2-way SSL authentication Directory for JkMount

I have 2-way SSL set up to protect access to a FastCGI server on /backchannel. That works nicely.

Everything else is handled by an application on JBoss called x-view, which is connected to mod_jk. That works nicely, but I haven't figured up how to set up a directory for it to get 2-way SSL authentication apply to that too.

I tried <Directory /> with the same directives as <Directory /home/rob/devt/x/broker/etc> below, but they didn't get applied to the  JBoss application.
<VirtualHost *:443>
 
    ServerName x.y.com
 
    # The x-reverse-sock is relative to FastCgiIpcDir
    FastCgiExternalServer /home/rob/devt/x/broker/etc/broker.conf \
        -socket broker/x-reverse-sock -appConnTimeout 3 \
        -idle-timeout 3
 
    # The client uses /backchannel as its path
    Alias /backchannel /home/rob/devt/x/broker/etc/broker.conf
 
    # SSL settings for this virtual host  use the certificate signed by
    # x's CA. The client's certificate is also expected to be signed
    # by the same CA.
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/certs/x.y.com.pem
    SSLCertificateKeyFile /etc/httpd/certs/x.y.com-nopassphrase.pem
    SSLCACertificateFile /home/rob/src/cert/CA/ca-bundle-test-only.pem
 
    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    #LogLevel debug
 
    # Protect access to the Broker
    <Directory /home/rob/devt/x/broker/etc>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "My Authentication for X"
        AuthType Basic
        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd
        Require valid-user
    </Directory>
 
    RewriteEngine on
    RewriteRule  ^/$ /x-view/  [R]
    JkMount /x-view/* ajp13
 
</VirtualHost>

Open in new window

LVL 17
rstaveleyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

caterham_wwwCommented:
/home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right? You may try <location>. But the problem is apache does not map anything to the filesystem, that's done by the mounted application.
    <Location />
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "My Authentication for X"
        AuthType Basic
        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd
        Require valid-user
    </Location>

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rstaveleyAuthor Commented:
> /home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right?

No, /home/rob/devt/x/broker/etc/broker.conf is the FastCGI application, accessed via the alias '/backchannel'. The UNIC domain socket deals with that - not mod_jk. That bit is OK and is being protected by the FakeBasicAuth. It is the "everything else" that gets passed to JBoss via mod_jk that isn't being protected by FakeBasicAuth.

For the "everything else", I tried an additional <Directory /> section, but will have a go with your suggested <Location /> as soon as I can get write permissions to the conf file. I must say that I wasn't aware of the existence of the Location directive, and I can see that with rewriting and JkMount, Apache won't map anything to the file system and your suggestion sounds like a winner.

Many thanks! I'll award points now and raise another question, if needs be.
0
rstaveleyAuthor Commented:
I really appreciate the knowledge in that response.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.