Setting up HTTPS for UniTime

Table of Contents

Setting up HTTPS for UniTime

Based on the instructions from the following websites:

1. Enable AJP connector on Tomcat

Edit /etc/tomcat8/server.xml (e.g., using sudo vi /etc/tomcat8/server.xml) and uncomment the following line

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

To disable access using, the following line needs to be commented out in /etc/tomcat8/server.xml.

<Connector port="8080" protocol="HTTP/1.1"
        redirectPort="8443" />

Restart Tomcat

sudo /etc/init.d/tomcat8 restart

To change the URL to avoid /UniTime, the UniTime.war needs to be renamed to ROOT.war

cd /var/lib/tomcat8/webapps
sudo rm -rf ROOT
sudo mv UniTime.war ROOT.war

When this is done while Tomcat is running, this should also undeploy and remove /var/lib/tomcat8/webapps/UniTime and replace it with /var/lib/tomcat8/webapps/ROOT (containing the unzipped content of the UniTime WAR file). If done when tomcat is not running, also remove /var/lib/tomcat8/webapps/UniTime folder (/var/lib/tomcat8/webapps/ROOT will get created during the first deployment of ROOT.war).

2. Install Apache2

sudo apt install apache2

Add AJP Proxy mod

sudo a2enmod proxy_ajp
sudo systemctl restart apache2

Contigure HTTP access

Create /etc/apache2/sites-available/unitime.conf file with the following content

<VirtualHost *:80>
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Enable unitime.conf instead of the default 000-default.conf

sudo a2ensite unitime.conf
sudo a2dissite 000-default.conf
sudo systemctl reload apache2

Verify UniTime works by accessing

3. Install Cerbot (to request/update Let’s Encrypt certificate)

sudo apt install python-certbot-apache

Setup certificate

sudo certbot --apache -d

I have used the following options:

Enter email address (used for urgent renewal and security notices):
Agree on the terms, No on sharing the email with EEF.
Please choose whether or not to redirect HTTP traffic to HTTPS: selected Redirect (option 2)

Verify auto-renewal

sudo systemctl status certbot.timer

Verify that UniTime is running and can be accessed using

Note: Please note that this creates a new configuration unitime-le-ssl.conf with the following content (under /etc/apache2/sites-available, no edit is needed)

<VirtualHost *:443>
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLEngine On

And the unitime.conf was updated with the following rules added (redirecting HTTP access to HTTPS):

RewriteEngine on
RewriteCond %{SERVER_NAME}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]