Solved

2-way SSL authentication Directory for JkMount

Posted on 2008-10-28
3
802 Views
Last Modified: 2012-05-05
I have 2-way SSL set up to protect access to a FastCGI server on /backchannel. That works nicely.

Everything else is handled by an application on JBoss called x-view, which is connected to mod_jk. That works nicely, but I haven't figured up how to set up a directory for it to get 2-way SSL authentication apply to that too.

I tried <Directory /> with the same directives as <Directory /home/rob/devt/x/broker/etc> below, but they didn't get applied to the  JBoss application.
<VirtualHost *:443>
 

    ServerName x.y.com
 

    # The x-reverse-sock is relative to FastCgiIpcDir

    FastCgiExternalServer /home/rob/devt/x/broker/etc/broker.conf \

        -socket broker/x-reverse-sock -appConnTimeout 3 \

        -idle-timeout 3
 

    # The client uses /backchannel as its path

    Alias /backchannel /home/rob/devt/x/broker/etc/broker.conf
 

    # SSL settings for this virtual host  use the certificate signed by

    # x's CA. The client's certificate is also expected to be signed

    # by the same CA.

    SSLEngine on

    SSLProtocol all -SSLv2

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /etc/httpd/certs/x.y.com.pem

    SSLCertificateKeyFile /etc/httpd/certs/x.y.com-nopassphrase.pem

    SSLCACertificateFile /home/rob/src/cert/CA/ca-bundle-test-only.pem
 

    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    #LogLevel debug
 

    # Protect access to the Broker

    <Directory /home/rob/devt/x/broker/etc>

        SSLVerifyClient require

        SSLVerifyDepth 1

        SSLOptions +FakeBasicAuth

        SSLRequireSSL

        AuthName "My Authentication for X"

        AuthType Basic

        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd

        Require valid-user

    </Directory>
 

    RewriteEngine on

    RewriteRule  ^/$ /x-view/  [R]

    JkMount /x-view/* ajp13
 

</VirtualHost>

Open in new window

0
Comment
Question by:rstaveley
  • 2
3 Comments
 
LVL 27

Accepted Solution

by:
caterham_www earned 500 total points
ID: 22829752
/home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right? You may try <location>. But the problem is apache does not map anything to the filesystem, that's done by the mounted application.
    <Location />

        SSLVerifyClient require

        SSLVerifyDepth 1

        SSLOptions +FakeBasicAuth

        SSLRequireSSL

        AuthName "My Authentication for X"

        AuthType Basic

        AuthUserFile /home/rob/devt/x/broker/etc/httpd.passwd

        Require valid-user

    </Location>

Open in new window

0
 
LVL 17

Author Comment

by:rstaveley
ID: 22829998
> /home/rob/devt/x/broker/etc is the path of your application which is connected through mod_jk, right?

No, /home/rob/devt/x/broker/etc/broker.conf is the FastCGI application, accessed via the alias '/backchannel'. The UNIC domain socket deals with that - not mod_jk. That bit is OK and is being protected by the FakeBasicAuth. It is the "everything else" that gets passed to JBoss via mod_jk that isn't being protected by FakeBasicAuth.

For the "everything else", I tried an additional <Directory /> section, but will have a go with your suggested <Location /> as soon as I can get write permissions to the conf file. I must say that I wasn't aware of the existence of the Location directive, and I can see that with rewriting and JkMount, Apache won't map anything to the file system and your suggestion sounds like a winner.

Many thanks! I'll award points now and raise another question, if needs be.
0
 
LVL 17

Author Closing Comment

by:rstaveley
ID: 31510847
I really appreciate the knowledge in that response.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
slow web access in oversea location 3 41
Apache server crashes randomly 38 108
htaccess restrict subdomain 4 84
NGINX/Apache redirect on 403 and 404 5 68
If you are running a LAMP infrastructure, this little code snippet is very helpful if you are serving lots of HTML, JavaScript and CSS-related information. The mod_deflate module, which is part of the Apache 2.2 application, provides the DEFLATE…
Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
This is a video that shows how the OnPage alerts system integrates into ConnectWise, how a trigger is set, how a page is sent via the trigger, and how the SENT, DELIVERED, READ & REPLIED receipts get entered into the internal tab of the ConnectWise …

948 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now