
12 Apache NIO Connector

While it is technically possible to access OpenEMM with the HTTP protocol, this is certainly not recommended for production environments. One could even argue that it is illegal in EU countries where the GDPR is in force. To use OpenEMM over secure HTTPS connections, you should use Tomcat's NIO Connector.

OST provides the template file server.xml.template in directory /home/openemm/conf as a basis for your individual server.xml file. The NIO Connector is configured by changing the connector type and its properties in the Connector tag of Tomcat's server configuration file server.xml, like this:

<Connector
  port="8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  scheme="https"
  secure="true"
  SSLEnabled="true"
  disableUploadTimeout="true"
  acceptCount="100"
  connectionTimeout="20000"
  maxThreads="1000"
  enableLookups="false"
  useBodyEncodingForURI="true"
  server="<server_name>">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig
    disableCompression="true"
    honorCipherOrder="true"
    ciphers="ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256"
    protocols="all">
    <Certificate
      certificateChainFile="<tls-ca-keychain-bundle.file>"
      certificateFile="<tls-certificate.file>"
      certificateKeyFile="<tls-private-key.file>" />
  </SSLHostConfig>
</Connector>

Replace placeholder <server_name> with the FQDN of your OpenEMM server. Replace <tls-ca-keychain-bundle.file> with the path and name of your cacert file. Replace <tls-certificate.file> with the path and name of your crt file. Finally, replace <tls-private-key.file> with the path and name of your key file.

The modified server.xml file belongs in Tomcat's configuration directory /home/openemm/conf. Alternatively, you may use option Configure TLS certificate (https) of OST's Security menu to configure file server.xml (see section Menus of OST for details).
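Before restarting Tomcat with the edited server.xml, it is worth checking that every placeholder was replaced, that the HTTPS connector carries the attributes shown above and that the three certificate files actually exist. The script below is an added example, not part of OpenEMM or OST; the sample connector, the /etc/ssl/openemm paths and the file_exists hook are constructed for the demonstration, and the remark on protocols="all" follows Tomcat's SSLHostConfig documentation.

```python
import os
import re
import xml.etree.ElementTree as ET

NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"
CERT_ATTRS = ("certificateChainFile", "certificateFile", "certificateKeyFile")
PLACEHOLDER = re.compile(r'="<([^">]+)>"')  # unreplaced <...> placeholder

def check_https_connector(xml_text, file_exists=os.path.isfile):
    """Return (problems, warnings) for every SSLEnabled Connector in xml_text."""
    problems, warnings = [], []
    leftovers = PLACEHOLDER.findall(xml_text)
    if leftovers:  # '<' inside an attribute value is not even well-formed XML
        return [f"placeholder <{p}> not replaced" for p in leftovers], warnings
    root = ET.fromstring(xml_text)  # whole server.xml or just the fragment
    connectors = [c for c in root.iter("Connector")
                  if c.get("SSLEnabled", "").lower() == "true"]
    if not connectors:
        return ['no Connector with SSLEnabled="true" found'], warnings
    for conn in connectors:
        port = conn.get("port", "?")
        if conn.get("protocol") != NIO_PROTOCOL:
            problems.append(f"port {port}: protocol is not the NIO connector")
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            problems.append(f"port {port}: scheme/secure not set for HTTPS")
        host = conn.find("SSLHostConfig")
        cert = host.find("Certificate") if host is not None else None
        if cert is None:
            problems.append(f"port {port}: missing SSLHostConfig/Certificate")
            continue
        for attr in CERT_ATTRS:
            path = cert.get(attr)
            if not path:
                problems.append(f"port {port}: {attr} is not set")
            elif not file_exists(path):
                problems.append(f"port {port}: {attr} {path} does not exist")
        # Tomcat's "all" alias (the default) still includes TLSv1 and TLSv1.1
        if "all" in re.split(r"[,\s]+", host.get("protocols", "all")):
            warnings.append(f'port {port}: protocols="all" enables TLS 1.0/1.1')
    return problems, warnings

# Constructed sample: the connector from this chapter with placeholders filled in.
SAMPLE = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  scheme="https" secure="true" SSLEnabled="true" server="mail.example.org">
  <SSLHostConfig honorCipherOrder="true" protocols="all">
    <Certificate certificateChainFile="/etc/ssl/openemm/chain.pem"
      certificateFile="/etc/ssl/openemm/cert.pem"
      certificateKeyFile="/etc/ssl/openemm/key.pem" />
  </SSLHostConfig>
</Connector>"""
```

Run check_https_connector(open("/home/openemm/conf/server.xml").read()) against the real file; an empty problems list means the connector is ready for the restart.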

Do not forget to set up port forwarding from port 443 to 8443 as described in section Firewall Configuration, because Tomcat uses port 8443 for HTTPS traffic by default.