Howto
Setting up an Apache Web Server as a proxy in front of SignServer
This section will show you how to use an Apache Web Server Proxy in front of SignServer.
The resulting server will
- Make the TSA available through the nice URL http://tsa.company.com/
This example was created on Ubuntu 64-bit Server 8.10 using the Apache Web Server 2.2 package, but should be easy to adapt to any system able to run Apache.
Start by installing SignServer as normal. If you intend to have the CA on the same machine as the proxy, you should modify $SIGNSERVER_HOME/signserver_build.properties so that it only listens on localhost:
httpsserver.bindaddress.pubhttp=127.0.0.1
httpsserver.bindaddress.pubhttps=127.0.0.1
httpsserver.bindaddress.privhttps=127.0.0.1
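To confirm this setting before relying on the proxy, the following added example (not part of the SignServer documentation) checks the three properties above in a properties file. The function name and the MISSING/EXPOSED labels are assumptions made for this example, and a missing key is reported because this setup expects each key to be set explicitly.

```shell
#!/bin/sh
# Added example: verify that the three SignServer bind-address properties
# named in this howto are set to a loopback address.

# check_bind_addresses FILE
# Prints one line per problem and returns 0 only if all three keys are loopback.
check_bind_addresses() {
    file=$1
    rc=0
    for key in httpsserver.bindaddress.pubhttp \
               httpsserver.bindaddress.pubhttps \
               httpsserver.bindaddress.privhttps; do
        # Escape the dots so they match literally in the sed pattern.
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        # Use the last uncommented assignment (assumption: the last one wins).
        value=$(sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$file" \
                | tail -n 1 | tr -d '[:space:]')
        case $value in
            127.[0-9]*|::1|localhost) ;;                 # loopback: fine
            '') echo "MISSING  $key"; rc=1 ;;            # key not set in the file
            *)  echo "EXPOSED  $key=$value"; rc=1 ;;     # bound to a non-loopback address
        esac
    done
    return $rc
}

# Constructed sample input: one key bound to all interfaces, one key absent.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample, not a real signserver_build.properties' \
    'httpsserver.bindaddress.pubhttp=127.0.0.1' \
    'httpsserver.bindaddress.pubhttps=0.0.0.0' > "$sample"
check_bind_addresses "$sample" || echo "Fix the bind addresses listed above"
rm -f "$sample"
```

On a real installation, call `check_bind_addresses "$SIGNSERVER_HOME/signserver_build.properties"`.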
Install the Apache web server and enable required modules:
$ sudo su
# apt-get install apache2
# cd /etc/apache2/mods-enabled/
# ln -s ../mods-available/proxy.load proxy.load
# ln -s ../mods-available/proxy_http.load proxy_http.load
# ln -s ../mods-available/rewrite.load rewrite.load
The following sample configuration shows how to set up nice URLs for OCSP so that you can point your TSA clients to http://tsa.company.com/ instead of http://tsa.company.com:8080/signserver/process?workerId=1.
This configuration combines mod_proxy with mod_rewrite to be able to set the workerName or workerId, so you can have different TSAs available on different URLs.
<VirtualHost tsa.company.com:80>
ServerName tsa.company.com
ServerAlias tsa.company.com
CustomLog /var/log/apache2/access.log combined
RewriteEngine on
RewriteLogLevel 5
RewriteLog "/var/log/apache2/rewrite.log"
RewriteRule ^/$ /?workerName=TSA [PT]
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:8080/signserver/process
ProxyPassReverse / http://127.0.0.1:8080/signserver/process
</VirtualHost>
Setting up an Apache Web Server with mod_jk in front of SignServer
Instead of using mod_proxy, you can use mod_jk, which uses a JK connector between Apache and Tomcat. You can easily combine it with mod_rewrite to change URLs.
This section will show you how to use Apache with mod_jk in front of SignServer. mod_jk has many features, and by using it you can do virtually anything you want with hosts, ports and URLs.
This example was created on Ubuntu 64-bit Server 8.10 using the Apache Web Server 2.2 package, but should be easy to adapt to any system able to run Apache.
# sudo apt-get install apache2 libapache2-mod-jk
# vim /etc/libapache2-mod-jk/workers.properties
-----
worker.list=jboss
# Define a worker using ajp13
worker.jboss.port=8009
worker.jboss.host=127.0.0.1
worker.jboss.type=ajp13
-----
# cd /etc/apache2/mods-enabled
# ln -s ../mods-available/rewrite.load rewrite.load
# vim /etc/apache2/sites-available/tsa.primekey.se
-----
<VirtualHost tsa.company.com:80>
ServerAdmin webmaster@company.com
ServerName tsa.company.com
ServerAlias tsa.company.com
JkLogFile /var/log/apache2/mod_jk.log
JkLogLevel debug
JkMount /* jboss
JkMount / jboss
</VirtualHost>
-----
# vim /etc/apache2/mods-available/jk.load
-----
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
JkWorkersFile /etc/libapache2-mod-jk/workers.properties
-----
Finally, restart Apache, and then you can run:
# cd dist-client/timestampclient
# java -jar timeStampClient.jar http://tsa.company.com/signserver/process?workerName=TSA
