This Apache web server tutorial will walk you through installing the Apache web server on your instance. This will act as a reverse proxy to your application deployment - accepting all incoming requests and forwarding them to Tomcat.
You will also install TLS/SSL certificates which will enable HTTPS access and remove the dreaded "Not Secure" flag from browsers visiting your domain.
Apache Installation
Info: Before proceeding, edit your EC2 instance's security group, adding a rule to allow access from anywhere for both HTTP and HTTPS. While you are there, you can also remove the rule allowing port 8080, since you won't need public access to Tomcat anymore!
Open up your terminal and connect to your EC2 instance using SSH, then install the Apache web server by using the following commands:
$ sudo apt update
$ sudo apt install apache2
Right away, if you now access your domain without adding :8080, you should see the Apache success page. This is good! If you get an endless loading cycle, double-check your instance security group rules and try again.
Virtual Hosts
With Apache installed, you'll now need to create a site configuration that will enable it to act as a reverse proxy to Tomcat. Navigate to the Apache config folder:
$ cd /etc/apache2
$ ls -al
drwxr-xr-x 8 root root 4096 Nov 4 20:12 .
drwxr-xr-x 109 root root 4096 Nov 4 20:12 ..
-rw-r--r-- 1 root root 7224 Jun 14 13:30 apache2.conf
drwxr-xr-x 2 root root 4096 Nov 4 20:12 conf-available
drwxr-xr-x 2 root root 4096 Nov 4 20:12 conf-enabled
-rw-r--r-- 1 root root 1782 Feb 23 2021 envvars
-rw-r--r-- 1 root root 31063 Feb 23 2021 magic
drwxr-xr-x 2 root root 12288 Nov 4 20:12 mods-available
drwxr-xr-x 2 root root 4096 Nov 4 20:12 mods-enabled
-rw-r--r-- 1 root root 320 Feb 23 2021 ports.conf
drwxr-xr-x 2 root root 4096 Nov 4 20:12 sites-available
drwxr-xr-x 2 root root 4096 Nov 4 20:12 sites-enabled
Apache uses virtual hosts to define and configure domains on the server. Virtual hosts can be defined throughout multiple configuration files based on domain names for better organization.
Notice the folders ending in either -available or -enabled. The two you are focused on here are sites-available and sites-enabled. To make it easy to keep multiple configurations and enable or disable them at any time, site config files are stored in sites-available and then enabled by creating a symlink to the file in sites-enabled.
Take a look in both right now, and you should see a file named 000-default.conf, which is currently enabled. This is the default site config that publishes the Apache page you saw in the browser earlier.
Apache Reverse Proxy Configuration
You will create a new configuration file for your domain. Make sure you replace yourdomain.com with your actual domain name.
$ sudo nano /etc/apache2/sites-available/yourdomain.com.conf
This file will declare a single virtual host. It will accept all traffic on port 80, and forward it to your application running on port 8080. You can add the following to the file, again changing yourdomain.com to your actual domain name. Save and exit.
<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
Apache includes a tool that will parse your configuration before attempting to restart the service, which helps you avoid a situation where your site is actually down while you fix your config. Run the following command to test your config now:
$ sudo apache2ctl configtest
This tool will alert you to any syntax errors in your configuration, allowing you to resolve them one by one. Once the tool outputs something similar to "Syntax OK", you are ready to proceed.
Now you'll disable the default site and enable your new site config:
$ sudo a2dissite 000-default.conf
$ sudo a2ensite yourdomain.com.conf
The next step is to enable the required Apache modules and restart Apache.
$ sudo a2enmod proxy
$ sudo a2enmod proxy_http
$ sudo systemctl restart apache2
Go ahead and open your domain in a web browser. This time you should get your application! Awesome! Now it's time to get a certificate installed, so you can get rid of that pesky "Not Secure" flag in web browsers.
Let's Encrypt!
You'll install a certificate with the help of Let's Encrypt. Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).
Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually administrated websites to enable HTTPS. Certbot is made by the Electronic Frontier Foundation (EFF), a nonprofit that defends digital privacy, free speech, and innovation.
To install Certbot on your EC2 instance, simply follow along.
First, make sure snapd is installed and up-to-date.
$ sudo snap install core; sudo snap refresh core
Now install Certbot.
$ sudo snap install --classic certbot
Create a link to run the certbot command.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
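Finally, use Certbot to get the certificate. With the certonly subcommand, Certbot saves the certificate and key on the server and leaves your Apache site configuration for you to edit in the next section.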
$ sudo certbot certonly --apache -d yourdomain.com -d www.yourdomain.com
When prompted, enter a real email address, typically the same one tied to the administrative contact for your domain.
When the process is complete, you should receive similar output:
Requesting a certificate for pineapplecamp.com and www.pineapplecamp.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/pineapplecamp.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/pineapplecamp.com/privkey.pem
This certificate expires on 2025-09-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Reverse Proxy SSL
Now, use the certificate and key paths from the output to edit your Apache virtual host configuration once again.
$ sudo nano /etc/apache2/sites-available/yourdomain.com.conf
<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    # Send every plain HTTP request to the HTTPS site
    Redirect permanent / https://www.yourdomain.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    # Redirect requests whose Host header lacks "www." to the www host
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # Reverse proxy to Tomcat on port 8080
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    # TLS options file provided by Certbot, plus the certificate and key it saved
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
</VirtualHost>
Now, any request coming in on port 80 (HTTP) will be automatically redirected to a new virtual host on port 443 (HTTPS).
Once there, if the request does not contain www, it is added. Although some browsers are now simplifying display URLs (hiding www), this is not only cosmetic but a common practice for consistency. You should always have one (with www or without) redirect to the other.
The reverse proxy now also takes place here, and finally your certificate is referenced, making all of this possible. With the certificate and changes in place, test your new configuration.
$ sudo apache2ctl configtest
If you are getting errors when testing your config, take a look at the information provided and attempt to resolve the issue. It's possible that one (or more) required modules have not been enabled.
The two most probable modules at this point would be rewrite and ssl, which provide the RewriteEngine and SSLEngine directives. You can enable them with the following commands.
$ sudo a2enmod ssl
$ sudo a2enmod rewrite
Once your configuration passes the test, go ahead and restart Apache.
$ sudo systemctl restart apache2
When Apache is back up and running, fire up your browser and test it out!
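apache2ctl configtest only validates syntax, so a site file can pass it and still serve the application over plaintext HTTP or proxy to the wrong place. The shell function below is an added example, not part of the original tutorial: it audits a site file shaped like the two shown above, and the function names, messages and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): checks that configtest does not make.
# Usage: audit_vhosts /etc/apache2/sites-available/yourdomain.com.conf
audit_vhosts() {
  awk '
    function flag(msg) { print "vhost :" port ": " msg; n++ }
    function finish() {
      if (port == "") return
      if (fwd) flag("ProxyRequests On turns Apache into an open forward proxy")
      if (port == "80" && proxy) flag("application is proxied over plaintext HTTP")
      if (port == "80" && !redir) flag("no Redirect to an https:// URL")
      if (port == "443" && !(cert && key)) flag("certificate or key directive missing")
      if (bad != "") flag("ProxyPass target is not loopback: " bad)
      port = ""
    }
    /^[ \t]*#/ { next }                      # skip comment lines
    { d = tolower($1) }                      # directive names are case-insensitive
    d ~ /^<virtualhost/ {
      port = $2; sub(/.*:/, "", port); sub(/>.*/, "", port)
      fwd = proxy = redir = cert = key = 0; bad = ""
      next
    }
    d == "</virtualhost>" { finish(); next }
    port == "" { next }                      # ignore directives outside a vhost
    d == "proxyrequests" && tolower($2) == "on" { fwd = 1 }
    d == "proxypass" {
      proxy = 1
      host = $3; sub(/^https?:\/\//, "", host)          # strip the scheme,
      sub(/\/.*/, "", host); sub(/:[0-9]+$/, "", host)  # the path and the port
      if (host != "localhost" && host != "127.0.0.1" && host != "[::1]") bad = $3
    }
    d == "redirect" && $NF ~ /^https:\/\// { redir = 1 }
    d == "sslcertificatefile" { cert = 1 }
    d == "sslcertificatekeyfile" { key = 1 }
    END { finish(); exit (n > 0) }
  ' "${1:--}"
}
# Constructed sample: the HTTP-only site file from the first half of the tutorial.
sample_http_only() {
  cat <<'EOF'
<VirtualHost *:80>
    ServerName yourdomain.com
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
</VirtualHost>
EOF
}
sample_http_only | audit_vhosts || true
```

The function prints one line per finding and returns non-zero when there is at least one, so it can gate a deployment script before the systemctl restart.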
Tip: Interested in using Certbot for other server configurations? Choose your web server and operating system on the Certbot website for easy-to-follow instructions.
Summary: Reverse Proxy With Apache
You now have a fully functional domain attached to your Spring application deployment on Amazon EC2. You set up Apache web server as a reverse proxy to Tomcat, and installed a certificate for your domains using Certbot.
Next up, you'll learn how to use another popular web server as a reverse proxy - NGINX. Stay tuned!