
Setting up SSL on Apache October 28, 2010

Posted by maxmil in: Apache, Java, Security

Just had to set up SSL on an Apache that uses mod_proxy to forward requests to Tomcat.

So that I don't forget, here are the steps and commands I had to execute.

Create self signed certificate

1) Create private key

openssl genrsa -des3 -out server.key 1024

2) Create csr

openssl req -new -key server.key -out server.csr

NOTE: the CN should match the domain name the site is served on (a wildcard * may be used)

3) Remove passphrase from private key

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

4) Generate self signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

5) Copy key and certificate

cp server.crt /etc/ssl/certs/
cp server.key /etc/ssl/private/
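The five steps above collapse into one openssl invocation, and the result should be checked before it is copied into /etc/ssl. The script below is an added example, not part of the original post: it uses a 2048-bit key instead of 1024 (1024-bit RSA is no longer considered safe), -nodes so no passphrase has to be stripped afterwards, and a subjectAltName because modern clients ignore the CN for host matching. It assumes openssl 1.1.1 or later on PATH; the directory and host name are placeholders.

```shell
#!/bin/sh
# Added example (not the post's own commands): self-signed cert in one step,
# plus the checks worth running before installing the files.
# Assumes openssl >= 1.1.1 (for -addext); DIR and CN are caller-supplied.

# make_selfsigned_cert DIR CN: writes DIR/server.key and DIR/server.crt.
# umask 077 in a subshell so the unencrypted key is created 0600 without
# changing the caller's umask.
make_selfsigned_cert() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
          -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null )
}

# verify_key_matches_cert KEY CRT: 0 when the certificate was issued for
# this private key (a mismatched pair makes mod_ssl refuse to start).
verify_key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# cert_cn CRT: print the CN from the subject (works for old and new
# openssl subject formats: "subject= /CN=x" and "subject=CN = x").
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# key_mode FILE: permission string, e.g. -rw------- for a private key.
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Stand-alone run with a constructed host name.
d=$(mktemp -d)
make_selfsigned_cert "$d" test.domain1.org
verify_key_matches_cert "$d/server.key" "$d/server.crt" && echo "key and cert match"
echo "CN: $(cert_cn "$d/server.crt")  key mode: $(key_mode "$d/server.key")"
```

Copy the key only after key_mode reports -rw------- and the pair verifies; the default-ssl virtual host then points at the two files exactly as in the Apache steps below.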

Configure Apache

1) Make sure mod_ssl is loaded

a2enmod ssl

2) Set the certificate and key paths in the default SSL virtual host, /etc/apache2/sites-available/default-ssl:

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Configure Java

1) Connect to Apache in a browser via https to fetch the certificate, and confirm the security exception.

Note that if you already have an exception confirmed you can delete it (in Firefox: Edit > Preferences > Advanced > View Certificates > Servers).

2) Export the certificate (in Firefox: Edit > Preferences > Advanced > View Certificates > Authorities).

3) Navigate to the JVM security directory: /usr/lib/jvm/java-sun-x/jre/lib/security

4) Import:

keytool -import -alias servername -keystore cacerts -file /exported/server.pem

NOTE: The default password for the JDK cacerts keystore is "changeit"

Setting up developer permissions on apache February 26, 2010

Posted by maxmil in: Apache, Debian

I'm administering a small server that hosts various web sites on Apache. Each web site has a group of developers who update their site via ssh or sftp.

I needed to set up their permissions so that only the developers of each site and the Apache user (www-data) could modify that site's files.

Each site is in a different sub directory of /var/www.

Initially, for each site, I created a group, put the site's developers and the Apache user in this group, and gave the owner and group read and write permission on all the files.

This worked fine until a developer added files to a site: the new files were created with the developer's primary group, which meant the other developers could not edit them.

Since each developer can be working on more than one site, I could not just change the developer's primary group.

However, chmod g+s came to my rescue. Setting the setgid bit on each site's top-level directory forces all files created beneath it to be given the same group as that directory.

Great.

However, I still had a problem. The default umask for the developers connecting to the server was 022, which meant that even though the new files they created had the correct group, the group only had read access to them :(

With ssh connections, changing the default umask was easy: I could do it in /etc/profile for the whole system or in ~/.profile for each user.

However, when they connected via sftp this had no effect.

I think that the correct way to set up the default umask is using PAM, but after trying all sorts of configurations I couldn't get it to work.

In the end the solution was to modify the line in /etc/ssh/sshd_config that starts the sftp server:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp /opt/sftp-server-wrapper.sh

and create the wrapper script /opt/sftp-server-wrapper.sh:

#!/bin/sh
# Files created through sftp get group write permission (rw-rw-r--)
umask 0002
# Replace this shell with the real sftp server; it inherits the umask
exec /usr/lib/openssh/sftp-server

Don't forget to add execute permission to the wrapper script, otherwise sftp just fails silently!
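To see the two halves of the fix in isolation, here is an added example (not from the original post) that reproduces what the setgid bit and the wrapper's umask each do, using a scratch directory instead of /var/www. It assumes a POSIX userland with ls, mkdir, touch and chmod; the directory names are constructed.

```shell
#!/bin/sh
# Added example (not the post's own code): show the effect of the default
# umask 022 versus the wrapper's umask 0002, and of chmod g+s on a site dir.
# Assumes ls/mkdir/touch/chmod/awk; paths below are constructed scratch dirs.

# mode_of PATH: permission string, e.g. -rw-rw-r-- or drwxrwsr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# file_mode_under_umask UMASK: create a file under the given umask (in a
# subshell, so the caller's umask is untouched) and print its mode.
# 022 yields -rw-r--r-- (group read-only, the post's problem);
# 0002 yields -rw-rw-r-- (group writable, the wrapper's result).
file_mode_under_umask() {
    d=$(mktemp -d)
    ( umask "$1"; touch "$d/new.html" )
    mode_of "$d/new.html"
    rm -rf "$d"
}

# make_site_dir PATH: a site directory set up the way the post fixes it:
# group writable and setgid, so files created inside inherit its group.
make_site_dir() {
    mkdir -p "$1"
    chmod 2775 "$1"      # equivalent to chmod 775 followed by chmod g+s
}

# dir_is_setgid PATH: 0 when the group-execute slot of the mode shows 's'.
dir_is_setgid() {
    [ "$(mode_of "$1" | cut -c7)" = "s" ]
}

# group_of PATH: owning group of PATH (fourth field of ls -ld)
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# Stand-alone run on a constructed site directory.
site=$(mktemp -d)/site1
make_site_dir "$site"
touch "$site/index.html"
echo "umask 022  -> $(file_mode_under_umask 022)"
echo "umask 0002 -> $(file_mode_under_umask 0002)"
dir_is_setgid "$site" && echo "$site is setgid; group $(group_of "$site"), file group $(group_of "$site/index.html")"
```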

This works, but if anyone out there has a cleaner solution I would be very happy to hear it!

Apache mod_jk and tomcat with multiple virtual hosts November 22, 2008

Posted by maxmil in: Apache, tomcat, 14 comments

I recently had to configure a couple of different Tomcat web applications as virtual hosts, each with its own domain. Although in my case Tomcat serves all the content of these applications, I decided to use mod_jk to clean up the URLs and profit from Apache's load balancing.

I found plenty of articles on the web that explained how to install and configure mod_jk with Tomcat. However, they all mapped an Apache virtual host to a root Tomcat context. Since I had two different Tomcat contexts, this seemed to mean that I would have to install two Tomcat instances, which was not an ideal solution.

The answer to my dilemma was to define two separate hosts in Tomcat, each one with its own mod_jk worker and one webapp as its root context. This idea came from Grig Gheorghiu. Thanks Grig!

I thought it would be worth describing the steps I took in a post so that others might benefit.

So here goes... My environment is:

Debian Lenny, Apache 2.2, Tomcat 6.0.16.

http://test.domain1.org must map to webapp-domain1.war
http://test.domain2.org must map to webapp-domain2.war


Setting up apache web server and apache tomcat 5.5 with mod_jk October 22, 2007

Posted by maxmil in: Apache, Debian, tomcat

To use Tomcat for serving Java and the Apache web server for serving other content you can use mod_jk. Here's a brief recap of how I have just configured them under Debian.

1) Install both Tomcat and Apache.

2) Download the binary mod_jk.so (from http://tomcat.apache.org/download-connectors.cgi)

3) Copy the module to /usr/lib/apache2/modules/mod_jk.so

4) Create the file /etc/apache2/mods-available/jk.load containing:
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so

5) Create the file /etc/apache2/mods-available/jk.conf containing:
JkWorkersFile /etc/apache2/workers.properties
JkLogFile /var/log/apache2/mod_jk.log
JkLogLevel error

6) Create the file /etc/apache2/workers.properties containing:
# Tomcat and Java configuration #
worker.list=worker1
# Definition for local worker using AJP 1.3 #
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.cachesize=20

7) Create the virtual host in /etc/apache2/sites-available/myVirtualHost (Apache rejects a mix of plain and +/- prefixed Options, so FollowSymLinks is listed without the plus sign):
<VirtualHost 127.0.0.1:80>
ServerName max-p.sytec.tecfa.com
DocumentRoot /home/maxmil/project/tecfa-systec/webapp
ServerAdmin mpimm@tecfa.com
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/systec.log combined
Alias /edita "/home/maxmil/eclipse-tomcat/wtpwebapps/systec-edita"
<Directory "/home/maxmil/eclipse-tomcat/wtpwebapps/systec-edita">
Options Indexes FollowSymLinks
</Directory>
# Everything under /edita/ is handed to Tomcat through worker1
JkMount /edita/* worker1
# Never let Apache serve the webapp's WEB-INF (web.xml, classes, libs)
<Location "/edita/WEB-INF/">
deny from all
</Location>
</VirtualHost>

8) Enable the new modules and the site
cd /etc/apache2
ln -s mods-available/jk.load mods-enabled/jk.load
ln -s mods-available/jk.conf mods-enabled/jk.conf
ln -s sites-available/myVirtualHost sites-enabled/myVirtualHost

Install Apache Php Mysql on Windows February 15, 2007

Posted by maxmil in: Apache, MySql, php, 3 comments

Installation of Apache
1) Download and run the installer (apache_2.2.4-win32-x86-no_ssl.msi in my case)
2) It doesn't matter what you put as domain, server and admin email, as this is a private installation. I've put MyDomain, MyServer and admin@mydomain.com
3) After installation you should see the Apache service monitor in the system tray with a green arrow denoting that Apache is running. If you navigate to http://localhost in your browser you should see a page that says "It works!"
4) Notes: Apache may not be able to start if IIS is running or Skype is online, as both may use port 80.

Install PHP 5
5) Download the zip package from php.net (php-5.2.1-Win32.zip in my case). DO NOT DOWNLOAD THE INSTALLER.
6) Unzip to c:\php
7) Move (DON'T COPY) c:\php\php5ts.dll to c:\WINDOWS\php5ts.dll (an alternative would be to add c:\php to the PATH environment variable, but I haven't tried this).
8) Copy c:\php\php.ini.dist to c:\php\php.ini
9) Edit extension_dir = "./" in php.ini and replace it with extension_dir = "C:\php\ext\". This is necessary when PHP executes within Apache, since the relative path "./" is no longer valid.

Configure PHP with Apache
10) Open C:\Archivos de programa\Apache Software Foundation\Apache2.2\conf\httpd.conf
11) Edit the document root from "C:\Archivos de programa\Apache Software Foundation\Apache2.2\htdocs" to the doc root of your choice (2 instances to change).
12) Add the PHP CGI handler after "AddType application/x-gzip .gz .tgz":

	ScriptAlias /php/ "c:/php/"
	AddType application/x-httpd-php .php .php5
	Action application/x-httpd-php "/php/php-cgi.exe"
	SetEnv PHPRC "C:/php"

13) Grant Apache access to the PHP directory (I don't think it matters where you put this; I put it after the <IfModule mime_module> block that contains the lines above):

	# Add access to php directory
	<Directory "C:/php">
		Options ExecCGI Indexes FollowSymLinks 
		AllowOverride None 
		Order allow,deny 
		Allow from all
	</Directory>

14) Add the .php extension to the directory index module. Search for "IfModule dir_module" and add index.php after index.html. After editing it should look like this:

<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

15) Create index.php file in doc root of apache with the text
16) Stop Apache, then start it again (from the system tray; for some reason "Restart" is not working for me)
17) Go to http://localhost and you should see the usual phpinfo page.

Install MySQL
18) Download the MySQL community edition from the MySQL site (in my case it's mysql-5.0.27-win32.zip)
19) Extract Setup.exe and execute it
20) When prompted, you don't have to sign in/up
21) When prompted, accept "Configure the MySQL Server now"
22) Choose "Detailed Configuration"
23) Choose "Developer Machine"
24) Choose "Multifunctional Database"
25) Customize, if you want, where the InnoDB table space will be created (note: this is not the MySQL data dir. To relocate the data dir you must stop the server, copy all files except log files from the current data dir, delete the log files, update the datadir in my.ini and restart the server).
26) Choose Decision Support
27) Choose Enable TCP/IP Networking and accept port 3306
28) Choose best support for multilingualism (UTF8 character set)
29) Choose install as a Windows service. I have unchecked the "Launch the MySQL Server automatically" option because I prefer to start it only when I want to use it (the service can be started from the command line with "net start mysql"). I also check "Include Bin directory..." as I sometimes connect from the command line using the mysql client.
30) Choose your root password
31) Execute and finish
32) If
33) Test the installation by connecting (use your preferred method) and executing the query "select version();". You should get:

	+---------------------+
	| version()           |
	+---------------------+
	| 5.0.27-community-nt |
	+---------------------+
	1 row in set (0.02 sec)

Configure PHP with MySQL
34) Open c:\php\php.ini and uncomment the line: extension=php_mysqli.dll
35) Stop and start Apache
36) Create the file testMysql.php in your Apache document root with the text below (replace 'root_pswd' with your real root password):

<?php
// Connect to the local MySQL server as root (replace 'root_pswd' with your real password)
$mysqli = new mysqli('localhost', 'root', 'root_pswd');
if (mysqli_connect_errno()) {
	die('Connection failed: ' . mysqli_connect_error());
}
$result = $mysqli->query("SELECT version()");
// The column is named after the expression, so the array key is 'version()'
while ($row = $result->fetch_assoc()) {
	print $row['version()'];
}
$result->close();
$mysqli->close();
?>

37) Navigate to http://localhost/testMysql.php and you should see the text "5.0.27-community-nt" (or the equivalent if you have installed a different version of MySQL).

Set up virtual hosts in Apache
38) In httpd.conf, add a default virtual host so that your document root folder is not affected. At the end of httpd.conf add:

NameVirtualHost *:80

<VirtualHost *:80>
  ServerName localhost
  DocumentRoot "path/to/document/root"
</VirtualHost>

39) Add a declaration for each virtual host. This is a minimal example:

<VirtualHost *:80>
	ServerName  my-virtual-host
	DocumentRoot "path/to/my/virtual/host/doc/root"
	<Directory "path/to/my/virtual/host/doc/root">
		AllowOverride All
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>

40) In c:\WINDOWS\System32\drivers\etc\hosts, add your virtual host to the line that starts with 127.0.0.1:

127.0.0.1       localhost my-virtual-host

41) Restart Apache and navigate to http://my-virtual-host

Creating virtual server in Apache on Debian April 28, 2006

Posted by maxmil in: Apache

1) Add the new host name to /etc/hosts:
a) Edit /etc/hosts and add the host to the line beginning 127.0.0.1 localhost.localdomain …
b) Run hostname localhost.localdomain to update hosts

2) Create a new virtual host file in /etc/apache2/sites-available. Virtual Host ex.
3) Enable the new virtual host (pass the name of the file you created in sites-available):
a2ensite

4) Reload Apache:
/etc/init.d/apache2 reload

Note: To remove a host run a2dissite (and optionally delete its configuration from /etc/apache2/sites-available)

Updated Apache Module PHP4 to PHP5 on Debian Sarge April 25, 2006

Posted by maxmil in: Apache, Debian, MySql, php

I added these lines to my /etc/apt/sources.list:

# Use dotdeb.org for LAMP related packages not available in Sarge
deb http://dotdeb.pimpmylinux.org/ stable all
deb-src http://dotdeb.pimpmylinux.org/ stable all

and then executed:

$> apt-get update
$> apt-get install libapache2-mod-php5

Check out the article where I got this info: http://www.debian-administration.org/articles/357