Solved

2-way SSL authentication Directory for JkMount

Posted on 2008-10-28
Last Modified: 2012-05-05
I have 2-way SSL set up to protect access to a FastCGI server on /backchannel. That works nicely.

Everything else is handled by an application on JBoss called x-view, which is connected to mod_jk. That works nicely, but I haven't figured out how to set up a directory for it to get 2-way SSL authentication to apply to that too.

I tried <Directory /> with the same directives as <Directory /home/rob/devt/x/broker/etc> below, but they didn't get applied to the JBoss application.
<VirtualHost *:443>
 
    ServerName x.y.com
 
    # The x-reverse-sock is relative to FastCgiIpcDir
    FastCgiExternalServer /home/rob/devt/x/broker/etc/broker.conf \
        -socket broker/x-reverse-sock -appConnTimeout 3 \
        -idle-timeout 3
 
    # The client uses /backchannel as its path
    Alias /backchannel /home/rob/devt/x/broker/etc/broker.conf
 
    # SSL settings for this virtual host: use the certificate signed by
    # x's CA. The client's certificate is also expected to be signed
    # by the same CA.
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/certs/x.y.com.pem
    SSLCertificateKeyFile /etc/httpd/certs/x.y.com-nopassphrase.pem
    SSLCACertificateFile /home/rob/src/cert/CA/ca-bundle-test-only.pem
 
    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    #LogLevel debug
 
    # Protect access to the Broker
    <Directory /home/rob/devt/x/broker/etc>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "My Authentication for X"
        AuthType Basic
        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd
        Require valid-user
    </Directory>
 
    RewriteEngine on
    RewriteRule  ^/$ /x-view/  [R]
    JkMount /x-view/* ajp13
 
</VirtualHost>

Question by:rstaveley

Accepted Solution

by:
caterham_www earned 2000 total points
ID: 22829752
/home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right? You may try <Location>. But the problem is Apache does not map anything to the filesystem; that's done by the mounted application.
    <Location />
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "My Authentication for X"
        AuthType Basic
        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd
        Require valid-user
    </Location>
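
Added example (not part of the original answer, and not code from Apache or mod_jk): a small configuration check that reports JkMount URL patterns left outside any `SSLVerifyClient require` scope, which is the gap described in this thread. The function name `unprotected_jkmounts` and the reduced sample configuration are constructed for illustration; the check understands only plain `<Location>` and virtual-host scope, not `<LocationMatch>` or `Include`.

```python
import re

# Constructed sample: the question's virtual host, reduced to the
# directives that decide where the client certificate is demanded.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    Alias /backchannel /home/rob/devt/x/broker/etc/broker.conf
    <Directory /home/rob/devt/x/broker/etc>
        SSLVerifyClient require
    </Directory>
    RewriteRule ^/$ /x-view/ [R]
    JkMount /x-view/* ajp13
</VirtualHost>
"""

def unprotected_jkmounts(conf):
    """Return JkMount URL patterns not covered by a <Location> block or
    by the enclosing virtual host that sets 'SSLVerifyClient require'."""
    section, protected, mounts, vhost_wide = [], [], [], False
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r"<(\w+)\s*(.*?)>$", line)
        if line.startswith("</"):
            section.pop()                      # leave the innermost section
        elif opened:
            section.append((opened.group(1).lower(), opened.group(2).strip('"')))
        elif re.match(r"(?i)SSLVerifyClient\s+require\b", line):
            kind, arg = section[-1] if section else ("server", "")
            if kind == "location":
                protected.append(arg)          # URL-space scope
            elif kind in ("virtualhost", "server"):
                vhost_wide = True              # applies to every request
            # <Directory> is filesystem scope: it never matches a JkMount URL
        elif re.match(r"(?i)JkMount\s", line):
            mounts.append(line.split()[1])
    if vhost_wide:
        return []

    def covered(pattern):
        path = pattern.split("*")[0]           # literal prefix of the pattern
        return any(path == p or path.startswith(p.rstrip("/") + "/")
                   for p in protected)

    return [m for m in mounts if not covered(m)]

if __name__ == "__main__":
    print(unprotected_jkmounts(SAMPLE_VHOST))
```

Apache's mod_ssl documentation notes that `SSLVerifyClient` in a per-directory or per-location context forces a renegotiation after the request has been read; setting it at virtual-host level avoids that when every URL requires a client certificate.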


Author Comment

by:rstaveley
ID: 22829998
> /home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right?

No, /home/rob/devt/x/broker/etc/broker.conf is the FastCGI application, accessed via the alias '/backchannel'. The UNIX domain socket deals with that - not mod_jk. That bit is OK and is being protected by the FakeBasicAuth. It is the "everything else" that gets passed to JBoss via mod_jk that isn't being protected by FakeBasicAuth.

For the "everything else", I tried an additional <Directory /> section, but will have a go with your suggested <Location /> as soon as I can get write permissions to the conf file. I must say that I wasn't aware of the existence of the Location directive, and I can see that with rewriting and JkMount, Apache won't map anything to the file system and your suggestion sounds like a winner.

Many thanks! I'll award points now and raise another question, if needs be.

Author Closing Comment

by:rstaveley
ID: 31510847
I really appreciate the knowledge in that response.