SOLVED Apache2 and Tomcat9 Configuration

[bobc02]

I'm trying to configure Apache2 (WHM managed) and Tomcat9 (not managed) on CentOS 7, to work together.

When you browse my website: example.com you are NOT taken to the DocumentRoot /home/example/example_web that I specify in post_virtualhost_global.conf, instead you are taken to public_html.
If you browse to my website using the SSL port - example.com:8443 - you are taken to /home/example/example_web, but the SSL certificate doesn't work.

I include the files involved below.

I appreciate any help I can get on this.

tomcat9 server.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->

<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <Connector port="8080"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
              
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               keystoreFile="/home/.keystore"
               keystorePass="********"
               sslProtocol="TLS"
               clientAuth="false"
               maxThreads="200" />
              
    <Connector port="8009"
               protocol="AJP/1.3"
               redirectPort="8443"
               enableLookups="false" />

    <Engine name="Catalina" defaultHost="example.com">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="example.com" appBase="/home/example/example_web" unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
         <Alias>www.example.com</Alias>
         <Context path="" reloadable="true" docBase="/home/example/example_web" />
         <Context path="/manager" docBase="/usr/local/tomcat/users/example/tomcat/webapps/manager"
                  privileged="true" antiResourceLocking="false" antiJARLocking="false" reloadable="true" />
                    
         <Valve className="org.apache.catalina.valves.AccessLogValve"
                directory="logs"
                prefix="localhost_access_log" suffix=".txt"
                pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>

httpd.conf:

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
#   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#   DO NOT EDIT. AUTOMATICALLY GENERATED.  USE INCLUDE FILES IF YOU NEED TO MAKE A CHANGE
#   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
#   Direct modifications to the Apache configuration file WILL be lost upon subsequent
#   regeneration of this configuration file, or an Apache update.
#
#   To have your modifications retained, you should create/edit administrator-specific
#   include files:
#
#       /etc/apache2/conf.d/includes/pre_main_global.conf
#       /etc/apache2/conf.d/includes/pre_virtualhost_global.conf
#       /etc/apache2/conf.d/includes/post_virtualhost_global.conf
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

##################################################
##################################################
#
# cPanel & WHM controlled Apache configuration
#
##################################################
##################################################

Include "/etc/apache2/conf.modules.d/*.conf"

# Administrator locations for safely altering httpd.conf
Include "/etc/apache2/conf.d/includes/pre_main_global.conf"

# These are hard-coded values that are required by cPanel & WHM
PidFile /run/apache2/httpd.pid
User nobody
Group nobody
ExtendedStatus On
LogLevel warn
# You can change this by using WHM, and navigating to the 'Basic WebHost Manager® Setup' -> 'Contact Information' interface.
ServerAdmin [email protected]

# You can change this by using WHM, and navigating to the 'Networking Setup' => 'Change Hostname' interface.
ServerName dev.example.com

# You can change this by using WHM, and navigating to the 'Apache Configuration' -> 'Global Configuration' interface.
TraceEnable Off
ServerSignature Off
ServerTokens ProductOnly
FileETag None

<Directory "/">
  
      AllowOverride All
  
    Options ExecCGI FollowSymLinks IncludesNOEXEC Indexes
</Directory>

StartServers 5
<IfModule prefork.c>
    MinSpareServers 5
    MaxSpareServers 10
</IfModule>

ServerLimit 256
MaxRequestWorkers 150
MaxConnectionsPerChild 10000
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100
Timeout 300


<IfModule rewrite_module>
# Global DCV Exclude - Rewrites
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/\.well-known/pki-validation/(?:\ Ballot169)? [OR]
RewriteCond %{REQUEST_URI} ^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$ [OR]
RewriteCond %{REQUEST_URI} ^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Sectigo\ DCV)?$

# Exclude proxy subdomains as we need rewrites to capture the DCV requests
RewriteCond %{HTTP_HOST} !^(?:autoconfig|autodiscover|cpanel|cpcalendars|cpcontacts|webdisk|webmail|whm)\.
RewriteRule ^ - [END]
</IfModule>

<LocationMatch "(^/\.well-known/pki-validation/(?: Ballot169)?|^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$|^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?: Sectigo DCV)?$)">
# Global DCV Exclude - Location
Satisfy Any
Order Allow,Deny
Allow from all
</LocationMatch>



# You can change this by using WHM, and navigating to the 'Apache Configuration' -> 'DirectoryIndex Priority' interface.
<IfModule dir_module>
    DirectoryIndex index.php index.php5 index.php4 index.php3 index.perl index.pl index.plx index.ppl index.cgi index.jsp index.jp index.phtml index.shtml index.xhtml index.html index.htm index.wml Default.html Default.htm default.html default.htm home.html home.htm index.js
</IfModule>

# You can change this by using WHM, and navigating to the 'Apache Configuration' -> 'Memory Usage Restrictions' interface.

# This setting is required by cPanel & WHM in order to provide access to a default webpage when none exists
<Directory "/var/www/html">
    Options All
    AllowOverride None
    Require all granted
</Directory>

# Required cPanel security policy: Disallow remote access to .htaccess, .htpasswd, .user.ini, and php.ini files
<FilesMatch "^(\.ht(access|passwds?)|\.user\.ini|php\.ini)$">
    Require all denied
</FilesMatch>

# PHP error_log protection
<Files ~ "^error_log$">
   <RequireAll>
       Require all denied
   </RequireAll>
</Files>

<IfModule alias_module>
    ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?kpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?securecontrolpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
    ScriptAliasMatch ^/?securecpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
    ScriptAliasMatch ^/?securewhm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
    ScriptAliasMatch ^/?webmail$ /usr/local/cpanel/cgi-sys/wredirect.cgi
    ScriptAliasMatch ^/?webmail/ /usr/local/cpanel/cgi-sys/wredirect.cgi
    ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi

    Alias /bandwidth /usr/local/bandmin/htdocs/
    Alias /img-sys /usr/local/cpanel/img-sys/
    Alias /java-sys /usr/local/cpanel/java-sys/
    Alias /mailman/archives /usr/local/cpanel/3rdparty/mailman/archives/public/
    Alias /pipermail /usr/local/cpanel/3rdparty/mailman/archives/public/
    Alias /sys_cpanel /usr/local/cpanel/sys_cpanel/

    ScriptAlias /cgi-sys /usr/local/cpanel/cgi-sys/
    ScriptAlias /mailman /usr/local/cpanel/3rdparty/mailman/cgi-bin/
  
</IfModule>

# This can be configured in the cPanel 'Leech Protection' interface.
<IfModule rewrite_module>
    RewriteEngine on
    RewriteMap LeechProtect prg:/usr/local/cpanel/bin/leechprotect
    Mutex file:/run/apache2 rewrite-map
</IfModule>

<IfModule mime_module>
    TypesConfig conf/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddType application/x-tar .tgz
    AddType text/vnd.wap.wml .wml
    AddType image/vnd.wap.wbmp .wbmp
    AddType text/vnd.wap.wmlscript .wmls
    AddType application/vnd.wap.wmlc .wmlc
    AddType application/vnd.wap.wmlscriptc .wmlsc

    # These extensions are used to redirect incoming requests to WHM
    AddHandler cgi-script .cgi .pl .plx .ppl .perl

    # This is used for custom error documents
    AddHandler server-parsed .shtml
</IfModule>

# You can change this by using WHM, and updating the 'Tweak Settings' -> 'System' -> 'Allow server-info' option.
<IfModule status_module>
    # This is used by the WHM 'Apache Status' application
    <Location /whm-server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
        <IfModule security2_module>
            SecRuleEngine Off
        </IfModule>
    </Location>

</IfModule>

# Required cPanel security policy: disable userdir when mod_ruid2 or mpm_itk or mod_passenger are loaded
<IfModule userdir_module>
    UserDir public_html

    <IfModule ruid2_module>
        UserDir disabled
    </IfModule>
    <IfModule mpm_itk.c>
        UserDir disabled
    </IfModule>
    <IfModule mod_passenger.c>
        UserDir disabled
    </IfModule>
</IfModule>

<IfModule mod_log_config.c>
    LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedvhost
    <IfModule logio_module>
        LogFormat "%v %{%s}t %I .\n%v %{%s}t %O ." bytesvhost
    </IfModule>
    LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    <IfModule logio_module>
        CustomLog "|/usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=dev.example.com --suffix=-bytes_log" bytesvhost
    </IfModule>
    CustomLog "|/usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=dev.example.com --mainout=/etc/apache2/logs/access_log" combinedvhost
</IfModule>


# The Listen port can be updated using 'Tweak Settings' -> 'System',
# However, if you have any Apache Reserved IPs, then this Tweak setting will
# be ignored. Instead, each IP on your system (excluding Apache Reserved IPs)
# will be listed here.
Listen 0.0.0.0:80

<IfModule ssl_module>
    # cipher and protocol directives can be set in WHM under 'Apache Configuration' -> 'Global Configuration'
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLProtocol TLSv1.2
    SSLPassPhraseDialog  builtin

    <IfModule socache_shmcb_module>
        SSLUseStapling on
        SSLStaplingCache shmcb:/run/apache2/stapling_cache_shmcb(256000)

        # Prevent browsers from failing if an OCSP server is temporarily broken.
        SSLStaplingReturnResponderErrors off
        SSLStaplingErrorCacheTimeout 60
        SSLStaplingFakeTryLater off
        SSLStaplingResponderTimeout 3
        SSLSessionCache shmcb:/run/apache2/ssl_gcache_data_shmcb(1024000)
    </IfModule>
    <IfModule !socache_shmcb_module>
        SSLSessionCache dbm:/run/apache2/ssl_gcache_data_dbm
    </IfModule>

    SSLSessionCacheTimeout  300
    Mutex                   file:/run/apache2 ssl-cache
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

    # The Listen port can be updated using 'Tweak Settings' -> 'System',
    # However, if you have any Apache Reserved IPs, then this Tweak setting will
    # be ignored. Instead, each IP on your system (excluding Apache Reserved IPs)
    # will be listed here.
    Listen 0.0.0.0:443

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
</IfModule>

Include "/etc/apache2/conf.d/*.conf"

Include "/etc/apache2/conf.d/includes/account_suspensions.conf"
Include "/etc/apache2/conf.d/includes/errordocument.conf"

# Administrator locations for safely globally altering all virtualhost configurations
Include "/etc/apache2/conf.d/includes/pre_virtualhost_global.conf"

ProxyPass /___proxy_subdomain_ws_cpanel  ws://127.0.0.1:2082 max=1 retry=0
ProxyPass /___proxy_subdomain_ws_whm     ws://127.0.0.1:2086 max=1 retry=0
ProxyPass /___proxy_subdomain_ws_webmail ws://127.0.0.1:2095 max=1 retry=0


##################################################
##################################################
#
# Define default vhosts for shared IPs
#
##################################################
##################################################

<VirtualHost 127.0.0.1:80>
    ServerName dev.example.com
    DocumentRoot /var/www/html
    ServerAdmin [email protected]
    # Global DCV Rewrite Exclude
    <IfModule rewrite_module>
    RewriteOptions Inherit
    </IfModule>


    <Directory "/var/www/html">
      AllowOverride All
    </Directory>


    <IfModule suphp_module>
        suPHP_UserGroup nobody nobody
    </IfModule>

</VirtualHost>

<VirtualHost 162.253.xxx.xxx:80>
    ServerName dev.example.com
    DocumentRoot /var/www/html
    ServerAdmin [email protected]
    # Global DCV Rewrite Exclude
    <IfModule rewrite_module>
    RewriteOptions Inherit
    </IfModule>


    <Directory "/var/www/html">
      AllowOverride All
    </Directory>


    <IfModule suphp_module>
        suPHP_UserGroup nobody nobody
    </IfModule>

</VirtualHost>


##################################################
##################################################
#
# Define default vhosts for unbound IPs
#
##################################################
##################################################

<VirtualHost *>
    ServerName dev.example.com
    DocumentRoot /var/www/html
    ServerAdmin [email protected]
    # Global DCV Rewrite Exclude
    <IfModule rewrite_module>
    RewriteOptions Inherit
    </IfModule>


    <Directory "/var/www/html">
      AllowOverride All
    </Directory>


    <IfModule suphp_module>
        suPHP_UserGroup nobody nobody
    </IfModule>

</VirtualHost>

##################################################
##################################################
#
# Define the virtual host configurtion for user domains
#
##################################################
##################################################

# BEGIN: HTTP vhosts list

<VirtualHost 162.253.xxx.xxx:80>
  ServerName example.com
    <IfModule rewrite_module>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/\.well-known/(pki-validation|cpanel-dcv)/
    RewriteRule ^ - [END]

    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  </IfModule>
    ServerAlias mail.example.com mail.tanglemydata.com mail.tanglemydata.dev tanglemydata.com tanglemydata.dev www.example.com www.tanglemydata.com www.tanglemydata.dev
  DocumentRoot /home/example/public_html
  ServerAdmin [email protected]
  UseCanonicalName Off

  ## User example # Needed for Cpanel::ApacheConf
  <IfModule userdir_module>
    <IfModule !mpm_itk.c>
      <IfModule !ruid2_module>
        <IfModule !mod_passenger.c>
          UserDir disabled
          UserDir enabled example
        </IfModule>
      </IfModule>
    </IfModule>
  </IfModule>

  # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
  # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
  # the user's .htaccess file.  For more information, please read:
  #    http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
  <IfModule include_module>
    <Directory "/home/example/public_html">
      SSILegacyExprParser On
    </Directory>
  </IfModule>

 

  <IfModule suphp_module>
    suPHP_UserGroup example example
  </IfModule>
  <IfModule suexec_module>
    <IfModule !mod_ruid2.c>
      SuexecUserGroup example example
    </IfModule>
  </IfModule>
  <IfModule ruid2_module>
    RMode config
    RUidGid example example
  </IfModule>
  <IfModule mpm_itk.c>
    # For more information on MPM ITK, please read:
    #   http://mpm-itk.sesse.net/
    AssignUserID example example
  </IfModule>
  <IfModule mod_passenger.c>
    PassengerUser example
    PassengerGroup example
  </IfModule>

  <IfModule alias_module>
    ScriptAlias /cgi-bin/ /home/example/public_html/cgi-bin/
  </IfModule>


    # Global DCV Rewrite Exclude
    <IfModule rewrite_module>
        RewriteOptions Inherit
    </IfModule>



  # To customize this VirtualHost use an include file at the following location
  # Include "/etc/apache2/conf.d/userdata/std/2_4/example/example.com/*.conf"
</VirtualHost>
# END: HTTP vhosts list

# BEGIN: HTTPS vhosts list

<VirtualHost 162.253.xxx.xxx:443>
  ServerName example.com
  ServerAlias mail.example.com mail.tanglemydata.com mail.tanglemydata.dev tanglemydata.com tanglemydata.dev www.example.com www.tanglemydata.com www.tanglemydata.dev webdisk.example.com webmail.example.com cpanel.example.com
  DocumentRoot /home/example/public_html
  ServerAdmin [email protected]
  UseCanonicalName Off

  ## User example # Needed for Cpanel::ApacheConf
  <IfModule userdir_module>
    <IfModule !mpm_itk.c>
      <IfModule !ruid2_module>
        <IfModule !mod_passenger.c>
          UserDir disabled
          UserDir enabled example
        </IfModule>
      </IfModule>
    </IfModule>
  </IfModule>

  # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
  # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
  # the user's .htaccess file.  For more information, please read:
  #    http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
  <IfModule mod_include.c>
    <Directory "/home/example/public_html">
      SSILegacyExprParser On
    </Directory>
  </IfModule>

 
  <Proxymatch ^https?://127\.0\.0\.1:(2082|2083|2077|2078|2079|2080|2086|2087|2095|2096)/>
       <IfModule security2_module>
          SecRuleEngine Off
       </IfModule>
  </Proxymatch>

  <IfModule mod_suphp.c>
    suPHP_UserGroup example example
  </IfModule>
  <IfModule suexec_module>
    <IfModule !mod_ruid2.c>
      SuexecUserGroup example example
    </IfModule>
  </IfModule>
  <IfModule ruid2_module>
    RMode config
    RUidGid example example
  </IfModule>
  <IfModule mpm_itk.c>
    # For more information on MPM ITK, please read:
    #   http://mpm-itk.sesse.net/
    AssignUserID example example
  </IfModule>
  <IfModule mod_passenger.c>
    PassengerUser example
    PassengerGroup example
  </IfModule>

  <IfModule alias_module>
    ScriptAlias /cgi-bin/ /home/example/public_html/cgi-bin/
  </IfModule>
  <IfModule ssl_module>
    SSLEngine on
  
    SSLCertificateFile /var/cpanel/ssl/apache_tls/example.com/combined

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    <Directory "/home/example/public_html/cgi-bin">
      SSLOptions +StdEnvVars
    </Directory>
  </IfModule>




  # To customize this VirtualHost use an include file at the following location
  # Include "/etc/apache2/conf.d/userdata/ssl/2_4/example/example.com/*.conf"

    <IfModule headers_module>
    RequestHeader set X-HTTPS 1
    </IfModule>

    RewriteEngine On
            RewriteCond %{HTTP_HOST} =cpanel.example.com [OR]
            RewriteCond %{HTTP_HOST} =cpanel.example.com:443
        RewriteCond %{HTTP:Upgrade} !websocket   [nocase]

        RewriteRule ^/(.*) /___proxy_subdomain_cpanel/$1 [PT]
        ProxyPass "/___proxy_subdomain_cpanel" "http://127.0.0.1:2082" max=1 retry=0
            RewriteCond %{HTTP_HOST} =webdisk.example.com [OR]
            RewriteCond %{HTTP_HOST} =webdisk.example.com:443
        RewriteCond %{HTTP:Upgrade} !websocket   [nocase]

        RewriteRule ^/(.*) /___proxy_subdomain_webdisk/$1 [PT]
        ProxyPass "/___proxy_subdomain_webdisk" "http://127.0.0.1:2077" max=1 retry=0
            RewriteCond %{HTTP_HOST} =webmail.example.com [OR]
            RewriteCond %{HTTP_HOST} =webmail.example.com:443
        RewriteCond %{HTTP:Upgrade} !websocket   [nocase]

        RewriteRule ^/(.*) /___proxy_subdomain_webmail/$1 [PT]
        ProxyPass "/___proxy_subdomain_webmail" "http://127.0.0.1:2095" max=1 retry=0

            RewriteCond %{HTTP:Upgrade} websocket   [nocase]
                RewriteCond %{HTTP_HOST} =cpanel.example.com [OR]
                RewriteCond %{HTTP_HOST} =cpanel.example.com:443

            RewriteRule ^/(.*) /___proxy_subdomain_ws_cpanel/$1 [PT]
            RewriteCond %{HTTP:Upgrade} websocket   [nocase]
                RewriteCond %{HTTP_HOST} =webmail.example.com [OR]
                RewriteCond %{HTTP_HOST} =webmail.example.com:443

            RewriteRule ^/(.*) /___proxy_subdomain_ws_webmail/$1 [PT]
</VirtualHost>
# END: HTTPS vhosts list

##################################################
##################################################
#
# Define the main cPanel & WHM proxy subdomains
#
##################################################
##################################################

# CPANEL/WHM/WEBMAIL/WEBDISK PROXY SUBDOMAINS
<VirtualHost 162.253.xxx.xxx:80 127.0.0.1:80>
    ServerName proxy-subdomains-vhost.localhost
    ServerAlias cpanel.* whm.* webmail.* webdisk.* cpcalendars.* cpcontacts.*

    DocumentRoot /var/www/html
    ServerAdmin [email protected]

    <IfModule suphp_module>
        suPHP_UserGroup nobody nobody
    </IfModule>
    <Proxy "*">
        <IfModule security2_module>
            SecRuleEngine Off
        </IfModule>
    </Proxy>

    <Directory "/var/www/html">
      AllowOverride All
    </Directory>




    ScriptAlias /.cpanel/dcv /usr/local/cpanel/cgi-priv/get_local.cgi

    RewriteEngine On

                    RewriteCond %{REQUEST_URI} ^/\.well-known/pki-validation/(?:\ Ballot169)? [OR]
                    RewriteCond %{REQUEST_URI} ^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$ [OR]
                    RewriteCond %{REQUEST_URI} ^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Sectigo\ DCV)?$
                RewriteRule ^ /.cpanel/dcv [passthrough]

    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^cpanel\.
    RewriteCond %{HTTP:Upgrade} !websocket   [nocase]

    RewriteRule ^/(.*) /___proxy_subdomain_cpanel/$1 [PT]
    ProxyPass "/___proxy_subdomain_cpanel" "http://127.0.0.1:2082" max=1 retry=0


    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^webmail\.
    RewriteCond %{HTTP:Upgrade} !websocket   [nocase]

    RewriteRule ^/(.*) /___proxy_subdomain_webmail/$1 [PT]
    ProxyPass "/___proxy_subdomain_webmail" "http://127.0.0.1:2095" max=1 retry=0


    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^whm\.
    RewriteCond %{HTTP:Upgrade} !websocket   [nocase]

    RewriteRule ^/(.*) /___proxy_subdomain_whm/$1 [PT]
    ProxyPass "/___proxy_subdomain_whm" "http://127.0.0.1:2086" max=1 retry=0


    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^webdisk\.

    RewriteRule ^/(.*) /___proxy_subdomain_webdisk/$1 [PT]
    ProxyPass "/___proxy_subdomain_webdisk" "http://127.0.0.1:2077" max=1 retry=0


    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^cpcalendars\.

    RewriteRule ^/(.*) /___proxy_subdomain_cpcalendars/$1 [PT]
    ProxyPass "/___proxy_subdomain_cpcalendars" "http://127.0.0.1:2079" max=1 retry=0


    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^cpcontacts\.

    RewriteRule ^/(.*) /___proxy_subdomain_cpcontacts/$1 [PT]
    ProxyPass "/___proxy_subdomain_cpcontacts" "http://127.0.0.1:2079" max=1 retry=0




                    RewriteCond %{HTTP_HOST} ^cpanel\.
    RewriteCond %{HTTP:Upgrade} websocket   [nocase]
    RewriteRule ^/(.*) /___proxy_subdomain_ws_cpanel/$1 [PT]

        RewriteCond %{HTTP_HOST} ^webmail\.
    RewriteCond %{HTTP:Upgrade} websocket   [nocase]
    RewriteRule ^/(.*) /___proxy_subdomain_ws_webmail/$1 [PT]

        RewriteCond %{HTTP_HOST} ^whm\.
    RewriteCond %{HTTP:Upgrade} websocket   [nocase]
    RewriteRule ^/(.*) /___proxy_subdomain_ws_whm/$1 [PT]
  

    UseCanonicalName Off

    <IfModule security2_module>
        SecRuleEngine On
    </IfModule>
</VirtualHost>


# CPANEL/WHM/WEBMAIL/WEBDISK PROXY SUBDOMAINS
<VirtualHost 162.253.xxx.xxx:443 127.0.0.1:443>
    ServerName dev.example.com

    ServerAlias cpanel.* whm.* webmail.* webdisk.* cpcalendars.* cpcontacts.*

    DocumentRoot /var/www/html
    ServerAdmin [email protected]

    <IfModule suphp_module>
        suPHP_UserGroup nobody nobody
    </IfModule>
    <Proxy "*">
        <IfModule security2_module>
            SecRuleEngine Off
        </IfModule>
    </Proxy>

    <Directory "/var/www/html">
      AllowOverride All
    </Directory>




    RewriteEngine On

    <IfModule ssl_module>
        SSLEngine on



        SSLCertificateFile /var/cpanel/ssl/cpanel/mycpanel.pem
        SSLCertificateKeyFile /var/cpanel/ssl/cpanel/mycpanel.pem
        SSLCertificateChainFile /var/cpanel/ssl/cpanel/mycpanel.pem

    </IfModule>

  
  

    <IfModule headers_module>
    RequestHeader set X-HTTPS 1
    </IfModule>

    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^cpanel\.
    RewriteCond %{HTTP:Upgrade} !websocket   [nocase]

    RewriteRule ^/(.*) /___proxy_subdomain_cpanel/$1 [PT]
    ProxyPass "/___proxy_subdomain_cpanel" "http://127.0.0.1:2082" max=1 retry=0


    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^webmail\.
    RewriteCond %{HTTP:Upgrade} !websocket   [nocase]

    RewriteRule ^/(.*) /___proxy_subdomain_webmail/$1 [PT]
    ProxyPass "/___proxy_subdomain_webmail" "http://127.0.0.1:2095" max=1 retry=0


    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^whm\.
    RewriteCond %{HTTP:Upgrade} !websocket   [nocase]

    RewriteRule ^/(.*) /___proxy_subdomain_whm/$1 [PT]
    ProxyPass "/___proxy_subdomain_whm" "http://127.0.0.1:2086" max=1 retry=0


    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^webdisk\.

    RewriteRule ^/(.*) /___proxy_subdomain_webdisk/$1 [PT]
    ProxyPass "/___proxy_subdomain_webdisk" "http://127.0.0.1:2077" max=1 retry=0


    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^cpcontacts\.

    RewriteRule ^/(.*) /___proxy_subdomain_cpcontacts/$1 [PT]
    ProxyPass "/___proxy_subdomain_cpcontacts" "http://127.0.0.1:2079" max=1 retry=0


    RewriteCond %{HTTP_HOST} !^dev.example.com$
    RewriteCond %{HTTP_HOST} ^cpcalendars\.

    RewriteRule ^/(.*) /___proxy_subdomain_cpcalendars/$1 [PT]
    ProxyPass "/___proxy_subdomain_cpcalendars" "http://127.0.0.1:2079" max=1 retry=0




                    RewriteCond %{HTTP_HOST} ^cpanel\.
    RewriteCond %{HTTP:Upgrade} websocket   [nocase]
    RewriteRule ^/(.*) /___proxy_subdomain_ws_cpanel/$1 [PT]

        RewriteCond %{HTTP_HOST} ^webmail\.
    RewriteCond %{HTTP:Upgrade} websocket   [nocase]
    RewriteRule ^/(.*) /___proxy_subdomain_ws_webmail/$1 [PT]

        RewriteCond %{HTTP_HOST} ^whm\.
    RewriteCond %{HTTP:Upgrade} websocket   [nocase]
    RewriteRule ^/(.*) /___proxy_subdomain_ws_whm/$1 [PT]
  

    UseCanonicalName Off

    <IfModule security2_module>
        SecRuleEngine On
    </IfModule>
</VirtualHost>

# Administrator locations for safely altering virtualhost configuration
Include "/etc/apache2/conf.d/includes/post_virtualhost_global.conf"

##################################################
##################################################
#
# Define the Domain Forwarding virtual hosts
#
##################################################
##################################################

# Domain forwarding is currently disabled.
# You can set this by logging into WHM, and navigating to the 'DNS Functions' => 'Setup/Edit Domain Forwarding' interface.


##################################################
##################################################
#
# Default SSL Hostname Virtual Host
#
##################################################
##################################################
<VirtualHost 127.0.0.1:443 162.253.xxx.xxx:443 *:443>
    ServerName dev.example.com
    DocumentRoot /var/www/html

    ServerAdmin [email protected]
    <IfModule suphp_module>
        suPHP_UserGroup nobody nobody
    </IfModule>
    <Directory "/var/www/html">
        AllowOverride All
    </Directory>
    <IfModule ssl_module>
        SSLEngine on
      

        SSLCertificateFile /var/cpanel/ssl/cpanel/mycpanel.pem
        SSLCertificateKeyFile /var/cpanel/ssl/cpanel/mycpanel.pem
        SSLCertificateChainFile /var/cpanel/ssl/cpanel/mycpanel.pem

    </IfModule>

    UseCanonicalName Off

    <IfModule security2_module>
        SecRuleEngine On
    </IfModule>
</VirtualHost>

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
#   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#   DO NOT EDIT. AUTOMATICALLY GENERATED.  USE INCLUDE FILES IF YOU NEED TO MAKE A CHANGE
#   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

post_virtualhost_global.conf:

<virtualhost 127.0.0.1:8443 162.253.xxx.xxx:8443 *:8443>
    ServerName example.com
    ServerAlias example.com
    ServerAdmin [email protected]
  
    DocumentRoot "/home/example/example_web"
    <Directory /home/example/example_web>
        AllowOverride All
        Allow from all
    </Directory>    
  
    <IfModule ssl_module>
        SSLEngine on
      
        SSLCertificateFile /home/example/mycerts/237494542.crt
        SSLCertificateKeyFile /home/example/mycerts/237494542_private_key.txt
        SSLCertificateChainFile /home/example/mycerts/237494542.ca-bundle

    </IfModule>

    UseCanonicalName Off

    <IfModule security2_module>
        SecRuleEngine On
    </IfModule>
  
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/

</virtualhost>

workers.properties (I don't think this is working because the stdout and stderr aren't created):

# workers.properties
#
workers.tomcat_home=/usr/local/tomcat/default
workers.java_home=/usr/java/default
ps=/
worker.list=ajp13, example
#worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
worker.inprocess.type=jni
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
worker.inprocess.cmd_line=start
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr
worker.example.port=8443

 

[bobc02]

I'm the OP, with log info that I forgot to post.

Apache2 error_log is showing proxy issues (below). It's complaining about missing LoadModules, but I had tried adding four modules to post_virtualhost_global.conf, but Apache2 reported that all of them were already loaded, so I took them out.

Apache2 error_log:

[Tue Jun 04 02:09:25.428602 2019] [proxy:warn] [pid 28110] [client 24.xx.xx.85:53691] AH01144: No protocol handler was valid for the URL / (scheme 'ajp'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Jun 04 02:09:25.428702 2019] [proxy:warn] [pid 28110] [client 24.xx.xx.85:53691] AH01144: No protocol handler was valid for the URL /500.shtml (scheme 'ajp'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Jun 04 02:09:25.733311 2019] [proxy:warn] [pid 28112] [client 24.xx.xx.85:53693] AH01144: No protocol handler was valid for the URL /favicon.ico (scheme 'ajp'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Jun 04 02:09:25.733418 2019] [proxy:warn] [pid 28112] [client 24.xx.xx.85:53693] AH01144: No protocol handler was valid for the URL /500.shtml (scheme 'ajp'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

 

[cPanelMichael]

Hello @bobc02,

EasyApache 4 only supports Tomcat version 8.5 at this time. We document Tomcat installation steps and usage notes on the link below:

Tomcat - EasyApache 4 - cPanel Documentation

As I understand, you're attempting to manually install Tomcat version 9. This is an unsupported workaround and is not recommended due to the potential for errors and functionality issues. Can you share some information about the specific features or changes in Tomcat 9 that are leading you to attempt a manual installation?

Thank you.

 

[bobc02]

Hello @bobc02,

EasyApache 4 only supports Tomcat version 8.5 at this time. We document Tomcat installation steps and usage notes on the link below:

Tomcat - EasyApache 4 - cPanel Documentation

As I understand, you're attempting to manually install Tomcat version 9. This is an unsupported workaround and is not recommended due to the potential for errors and functionality issues. Can you share some information about the specific features or changes in Tomcat 9 that are leading you to attempt a manual installation?

Thank you.

Hello cPanelMichael,

The reason for wanting Tomcat9 is because I am preparing to launch a production Java app on the Jelastic Cloud, using Tomcat9. For development, and test, I have been using a cPanel Plesk server running Tomcat 8.5.20, which I am now wanting to migrate to VPS. I think it's important to keep dev, and test, using the same Tomcat version as prod, once you're in production.

Although I am new to WHM, I have used and liked cPanel for years. I have had very little need to interact with cPanel control of Tomcat 8.5 directly - instead it's all been at the SSH level. What I like most about cPanel is the Domain Management, DNS Records, MySQL control, and easy config of email accounts. I don't have much need for Analytics, etc, in dev and test, although the cPanel tools are fantastic.

Thanks for the EasyApache 4 doc link. I had glanced at it before, but did not study it in detail. I now see that there's a good discussion on Tomcat Proxies, and it explains how the port assignments are made. I have been using standard Apache2 and Tomcat9 docs for my info, thinking, for example that ports 8005 and 8009 are used. But the doc references the port_authority json file, which is empty:

[[email protected] ~]# ls -al /etc/cpanel/cpuser_port_authority.json
-rw-r----- 1 root root 0 May 22 22:50 /etc/cpanel/cpuser_port_authority.json

Is that json file empty by mistake? Or, is there something I must do in WHM EasyApache 4 to populate it. Create a profile?

I think we're close to getting Apache2 and Tomcat9 configured, probably just some port stuff.

Thanks,
Bob

 

[cPanelMichael]

Hello Bob,

Thanks for sharing the additional information!

I have been using standard Apache2 and Tomcat9 docs for my info, thinking, for example that ports 8005 and 8009 are used. But the doc references the port_authority json file, which is empty:

[[email protected] ~]# ls -al /etc/cpanel/cpuser_port_authority.json
-rw-r----- 1 root root 0 May 22 22:50 /etc/cpanel/cpuser_port_authority.json

Is that json file empty by mistake? Or, is there something I must do in WHM EasyApache 4 to populate it. Create a profile?

The Port Authority script included with cPanel & WHM allows you (as root) to assign one or more 5-digit port numbers for a user's exclusive use:

The cpuser_port_authority script - Version 80 Documentation - cPanel Documentation

This lets cPanel users make use of an specific port number when configuring their application, without concern that another cPanel user is already using the same port number.

Thank you.

 

[bobc02]

I'm the OP. I have finished the Apache2 and Tomcat9 configuration, and wanted to share my experience for others.

It, basically, came down to studying the generated httpd.conf file, for the Include file hooks, uncommenting the appropriate one(s), adding the include file(s) at the specified path(s), and adding an AJP connector to Tomcat's server.xml. connector.

For the Include file hooks, look in the generated httpd.conf. Find the VirtualHost directive that applies to your situation, and locate the "Include /etc/apache2/conf.d/..." line. In SSH, do a mkdir to that Include file path, and set the ownership and permissions appropriately. If the Include lines are commented (# Include /etc/apache2/conf.d/...) you'll need to go into WHM EasyApache 4, and select a profile, to get them uncommented - at least I think you do it this way; I took a different path.

Down the Include file path, I added a file named custom_include.conf, this is its contents:

    LoadModule proxy_ajp_module /usr/lib64/httpd/modules/mod_proxy_ajp.so 
   
        <IfModule security2_module>
            SecRuleEngine On
            SecStatusEngine On
        </IfModule>

    ProxyPass "/" "ajp://127.0.0.1:8009/"

Updating Tomcat's server.xml, involved adding some connectors. My server.xml, may not be exactly what other's need. I force all website traffic through HTTPS, so I've added an elaborate 8443 connector. The AJP connector is required, though, because, as you see in custom_include.conf, the Apache proxy redirects to Tomcat's AJP connector. Here are all my Tomcat connectors:

  <Service name="Catalina">
    <Connector port="8080" 
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
                             
    <Connector port="8009" 
               protocol="AJP/1.3"
               redirectPort="8443" 
               enableLookups="false" />
               
    <Connector port="8443" 
               address="127.0.0.1"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" 
               secure="true" 
               SSLEnabled="true"
               keystoreFile="/home/.keystore" 
               keystorePass="******"
               keystoreType="PKCS12"
               sslProtocol="TLS"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               SSLVerifyClient="optional" 
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               clientAuth="false" 
               maxThreads="200" />

The docs that cPanelMichael posted earlier in this topic, are the basis for the changes I made.

I hope this helps.

Bob

 

[cPanelMichael]

Hello Bob,

Thanks for sharing!