• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 822
  • Last Modified:

2-way SSL authentication Directory for JkMount

I have 2-way SSL set up to protect access to a FastCGI server on /backchannel. That works nicely.

Everything else is handled by an application on JBoss called x-view, which is connected to mod_jk. That works nicely, but I haven't figured up how to set up a directory for it to get 2-way SSL authentication apply to that too.

I tried <Directory /> with the same directives as <Directory /home/rob/devt/x/broker/etc> below, but they didn't get applied to the  JBoss application.
<VirtualHost *:443>
 
    ServerName x.y.com
 
    # The x-reverse-sock is relative to FastCgiIpcDir
    FastCgiExternalServer /home/rob/devt/x/broker/etc/broker.conf \
        -socket broker/x-reverse-sock -appConnTimeout 3 \
        -idle-timeout 3
 
    # The client uses /backchannel as its path
    Alias /backchannel /home/rob/devt/x/broker/etc/broker.conf
 
    # SSL settings for this virtual host  use the certificate signed by
    # x's CA. The client's certificate is also expected to be signed
    # by the same CA.
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/certs/x.y.com.pem
    SSLCertificateKeyFile /etc/httpd/certs/x.y.com-nopassphrase.pem
    SSLCACertificateFile /home/rob/src/cert/CA/ca-bundle-test-only.pem
 
    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    #LogLevel debug
 
    # Protect access to the Broker
    <Directory /home/rob/devt/x/broker/etc>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "My Authentication for X"
        AuthType Basic
        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd
        Require valid-user
    </Directory>
 
    RewriteEngine on
    RewriteRule  ^/$ /x-view/  [R]
    JkMount /x-view/* ajp13
 
</VirtualHost>

Open in new window

0
rstaveley
Asked:
rstaveley
  • 2
1 Solution
 
caterham_wwwCommented:
/home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right? You may try <location>. But the problem is apache does not map anything to the filesystem, that's done by the mounted application.
    <Location />
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "My Authentication for X"
        AuthType Basic
        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd
        Require valid-user
    </Location>

Open in new window

0
 
rstaveleyAuthor Commented:
> /home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right?

No, /home/rob/devt/x/broker/etc/broker.conf is the FastCGI application, accessed via the alias '/backchannel'. The UNIC domain socket deals with that - not mod_jk. That bit is OK and is being protected by the FakeBasicAuth. It is the "everything else" that gets passed to JBoss via mod_jk that isn't being protected by FakeBasicAuth.

For the "everything else", I tried an additional <Directory /> section, but will have a go with your suggested <Location /> as soon as I can get write permissions to the conf file. I must say that I wasn't aware of the existence of the Location directive, and I can see that with rewriting and JkMount, Apache won't map anything to the file system and your suggestion sounds like a winner.

Many thanks! I'll award points now and raise another question, if needs be.
0
 
rstaveleyAuthor Commented:
I really appreciate the knowledge in that response.
0

Featured Post

2018 Annual Membership Survey

Here at Experts Exchange, we strive to give members the best experience. Help us improve the site by taking this survey today! (Bonus: Be entered to win a great tech prize for participating!)

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now