Setting up Apache HTTPD in front of Tomcat
I prefer, for a number of reasons, to put Apache httpd in front of Tomcat (even though there's a load balancer in front of the CAS servers as well). I'm sure there are ways around this, but I like the flexibility that it provides me, and I also have had other applications on the CAS servers that are not running on Tomcat and still need to be accessible (including SimpleSAML for applications we haven't moved to Azure or directly into CAS yet).
For now, I'm not going to go over the full configuration of Apache httpd here. I will eventually (hopefully by the end of Spring 2021) put up my steps and Ansible playbooks to get httpd running, but for now I'll only cover the Tomcat/httpd specific portion.
We use AJP for communication between Apache httpd and Apache Tomcat. Configuring this is in two steps, one on the httpd server and one on Tomcat.
On the httpd server
Create a configuration file in /etc/httpd/conf.d. We call ours 'cas-ajp.conf' but the name doesn't matter as long as it ends in .conf. The contents are below:
roles/apache-tomcat/templates/cas-ajp.conf
# Reverse proxy only: never act as a forward proxy for arbitrary clients.
ProxyRequests Off
# Access control for proxied resources. "Order"/"Allow" is the Apache 2.2 syntax;
# on Apache 2.4 it only works when mod_access_compat is loaded. The 2.4-native
# equivalent is a single "Require all granted" line.
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
# Forward /cas to the AJP connector on the local Tomcat (port 8009, defined in server.xml)
# and rewrite Location/Content-Location headers in responses back to the public URL.
ProxyPass /cas ajp://localhost:8009/cas
ProxyPassReverse /cas ajp://localhost:8009/cas
On the Tomcat server
Edit /etc/tomcat/server.xml and define an AJP port:
<!-- Define an AJP 1.3 Connector on port 8009.
See https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html for more on the 'secretRequired'
and 'secret' options. secretRequired is set to "false" here only because this port is
exposed to localhost alone via the host firewall. Note that since Tomcat 9.0.31 the AJP
connector requires a secret by default and binds to the loopback address unless an
explicit 'address' is given, so check the defaults of the Tomcat version you are running. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secretRequired="false"/>
The Tomcat portion is already in the Tomcat server.xml that is linked to from the Tomcat/Ansible section.
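The two fragments above (the httpd ProxyPass and the Tomcat AJP connector) only stay safe together if the AJP port is genuinely unreachable from anything but the local httpd. The script below is an added example written for this page, not code from the original post or from the Apache or CAS projects. It parses a server.xml (a constructed sample containing the same connector as above), reports each AJP connector that has no explicit loopback address or no shared secret, and renders the hardened pair: a connector pinned to 127.0.0.1 with a secret, and the matching httpd ProxyPass line that passes the same secret via the `secret=` parameter (supported by mod_proxy_ajp since Apache 2.4.42). The loopback default for an unset `address` assumes Tomcat 9.0.31 or later; the secret value is constructed at run time.

```python
"""Audit AJP connectors in a Tomcat server.xml and render a hardened httpd/Tomcat pair.

Added example for this page; not the page's own code.
"""
from __future__ import annotations

import secrets
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: a minimal server.xml carrying the page's AJP connector.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secretRequired="false"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per AJP connector: its port, address and a list of issues."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if not proto.upper().startswith("AJP"):
            continue
        addr = conn.get("address")          # None: Tomcat picks the default
        secret = conn.get("secret")
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        issues = []
        if addr is None:
            # Loopback by default on Tomcat >= 9.0.31 (assumption for this check);
            # older releases bind to all interfaces, so an explicit address is safer.
            issues.append("no explicit address; relies on Tomcat default or host firewall")
        elif addr not in LOOPBACK:
            issues.append(f"bound to {addr}, reachable beyond loopback")
        if not secret:
            issues.append("no shared secret; any client that can reach the port may speak AJP")
        if not secret_required:
            issues.append('secretRequired="false" turns off the Tomcat 9.0.31+ default check')
        findings.append({"port": conn.get("port"), "address": addr, "issues": issues})
    return findings


def hardened_pair(port: int = 8009, context: str = "/cas", secret: str | None = None) -> dict:
    """Render a Tomcat connector and the httpd ProxyPass lines that share one secret."""
    secret = secret or secrets.token_urlsafe(32)   # constructed, URL-safe characters only
    attr_secret = escape(secret, {'"': "&quot;"})  # keep the XML attribute well-formed
    connector = (
        f'<Connector port="{port}" protocol="AJP/1.3" address="127.0.0.1" '
        f'redirectPort="8443" secretRequired="true" secret="{attr_secret}"/>'
    )
    httpd = (
        f"ProxyPass {context} ajp://127.0.0.1:{port}{context} secret={secret}\n"
        f"ProxyPassReverse {context} ajp://127.0.0.1:{port}{context}"
    )
    return {"secret": secret, "connector": connector, "httpd": httpd}


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {finding['port']} (address={finding['address']}):")
        for issue in finding["issues"]:
            print(f"  - {issue}")
    pair = hardened_pair()
    print("\nHardened Tomcat connector:\n" + pair["connector"])
    print("\nMatching httpd directives:\n" + pair["httpd"])
```

Run it against the real /etc/tomcat/server.xml by reading the file into `audit_ajp_connectors`; an empty `issues` list for the 8009 connector means the hardened connector form is already in place. Keep the generated secret out of version control: in the Ansible layout above it belongs in a vaulted variable that both templates read, not in the template files themselves.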