Last modified by jhurst on 2024/04/02 14:25
Hide last authors
jhurst 1.1 1
2 {{ddtoc/}}
3
4 = Apache HTTPD / Tomcat Connector: AJP =
5
6 == Requirements ==
7
8 * Install apache httpd
9 * Check that the **proxy** and **proxy_ajp** modules are active (see 1.2)
10
11 == Loading a module in apache httpd ==
12
13 === Windows ===
14
15 1. Check that the file corresponding to the module exists and can be found in the **<install_apache>/modules** folder.
16 For instance for the module proxy_ajp the file would be : mod_proxy_ajp.so. If the file does not exist, find a version of httpd that distributes the required module.
17 1. Load the module in the **<install_apache>/conf/httpd.conf** file using:
18 LoadModule nom_du_module modules/fichier_du_module
19 Example: LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
20
21 === Linux ===
22
23 Use the command: a2enmod nom_du_module
24 Example: a2enmod proxy_ajp
25 If this command fails or does not exist, follow the same steps as for Windows.
26
27 == Configuring routing between apache httpd and tomcat ==
28
29 === Apache Tomcat ===
30
31 Check that the following connector exists and is not commented in the **<install_tomcat>/conf/server.xml** configuration file:
32
33 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
34
35 For your information:
36
37 * The redirectPort is used for requests using a security constraint requiring an SSL transport.
38 * Don’t forget to restart Tomcat after modifying the server.xml file.00
39
40 === Apache HTTPD ===
41
42 In the virtual host file, add the **ProxyPass** directive so that httpd can connect to Tomcat’s AJP connector:
43
44 {{{<VirtualHost *:80>
45 ServerAdmin support@digdash.com
46 ServerName monserveur.digdash.com
47
48 DocumentRoot /var/www
49 ProxyPass / ajp://montomcat.digdash.com:8009/
50 <Directory />
51 Options FollowSymLinks
52 AllowOverride None
53 </Directory>
54 <Directory /var/www>
55 Options Indexes FollowSymLinks MultiViews
56 AllowOverride None
57 Require all granted
58 </Directory>
59
60 ErrorLog logs/error_apache.log
61 LogLevel warn
62 CustomLog logs/access_apache.log combined
63 </VirtualHost>}}}
64
65 (% class="box warningmessage" %)
66 (((
67 Don’t forget to restart Apache httpd after modifying the configuration.
68 )))
69
70 ==== Timeout ====
71
72 It may be necessary to specify a greater timeout value than the default for the AJP connector.
73
74 Some tasks in DigDash Enterprise take over a minute to complete (exports, builders, save/backup…) and could be interrupted by Apache httpd, which in turn would return a HTTP 500 error to the client.
75
76 To change this value you can add the **timeout=<seconds>** parameter to the ProxyPass directive, for example:
77
78 ProxyPass / ajp:~/~/montomcat.digdash.com:8009/ timeout=300
79
80 == Alternative : Configuring routing between apache httpd and tomcat while changing the folder name ==
81
82 === Objective ===
83
84 Connecting to a URL that uses a different parent folder.
85 In this example we will use a folder named: **security_domain1/** and connect to the home page with this URL: http:~/~/machine/security_domain1/adminconsole.
86
87 === Apache Tomcat ===
88
89 Same configuration as [[Configuring routing between apache httpd and tomcat>>path:#tomcat-conf]].
90
91 === Apache HTTPD ===
92
93 In the virtual host file, add the **ProxyPass**, **ProxyPassReverse** and
94 **ProxyPassReverseCookiePath** directives to Tomcat’s AJP connector:
95
96 {{{<VirtualHost *:80>
97 ServerAdmin support@digdash.com
98 ServerName srvapache
99 DocumentRoot /var/www
100 <Directory />
101 Options FollowSymLinks
102 AllowOverride None
103 </Directory>
104 <Directory /var/www/>
105 Options Indexes FollowSymLinks MultiViews
106 AllowOverride None
107 Require all granted
108 </Directory>
109 ProxyPass "/domaine_securite1" "ajp://srvtomcat:8009"
110 ProxyPassReverseCookiePath "/" "/domaine_securite1"
111 ProxyPassReverse "/domaine_securite1" "http://srvapache"
112 ErrorLog logs/error_apache.log
113 LogLevel warn
114 CustomLog logs/access_apache.log combined
115 </VirtualHost>}}}
116
117 = Enabling https (SSL) =
118
119 == Requirements ==
120
121 * A valid certificate for the network or a certificate approved by a trusted third party (CA). (ex: Comodo, Globalsign, Thawte, Verisign…)
122 * A version of Apache httpd that contains the latest security patches concerning ssl.
123 * Enabling the **mod_ssl** ssl module. (see [[Loading a module in apache httpd>>path:#module]])
124 * Understanding the configurations made in [[Apache HTTPD / Tomcat connector: AJP>>path:#main]]
125
126 == Configuration ==
127
128 A **Listen** directive must be added for httpd to listen on port 443:
129 **<install_apache>/conf/httpd.conf** :
130 Listen 443
131
132 The port used in the **VirtualHost** must then be changed, ssl must be activated and the certificates and private key must be configured:
133
134 {{{<VirtualHost *:443>
135 ServerAdmin support@digdash.com
136 ServerName monserveur.digdash.com
137 SSLEngine on
138 SSLCertificateKeyFile /etc/ssl/maclef.key
139 SSLCertificateFile /etc/ssl/moncertif.crt
140 SSLCertificateChainFile /etc/ssl/certif.ca-bundle
141 DocumentRoot /var/www
142 ProxyPass / ajp://montomcat.digdash.com:8009/
143 <Directory />
144 Options FollowSymLinks
145 AllowOverride None
146 </Directory>
147 <Directory /var/www/>
148 Options Indexes FollowSymLinks MultiViews
149 AllowOverride None
150 Require all granted
151 </Directory>
152 ErrorLog logs/error_apache.log
153 LogLevel warn
154 CustomLog logs/access_apache.log combined
155 </VirtualHost>}}}
156
157 === SSLPassphraseDialog ===
158
159 If your private key is encrypted, you will need to type in your password when httpd starts up or use the [[SSLPassPhraseDialog>>url:https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog]] directive.
160
161 **Warning**: This directive is not supported on Windows. You will need to remove it from the configuration file and replace your encrypted private key with an unencrypted one. To replace the key, you can simply decrypt your existing encrypted key and save the unencrypted key to a file (with openssl rsa -in encrypted_key -out unencrypted_key for example).
162
163 To use this directive without having to type your password, you must create a script file that displays the required password (on stdout). For example:
164
165 **password.sh** :
166
167 {{{#!/bin/bash
168 echo password}}}
169
170 **httpd.conf** :
171
172 {{{<IfModule ssl_module>
173 SSLPassPhraseDialog "exec:/path/to/password.sh"
174 </IfModule>}}}
175
176 = Load balancing =
177
178 Each user session is linked to a signle Tomcat server (sticky session). If a Tomcat server fails, the user will have to reauthenticate on the server to which the session has been reassociated (if SSO is enabled, this happens automatically).
179
180 == Requirements ==
181
182 * Enabling the **proxy_balancer** module. (see [[Loading a module in apache httpd>>path:#module]])
183 * Understanding the configurations made in [[Apache HTTPD / Tomcat connector : AJP>>path:#main]]
184
185 == Configuration ==
186
187 === Apache Tomcat ===
188
189 In the **<install_tomcat>/conf/server.xml** configuration file, check that the AJP connector exists (add it if it doesn’t):
190 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
191
192 Check that the **Engine** tag has a **jvmRoute** attribute with a unique identifier on each target machine:
193 <Engine name="Catalina" defaultHost="localhost" jvmRoute="m1">
194
195 === Apache HTTPD ===
196
197 In the virtual host file:
198
199 {{{<VirtualHost lap-sus:80>
200 ServerAdmin support@digdash.com
201 DocumentRoot "C:/htdocs"
202 ServerName monserveur.digdash.com
203
204 <Proxy balancer://monserveur.digdash.com>
205 BalancerMember ajp://montomcat1.digdash.com:8009 route=m1
206 BalancerMember ajp://montomcat2.digdash.com:8009 route=m2
207 ProxySet stickysession=JSESSIONID
208 </Proxy>
209
210 ProxyPass / "balancer://monserveur.digdash.com/" stickysession=JSESSIONID
211 scolonpathdelim=On
212 <Directory />
213 Options FollowSymLinks
214 AllowOverride None
215 Require all granted
216 ProxyPassReverse balancer://monserveur.digdash.com/
217 </Directory>
218
219 ErrorLog logs/error_apache.log
220 LogLevel warn
221 CustomLog logs/acces_apache.log combined
222 </VirtualHost>}}}
223
224
225