
Apache Tomcat via Apache HTTPD

If your Tomcat instance listens on a port other than 80 and you want it to be reachable via Apache, you can base your Apache configuration on the following example, which routes all EntryStore traffic through Apache to Tomcat. This way you avoid having to expose port 8080 and risk not being reachable from restrictive networks. Configuring SSL is also easier this way.

The configuration also has some extra settings that control the expiration times of different file types.

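# Plain-HTTP listener. Its only job is to send every request to the HTTPS
# virtual host below; no content is served from here.
<VirtualHost *:80>
  ServerAdmin admin@domain.tld
  ServerName domain.tld
  RewriteEngine On
  RewriteCond %{HTTPS} off
  # Redirect to the canonical host name rather than to %{HTTP_HOST}: the Host
  # header is client-supplied, so echoing it back can turn this rule into an
  # open redirect whenever this is the default virtual host for the address.
  # R=301 makes the redirect explicit and permanent (the original relied on
  # mod_rewrite's implicit 302 for absolute-URL substitutions); L stops
  # further rewriting. The query string is carried over by default.
  RewriteRule ^ https://domain.tld%{REQUEST_URI} [R=301,L]
</VirtualHost>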

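# HTTPS virtual host: serves the static EntryScape frontend from DocumentRoot
# and reverse-proxies /store/ to the EntryStore web application in Tomcat.
<VirtualHost *:443>
  ServerAdmin admin@domain.tld
  ServerName domain.tld
  DocumentRoot /srv/domain.tld/entryscape/

  # Never serve a checked-out repository (.git and everything below it).
  RedirectMatch 404 /\.git

  # Single-page app fallback: every path that does not start with one of the
  # listed prefixes is served index.html. The dot in style.css is escaped so
  # the alternative matches that file name literally instead of any character.
  AliasMatch ^/((?!(store|rowstore|config|libs|nls|style\.css)).*)$ /srv/domain.tld/entryscape/index.html

  HostnameLookups off
  ErrorLog /var/log/apache2/error-domain.tld.log
  CustomLog /var/log/apache2/access-domain.tld.log combined

  SSLEngine on
  # SSLCertificateChainFile is deprecated since httpd 2.4.8; pointing
  # SSLCertificateFile at fullchain.pem (leaf + intermediates) sends the chain
  # once instead of the leaf twice. The TLS settings below already require a
  # newer httpd than 2.4.8, so this form is safe here.
  SSLCertificateFile /etc/letsencrypt/live/domain.tld/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
  # TLS 1.2+ only; SSLv3 and TLS 1.0/1.1 are disabled.
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  SSLHonorCipherOrder on
  SSLCompression off
  SSLSessionTickets off

  # "always" applies the headers to error responses too, not only to 2xx.
  # HSTS for one year; add "; includeSubDomains" only once every subdomain of
  # domain.tld is served over HTTPS.
  Header always set Strict-Transport-Security "max-age=31536000"
  Header always set X-Frame-Options SAMEORIGIN
  Header always set X-Content-Type-Options nosniff

  RewriteEngine on
  # Proxy /store/ to Tomcat over the loopback interface. The original targeted
  # domain.tld:8080, which requires Tomcat to listen on the public address --
  # exactly what this setup is meant to avoid. Bind Tomcat's HTTP connector to
  # 127.0.0.1 (address="127.0.0.1") so port 8080 is only reachable from this
  # host. [P] implies [L]; the ProxyPassReverse target must match the proxied
  # URL so Location headers from Tomcat are rewritten back to /store/.
  RewriteRule ^/store/(.+)$ http://127.0.0.1:8080/entrystore/$1 [P]
  ProxyPassReverse /store/ http://127.0.0.1:8080/entrystore/

  ExpiresActive On
  <Directory "/srv/domain.tld/entryscape*">
    Options FollowSymLinks MultiViews
    # NOTE(review): AllowOverride All lets any .htaccess under the document
    # root change these settings; narrow it (or set None) if no .htaccess
    # files are deployed with the frontend -- confirm against the deployment.
    AllowOverride All
    Require all granted

    # Static assets: 30 minutes by default, 3 hours for images.
    ExpiresDefault A1800
    <FilesMatch "\.(gif|jpg|png|svg)$">
      Header set Cache-Control "max-age=10800"
    </FilesMatch>
  </Directory>

  <Location /store/>
    # Compress proxied API responses except already-compressed image types;
    # dont-vary keeps Vary: User-Agent off those responses.
    SetOutputFilter DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    Header append Vary User-Agent env=!dont-vary
    # Short TTL for backend data, which changes far more often than the assets.
    ExpiresDefault A60
  </Location>

</VirtualHost>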