Posted to users@tomcat.apache.org by Marx <ma...@wasko.pl> on 2006/11/16 13:31:13 UTC
Tomcat5,Apache2,mod_ssl and mod_jk
Hello
I configured Tomcat5,Apache2,mod_ssl and mod_jk.
I use certification, but I want some directories not to require a
certificate.
Choosing which directories need a certificate is configured via
# Default: no client certificate needed anywhere.
<Directory "/">
SSLVerifyClient none
</Directory>
# Only this subtree requires a client certificate (chain depth up to 2).
<Directory "/usr/local/tomcat/webapps/xxx/yyy">
SSLVerifyClient require
SSLVerifyDepth 2
</Directory>
It works ok with Apache (without a certificate I can't access the yyy
directory). However, if I enable the ajp13 connector like this:
JkMount /xxx/*.jsp ajp13
it works only with non-JSP files (served by Apache in this example) - I
can access JSP files in the yyy directory without a certificate (I shouldn't).
So the directive 'SSLVerifyClient require' doesn't work together with the
connector - I can read every file served via the connector without a certificate.
One more thing - if I enable the certificate requirement globally, it
works globally (can't access anything, even JSP files, without a
certificate), and whatever directive I write I can't unblock some
directories so that they don't need a certificate.
Last word - such a configuration worked with Apache 1.3, Tomcat 4, mod_ssl
and mod_jk.
Marx
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat5,Apache2,mod_ssl and mod_jk
Posted by Rainer Jung <ra...@kippdata.de>.
Hi Marx,
I didn't go into the details, but I find it normal that Directory
directives don't apply to mod_jk. The module simply forwards URLs and
not requests mapped to a file system. So using it together with Location
seems natural to me (and you can argue whether this is more secure or less
than using Directory).
You could block access via Apache using Directory, to be on the safe
side if you misconfigured mod_jk forwarding, and additionally configure
Location-based access control for the case of mod_jk forwards.
Regards,
Rainer
Marx wrote:
> One more information, everything works ok if I use directive <Location>,
> but I want to be more secure and I want to use <Directory>
> Marx
Re: Tomcat5,Apache2,mod_ssl and mod_jk
Posted by Marx <ma...@wasko.pl>.
Apache 1.3 gets the request and maps it to the local file system, and when a <Directory>
with "require" is hit, it denies access and will not even try to
forward to mod_jk.
In Apache 2.0 it first tries to forward using mod_jk, and then, if no
JkMount fits, it checks <Directory>.
In both situations it first checks <Location>, so <Location> always works.
So something has changed between Apache 1.3 and 2.0 so that it works in a
different order. Maybe it's logical, but I didn't find any word about it
in the migration docs.
Would it be better to use mod_proxy_ajp instead of mod_jk?
The documentation on the Apache page for mod_proxy_ajp is not too good; for
example, I know I need mod_proxy together with mod_proxy_ajp, however
mod_proxy is strictly HTTP, which I don't want to have (I would need to secure its port).
I would like to have only a connector with the ajp13 protocol, which seems
rather safe.
Marx
Re: Tomcat5,Apache2,mod_ssl and mod_jk
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Marx,
Marx wrote:
> One more information, everything works ok if I use directive <Location>,
> but I want to be more secure and I want to use <Directory>
> Marx
This isn't going to work for you. You can't rely on Apache httpd's
<Directory> protections to protect directories that Tomcat is reading.
Since Tomcat is intercepting the request, Apache httpd cannot check the
directory where the JSP is being loaded from, etc.
You have two choices: either use <Location> from within Apache httpd, or
implement cert-based authorization in Tomcat for those URLs you want to
protect.
- -chris
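The configuration below is an added example (not from any of the posters) that puts together what Rainer and Chris both recommend: the client-certificate check for the mod_jk-forwarded path is expressed as a <Location> (matched on the URL, which is all mod_jk ever sees), and the <Directory> block from the original post is kept as a second layer for any file httpd serves itself from that tree. The /xxx/yyy path and the Tomcat webapps directory come from the original post; the virtual host name, the certificate file paths and the workers file location are assumptions.

```apache
# Added example: certificate enforcement for a URL path that mod_jk
# forwards to Tomcat. File names and host name are placeholders.

JkWorkersFile /etc/apache2/workers.properties   # assumed location

<VirtualHost _default_:443>
    ServerName www.example.com                   # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt   # placeholder
    SSLCertificateKeyFile /etc/apache2/ssl/server.key   # placeholder
    # CA that issued the client certificates we accept
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt  # placeholder

    # Default: no client certificate needed anywhere.
    SSLVerifyClient none

    # Forward JSPs under /xxx to Tomcat over AJP13.
    JkMount /xxx/*.jsp ajp13

    # mod_jk matches on the request URL, not on a file system path, so the
    # certificate requirement for forwarded requests must be a <Location>.
    # mod_ssl evaluates it in the access phase, before mod_jk's handler runs.
    <Location /xxx/yyy>
        SSLVerifyClient require
        SSLVerifyDepth 2
        # Export the verified client certificate into the environment so
        # mod_jk passes it to Tomcat (mod_jk reads SSL_CLIENT_CERT by
        # default). Tomcat can then do its own CLIENT-CERT authorization.
        SSLOptions +StdEnvVars +ExportCertData
    </Location>

    # Belt and braces: anything httpd serves itself from that directory
    # still needs a certificate, even if the JkMount is later removed or
    # misconfigured so that the request is no longer forwarded.
    <Directory "/usr/local/tomcat/webapps/xxx/yyy">
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Directory>
</VirtualHost>
```

The <Location> is what actually protects the JSPs: because per-location SSLVerifyClient triggers a renegotiation in mod_ssl's access check, a request for /xxx/yyy/page.jsp without a valid client certificate is rejected by httpd before mod_jk forwards anything. The <Directory> block never fires for forwarded requests, which is exactly the behaviour Marx observed; it only covers the static files httpd reads from disk. If the certificate must also be honoured inside Tomcat (Chris's second option), the exported SSL_CLIENT_CERT variable is what a CLIENT-CERT security constraint in the webapp would consume; that Tomcat-side configuration is not shown here.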
Re: Tomcat5,Apache2,mod_ssl and mod_jk
Posted by Marx <ma...@wasko.pl>.
One more information, everything works ok if I use directive <Location>,
but I want to be more secure and I want to use <Directory>
Marx