Solved

2-way SSL authentication Directory for JkMount

Posted on 2008-10-28
Last Modified: 2012-05-05
I have 2-way SSL set up to protect access to a FastCGI server on /backchannel. That works nicely.

Everything else is handled by an application on JBoss called x-view, which is connected to mod_jk. That works nicely, but I haven't figured out how to set up a directory for it to get 2-way SSL authentication to apply to that too.

I tried <Directory /> with the same directives as <Directory /home/rob/devt/x/broker/etc> below, but they didn't get applied to the JBoss application.
<VirtualHost *:443>
 
    ServerName x.y.com
 
    # The x-reverse-sock is relative to FastCgiIpcDir
    FastCgiExternalServer /home/rob/devt/x/broker/etc/broker.conf \
        -socket broker/x-reverse-sock -appConnTimeout 3 \
        -idle-timeout 3
 
    # The client uses /backchannel as its path
    Alias /backchannel /home/rob/devt/x/broker/etc/broker.conf
 
    # SSL settings for this virtual host  use the certificate signed by
    # x's CA. The client's certificate is also expected to be signed
    # by the same CA.
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/certs/x.y.com.pem
    SSLCertificateKeyFile /etc/httpd/certs/x.y.com-nopassphrase.pem
    SSLCACertificateFile /home/rob/src/cert/CA/ca-bundle-test-only.pem
 
    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    #LogLevel debug
 
    # Protect access to the Broker
    <Directory /home/rob/devt/x/broker/etc>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "My Authentication for X"
        AuthType Basic
        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd
        Require valid-user
    </Directory>
 
    RewriteEngine on
    RewriteRule  ^/$ /x-view/  [R]
    JkMount /x-view/* ajp13
 
</VirtualHost>

Question by:rstaveley

Accepted Solution

by:
caterham_www earned 500 total points
ID: 22829752
/home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right? You may try <Location>. But the problem is Apache does not map anything to the filesystem, that's done by the mounted application.
    <Location />
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "My Authentication for X"
        AuthType Basic
        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd
        Require valid-user
    </Location>

0
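
A static check for the situation in this thread, as an added example (not code from the original posts): it lists JkMount URL patterns that no <Location> section with SSLVerifyClient require covers, ignoring <Directory> sections because requests handed to mod_jk are never mapped to the filesystem. It assumes plain <Location> prefix sections only (no LocationMatch, no more specific section overriding the setting); the function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed input: the relevant lines of the vhost from the question.
VHOST_BEFORE = """\
Alias /backchannel /home/rob/devt/x/broker/etc/broker.conf
<Directory /home/rob/devt/x/broker/etc>
    SSLVerifyClient require
</Directory>
JkMount /x-view/* ajp13
"""
# The same vhost with the <Location /> section from the accepted answer added.
VHOST_AFTER = VHOST_BEFORE + """\
<Location />
    SSLVerifyClient require
</Location>
"""

OPEN = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Directory|Location)>', re.I)

def parse(conf):
    """Return (JkMount URL patterns, <Location> paths requiring a client cert)."""
    mounts, protected, current = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2).strip())
        elif CLOSE.match(line):
            current = None
        elif line.lower().startswith("jkmount "):
            mounts.append(line.split()[1])
        elif current and current[0] == "location" and line.lower().split() == ["sslverifyclient", "require"]:
            protected.append(current[1])
    return mounts, protected

def uncovered_jk_mounts(conf):
    """JkMount patterns no protected <Location> covers; <Directory> never counts."""
    mounts, protected = parse(conf)
    def covered(pattern):
        url = pattern.split("*")[0]  # URL prefix handed to mod_jk
        return any(url == p or url.startswith(p.rstrip("/") + "/") for p in protected)
    return [m for m in mounts if not covered(m)]

if __name__ == "__main__":
    print(uncovered_jk_mounts(VHOST_BEFORE), uncovered_jk_mounts(VHOST_AFTER))
```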
 

Author Comment

by:rstaveley
ID: 22829998
> /home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right?

No, /home/rob/devt/x/broker/etc/broker.conf is the FastCGI application, accessed via the alias '/backchannel'. The UNIX domain socket deals with that - not mod_jk. That bit is OK and is being protected by the FakeBasicAuth. It is the "everything else" that gets passed to JBoss via mod_jk that isn't being protected by FakeBasicAuth.

For the "everything else", I tried an additional <Directory /> section, but will have a go with your suggested <Location /> as soon as I can get write permissions to the conf file. I must say that I wasn't aware of the existence of the Location directive, and I can see that with rewriting and JkMount, Apache won't map anything to the file system and your suggestion sounds like a winner.

Many thanks! I'll award points now and raise another question, if needs be.
0
 

Author Closing Comment

by:rstaveley
ID: 31510847
I really appreciate the knowledge in that response.
0
