Solved

2-way SSL authentication Directory for JkMount

Posted on 2008-10-28
3
809 Views
Last Modified: 2012-05-05
I have 2-way SSL set up to protect access to a FastCGI server on /backchannel. That works nicely.

Everything else is handled by an application on JBoss called x-view, which is connected to mod_jk. That works nicely, but I haven't figured up how to set up a directory for it to get 2-way SSL authentication apply to that too.

I tried <Directory /> with the same directives as <Directory /home/rob/devt/x/broker/etc> below, but they didn't get applied to the  JBoss application.
<VirtualHost *:443>
 
    ServerName x.y.com
 
    # The x-reverse-sock is relative to FastCgiIpcDir
    FastCgiExternalServer /home/rob/devt/x/broker/etc/broker.conf \
        -socket broker/x-reverse-sock -appConnTimeout 3 \
        -idle-timeout 3
 
    # The client uses /backchannel as its path
    Alias /backchannel /home/rob/devt/x/broker/etc/broker.conf
 
    # SSL settings for this virtual host  use the certificate signed by
    # x's CA. The client's certificate is also expected to be signed
    # by the same CA.
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/certs/x.y.com.pem
    SSLCertificateKeyFile /etc/httpd/certs/x.y.com-nopassphrase.pem
    SSLCACertificateFile /home/rob/src/cert/CA/ca-bundle-test-only.pem
 
    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    #LogLevel debug
 
    # Protect access to the Broker
    <Directory /home/rob/devt/x/broker/etc>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "My Authentication for X"
        AuthType Basic
        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd
        Require valid-user
    </Directory>
 
    RewriteEngine on
    RewriteRule  ^/$ /x-view/  [R]
    JkMount /x-view/* ajp13
 
</VirtualHost>

Open in new window

0
Comment
Question by:rstaveley
  • 2
3 Comments
 
LVL 27

Accepted Solution

by:
caterham_www earned 500 total points
ID: 22829752
/home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right? You may try <location>. But the problem is apache does not map anything to the filesystem, that's done by the mounted application.
    <Location />
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "My Authentication for X"
        AuthType Basic
        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd
        Require valid-user
    </Location>

Open in new window

0
 
LVL 17

Author Comment

by:rstaveley
ID: 22829998
> /home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right?

No, /home/rob/devt/x/broker/etc/broker.conf is the FastCGI application, accessed via the alias '/backchannel'. The UNIC domain socket deals with that - not mod_jk. That bit is OK and is being protected by the FakeBasicAuth. It is the "everything else" that gets passed to JBoss via mod_jk that isn't being protected by FakeBasicAuth.

For the "everything else", I tried an additional <Directory /> section, but will have a go with your suggested <Location /> as soon as I can get write permissions to the conf file. I must say that I wasn't aware of the existence of the Location directive, and I can see that with rewriting and JkMount, Apache won't map anything to the file system and your suggestion sounds like a winner.

Many thanks! I'll award points now and raise another question, if needs be.
0
 
LVL 17

Author Closing Comment

by:rstaveley
ID: 31510847
I really appreciate the knowledge in that response.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As Wikipedia explains 'robots.txt' as -- the robot exclusion standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a websit…
It is possible to boost certain documents at query time in Solr. Query time boosting can be a powerful resource for finding the most relevant and "best" content. Of course the more information you index, the more fields you will be able to use for y…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question