
Tomcat 10 Security Guide

In this guide, you will learn how to secure Apache Tomcat 10 by placing it behind an Apache or Nginx reverse proxy.
You will manage TLS certificates with Let's Encrypt and close Tomcat off from the internet.

Technical Summary

Main topic: Publishing Tomcat 10 securely over TLS
Purpose:

  • Blocking unencrypted HTTP traffic
  • Isolating Tomcat from direct internet access

Steps followed:

  • Apache or Nginx reverse proxy configuration
  • Let's Encrypt TLS integration
  • Restrict Tomcat access to localhost

Note: TLS configuration should be done on Apache or Nginx instead of Tomcat.


Prerequisites

  • Ubuntu 20.04 server instance
  • A user with sudo privileges
  • Apache Tomcat 10 must be installed
  • Domain name and DNS A record must be ready
  • Let's Encrypt certificate must be configured

Example domain name: app.ornek.com


1. Using Reverse Proxy with Apache

1.1 Apache VirtualHost Configuration

1. Open the TLS-enabled VirtualHost file.

sudo nano /etc/apache2/sites-enabled/app-ornek-com-le-ssl.conf
  • This file handles HTTPS traffic.

2. Add the following lines:


ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
  • This configuration forwards requests from Apache to Tomcat, keeping the original Host header intact.

3. Required Apache Modules


sudo a2enmod proxy
  • This command turns on reverse proxy support.

sudo a2enmod proxy_http
  • This command enables HTTP traffic proxy.

sudo apache2ctl configtest
  • This command checks the configuration for syntax errors.

sudo systemctl restart apache2
  • Apache applies the configuration.

  • Tomcat is now behind TLS.


2. Using Reverse Proxy with Nginx

2.1 Upstream Definition

1. Open Nginx configuration.


sudo nano /etc/nginx/sites-available/app-ornek-com
  • Add to the beginning of the file:

upstream tomcat {
server 127.0.0.1:8080;
}
  • This block defines the Tomcat connection.

2.2 Editing the TLS Server Block

  • Update the location block inside the server block that listens on port 443.

location / {
include proxy_params;
proxy_pass http://tomcat;
}
  • This location block proxies HTTPS requests to Tomcat through the upstream defined above.


sudo nginx -t
  • This command tests the configuration.

sudo systemctl restart nginx
  • Nginx applies the configuration.

  • Tomcat can be accessed via TLS.


3. Turning Off Direct Access to Tomcat

  • We will make Tomcat listen only on the loopback interface.

sudo nano /opt/tomcat/conf/server.xml
  • Find the Connector below:

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />

  • Add the address parameter:

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
address="127.0.0.1"
redirectPort="8443" />
  • This setting binds the connector to 127.0.0.1, so Tomcat no longer accepts connections from the internet.

sudo systemctl restart tomcat
  • Only Apache or Nginx can access it.
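To confirm that the change took effect, the following check (added here, not part of the original guide) parses the output format of `ss -ltn` and flags any port-8080 listener that is not bound to loopback. The `ss` sample lines are constructed; on a real server pipe the live command into the function.

```shell
#!/usr/bin/env bash
# Verification helper added to this guide (not part of the original page).
# Confirms that Tomcat's HTTP connector (port 8080) listens only on loopback
# after address="127.0.0.1" has been set in server.xml and Tomcat restarted.
# It parses the output format of `ss -ltn` (iproute2, present on Ubuntu 20.04).

# check_tomcat_bind: reads `ss -ltn` lines on stdin.
# Returns 0 when every port-8080 listener is bound to 127.0.0.1 or [::1];
# returns 1 (and prints a warning) when one is bound to a wildcard or public address.
check_tomcat_bind() {
  local bad=0 state recvq sendq local_addr rest
  while read -r state recvq sendq local_addr rest; do
    [ "$state" = "LISTEN" ] || continue          # skip the header and non-listening rows
    case "$local_addr" in
      *:8080) ;;                                  # only Tomcat's HTTP port matters here
      *) continue ;;
    esac
    case "$local_addr" in
      127.0.0.1:8080|'[::1]:8080') ;;             # loopback: reachable only via the proxy
      *) echo "WARNING: port 8080 is bound to $local_addr and reachable from the network"
         bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed sample output from before the address attribute was added
# (Java binds the IPv6 wildcard, which ss displays as *:8080).
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      100    *:8080             *:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*'

# Constructed sample output after the change from section 3 and a Tomcat restart.
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      100    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*'

# Stand-alone demonstration; on the real server run:  ss -ltn | check_tomcat_bind
if printf '%s\n' "$SS_BEFORE" | check_tomcat_bind; then
  echo "unexpected: wildcard bind was not detected"
fi
if printf '%s\n' "$SS_AFTER" | check_tomcat_bind; then
  echo "OK: Tomcat is only reachable through the reverse proxy"
fi
```

A non-zero exit status from the live run means the Connector is still listening on a public address and the server.xml edit should be rechecked.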

Frequently Asked Questions (FAQ)

1. Why don't we use TLS on Tomcat? Apache and Nginx have better support for current TLS standards.

2. Should Apache or Nginx be preferred? Both are safe. Nginx is lighter.

3. Is the 8080 port closed to the internet? Yes. It only listens on localhost.

4. Does Let's Encrypt automatically renew? Yes. It is periodically refreshed with Certbot.


Result

Tomcat 10 now runs behind a secure reverse proxy: TLS is enabled and direct access to Tomcat is disabled.

You can safely publish your Java applications on the GenixNode infrastructure.