Apache HTTP Authentication


This covers how to protect parts of a website in Apache using the .htaccess files.

To use .htaccess files, you must first enable them in the server configuration with the directive AllowOverride AuthConfig, typically inside the <Directory> section for the document root:
<Directory /opt/apache/htdocs>
    AllowOverride AuthConfig
</Directory>

Create a password file, placed somewhere that is not accessible from the web. For example, if your documents are served from the directory /opt/apache/htdocs, you can put the password file in the /opt/apache/passwd directory. To create the file, use the htpasswd command that comes with Apache. The -c option creates the file; omit it when adding further users, otherwise the existing file is overwritten.

$ htpasswd -c /opt/apache/passwd/passwords myusername

Create an .htaccess file in the directory you wish to protect. For example, if you wish to protect the directory /opt/apache/htdocs/protect:

$ cd /opt/apache/htdocs/protect/
$ nano .htaccess

Add the following lines inside the file:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /opt/apache/passwd/passwords
Require user myusername

  • The AuthType directive selects the method used to authenticate the user. The most common method is Basic; note that it sends the password base64-encoded, which is effectively clear text, so a protected area should only be served over HTTPS.
  • The AuthName directive sets the realm used in the authentication. The browser uses the realm to decide which password to send for a given authenticated area.
  • The AuthUserFile directive sets the path to the password file that was created with htpasswd.
  • The Require directive provides the authorization part of the process by naming the user allowed to access the protected area. To allow anyone listed in the password file, use: Require valid-user

Once the .htaccess file has been saved, you have restricted access to the area you want to protect.
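
As an added example (not from the original post), the steps above as a script: it builds the password file with openssl passwd -apr1 instead of htpasswd (the same apr1 hash format, so it runs without apache2-utils), writes the .htaccess, verifies a password against the stored hash, and checks the placement rule that the password file must not live under DocumentRoot. All paths are temporary stand-ins for /opt/apache/htdocs and /opt/apache/passwd.

```shell
# Added example: htpasswd-style password file plus .htaccess, built in a scratch
# tree, with two checks: the stored hash verifies and the file is outside DocumentRoot.
set -eu

# add_htpasswd_entry FILE USER PASSWORD : create or update USER's entry (like htpasswd -c / htpasswd)
add_htpasswd_entry() {
    file=$1; user=$2; pass=$3
    digest=$(openssl passwd -apr1 "$pass")       # "$apr1$<salt>$<hash>", as htpasswd -m writes
    if [ -f "$file" ]; then                       # drop an older entry for the same user
        grep -v "^$user:" "$file" > "$file.tmp" || true
        mv "$file.tmp" "$file"
    fi
    printf '%s:%s\n' "$user" "$digest" >> "$file"
    chmod 640 "$file"                             # owner plus the web server's group only
}

# check_password FILE USER PASSWORD : 0 if PASSWORD matches the stored apr1 hash
check_password() {
    stored=$(grep "^$2:" "$1" | cut -d: -f2-)
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)  # recompute with the stored salt
    [ "$(openssl passwd -apr1 -salt "$salt" "$3")" = "$stored" ]
}

# write_htaccess DIR PASSWD_FILE USER : the .htaccess from the post, pointing at PASSWD_FILE
write_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted Files"
AuthUserFile $2
Require user $3
EOF
}

# passwd_file_outside_docroot DOCROOT PASSWD_FILE : 0 if Apache can never serve the file
passwd_file_outside_docroot() {
    docroot=$(cd "$1" && pwd -P)
    pdir=$(cd "$(dirname "$2")" && pwd -P)
    case "$pdir/" in
        "$docroot"/*) return 1 ;;                  # inside (or equal to) DocumentRoot
        *) return 0 ;;
    esac
}

# Demonstration mirroring /opt/apache/htdocs and /opt/apache/passwd under a temp root
root=$(mktemp -d)
mkdir -p "$root/htdocs/protect" "$root/passwd"
add_htpasswd_entry "$root/passwd/passwords" myusername 'correct horse'
write_htaccess "$root/htdocs/protect" "$root/passwd/passwords" myusername
passwd_file_outside_docroot "$root/htdocs" "$root/passwd/passwords" && echo "password file is outside DocumentRoot"
check_password "$root/passwd/passwords" myusername 'correct horse' && echo "stored hash verifies"
```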

For more information: http://httpd.apache.org/docs/2.0/howto/auth.html

Configuring Apache for SSL Support


SSL stands for Secure Sockets Layer and TLS stands for Transport Layer Security. They are a family of protocols that were originally designed to secure HTTP transactions, but can also be used for other Internet protocols. The following describes the procedure for configuring the Apache2 HTTP server to provide HTTPS connections using OpenSSL.

Managing Certificates

To have a working SSL implementation, the first step is to create a server certificate using the openssl command.

A public/private key pair must be generated before you can create a certificate request. Create the key with the following command line:

$ openssl genrsa -des3 -out server.key 1024

  • genrsa generates an RSA key pair
  • -des3 encrypts the private key with a passphrase
  • -out indicates where to store the result
  • 1024 is the key length in bits (1024-bit RSA is considered too weak today; use 2048 or more for anything beyond a throwaway test)

A passphrase-protected key makes Apache ask for the passphrase at each startup. If you don't want Apache to prompt you every time you start or restart it, omit the "-des3" option.

To learn about the contents of the key file use the following command:

$ openssl rsa -noout -text -in server.key

To get a certificate issued by a CA, you must submit what is called a certificate signing request. To create a request, issue the following command:

$ openssl req -new -key server.key -out server.csr

You will be prompted to enter the certificate information; it is important that the Common Name field matches the address of your website. If the name is different, the browser will warn the user about the mismatch.

To learn about the contents of the certificate use the following command:

$ openssl req -noout -text -in server.csr

If the certificate is for broad Internet use, submit the certificate signing request file to a CA such as VeriSign or Thawte for processing. If the certificate is for development, testing or internal use, you can create a self-signed certificate:

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Without the "-days" option the certificate is valid for 30 days.

Note: The certificate's private key should be readable only by the root user.
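
The key, CSR and self-signed certificate steps above as an added script (not from the original post): it runs them non-interactively, then performs the checks a browser or an auditor would apply: the Common Name equals the intended hostname, the private key is not group- or world-readable, and enough validity remains. The hostname www.example.test and the scratch directory are constructed; the key is 2048 bits and created without -des3 so Apache starts without a prompt.

```shell
# Added example: key -> CSR -> self-signed certificate, non-interactively, plus
# the checks that catch a CN mismatch, a readable key and a certificate about to expire.
set -eu

# make_self_signed DIR HOSTNAME DAYS : writes server.key, server.csr, server.crt into DIR
make_self_signed() {
    dir=$1; host=$2; days=$3
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"        # private key readable by its owner only
    # -subj supplies the prompted fields; CN must be the name users type in the browser
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=Example Org/CN=$host"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_cn CERT : prints the Common Name from the certificate subject
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_matches_host CERT HOSTNAME : 0 when the CN equals HOSTNAME (no browser mismatch warning)
cert_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# key_is_private KEYFILE : 0 when the mode is 600 or 400 (GNU stat, BSD stat as fallback)
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# cert_valid_for_days CERT DAYS : 0 when the certificate does not expire within DAYS
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Demonstration in a scratch directory standing in for /etc/apache2/ssl
work=$(mktemp -d)
make_self_signed "$work" www.example.test 365
cert_matches_host "$work/server.crt" www.example.test && echo "CN matches hostname"
key_is_private "$work/server.key" && echo "server.key is not readable by others"
cert_valid_for_days "$work/server.crt" 30 && echo "more than 30 days of validity left"
```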

Configuring Apache for Ubuntu

Place the certificate and the certificate private key in the directory /etc/apache2/ssl.

Enable the ssl module for Apache

$ a2enmod ssl

Enable Apache to listen on the default HTTPS port 443 by adding the following lines to /etc/apache2/ports.conf:

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

Inside the virtual host or httpd.conf configuration file, add lines similar to the following:

<VirtualHost _default_:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>

Redirecting HTTP traffic to HTTPS

If you want to force users to use HTTPS, you can redirect all HTTP traffic to the HTTPS site.

Enable URL rewrite support by executing the following command:

$ a2enmod rewrite

In the virtual host or httpd.conf configuration file add the following three lines under the <VirtualHost *:80> line:

RewriteEngine On
RewriteCond %{HTTPS} off
# R=301 makes the redirect permanent; L stops further rule processing for this request
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Integrating Tomcat and Apache with mod_jk Connector


Using the mod_jk connector is an alternative but more complex method of integrating Tomcat and Apache together. The concept behind this method is to have Apache serve the static content of the website, and Tomcat to serve the Java related content. This could be a better alternative if your website contains mostly HTML pages.

The mod_jk connector and mod_proxy_ajp are the only recommended methods of integrating Tomcat and Apache. mod_jk is still actively developed, is very stable for production servers, and supports both Apache 1.3 and 2.x. Past alternatives such as mod_webapp, mod_jserv and mod_jk2 are no longer supported and are considered deprecated.

mod_jk Package Issue for Ubuntu

For Ubuntu 7.04 there is an error in the mod_jk package. It currently has two packages for mod_jk:

  • libapache-mod-jk which depends on apache
  • libapache2-mod-jk2 which depends on apache2

As mentioned previously, mod_jk2 is already deprecated, and mod_jk works for both Apache 1.3 and 2.x.

To configure Tomcat and Apache to use mod_jk properly, the connector must be built and set up manually from source.

Installing and Configuring mod_jk

Download and extract the latest connector from the Tomcat website http://tomcat.apache.org/download-connectors.cgi, then configure and build it:

$ cd tomcat-connectors-1.2.23-src/native
$ ./buildconf.sh
$ ./configure --with-apxs=/usr/bin/apxs2
$ make; make install

Verify that the mod_jk.so module exists in the Apache module directory /usr/lib/apache2/modules.

Note: The following programs are required to configure and build the connector: automake, autoconf, libtoolize, and apxs2. To obtain them on Ubuntu, install the packages libtool, automake, and apache2-threaded-dev.

libtool error when compiling

On some systems the 'make' command will fail with the following error:

libtool: compile: unable to infer tagged configuration
libtool: compile: specify a tag with `--tag'

This is due to libtool not selecting the correct gcc configuration when compiling. A workaround is to add the parameter '--tag CXX' in the Makefile.

$ cd tomcat-connectors-1.2.23-src/native/common
$ nano Makefile

Inside the Makefile, change the line from:

LIBTOOL = /usr/share/apr-1.0/build/libtool --silent

to:

LIBTOOL = /usr/share/apr-1.0/build/libtool --silent --tag CXX

Creating the workers.properties

Create a workers.properties file in the Apache configuration directory and add the following lines to it.

$ nano /etc/apache2/workers.properties

# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
workers.tomcat_home=/usr/share/tomcat5.5
workers.java_home=/usr/lib/java-1.5.0-sun
ps=/
# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13); the prefix must match the name in worker.list
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13
worker.worker1.lbfactor=1
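
An added checker for workers.properties (not part of the post or of mod_jk): it verifies that every worker named in worker.list has worker.<name>.type, and for ajp13 workers also host and port, defined under that exact prefix, which catches listing worker1 while defining the properties as worker.default.*, leaving worker1 without a definition mod_jk can use. The two sample files are constructed inline in a temporary directory.

```shell
# Added example: flag workers listed in worker.list whose properties live under
# another prefix; sample files are constructed, paths are temporary.
set -eu

# prop FILE KEY : value of KEY in FILE (last definition wins), empty if absent
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')          # escape dots for the sed pattern
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# validate_workers FILE : 0 if every worker in worker.list has its type, and for
# ajp13 workers also host and port, defined under worker.<name>.*; else 1
validate_workers() {
    file=$1; rc=0
    list=$(prop "$file" worker.list | tr ',' ' ')
    [ -n "$list" ] || { echo "worker.list is missing or empty"; return 1; }
    for w in $list; do
        type=$(prop "$file" "worker.$w.type")
        case "$type" in
            "") echo "$w: worker.$w.type is not defined"; rc=1 ;;
            ajp13)
                for k in host port; do
                    [ -n "$(prop "$file" "worker.$w.$k")" ] ||
                        { echo "$w: worker.$w.$k is not defined"; rc=1; }
                done ;;
            lb|status) ;;          # other types take different keys; not checked here
            *) echo "$w: unknown worker type '$type'"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: the mismatched form beside the corrected one
tmp=$(mktemp -d)
cat > "$tmp/broken.properties" <<'EOF'
worker.list=worker1
worker.default.port=8009
worker.default.host=localhost
worker.default.type=ajp13
EOF
cat > "$tmp/fixed.properties" <<'EOF'
worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13
EOF
validate_workers "$tmp/broken.properties" || echo "broken.properties rejected"
validate_workers "$tmp/fixed.properties" && echo "fixed.properties accepted"
```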

Configure Apache for mod_jk

Create the jk module configuration files for Apache

$ nano /etc/apache2/mods-available/jk.load

LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so

$ nano /etc/apache2/mods-available/jk.conf

<IfModule mod_jk.c>
    # Where to find workers.properties
    JkWorkersFile /etc/apache2/workers.properties
    # Where to put jk logs
    JkLogFile /var/log/apache2/mod_jk.log

    # Set the jk log level [debug/error/info]
    JkLogLevel info

    # Select the log format
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

    # JkOptions indicate to send SSL KEY SIZE,
    JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

    # JkRequestLogFormat set the request format
    JkRequestLogFormat "%w %V %T"

    # Globally deny access to the WEB-INF directory
    <LocationMatch '.*WEB-INF.*' >
         Order deny,allow
         Deny from all
    </LocationMatch>
</IfModule>

After creating the configuration files you can now enable the jk module for Apache

$ a2enmod jk

Sending JSP and Servlets through mod_jk

Inside the virtual host you can mount JSP and Servlet contexts to the worker defined in the workers.properties file. For example, to mount the JSP and Servlet examples shipped with Tomcat, add the following lines:

JkMount /jsp-examples/*.jsp worker1
JkMount /servlets-examples/servlet/* worker1

Apache DirectoryIndex

If your website uses index.jsp, it must be added to Apache's DirectoryIndex. Modify the file /etc/apache2/mods-enabled/dir.conf and add index.jsp to the list.

Apache Log File Rotation


Apache log files can grow very large, and it is sometimes necessary to rotate them periodically by moving or deleting the existing logs. Apache can write log files through a pipe to another process rather than directly to a file, which allows logs to be rotated without restarting Apache.

rotatelogs

The Apache HTTP Server includes a simple program called rotatelogs for log rotation. In Ubuntu this program can be found in /usr/sbin/rotatelogs.

The following is a simple configuration to setup log rotation in Apache:

CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/access.log 86400" common

This configuration rotates the access log file every 24 hours.

CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/access.log 5M" common

This configuration rotates the access log file whenever it reaches 5MB.

ErrorLog "|/usr/sbin/rotatelogs /var/log/apache2/error.log.%Y-%m-%d-%H_%M_%S 5M"

This configuration will rotate the error log file whenever it reaches 5MB, and add the suffix to the log file name in the form of error.log.YYYY-mm-dd-HH_MM_SS.

For more information on rotatelogs refer to http://httpd.apache.org/docs/2.2/programs/rotatelogs.html

cronolog

cronolog is a similar but more flexible log rotation program. It rotates log files according to a filename template and the current date and time.

To install cronolog:

$ apt-get install cronolog

The configuration below rotates the log files on a daily basis:

CustomLog "|/usr/bin/cronolog /var/log/apache2/access.log.%Y-%m-%d"
ErrorLog  "|/usr/bin/cronolog /var/log/apache2/errors.log.%Y-%m-%d"

To rotate the log file on a monthly basis the configuration would be:

CustomLog "|/usr/bin/cronolog /var/log/apache2/access.log.%Y-%m"

For more information on cronolog refer to http://cronolog.org/

Integrating Tomcat and Apache Using Proxy


The easiest way to integrate Tomcat and Apache is to run Tomcat behind Apache, with Apache acting as a proxy server.

Enable the proxy module for Apache.

$ a2enmod proxy
$ a2enmod proxy_http
(To allow Apache to forward to Tomcat HTTP Connector)

Include the following in the Apache configuration file:

ServerName tomcat.example.com
ProxyPass / http://localhost:8080/
ProxyPassReverse  /  http://localhost:8080/

The above example tells Apache to forward URLs from http://tomcat.example.com/* to Tomcat’s Http Connector which is setup to be listening on port 8080 and assumes that you have setup a virtual host in Tomcat for tomcat.example.com.

When you are running behind a proxy server, you will sometimes prefer to manage the values returned by:

  • ServletRequest.getServerName(): Returns the host name of the server to which the request was sent.
  • ServletRequest.getServerPort(): Returns the port number of the server to which the request was sent.

In general, you may want the port number to reflect that specified in the original request, not the one on which the HTTP Connector itself is listening. You can use the proxyName and proxyPort attributes on the <Connector> element to configure these values.

In server.xml you can uncomment a line similar to the one below if you want to keep the default HTTP Connector listening on 8080 as well.

<Connector port="8082"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" acceptCount="100" connectionTimeout="20000"
           proxyName="www.mycompany.com"
           proxyPort="80" disableUploadTimeout="true" />

After you have restarted Tomcat, ServletRequest.getServerName(), and ServletRequest.getServerPort() will return www.mycompany.com and 80 respectively.

Using the AJP Connector

AJP is an optimized, binary variant of the HTTP protocol that allows a web server such as Apache to talk to Tomcat. When integrating Tomcat with Apache, the AJP connector provides better performance than proxied HTTP.

Enable the AJP proxy module in Apache:

$ a2enmod proxy_ajp

In the Apache configuration file add the following:

ProxyPass / ajp://localhost:8009/
ProxyPassReverse  /  ajp://localhost:8009/

The default port used by the AJP connector in Tomcat is 8009, and it can be enabled with the following line inside the server.xml file. Because the AJP connector trusts the web server in front of it, it should only be reachable by the local Apache, for example by adding address="127.0.0.1" to the Connector or by firewalling the port.

<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
