Apache configuration

You can use Apache in front of MTG-Applications to terminate the TLS connection and/or act as a load balancer.

You can use your distribution’s default package or use the MTG-httpd-Package (recommended).

The default config for the MTG-httpd-package can be found in /etc/opt/apache2/.

SSL/TLS configuration

If you have multiple applications running on the same machine, you can bind the applications to the loopback network interface and use the following Apache configuration to terminate TLS:

SSLEngine on
SSLCertificateFile /etc/opt/apache2/ssl.cert/server.crt
SSLCertificateKeyFile /etc/opt/apache2/ssl.key/server.key.private
SSLCACertificateFile /etc/opt/apache2/ca/ca.crt
SSLOptions +ExportCertData +StrictRequire +StdEnvVars

<Location /<CONTEXT>/>
 SSLRequireSSL
</Location>

JkMount /<CONTEXT>* <ajp_worker_name>
JkMount /<CONTEXT>/* <ajp_worker_name>

Where:

  • SSLOptions: sets the additional SSL options that are required

  • server.crt / server.key.private: are the Apache web server certificate and its private key

  • ca.crt: is the certificate of the CA that issued the server certificate

  • CONTEXT: is the context path used by the application. It matches server.servlet.context-path in application.properties (standalone applications) or the Context path in the Tomcat server.xml

  • ajp_worker_name: matches the mod_jk worker name defined in workers.properties

Some applications require mutual TLS authentication (client certificates). In this case, the Apache Location configuration looks as follows:

<Location /<CONTEXT>>
    SSLRequireSSL
    SSLVerifyClient optional
    SSLVerifyDepth 2
</Location>

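Where:

  • SSLVerifyClient: controls TLS client authentication. With optional, Apache requests a client certificate but does not reject connections that present none

  • SSLVerifyDepth: is the maximum number of intermediate CAs allowed in the client certificate chain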

mod_jk configuration

mod_jk is used to communicate with a Tomcat servlet container via AJP. Most MTG-Server applications run either in a central Tomcat instance or bring their own Tomcat (standalone applications). Check the product/package description for more details.

The mod_jk module needs to be loaded in httpd.conf: LoadModule jk_module modules/mod_jk.so

The following configuration example shows how to configure mod_jk in Apache httpd:

 JkWorkersFile /etc/opt/apache2/workers.properties
 JkLogFile /var/log/apache/mod_jk.log
 JkLogLevel warn
 JkOptions +ForwardKeySize +ForwardURIProxy -ForwardDirectories
 JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
 JkShmFile /usr/local/apache2/logs/mod_jk.shm

Where:

  • JkWorkersFile: is the path to the workers.properties file

  • JkLogFile: is the path to the log file of the mod_jk module

  • JkLogLevel: is the log level (verbosity) of mod_jk

  • JkOptions: sets additional options for mod_jk

  • JkLogStampFormat: defines the timestamp format of the log entries

  • JkShmFile: defines the path to the shared memory (state) file

The referenced workers.properties file could look like this:

worker.list=firstworker,secondworker

worker.firstworker.type=ajp13
worker.firstworker.host=127.0.0.1
worker.firstworker.port=8009
worker.firstworker.max_packet_size=65536

worker.secondworker.type=ajp13
worker.secondworker.host=127.0.0.1
worker.secondworker.port=8010
worker.secondworker.secret=PASSWORD2
worker.secondworker.max_packet_size=65536

  • Match the worker port to the server.port defined in application.properties (standalone applications) or to the AJP connector port of your running Tomcat instance.

  • Match the secret to the tomcat.ajp.secret defined in application.properties (standalone applications) or to the AJP connector secret of your running Tomcat instance.

  • The value of max_packet_size must be set to 65536 because the AJP messages become larger than the default value of 8192.
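The rules above can be checked mechanically before Apache is reloaded. The following Python lint is an added example, not part of the MTG packages: the function names and finding texts are illustrative, and it assumes mod_jk's documented defaults (type ajp13, host localhost) for attributes a worker leaves out. Run against the sample above, it reports that firstworker has no secret configured.

```python
# Added example; SAMPLE is constructed input mirroring the workers.properties above.
SAMPLE = """\
worker.list=firstworker,secondworker
worker.firstworker.type=ajp13
worker.firstworker.host=127.0.0.1
worker.firstworker.port=8009
worker.firstworker.max_packet_size=65536
worker.secondworker.type=ajp13
worker.secondworker.host=127.0.0.1
worker.secondworker.port=8010
worker.secondworker.secret=PASSWORD2
worker.secondworker.max_packet_size=65536
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
REQUIRED_PACKET_SIZE = "65536"  # the value this page requires

def parse_workers(text):
    """Return (names in worker.list, {name: {attribute: value}})."""
    listed, workers = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "worker.list":
            listed += [n.strip() for n in value.split(",") if n.strip()]
        elif key.startswith("worker.") and key.count(".") >= 2:
            _, name, attr = key.split(".", 2)
            workers.setdefault(name, {})[attr] = value
    return listed, workers

def lint_workers(text):
    """Return (worker, finding) tuples for each ajp13 worker in worker.list."""
    listed, workers = parse_workers(text)
    findings = []
    for name in listed:
        cfg = workers.get(name, {})
        if cfg.get("type", "ajp13") != "ajp13":  # assumed mod_jk default type
            continue
        if not cfg.get("secret"):
            findings.append((name, "no secret set"))
        if cfg.get("host", "localhost").lower() not in LOOPBACK:
            findings.append((name, "host is not loopback"))
        if cfg.get("max_packet_size") != REQUIRED_PACKET_SIZE:
            findings.append((name, "max_packet_size is not 65536"))
    return findings

if __name__ == "__main__":
    print(lint_workers(SAMPLE))
```

A worker without a secret only connects if the Tomcat AJP connector on that port also accepts connections without one, so treat that finding as a prompt to check both sides.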