The openjdk version is 1.8.0_382. I haven't been able to complete the SSL installation for weeks. I tried keytool first, but had trouble with port 443: https://stackoverflow.com/questions/77435703/openssl-connectionrefusederror-errno-111 Then I realized it would make more sense to use Apache2 and mod_jk. Currently, there does not seem to be any problem with the Apache2 installation, but I still cannot perform the redirection.

My configuration is as follows:

# /etc/apache2/mods-available/jk.load
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so

# /etc/apache2/apache2.conf
Include /etc/apache2/mods-available/jk.conf

# /etc/apache2/mods-available/jk.conf
JkWorkersFile /etc/libapache2-mod-jk/workers.properties

# /etc/libapache2-mod-jk/workers.properties
workers.tomcat_home=/opt/tomcat
workers.java_home=/usr/lib/jvm/java-8-openjdk-amd64/bin/java
worker.list=ajp13_worker
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=localhost
worker.ajp13_worker.type=ajp13
worker.ajp13_worker.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=ajp13_worker

# /etc/apache2/sites-available/example.com.conf
ServerAdmin [email protected]
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/public_html
JkMountCopy On
JkMount /* ajp13_worker

# /etc/apache2/sites-available/example2.com.conf
ServerAdmin [email protected]
ServerName example.com
ServerAlias www.example2.com
DocumentRoot /var/www/example2.com/public_html
JkMountCopy On
JkMount /* ajp13_worker
SSLCertificateFile /root/.acme.sh/example.com_ecc/fullchain.cer
SSLCertificateKeyFile /root/.acme.sh/example.com_ecc/example.com.key
SSLCACertificateFile /root/.acme.sh/example.com_ecc/ca.cer

# /opt/tomcat/server.xml
<Connector port="8009" address="::1" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" />
  <!--APR library loader. Documentation at /docs/apr.html
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  -->
<Engine name="Catalina" defaultHost="localhost" jvmRoute="ajp13_worker">

I had created the certificates using acme.sh.

I checked the ufw firewall status.

The Apache2 configuration seems OK. The VirtualHost one too.

curl -I https://example.com gives HTTP/1.1 200 OK.

There is no error in mod_jk.log.

This is the Apache2 error log:

# less /var/log/apache2/error.log
[mpm_event:notice] [pid 333218:tid 139942839801728] AH00494: SIGHUP received.  Attempting to restart
[mpm_event:notice] [pid 333218:tid 139942839801728] AH00489: Apache/2.4.52 (Ubuntu) mod_jk/1.2.48 OpenSSL/3.0.2 configured -- resuming normal operations
[core:notice] [pid 333218:tid 139942839801728] AH00094: Command line: '/usr/sbin/apache2'

And finally, catalina.out sometimes starts without any problems and sometimes gives the following error. The problem must be caused by Tomcat, but I couldn't find a permanent solution to it.

# tail /opt/tomcat/logs/catalina.out
INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8080"]
INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8080"]
INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8443"]
INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8443"]
INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["ajp-nio-0:0:0:0:0:0:0:1 8009"]
INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["ajp-nio-0:0:0:0:0:0:0:1 8009"]
INFO [http-nio-8080-exec-10] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
INFO [http-nio-8080-exec-1] org.apache.coyote.http11.AbstractHttp11Processor.process
 Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.

What's the problem that I can't see or solve? Any idea will be appreciated.

SOLUTION:

The problem was due to iptables redirection. There are two points to consider here. First, to delete PREROUTING records, you need to use a command like this: iptables -t nat -D PREROUTING... Second, commands are needed to permanently save the change. What worked for me were the following:

# /sbin/iptables-save > /etc/iptables/rules.v4
# /sbin/ip6tables-save > /etc/iptables/rules.v6
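As an added example (not code from the question or its author), the following shell helper turns `iptables-save` output into the exact `iptables -t nat -D PREROUTING ...` commands for any leftover REDIRECT rules in the nat table, so they can be reviewed before removal, and then persists the cleaned rules the same way the solution above does. The function names and the sample rule set are my own constructions; the apply step assumes root and the iptables-persistent file locations used in the solution.

```shell
#!/bin/sh
# Added example (not from the original post). Given the output of
# `iptables-save`, emit the `iptables -t nat -D PREROUTING ...` commands
# that remove every REDIRECT rule in the nat PREROUTING chain, so that
# Apache on 80/443 receives the traffic instead of a stale Tomcat redirect.
# Assumes the iptables-save format as seen on Ubuntu 22.04.

# Print one delete command per nat-table PREROUTING REDIRECT rule (stdin -> stdout).
redirect_delete_cmds() {
    awk '
        /^\*/     { table = substr($0, 2) }      # "*nat" / "*filter" section start
        /^COMMIT/ { table = "" }                 # section end
        table == "nat" && /^-A PREROUTING / && /-j REDIRECT/ {
            sub(/^-A PREROUTING /, "")           # keep only the match/target part
            print "iptables -t nat -D PREROUTING " $0
        }
    '
}

# Constructed sample of `iptables-save` output: two leftover redirects from
# an earlier Tomcat-only setup, plus rules that must NOT be touched.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i lo -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Dry run by default (prints the commands); pass "apply" to execute them as
# root and persist the result where iptables-persistent reloads it at boot.
cleanup_redirects() {
    cmds=$(iptables-save | redirect_delete_cmds)
    if [ "$1" = "apply" ]; then
        printf '%s\n' "$cmds" | sh -e
        iptables-save  > /etc/iptables/rules.v4
        ip6tables-save > /etc/iptables/rules.v6
    else
        printf '%s\n' "$cmds"
    fi
}

# Demo on the constructed sample: prints the two delete commands.
printf '%s\n' "$SAMPLE_RULES" | redirect_delete_cmds
```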
