To use .htaccess files, you need to enable it in the server configuration by specifying the directive AllowOverride AuthConfig, typically within the <Directory> section.
<Directory /opt/apache/htdocs>
AllowOverride AuthConfig
</Directory>

Create a password file, which should be placed somewhere not accessible from the web. For example if your documents are served in the directory /opt/apache/htdocs, you can put the password file in the /opt/apache/passwd directory. To create the file use the htpasswd command that came with Apache.

$ htpasswd -c /opt/apache/passwd/passwords myusername

Create an .htaccess file in the diretory you wish to protect. For example, if you wish to protect the directory /opt/apache/htdocs/protect:

$ cd /usr/local/apache/htdocs/protect/
$ nano .htaccess

Add the following lines inside the file:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /opt/apache/passwd/passwords
Require user myusername


• The AuthType directive determines the method that is used to authenticate the user. The most common method is Basic, however, it sends the password unencrypted.
• The AuthName directive sets the Realm to be used in the authentication. The realm is used by the browser to determine what password to send for a given authenticated area.
• The AuthUserFile directive sets the path to the password file that created with htpasswd.
• The Require directive provides the authorization part of the process by setting the user that is allowed to access the protected area. To allow anyone in that is listed in the password file use: Require valid-user

Once the .htaccess file has been saved, you have restricted access to the area you want to protect.

For more information: http://httpd.apache.org/docs/2.0/howto/auth.html

Related posts:

1. Apache for Ubuntu Quickstart Guide
2. Configuring Apache for SSL Support
3. Apache mod_proxy and Reverse Proxy

Managing Certificates

To have a working SSL implementation, the first step is to create a server certificate using the openssl command.

A public/private key pair must be generated before you can create a certificate request. Create the key with the following command line:

$ openssl genrsa -des3 -out server.key 1024

• genrsa indicates to generate a key pair
• des3 indicates the key protected by a pass phrase
• out indicates where to store the results
• 1024 indicates the number of bits of the generated key

This certificate will prompt Apache to ask for the passphrase at each startup. If you don’t want Apache to prompt you for a passphrase everytime you start or restart it, remove the “-des3” option.

To learn about the contents of the key file use the following command:

$ openssl rsa -noout -text -in server.key

To get a certificate issued by a CA, you must submit what is called a certificate signing request. To create a request, issue the following command:

$ openssl req -new -key server.key -out server.csr

You will be prompted to enter the certificate information, it’s important that the Common Name field entry matches the address of your website. If the name is different, a warning from the web browser indicating the mismatch will be issue to the user.

To learn about the contents of the certificate use the following command:

$ openssl req -noout -text -in server.csr

You can submit the certificate signing request file to a CA for processing, if it’s for board internet use. For example: VeriSign or Thawte. If the certificate is for development, testing or internal use, you can create a self-signed certificate.

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The default value is 30 days without the “-days” option.

Note: Your certificate private key should be only readable by the root user.

Configuring Apache for Ubuntu

Place the certificate and the certificate private key in the directory /etc/apache2/ssl.

Enable the ssl module for Apache

$ a2enmod ssl

Enable Apache to listen to the HTTPS default port 443 by adding the following line to the /etc/apache2/ports.conf

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

Inside the virtual host or httpd.conf configuration file add the lines similar to the following:

<VirtualHost _default_:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>

Redirecting HTTP traffic to HTTPS

If you want to force users to use HTTPS, you can redirect all HTTP traffic to the HTTPS site.

Enable URL rewrite support by executing the following command:

$ a2enmod rewrite

In the virtual host or httpd.conf configuration file add the following three lines under the <VirtualHost *:80> line:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Related posts:

1. Apache for Ubuntu Quickstart Guide
2. Integrating Tomcat and Apache with mod_jk Connector
3. Apache Log File Rotation

The mod_jk connector along with mod_proxy_ajp are the only recommend methods of Tomcat and Apache integration. mod_jk is still actively under development, and is very stable for production servers, as well it supports both Apache 1.3, and 2.x. Other past alternatives like mod_webapp, mod_jserv, mod_jk2 are not longer supported and are consider deprecated.

mod_jk Package Issue for Ubuntu

For Ubuntu 7.04 there is an error in the mod_jk package. It currently has two packages for mod_jk:

• libapache-mod-jk which depends on apache
• libapache2-mod-jk2 which depends on apache2

As mention previously, mod_jk2 is already deprecated and mod_jk works for both Apache 1.3, and 2.x.

To properly configure Tomcat and Apache to use mod_jk the connector must be manually, build and set up from the source.

Installing and Configuring mod_jk

Download and extract the latest connector from the Tomcat website http://tomcat.apache.org/download-connectors.cgi, then configure and build it:

$ cd tomcat-connectors-1.2.23-src/native
$ ./buildconf.sh
$ ./configure --with-apxs=/usr/bin/apxs2
$ make; make install

Verify the mod_jk.so module exist in the apache module directory /usr/lib/apache2/module.

Note: The programs are required to configure and build the connector: automake, autoconf, libtoolize, and apxs2. To obtain these programs install the following packages in Ubuntu: libtool, automake, and apache2-threaded-dev

libtool error when compiling

On some systems the 'make' command will fail with the following error:

libtool: compile: unable to infer tagged configuration
libtool: compile: specify a tag with `--tag'

This is due to libtool not using the correct gcc when compiling. A workaround would be to add the parameter '--tag CXX' inside the Makefile.

$ cd  tomcat-connectors-1.2.23-src/native/common
$ nano Makefile

Inside the Makefile the change line from:

LIBTOOL = /usr/share/apr-1.0/build/libtool --silent

to:

LIBTOOL = /usr/share/apr-1.0/build/libtool --silent --tag CXX

Creating the workers.properties

Create a workers.properties file in the Apache configuration directory and add the following lines to it.

$ nano /etc/apache2/workers.properties

# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
workers.tomcat_home=/usr/share/tomcat5.5
workers.java_home=/usr/lib/java-1.5.0-sun
ps=/
# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.default.port=8009
worker.default.host=localhost
worker.default.type=ajp13
worker.default.lbfactor=1

Configure Apache for mod_jk

Create the jk module configuration files for Apache

$ nano /etc/apache2/mods-available/jk.load

LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so

$ nano /etc/apache2/mods-available/jk.conf

<IfModule mod_jk.c>
    # Where to find workers.properties
    JkWorkersFile /etc/apache2/workers.properties

    # Where to put jk logs
    JkLogFile /var/log/apache2/mod_jk.log

    # Set the jk log level [debug/error/info]
    JkLogLevel info

    # Select the log format
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

    # JkOptions indicate to send SSL KEY SIZE,
    JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

    # JkRequestLogFormat set the request format
    JkRequestLogFormat "%w %V %T"

    # Globally deny access to the WEB-INF directory
    <LocationMatch '.*WEB-INF.*' >
         Order deny,allow
         Deny from all
    </LocationMatch>
</IfModule>

After creating the configuration files you can now enable the jk module for Apache

$ a2enmod jk

Sending JSP and Servlets through mod_jk

Inside the virtual host you can mount JSP and Servlet context to the worker define in the workers.properties file. For example to mount the JSP and Servlet examples from Tomcat add the following lines:

JkMount /jsp-examples/*.jsp worker1
JkMount /servlets-examples/servlet/* worker1

Apache DirectoryIndex

If your website uses index.jsp it must be download inside the DirectoryIndex of Apache. Modified the file /etc/apache2/mods-enabled/dir.conf and add index.jsp to the list.

Related posts:

1. Integrating Tomcat and Apache Using Proxy
2. Tomcat 5.5 for Ubuntu Quickstart Guide
3. Problem using MySQL JDBC on Tomcat 5.5 and Ubuntu 8.04

rotatelogs

The Apache HTTP Server includes a simple program called rotatelogs for log rotation. In Ubuntu this program can be found in /usr/sbin/rotatelogs.

The following is a simple configuration to setup log rotation in Apache:

CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/access.log 86400" common

This configuration rotates the access log file every 24 hours.

CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/access.log 5M" common

This configuration Rotates the access log file whenever it reaches 5MB.

ErrorLog "|/usr/sbin/rotatelogs /var/log/apache2/error.log.%Y-%m-%d-%H_%M_%S 5M"


This configuration will rotate the error log file whenever it reaches 5MB, and add the suffix to the log file name in the form of error.log.YYYY-mm-dd-HH_MM_SS.

For more information on rotatelogs refer to http://httpd.apache.org/docs/2.2/programs/rotatelogs.html

cronolog

Cronolog is a similar more flexible log rotation program. It rotates log files specify by the filename template and the current date and time.

To install cronolog:

$ apt-get install cronolog

The configuration below rotates the log files on a daily basis:

CustomLog "|/usr/bin/cronolog /var/log/apache2/access.log.%Y-%m-%d"
ErrorLog  "|/usr/bin/cronolog /var/log/apache2/errors.log.%Y-%m-%d"

To rotate the log file on a monthly basis the configuration would be:

CustomLog "|/usr/bin/cronolog /var/log/apache2/access.log.%Y-%m"

For more information on cronolog refer to http://cronolog.org/

Related posts:

1. Apache for Ubuntu Quickstart Guide
2. Integrating Tomcat and Apache with mod_jk Connector
3. Configuring Apache for SSL Support

Enable the proxy module for Apache.

$ a2enmod proxy
$ a2enmod proxy_http (To allow Apache to forward to Tomcat HTTP Connector)

Include the following in the Apache configuration file:

ServerName tomcat.example.com

ProxyPass / http://localhost:8080/
ProxyPassReverse  /  http://localhost:8080/

The above example tells Apache to forward URLs from http://tomcat.example.com/* to Tomcat’s Http Connector which is setup to be listening on port 8080 and assumes that you have setup a virtual host in Tomcat for tomcat.example.com.

When you are running behind a proxy server, you will sometimes prefer to manage the values returned by:

• ServletRequest.getServerName(): Returns the host name of the server to which the request was sent.
• ServletRequest.getServerPort(): Returns the host name of the server to which the request was sent.

In general, you may want the port number to reflect that specified in the original request, not the one on which the HTTP Connector itself is listening. You can use the proxyName and proxyPort attributes on the <Connector> element to configure these values.

In the server.xml you can uncomment the line similar to the one below, if you still want to keep the HTTP Connector to continue listening on 8080.

<Connector port="8082"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" acceptCount="100" connectionTimeout="20000"
proxyName="www.mycompany.com"
proxyPort="80" disableUploadTimeout="true" />

After you have restarted Tomcat, ServletRequest.getServerName(), and ServletRequest.getServerPort() will return www.mycompany.com and 80 respectively.

Using the AJP Connector

AJP is an optimized version of the HTTP protocol to allow a web server such as Apache talk to Tomcat. When integrating Tomcat with Apache, the AJP connector will provide faster performance than proxied HTTP.

Enable APJ proxy module in Apache:

$ a2enmod proxy_ajp

In the Apache configuration file add the following:

ProxyPass / ajp://localhost:8009/
ProxyPassReverse  /  ajp://localhost:8009/

The default port used by the AJP connector in Tomcat is 8009, and can be enable using the following line inside the server.xml file.

<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

Related posts:

1. Integrating Tomcat and Apache with mod_jk Connector
2. Tomcat 5.5 for Ubuntu Quickstart Guide
3. Apache mod_proxy and Reverse Proxy

Apache can be configured in both a forward and reverse proxy mode. Only reverse proxy will be discussed in this section.

A reverse proxy is a gateway for servers, and enables one web server to provide content from another transparently.

Note: A reverse proxy is activated using the ProxyPass directive. It is not necessary to turn ProxyRequests on in order to configure a reverse proxy.

Setting Up Reverse Proxy

Enable the mod_proxy module

$ a2enmod proxy

Enable the mod_proxy_http module if you are going to proxy to a http protocol

$ a2enmod proxy_http

Add the following to the /etc/apache2/httpd.conf or a virtual host site in /etc/apache2/sites-available:

ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

ProxyPreserveHost on
ProxyPass /foo http://foo.example.com/bar
ProxyPassReverse /foo http://foo.example.com/bar

For more information on mod_proxy refer to the Apache documentation at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Related posts:

1. Integrating Tomcat and Apache Using Proxy
2. Apache for Ubuntu Quickstart Guide
3. Configuring Apache for SSL Support

Installing Apache for Ubuntu

From the Ubuntu desktop:

1. Go to System > Administration > Synapatic Package Manager
2. Search for “apache2″ and “Mark for installation”
3. Click on the “Apply” to install

From the command line:

$ sudo apt-get install apache2

Apache Directories for Ubuntu

• /etc/apache2 This directory contains the Apache configuration files.
• /etc/init.d The startup script apache2 can be found in this directory. This script is used to start and stop the server. It also, automatically starts and stops the server when it’s halted, started, or rebooted.
• /var/www The default location for the web content.
• /usr/sbin The executable programs are placed in this directory. For example: apache2 the server executeable itself.
• /usr/bin Some of the utilities from Apache package are placed here. For example: htpasswd, used for generating authentication password files.

Configuration Files

The configuration files for Apache is under the directory /etc/apache2.

• apache2.conf This is the file which contains all the default configurations of the web server. Inside the configuration file it also loads configurations from: mods-enabled/*.load, mods-enabled/*.conf, httpd.conf, ports.conf, conf.d/, and sites-enabled/
• mods-available This directory contains all the configurations for all the available modules in Apache
• mods-enabled This directory contains all the configurations for the modules enable in Apache
• httpd.conf This file is original and should contain custom configuration specifically for your web server. e.g. ServerName
• ports.conf This file contains a list of all the ports the web server should be listening to.
• sites-available This directory should contain all the configurations for your websites being hosted on the webserver
• sites-enabled This directory should contains the configurations for your websites that you have enabled on the web server.

Starting and Stopping Apache

The /etc/init.d/apache2 script and the following options is use to control the web server:

• start Start the web server.
• stop Stops the web server.
• reload Reload the configuration files after modification.
• restart Convenient way to stop and then immediately start the web server.

Virtual Hosting

Virtual hosts enable you to run more than one host on the same IP address. To enable virtual host you can modified the httpd.conf file:

NameVirtualHost 192.168.100.1

<VirtualHost 192.168.100.1>
ServerName www.vincentkong.com
ServerAlias vincentkong.com


CustomLog /path/to/logfile/access.log combined
ErrorLog /path/to/logfile/error.log

DocumentRoot /path/to/website/
<Directory /path/to/website/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
allow from all
</Directory>
</VirtualHost>

Options Directives

Options directives determines what options are available for the directory configured in Apache.

Enabling/Disabling Multiple Sites

There are two commands which allows you to easily enable/disable multiple websites. For each website create a file in the /etc/apache2/sites-available directory (it’s perferable that the file name is the name of your site) e.g. vincentkong.com, and add in your virtual host settings.

To enable the website use the command:

$ a2ensite <site filename>

This command will create a symbolic link inside the /etc/apache2/sites-enabled directory to your file.

To disable the website use the command:

$ a2dissite <site filename>

Enabling/Disabling Modules

All the configuration files for the modules installed with Apache can be found in /etc/apache2/mods-available, the .load file are the settings to load the module, and the .conf are the default settings for the module.

To enable a module for Apache use the following command:

$ a2enmod or

$ a2enmod <module name> (if you already know the name of the module)

This command basically creates a symbolic link in the mods-enabled directory to the module configuration you specified.

To disable a module use the command:

$ a2dismod

Related posts:

1. Integrating Tomcat and Apache with mod_jk Connector
2. Configuring Apache for SSL Support
3. Tomcat 5.5 for Ubuntu Quickstart Guide