4

I have a running YouTrack instance deployed using Tomcat 7 and it works fine on http://example.com:8080/youtrack

Apache is already configured to support SSL for the main domain (I have .pem file). Both https://example.com and http://example.com are accessible without any problems.

The port 8443 is already used by some other service (https://example.com:8443 shows me Plesk admin panel).

Now I'd like to set up YouTrack to use https://youtrack.example.com

How can I achieve this?

Do I need to configure Tomcat to support SSL (generate separate key etc.), or just proxy the requests from Apache to Tomcat?

I guess the first step would be to configure YouTrack to be accessible on https://example.com:8444/youtrack, then proxy the requests using Apache's mod_proxy.

How can I do this?

My /var/lib/tomcat7/conf/server.conf is default, without any changes: http://pastie.org/9385045

My /usr/share/tomcat7/bin/setenv.sh contains the entry to change the YouTrack default URL: -Djetbrains.youtrack.baseUrl=http://youtrack.example.com

Virtual hosts configuration:

$ cat /etc/apache2/sites-enabled/default

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/default
    <Directory />
            Options FollowSymLinks
            AllowOverride All
    </Directory>
    <Directory /var/www/default>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

SSL host:

$ cat /etc/apache2/sites-enabled/default-ssl

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com

DocumentRoot /var/www/default
<Directory />
    Options FollowSymLinks
    AllowOverride All
</Directory>
<Directory /var/www/default>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel warn

CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

SSLEngine on


SSLCertificateFile    /etc/ssl/certs/mailserver.pem
SSLCertificateKeyFile /etc/ssl/private/mailserver.pem

#SSLVerifyClient require
#SSLVerifyDepth  10

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>
Sfisioza

2 Answers

2

Looks like a better choice over mod_proxy would be mod_jk.

See Working with mod_jk.

takeshin
1

You don't need to configure SSL for Tomcat; just use Apache to proxy the requests to http://example.com:8080/youtrack via mod_proxy.

First, generate/purchase a certificate for the new domain youtrack.example.com. Then add this entry to your config.

<VirtualHost *:443>
    ServerName youtrack.example.com

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLEngine on

    SSLCertificateFile    /your/ssl/public/path/mailserver.pem
    SSLCertificateKeyFile /your/ssl/private/path/mailserver.pem

    ProxyPass / http://example.com:8080/youtrack/
    ProxyPassReverse / http://example.com:8080/youtrack/

</VirtualHost>

More info: here and here

masegaloeh
  • This loads the HTML I want to see, but all links are prefixed with `/youtrack`, e.g. `example.com/youtrack/login` instead of `example.com/login` – Sfisioza Jul 18 '14 at 00:35
  • There are two possibilities for the above problem: either you use (1) [mod_substitute](http://serverfault.com/questions/366662/solution-for-reverse-proxying-onto-urls-that-are-not-amenable-to-being-relocated) or (2) you find out how to change the YouTrack BaseURL – masegaloeh Jul 18 '14 at 00:45
  • `mod_substitute` won't work in this case, as the prefix affects not only the HTML code. I change the YouTrack URL in `/usr/share/tomcat7/bin/setenv.sh` by adding `-Djetbrains.youtrack.baseUrl=` to JAVA_OPTS. – Sfisioza Jul 18 '14 at 00:55
  • Everything works OK under `youtrack.example.com/youtrack/`. How to get rid of the trailing path? The app is currently deployed on the `/youtrack` path. I'd probably need `/` instead, but I don't know how to change it in Tomcat. – Sfisioza Jul 18 '14 at 01:02
  • Maybe related to this issue [Base URL couldn't be applied if it's passed as a Java parameter](http://youtrack.jetbrains.com/issue/JT-21648?_ga=1.57297002.116128773.1398266183) and [little discussion here](http://forum.jetbrains.com/thread/YouTrack-1159) – masegaloeh Jul 18 '14 at 01:13
  • Still not working. Maybe I can set up the subdomain using Tomcat instead of the Apache proxy? – Sfisioza Jul 21 '14 at 12:07
  • Maybe that solution will work. Unfortunately I have no experience with Tomcat. If you can set up the subdomain via Tomcat, then change the `ProxyPass` and `ProxyPassReverse` parameters in my answer to `/ http://youtrack.example.com:8080/` – masegaloeh Jul 22 '14 at 07:36
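
A variant of the TLS-terminating proxy setup discussed in this thread, added here as an example and not posted by any participant: it keeps the `/youtrack` path identical on both sides of the proxy so the links the application emits stay valid, and it talks to Tomcat over loopback only. Assumptions: Apache 2.2 syntax as in the question, mod_ssl, mod_proxy, mod_proxy_http and mod_headers enabled, Tomcat reachable on 127.0.0.1:8080, and placeholder certificate paths.

```apache
# Added example, not from the thread. Certificate paths are placeholders.

# Plain HTTP does nothing except redirect to HTTPS.
<VirtualHost *:80>
    ServerName youtrack.example.com
    Redirect permanent / https://youtrack.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName youtrack.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/youtrack.example.com.crt
    SSLCertificateKeyFile /path/to/youtrack.example.com.key

    # Reverse proxy only; never act as a forward (open) proxy.
    ProxyRequests Off

    # Permit proxying to the local Tomcat backend and nothing else.
    <Proxy http://127.0.0.1:8080/*>
        Order deny,allow
        Allow from all
    </Proxy>

    # Forward the public Host header and tell the backend the client used HTTPS.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Same path on both sides, so no link or cookie-path rewriting is needed.
    ProxyPass        /youtrack http://127.0.0.1:8080/youtrack
    ProxyPassReverse /youtrack http://127.0.0.1:8080/youtrack

    # Send the bare host name to the application's context path.
    RedirectMatch ^/$ https://youtrack.example.com/youtrack/
</VirtualHost>

# Tomcat side (server.xml, not shown here): on the port 8080 <Connector>,
#   address="127.0.0.1"  keeps the unencrypted port off the public interface;
#   proxyName="youtrack.example.com" proxyPort="443" scheme="https" secure="true"
#   make Tomcat build redirects and absolute URLs with the public HTTPS origin.
```

Without the Connector attributes, redirects issued by Tomcat point at `http://` and bounce through the port 80 virtual host before reaching HTTPS.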