Solved

2-way SSL authentication Directory for JkMount

Posted on 2008-10-28
3
800 Views
Last Modified: 2012-05-05
I have 2-way SSL set up to protect access to a FastCGI server on /backchannel. That works nicely.

Everything else is handled by an application on JBoss called x-view, which is connected to mod_jk. That works nicely, but I haven't figured up how to set up a directory for it to get 2-way SSL authentication apply to that too.

I tried <Directory /> with the same directives as <Directory /home/rob/devt/x/broker/etc> below, but they didn't get applied to the  JBoss application.
<VirtualHost *:443>
 

    ServerName x.y.com
 

    # The x-reverse-sock is relative to FastCgiIpcDir

    FastCgiExternalServer /home/rob/devt/x/broker/etc/broker.conf \

        -socket broker/x-reverse-sock -appConnTimeout 3 \

        -idle-timeout 3
 

    # The client uses /backchannel as its path

    Alias /backchannel /home/rob/devt/x/broker/etc/broker.conf
 

    # SSL settings for this virtual host  use the certificate signed by

    # x's CA. The client's certificate is also expected to be signed

    # by the same CA.

    SSLEngine on

    SSLProtocol all -SSLv2

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /etc/httpd/certs/x.y.com.pem

    SSLCertificateKeyFile /etc/httpd/certs/x.y.com-nopassphrase.pem

    SSLCACertificateFile /home/rob/src/cert/CA/ca-bundle-test-only.pem
 

    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    #LogLevel debug
 

    # Protect access to the Broker

    <Directory /home/rob/devt/x/broker/etc>

        SSLVerifyClient require

        SSLVerifyDepth 1

        SSLOptions +FakeBasicAuth

        SSLRequireSSL

        AuthName "My Authentication for X"

        AuthType Basic

        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd

        Require valid-user

    </Directory>
 

    RewriteEngine on

    RewriteRule  ^/$ /x-view/  [R]

    JkMount /x-view/* ajp13
 

</VirtualHost>

Open in new window

0
Comment
Question by:rstaveley
  • 2
3 Comments
 
LVL 27

Accepted Solution

by:
caterham_www earned 500 total points
Comment Utility
/home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right? You may try <location>. But the problem is apache does not map anything to the filesystem, that's done by the mounted application.
    <Location />

        SSLVerifyClient require

        SSLVerifyDepth 1

        SSLOptions +FakeBasicAuth

        SSLRequireSSL

        AuthName "My Authentication for X"

        AuthType Basic

        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd

        Require valid-user

    </Location>

Open in new window

0
 
LVL 17

Author Comment

by:rstaveley
Comment Utility
> /home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right?

No, /home/rob/devt/x/broker/etc/broker.conf is the FastCGI application, accessed via the alias '/backchannel'. The UNIC domain socket deals with that - not mod_jk. That bit is OK and is being protected by the FakeBasicAuth. It is the "everything else" that gets passed to JBoss via mod_jk that isn't being protected by FakeBasicAuth.

For the "everything else", I tried an additional <Directory /> section, but will have a go with your suggested <Location /> as soon as I can get write permissions to the conf file. I must say that I wasn't aware of the existence of the Location directive, and I can see that with rewriting and JkMount, Apache won't map anything to the file system and your suggestion sounds like a winner.

Many thanks! I'll award points now and raise another question, if needs be.
0
 
LVL 17

Author Closing Comment

by:rstaveley
Comment Utility
I really appreciate the knowledge in that response.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Over the last year I have answered a couple of basic URL rewriting questions several times so I thought I might as well have a stab at: explaining the basics, providing a few useful links and consolidating some of the most common queries into a sing…
Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now