Install Centos Linux

Install Centos on a VM / Desktop

Install Apache

How to ensure all traffic is served over SSL?

LoadModule rewrite_module libexec/apache2/mod_rewrite.so

## Forcing HTTPS for certain URLs

ProxyPass    http://*/ (http://*/   ) ; https://*:8080/

##  https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp

RewriteEngine on

# Anything that did not arrive on the HTTPS port (443) is sent back to the same
# URL over https. R issues an external redirect, L stops further rule processing.
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

Enable SSL for a specific app – remember the ‘retry’ parameter !!!

ProxyPass    /myapp    http://localhost:8080/myapp retry=5

Configuring Apache to Use Compression

# mod_deflate (compress output for browsers that support it)
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript text/javascript text/x-js application/json application/xml application/javascript

# Some adjustments for IE browsers (http://www.robertswarthout.com/rswarthout/2007/05/ie-6-apache-mod_deflate-blank-pages/)

BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE\s7 !no-gzip !gzip-only-text/html
BrowserMatch \bMSIE\s8 !no-gzip !gzip-only-text/html

http://httpd.apache.org/docs/2.2/sections.html


How to implement a Load Balancer?

Ref: http://docs.codehaus.org/display/JETTY/Configuring+mod_proxy

Virtual Host Tomcat Connector: http://www.zeitoun.net/articles/configure-mod_proxy_ajp-with-tomcat/start

Do not use mod_jk; use mod_proxy_ajp instead: http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html

Set up two Tomcat instances with AJP ports 8019 and 8029:

# Sticky sessions only work when each member carries a route: the route= value
# must equal the jvmRoute that the matching Tomcat appends to its session IDs
# (route names below are placeholders; set jvmRoute in each Tomcat's server.xml).
ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
<Proxy balancer://cluster>
    BalancerMember ajp://localhost:8019 route=tomcat1
    BalancerMember ajp://localhost:8029 route=tomcat2
</Proxy>

Concrete Reference: http://www.altuure.com/2007/12/03/complete-apache-22-ajp-load-balance-via-mod_proxy/

Set up Load Balancer with Sticky Sessions: http://andrius.miasnikovas.lt/2010/07/configuring-apache-server-load-balancing-for-multiple-virtual-hosts/

This site specifies certain tricks for PHP sessions.

Access your app: http://localhost:8080/myapp

Test Load Balancer : http://localhost/balancer-manager

How to implement Virtual Redirection?

For a simple frontend server, it is often desirable to run multiple HTTP services on one machine. The web server is Apache, and we want different parts of the site (governed by path) processed by different HTTP services (Apache, Tomcat, IIS).

Make sure these modules are loaded (uncomment the lines if not already done). The AddModule directive exists only in Apache 1.3; on Apache 2.x use the LoadModule lines alone, and the [P] proxy flag used below also needs mod_proxy_http:

LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Apache 1.3 only:
AddModule mod_rewrite.c
AddModule mod_proxy.c

Later, either within a virtual host entry or the main host entry, add your re-writing logic.

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteLog "logs/rewrite_log"
    RewriteLogLevel 0
    # [P] proxies the request to the backend instead of redirecting the client;
    # flags must be comma-separated with no spaces.
    RewriteRule ^/gallery(.*) http://drewnoakes.com:8080/gallery$1 [P]
    RewriteRule ^/aspx(.*)    http://drewnoakes.com:8090$1 [P,L]
</IfModule>

This proxies all traffic matching /gallery to the Tomcat web app ‘gallery’, where Tomcat listens on port 8080. Similarly, any request matching /aspx is proxied to IIS, which runs on port 8090.

With this setup, both Tomcat and IIS listen on ports that are blocked by the firewall.

Classic Reverse-Proxies

Use Apache as the global front end.

Open up a private port for a specific application :

>> ProxyPass and ProxyPassReverse are the classic reverse-proxy directives used to forward the stream to another location.

>> First check whether the port is already defined in the SELinux policy (-w matches the whole number, so 1979 does not also match 11979):

/usr/sbin/semanage port -l | grep -w 1979

>> then actually allocate it to the http_port_t type so that httpd is allowed to bind it:

/usr/sbin/semanage port -a -t http_port_t -p tcp 1979

>>>>>> Do not mess up httpd.conf: add this single line at its end and keep the extra configuration in separate files:

Include /etc/httpd/extras/*.conf

sudo touch /etc/httpd/extras/ajp.conf

http://httpd.apache.org/docs/2.2/vhosts/examples.html

Listen 1979
NameVirtualHost *:1979
<VirtualHost *:1979>
    ServerName localhost
    ErrorLog /var/log/apache2/ajp.error.log
    CustomLog /var/log/apache2/ajp.log combined

    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>

mod_proxy_ajp forwards your request transparently, using the AJP protocol, to the Tomcat application server on localhost:8009.

Resources

http://www.drewnoakes.com/snippets/ConfiguringApacheToRedirectASingleHostToMultiplePorts/

http://httpd.apache.org/docs/2.2/vhosts/examples.html

http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html

http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

http://httpd.apache.org/docs/2.2/rewrite/

http://httpd.apache.org/docs/2.2/rewrite/avoid.html

http://blog.mc-thias.org/?title=tomcat_and_ssl_redirection&more=1&c=1&tb=1&pb=1

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

https://confluence.sakaiproject.org/display/DOC/Sakai+Admin+Guide+-+Advanced+Tomcat++%28and+Apache%29+Configuration
——————————————————————————-

Install MySQL

………

Install Tomcat and Java

Basic Configuration

……..

SSL on Tomcat

We can place Tomcat behind an Apache web server or behind a hardware load balancer.

Then use either native SSL (a Java keystore) or an external SSL certificate via APR (APR – the more secure and advanced mechanism).

Configuring Tomcat to handle SSL natively. The plain HTTP connector sends requests that require a CONFIDENTIAL transport to its redirectPort:

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

To make Tomcat listen on the port 443, with a SSL transport, the following needs to be configured in the server.xml file:

<!-- keystorePass "password" is a placeholder: use the password you gave keytool -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/apache-tomcat-6.0.13/.keystore"
           keystorePass="password"/>

The keystore file is created as follows (keytool prompts for the keystore password, which must match keystorePass in server.xml; -keysize 2048 avoids the old 1024-bit RSA default):

$JAVA_HOME/bin/keytool -genkey -alias virtualhostname \
    -keyalg RSA -keysize 2048 \
    -keystore /opt/apache-tomcat-6.0.13/.keystore

If you need to obtain and install a certificate signed by a trusted authority, review the tomcat documentation here: http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html

You can also take an existing X509 certificate and private key and import them into a keystore using the following utility: http://www.comu.de/docs/tomcat_ssl.htm

Configuring tomcat to use APR

If you take the time to install APR and the tomcat native libraries, tomcat can be made to work with an X509 certificate in PEM format without conversion. Those instructions can be found at:   http://tomcat.apache.org/tomcat-5.5-doc/apr.html

Configuring tomcat to force SSL for appropriate content.

At a minimum, any components (login, xlogin) that transmit username and password information should be transmitted using SSL to avoid problems with session cookie hijacking.

To secure an individual Tomcat context, edit its WEB-INF/web.xml and add the following inside the <web-app> tags:

<!-- redirect all traffic to the SSL port -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Automatic SSL Forwarding</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

At a minimum, you should secure the ROOT and login contexts.

Securing All Tomcat Contexts

If you wish to secure the entire Tomcat installation (which can be done regardless of how you provide SSL), add the following to TOMCAT_HOME/conf/web.xml inside the <web-app> tags:

<!-- redirect all traffic to the SSL port -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Automatic SSL Forwarding</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

If you have content that is required to be transmitted using http (for example, a tool that exports subscribable iCal calendars), you may want to relax the overall security restriction for a single context.

This can be done by adding the following to the context’s WEB-INF/web.xml file:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL Requirement Disabled</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
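An audit helper, added here and not part of the original notes or of Tomcat, that reads the security-constraint entries of the global conf/web.xml and of a context's WEB-INF/web.xml and reports which transport guarantee a given request path ends up with once both are in force. The two web.xml documents are constructed samples (the calendar context and its /feeds/* pattern are assumptions); on a real host read TOMCAT_HOME/conf/web.xml and the context's file instead. Pattern selection follows the servlet matching order (exact match, longest path prefix, extension, then the default pattern), and constraints that share the winning pattern combine by union of accepted connection types, which is why a NONE entry re-admits plain HTTP.

```python
"""Report the effective <transport-guarantee> for a path in a Tomcat context.

Added example (not part of the original notes or of Tomcat). Both web.xml
documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the global TOMCAT_HOME/conf/web.xml constraint.
GLOBAL_WEB_XML = """
<web-app>
  <!-- redirect all traffic to the SSL port -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SSL Forwarding</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed WEB-INF/web.xml of an iCal-export context that relaxes the
# requirement for its feed URLs only (the /feeds/* pattern is an assumption).
CALENDAR_WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL Requirement Disabled</web-resource-name>
      <url-pattern>/feeds/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Drop a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def constraints(xml_text):
    """Yield (url_patterns, transport_guarantee) for each security-constraint."""
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        guarantee = "NONE"  # no user-data-constraint means any transport is accepted
        for e in sc.iter():
            if _local(e.tag) == "transport-guarantee":
                guarantee = e.text.strip().upper()
        yield patterns, guarantee


def _rank(pattern, path):
    """Specificity of a matching url-pattern, or None when it does not match.

    Servlet order: exact match > longest path prefix > extension > default '/'.
    """
    if pattern == "/":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(pattern))
        return None
    return (3, len(pattern)) if path == pattern else None


def effective_guarantee(path, *web_xmls):
    """Guarantee a client must meet for `path` with all given web.xml files merged."""
    matches = []
    for xml_text in web_xmls:
        for patterns, guarantee in constraints(xml_text):
            for pattern in patterns:
                rank = _rank(pattern, path)
                if rank is not None:
                    matches.append((rank, guarantee))
    if not matches:
        return "NONE"  # unconstrained: plain HTTP accepted
    best = max(rank for rank, _ in matches)
    chosen = {guarantee for rank, guarantee in matches if rank == best}
    # Constraints on the same winning pattern combine by union of accepted
    # connection types, so one NONE among them re-admits plaintext.
    if "NONE" in chosen:
        return "NONE"
    return "CONFIDENTIAL" if "CONFIDENTIAL" in chosen else "INTEGRAL"


def plain_http_allowed(path, *web_xmls):
    return effective_guarantee(path, *web_xmls) == "NONE"


if __name__ == "__main__":
    for path in ("/login", "/feeds/team.ics", "/index.html"):
        print(path, effective_guarantee(path, GLOBAL_WEB_XML, CALENDAR_WEB_XML))
```

Run it against each deployed context's web.xml together with the global one to confirm that only the paths you meant to exempt (the iCal feeds here) still answer over plain HTTP, and that login paths stay CONFIDENTIAL.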

Auto-redirection to the SSL port:

- uncomment the AJP connector in server.xml: <Connector enableLookups="false" port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />

- set redirectPort for both the HTTP connector and the AJP connector to 8443.

- inside tomcat_home/conf/web.xml, mark all resource requests CONFIDENTIAL, as shown above!

Install Certificate from ThirdParty

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore
