It’s a great idea to run your Spring Boot app with an Apache front-end. It’s an even better idea to configure that Apache Web Server to use Secure Sockets Layer (SSL).
Why? Besides the obvious security benefits of using SSL, you’ll also get a little bit of a bump in your search rank.
We’ve already seen how to set up your Spring Boot app behind an Apache Web Server. This article will build on top of that.
As with the previous tutorial, we’re still assuming Apache 2.4 and Spring Boot 1.5.4. Your configuration requirements might vary slightly if you’re using something different.
Get an SSL Certificate
The first thing you need to do is to get an SSL certificate. Unfortunately, this will cost you some money. 🙁
Keep in mind, though, if you’re serious about giving users a secure experience, an SSL certificate is a great investment. Consider it part of the cost of doing business online.
There are a number of vendors that you can choose for your SSL certificate. One of the best is SSL.com.
For the purposes of this tutorial, we’ll go over how to use a certificate provided by SSL.com. You should be able to follow along even if you’re using a different vendor, though.
Create the Key File
Somewhere during the process of purchasing an SSL certificate, you’re going to be presented with a key in text format. You’ll need to manually copy and paste that key into a text file with a
Where you place that file is up to you, but it’s a good idea to put it with the other SSL files that you’ll download in the next step. For careydevelopment.us, the key file is in
Grab the SSL Files
Once you’ve put the key file on your server, you’re still not quite done. You need to install other SSL files.
The screenshot below is a view of the careydevelopment.us certificate on SSL.com.
Note where the arrows are pointing. Those are download links that will give you the files you need to install.
The first download is a zip file that contains both the CRT file and client file. Explode that zip and grab those files.
The second download contains intermediate certificates.
Again, if you’re using a vendor different from SSL.com, you should be able to download files similar to what you’re seeing here.
Place those files in the same place you put the key file. Take another look at the screenshot in the previous section and you’ll see all the files there.
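A check worth running once the key and certificate files are in place, as an added example that is not part of the original tutorial: it confirms that the private key belongs to the certificate, that only the key's owner can access it, and that the certificate is not about to expire. The function name check_tls_files and the 30-day threshold are assumptions; pass your own file paths.

```shell
#!/bin/sh
# Added example; needs the openssl command-line tool.
# check_tls_files CERT KEY prints findings and returns 1 if there are any.
check_tls_files() {
  rc=0
  # Both commands print the public key in the same PEM form, so a key that
  # belongs to the certificate yields identical text.
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
    echo "cannot read $1 or $2 as PEM"
    return 1
  fi
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key $2 does not belong to certificate $1"; rc=1
  fi
  # Characters 5-10 of the ls mode string are the group and other bits.
  if [ "$(ls -ld "$2" | cut -c5-10)" != "------" ]; then
    echo "key $2 is accessible to group or other users; chmod 600 it"; rc=1
  fi
  # -checkend N fails when the certificate expires within N seconds.
  if ! openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "certificate $1 expires within 30 days"; rc=1
  fi
  return "$rc"
}

# Usage: sh check_tls_files.sh /path/to/site.crt /path/to/site.key
if [ "$#" -eq 2 ]; then
  check_tls_files "$1" "$2"
fi
```

A mismatched key is one of the usual reasons Apache refuses to start after the SSL directives are added, so running this first saves a trip to the error log.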
Configure Apache to Use SSL
Next, you’re going to need to do some work in your httpd.conf file. Fortunately, you don’t need to do that much work.
Recall from the previous tutorial that you added the following lines to
    <VirtualHost *:80>
        ServerName yourdomain.com
        ProxyPass / ajp://localhost:9090/
        ProxyPassReverse / ajp://localhost:9090/
    </VirtualHost>
Now, you’re going to replace that with the following code:
    <VirtualHost *:80>
        ServerName yourdomain.com
        Redirect / https://yourdomain.com/
    </VirtualHost>
What’s that all about? In a nutshell, it’s forcing visitors to use the HTTPS protocol when they visit your site. That way, if somebody tries to use plain old HTTP (non-secured) to visit your site, the visitor is forwarded to the HTTPS (secured) version of your site.
Obviously, you’ll want to replace “yourdomain.com” in the above block with your own domain name.
You still need to do a little more work in httpd.conf, though. Add the following lines:
    <VirtualHost *:443>
        ServerName yourdomain.com
        SSLEngine on
        SSLCertificateFile /etc/ssl/careydevelopment_us.crt
        SSLCertificateKeyFile /etc/ssl/careydevelopment-us.key
        SSLCertificateChainFile /etc/ssl/careydevelopment_us.ca-bundle
        ProxyPass / ajp://localhost:9090/
        ProxyPassReverse / ajp://localhost:9090/
    </VirtualHost>
That’s where the SSL magic happens.
The *:443 declaration listens for HTTPS connections. That’s because 443 is the default port for HTTPS.
The ServerName directive is self-explanatory. Once again, you’ll want to replace “yourdomain.com” with your own domain name.
The SSLEngine directive accomplishes exactly what you think it does: it turns on SSL for the host.
The next directives specify the locations of the certificate file, key file, and chain file respectively. You can see each of those files in the File Manager screenshot from a couple of sections back.
In your case, you’ll obviously want to map those to the locations of your own files.
The last two lines are nothing new to you if you followed the previous tutorial. They specify AJP communications between Apache and your Spring Boot app.
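A small lint for the two VirtualHost blocks described above, as an added example that is not part of the original tutorial. It flags a port 80 block that still proxies to the app instead of redirecting, a port 443 block without SSLEngine or certificate files, and ProxyPass/ProxyPassReverse targets that differ (for instance a mistyped scheme). The function name lint_vhosts and the sample file paths are constructed for illustration.

```shell
# Added example. lint_vhosts FILE prints one finding per line and
# returns 1 if the file deviates from the layout in this tutorial.
lint_vhosts() {
  awk '
    function finding(msg) { print "vhost " port ": " msg; bad = 1 }
    tolower($1) == "<virtualhost" {          # e.g. <VirtualHost *:443>
      port = $2; sub(/^.*:/, "", port); sub(/>$/, "", port)
      ssl = cert = key = redir = pass = rev = ""; next
    }
    { d = tolower($1) }
    d == "sslengine"             { ssl = tolower($2) }
    d == "sslcertificatefile"    { cert = $2 }
    d == "sslcertificatekeyfile" { key = $2 }
    d == "redirect"              { redir = $NF }
    d == "proxypass"             { pass = $3 }
    d == "proxypassreverse"      { rev = $3 }
    d == "</virtualhost>" {
      if (port == "80") {
        if (redir !~ /^https:/) finding("no Redirect to an https:// URL")
        if (pass != "") finding("ProxyPass still serves the app over plain HTTP")
      }
      if (port == "443") {
        if (ssl != "on") finding("SSLEngine is not on")
        if (cert == "" || key == "") finding("certificate or key file not set")
        if (pass != rev) finding("ProxyPass and ProxyPassReverse targets differ")
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample: port 80 still proxies; 443 has a mistyped scheme.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    ProxyPass / ajp://localhost:9090/
    ProxyPassReverse / ajp://localhost:9090/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/example.crt
    SSLCertificateKeyFile /etc/ssl/example.key
    ProxyPass / ajp://localhost:9090/
    ProxyPassReverse / ajpp://localhost:9090/
</VirtualHost>
EOF
lint_vhosts "$sample" || true
rm -f "$sample"
```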
Testing It Out
Once you’re done editing the httpd.conf file, save it and restart your Apache server. It should start without any problems.
If you do see an error, check the log. The Apache log is pretty good about telling you exactly what went wrong.
After Apache has started successfully, fire up your favorite browser and point your URL to:
You should go straight to your Spring Boot app. Even better, you should see an indication in your browser URL bar that your connection is secure:
Wrapping It Up
If you want to see this setup in action, feel free to visit the Demos web app. That’s a Spring Boot app that runs behind an Apache server and follows the exact instructions you see here.
Keep in mind that there are varying “degrees” of SSL security as well. For this tutorial (and this site), we chose the cheapest. If you want to open your wallet, you can get a certificate that will show your organization name where you see the word “Secure” in the image above.
Of course, the type of SSL certificate you get will depend on your security requirements and how much you need to use SSL to market your brand.