Wiki source code of Configurer un serveur web apache
Last modified by Aurelie Bertrand on 2025/02/07 10:18
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
1.1 | 1 | {{ddtoc/}} |
| 2 | |||
| |
10.1 | 3 | = Apache HTTPD / Tomcat Connector: AJP = |
| |
1.1 | 4 | |
| |
10.1 | 5 | == Requirements == |
| |
1.1 | 6 | |
| |
10.1 | 7 | * Install apache httpd |
| 8 | * Check that the **proxy** and **proxy_ajp** modules are active (see 1.2) | ||
| |
1.1 | 9 | |
| |
10.1 | 10 | == Loading a module in apache httpd == |
| |
1.1 | 11 | |
| |
10.1 | 12 | === Windows === |
| |
1.1 | 13 | |
| |
10.1 | 14 | 1. Check that the file corresponding to the module exists and can be found in the **<install_apache>/modules** folder. |
| 15 | For instance for the module proxy_ajp the file would be : mod_proxy_ajp.so. If the file does not exist, find a version of httpd that distributes the required module. | ||
| 16 | 1. Load the module in the **<install_apache>/conf/httpd.conf** file using: | ||
| |
1.1 | 17 | LoadModule nom_du_module modules/fichier_du_module |
| |
10.1 | 18 | Example: LoadModule proxy_ajp_module modules/mod_proxy_ajp.so |
| |
1.1 | 19 | |
| |
10.1 | 20 | === Linux === |
| |
1.1 | 21 | |
| |
10.1 | 22 | Use the command: a2enmod nom_du_module |
| 23 | Example: | ||
| |
7.1 | 24 | |
| |
10.1 | 25 | {{code language="Shell" cssClass="notranslate"}} |
| |
7.1 | 26 | a2enmod proxy_ajp |
| 27 | {{/code}} | ||
| 28 | |||
| |
10.1 | 29 | If this command fails or does not exist, follow the same steps as for Windows. |
| |
1.1 | 30 | |
| |
10.1 | 31 | == Configuring routing between apache httpd and tomcat == |
| |
1.1 | 32 | |
| |
10.1 | 33 | === Apache Tomcat === |
| |
1.1 | 34 | |
| |
10.1 | 35 | Check that the following connector exists and is not commented in the **<install_tomcat>/conf/server.xml** configuration file: |
| |
1.1 | 36 | |
| |
10.1 | 37 | {{code language="XML" cssClass="notranslate"}} |
| 38 | <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> | ||
| |
1.1 | 39 | {{/code}} |
| 40 | |||
| |
10.1 | 41 | For your information: |
| |
1.1 | 42 | |
| |
10.1 | 43 | * The redirectPort is used for requests using a security constraint requiring an SSL transport. |
| 44 | * Don’t forget to restart Tomcat after modifying the server.xml file.00 | ||
| |
1.1 | 45 | |
| |
10.1 | 46 | === Apache HTTPD === |
| |
1.1 | 47 | |
| |
10.1 | 48 | In the virtual host file, add the **ProxyPass** directive so that httpd can connect to Tomcat’s AJP connector: |
| |
1.1 | 49 | |
| |
10.1 | 50 | {{code language="XML" cssClass="notranslate"}} |
| 51 | <VirtualHost *:80> | ||
| 52 | ServerAdmin support@digdash.com | ||
| 53 | ServerName monserveur.digdash.com | ||
| 54 | |||
| 55 | DocumentRoot /var/www | ||
| 56 | ProxyPass / ajp://montomcat.digdash.com:8009/ | ||
| 57 | <Directory /> | ||
| |
1.1 | 58 | Options FollowSymLinks |
| 59 | AllowOverride None | ||
| 60 | </Directory> | ||
| 61 | <Directory /var/www> | ||
| 62 | Options Indexes FollowSymLinks MultiViews | ||
| 63 | AllowOverride None | ||
| 64 | Require all granted | ||
| 65 | </Directory> | ||
| |
10.1 | 66 | |
| |
1.1 | 67 | ErrorLog logs/error_apache.log |
| 68 | LogLevel warn | ||
| 69 | CustomLog logs/access_apache.log combined | ||
| 70 | </VirtualHost> | ||
| |
4.1 | 71 | {{/code}} |
| |
1.1 | 72 | |
| 73 | (% class="box warningmessage" %) | ||
| 74 | ((( | ||
| |
10.1 | 75 | Don’t forget to restart Apache httpd after modifying the configuration. |
| |
1.1 | 76 | ))) |
| 77 | |||
| |
10.1 | 78 | ==== Timeout ==== |
| |
1.1 | 79 | |
| |
10.1 | 80 | It may be necessary to specify a greater timeout value than the default for the AJP connector. |
| |
1.1 | 81 | |
| |
10.1 | 82 | Some tasks in DigDash Enterprise take over a minute to complete (exports, builders, save/backup…) and could be interrupted by Apache httpd, which in turn would return a HTTP 500 error to the client. |
| |
1.1 | 83 | |
| |
10.1 | 84 | To change this value you can add the **timeout=<seconds>** parameter to the ProxyPass directive, for example: |
| |
1.1 | 85 | |
| |
10.1 | 86 | {{code language="properties" cssClass="notranslate"}} |
| |
7.1 | 87 | ProxyPass / ajp://montomcat.digdash.com:8009/ timeout=300 |
| 88 | {{/code}} | ||
| |
1.1 | 89 | |
| |
10.1 | 90 | == Alternative : Configuring routing between apache httpd and tomcat while changing the folder name == |
| |
1.1 | 91 | |
| |
10.1 | 92 | === Objective === |
| |
1.1 | 93 | |
| |
10.1 | 94 | Connecting to a URL that uses a different parent folder. |
| 95 | In this example we will use a folder named: **security_domain1/** and connect to the home page with this URL: http:~/~/machine/security_domain1/adminconsole. | ||
| |
1.1 | 96 | |
| |
10.1 | 97 | === Apache Tomcat === |
| |
1.1 | 98 | |
| |
10.1 | 99 | Same configuration as [[Configuring routing between apache httpd and tomcat>>path:#tomcat-conf]]. |
| |
1.1 | 100 | |
| |
10.1 | 101 | === Apache HTTPD === |
| |
1.1 | 102 | |
| |
10.1 | 103 | In the virtual host file, add the **ProxyPass**, **ProxyPassReverse** and |
| 104 | **ProxyPassReverseCookiePath** directives to Tomcat’s AJP connector: | ||
| |
1.1 | 105 | |
| |
10.1 | 106 | {{code language="XML" cssClass="notranslate"}} |
| |
1.1 | 107 | <VirtualHost *:80> |
| |
10.1 | 108 | ServerAdmin support@digdash.com |
| 109 | ServerName srvapache | ||
| 110 | DocumentRoot /var/www | ||
| 111 | <Directory /> | ||
| 112 | Options FollowSymLinks | ||
| 113 | AllowOverride None | ||
| 114 | </Directory> | ||
| 115 | <Directory /var/www/> | ||
| 116 | Options Indexes FollowSymLinks MultiViews | ||
| 117 | AllowOverride None | ||
| 118 | Require all granted | ||
| 119 | </Directory> | ||
| 120 | ProxyPass "/domaine_securite1" "ajp://srvtomcat:8009" | ||
| 121 | ProxyPassReverseCookiePath "/" "/domaine_securite1" | ||
| 122 | ProxyPassReverse "/domaine_securite1" "http://srvapache" | ||
| 123 | ErrorLog logs/error_apache.log | ||
| 124 | LogLevel warn | ||
| 125 | CustomLog logs/access_apache.log combined | ||
| |
1.1 | 126 | </VirtualHost> |
| |
4.1 | 127 | {{/code}} |
| |
1.1 | 128 | |
| |
10.1 | 129 | = Enabling https (SSL) = |
| |
1.1 | 130 | |
| |
10.1 | 131 | == Requirements == |
| |
1.1 | 132 | |
| |
10.1 | 133 | * A valid certificate for the network or a certificate approved by a trusted third party (CA). (ex: Comodo, Globalsign, Thawte, Verisign…) |
| 134 | * A version of Apache httpd that contains the latest security patches concerning ssl. | ||
| 135 | * Enabling the **mod_ssl** ssl module. (see [[Loading a module in apache httpd>>path:#module]]) | ||
| 136 | * Understanding the configurations made in [[Apache HTTPD / Tomcat connector: AJP>>path:#main]] | ||
| |
1.1 | 137 | |
| |
10.1 | 138 | == Configuration == |
| |
1.1 | 139 | |
| |
10.1 | 140 | A **Listen** directive must be added for httpd to listen on port 443: |
| |
1.1 | 141 | **<install_apache>/conf/httpd.conf** : |
| 142 | |||
| |
10.1 | 143 | {{code language="Shell" cssClass="notranslate"}} |
| |
7.1 | 144 | Listen 443 |
| 145 | {{/code}} | ||
| 146 | |||
| |
10.1 | 147 | The port used in the **VirtualHost** must then be changed, ssl must be activated and the certificates and private key must be configured: |
| |
1.1 | 148 | |
| |
10.1 | 149 | {{code language="XML" cssClass="notranslate"}} |
| |
1.1 | 150 | <VirtualHost *:443> |
| |
10.1 | 151 | ServerAdmin support@digdash.com |
| 152 | ServerName monserveur.digdash.com | ||
| 153 | SSLEngine on | ||
| 154 | SSLCertificateKeyFile /etc/ssl/maclef.key | ||
| 155 | SSLCertificateFile /etc/ssl/moncertif.crt | ||
| 156 | SSLCertificateChainFile /etc/ssl/certif.ca-bundle | ||
| 157 | DocumentRoot /var/www | ||
| 158 | ProxyPass / ajp://montomcat.digdash.com:8009/ | ||
| 159 | <Directory /> | ||
| 160 | Options FollowSymLinks | ||
| 161 | AllowOverride None | ||
| 162 | </Directory> | ||
| 163 | <Directory /var/www/> | ||
| 164 | Options Indexes FollowSymLinks MultiViews | ||
| 165 | AllowOverride None | ||
| 166 | Require all granted | ||
| 167 | </Directory> | ||
| 168 | ErrorLog logs/error_apache.log | ||
| 169 | LogLevel warn | ||
| 170 | CustomLog logs/access_apache.log combined | ||
| |
1.1 | 171 | </VirtualHost> |
| |
3.1 | 172 | {{/code}} |
| |
1.1 | 173 | |
| |
10.1 | 174 | === SSLPassphraseDialog === |
| |
1.1 | 175 | |
| |
10.1 | 176 | If your private key is encrypted, you will need to type in your password when httpd starts up or use the [[SSLPassPhraseDialog>>url:https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog]] directive. |
| |
1.1 | 177 | |
| 178 | (% class="box warningmessage" %) | ||
| 179 | ((( | ||
| |
10.1 | 180 | **Warning**: This directive is not supported on Windows. You will need to remove it from the configuration file and replace your encrypted private key with an unencrypted one. To replace the key, you can simply decrypt your existing encrypted key and save the unencrypted key to a file (with openssl rsa -in encrypted_key -out unencrypted_key for example). |
| |
1.1 | 181 | ))) |
| 182 | |||
| |
10.1 | 183 | To use this directive without having to type your password, you must create a script file that displays the required password (on stdout). For example: |
| |
1.1 | 184 | |
| |
10.1 | 185 | **password.sh** : |
| |
1.1 | 186 | |
| |
10.1 | 187 | {{code language="Shell" cssClass="notranslate"}} |
| |
1.1 | 188 | #!/bin/bash |
| |
10.1 | 189 | echo password |
| |
1.1 | 190 | {{/code}} |
| 191 | |||
| 192 | **httpd.conf** : | ||
| 193 | |||
| |
10.1 | 194 | {{code language="XML" cssClass="notranslate"}} |
| |
1.1 | 195 | <IfModule ssl_module> |
| |
10.1 | 196 | SSLPassPhraseDialog "exec:/path/to/password.sh" |
| |
1.1 | 197 | </IfModule> |
| 198 | {{/code}} | ||
| 199 | |||
| |
10.1 | 200 | = Load balancing = |
| |
1.1 | 201 | |
| |
10.1 | 202 | Each user session is linked to a signle Tomcat server (sticky session). If a Tomcat server fails, the user will have to reauthenticate on the server to which the session has been reassociated (if SSO is enabled, this happens automatically). |
| |
1.1 | 203 | |
| |
10.1 | 204 | == Requirements == |
| |
1.1 | 205 | |
| |
10.1 | 206 | * Enabling the **proxy_balancer** module. (see [[Loading a module in apache httpd>>path:#module]]) |
| 207 | * Understanding the configurations made in [[Apache HTTPD / Tomcat connector : AJP>>path:#main]] | ||
| |
1.1 | 208 | |
| |
10.1 | 209 | == Configuration == |
| |
1.1 | 210 | |
| |
10.1 | 211 | === Apache Tomcat === |
| |
1.1 | 212 | |
| |
10.1 | 213 | In the **<install_tomcat>/conf/server.xml** configuration file, check that the AJP connector exists (add it if it doesn’t): |
| |
6.1 | 214 | |
| |
10.1 | 215 | {{code language="XML" cssClass="notranslate"}} |
| 216 | <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> | ||
| |
5.1 | 217 | {{/code}} |
| |
1.1 | 218 | |
| |
10.1 | 219 | Check that the **Engine** tag has a **jvmRoute** attribute with a unique identifier on each target machine: |
| |
6.1 | 220 | |
| |
10.1 | 221 | {{code language="XML" cssClass="notranslate"}} |
| |
5.1 | 222 | <Engine name="Catalina" defaultHost="localhost" jvmRoute="m1"> |
| 223 | {{/code}} | ||
| |
1.1 | 224 | |
| |
10.1 | 225 | === Apache HTTPD === |
| |
1.1 | 226 | |
| |
10.1 | 227 | In the virtual host file: |
| |
1.1 | 228 | |
| |
10.1 | 229 | {{code language="XML" cssClass="notranslate"}} |
| |
1.1 | 230 | <VirtualHost lap-sus:80> |
| |
10.1 | 231 | ServerAdmin support@digdash.com |
| 232 | DocumentRoot "C:/htdocs" | ||
| 233 | ServerName monserveur.digdash.com | ||
| |
1.1 | 234 | |
| |
10.1 | 235 | <Proxy balancer://monserveur.digdash.com> |
| 236 | BalancerMember ajp://montomcat1.digdash.com:8009 route=m1 | ||
| 237 | BalancerMember ajp://montomcat2.digdash.com:8009 route=m2 | ||
| 238 | ProxySet stickysession=JSESSIONID | ||
| 239 | </Proxy> | ||
| |
1.1 | 240 | |
| |
10.1 | 241 | ProxyPass / "balancer://monserveur.digdash.com/" stickysession=JSESSIONID |
| 242 | scolonpathdelim=On | ||
| 243 | <Directory /> | ||
| 244 | Options FollowSymLinks | ||
| 245 | AllowOverride None | ||
| 246 | Require all granted | ||
| 247 | ProxyPassReverse balancer://monserveur.digdash.com/ | ||
| 248 | </Directory> | ||
| |
1.1 | 249 | |
| |
10.1 | 250 | ErrorLog logs/error_apache.log |
| 251 | LogLevel warn | ||
| 252 | CustomLog logs/acces_apache.log combined | ||
| |
1.1 | 253 | </VirtualHost> |
| |
1.2 | 254 | {{/code}} |
| |
7.2 | 255 | |
| |
10.1 | 256 | = Cookie SameSite: Integrating Digdash Enterprise in a portal = |
| |
7.2 | 257 | |
| |
10.1 | 258 | Starting from Chrome version 80, the cookies policy is more restrictive concerning the use of cookies from other sites in the same page. If A Digdash dashboard is inserted into an enterprise portal page (eg. in an IFRAME), you must configure the SameSite policy of the cookies to prevent Chrome from blocking the dashboard cookies. It can be done on the Apache configuration: |
| |
7.2 | 259 | |
| |
10.1 | 260 | 1. Activate headers module |
| 261 | {{code language="Shell" cssClass="notranslate"}}/etc/apache2/mods-enabled# ln -s ../mods-available/headers.load headers.load{{/code}} | ||
| 262 | 1. Configure SameSite cookie policy in /etc/apache2/apache2.conf (at the end) | ||
| 263 | {{code language="properties" cssClass="notranslate"}}Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None{{/code}} | ||
| |
7.2 | 264 | |
| |
10.1 | 265 | |
| |
7.2 | 266 |