Last modified by jhurst on 2021/04/21 10:01
Show last authors
1 {{ddtoc/}}
2
3 = Apache HTTPD / Tomcat Connector: AJP =
4
5 == Requirements ==
6
7 * Install apache httpd
8 * Check that the **proxy** and **proxy_ajp** modules are active (see 1.2)
9
10 == Loading a module in apache httpd ==
11
12 === Windows ===
13
14 1. Check that the file corresponding to the module exists and can be found in the **<install_apache>/modules** folder.
15 For instance for the module proxy_ajp the file would be : mod_proxy_ajp.so. If the file does not exist, find a version of httpd that distributes the required module.
16 1. Load the module in the **<install_apache>/conf/httpd.conf** file using:
17 LoadModule nom_du_module modules/fichier_du_module
18 Example: LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
19
20 === Linux ===
21
22 Use the command: a2enmod nom_du_module
23 Example:
24
25 {{code language="Shell"}}
26 a2enmod proxy_ajp
27 {{/code}}
28
29 If this command fails or does not exist, follow the same steps as for Windows.
30
31 == Configuring routing between apache httpd and tomcat ==
32
33 === Apache Tomcat ===
34
35 Check that the following connector exists and is not commented in the **<install_tomcat>/conf/server.xml** configuration file:
36
37 {{code language="XML"}}
38 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
39 {{/code}}
40
41 For your information:
42
43 * The redirectPort is used for requests using a security constraint requiring an SSL transport.
44 * Don’t forget to restart Tomcat after modifying the server.xml file.00
45
46 === Apache HTTPD ===
47
48 In the virtual host file, add the **ProxyPass** directive so that httpd can connect to Tomcat’s AJP connector:
49
50 {{code language="XML"}}
51 <VirtualHost *:80>
52 ServerAdmin support@digdash.com
53 ServerName monserveur.digdash.com
54
55 DocumentRoot /var/www
56 ProxyPass / ajp://montomcat.digdash.com:8009/
57 <Directory />
58 Options FollowSymLinks
59 AllowOverride None
60 </Directory>
61 <Directory /var/www>
62 Options Indexes FollowSymLinks MultiViews
63 AllowOverride None
64 Require all granted
65 </Directory>
66
67 ErrorLog logs/error_apache.log
68 LogLevel warn
69 CustomLog logs/access_apache.log combined
70 </VirtualHost>
71 {{/code}}
72
73 (% class="box warningmessage" %)
74 (((
75 Don’t forget to restart Apache httpd after modifying the configuration.
76 )))
77
78 ==== Timeout ====
79
80 It may be necessary to specify a greater timeout value than the default for the AJP connector.
81
82 Some tasks in DigDash Enterprise take over a minute to complete (exports, builders, save/backup…) and could be interrupted by Apache httpd, which in turn would return a HTTP 500 error to the client.
83
84 To change this value you can add the **timeout=<seconds>** parameter to the ProxyPass directive, for example:
85
86 {{code language="properties"}}
87 ProxyPass / ajp://montomcat.digdash.com:8009/ timeout=300
88 {{/code}}
89
90 == Alternative : Configuring routing between apache httpd and tomcat while changing the folder name ==
91
92 === Objective ===
93
94 Connecting to a URL that uses a different parent folder.
95 In this example we will use a folder named: **security_domain1/** and connect to the home page with this URL: http:~/~/machine/security_domain1/adminconsole.
96
97 === Apache Tomcat ===
98
99 Same configuration as [[Configuring routing between apache httpd and tomcat>>path:#tomcat-conf]].
100
101 === Apache HTTPD ===
102
103 In the virtual host file, add the **ProxyPass**, **ProxyPassReverse** and
104 **ProxyPassReverseCookiePath** directives to Tomcat’s AJP connector:
105
106 {{code language="XML"}}
107 <VirtualHost *:80>
108 ServerAdmin support@digdash.com
109 ServerName srvapache
110 DocumentRoot /var/www
111 <Directory />
112 Options FollowSymLinks
113 AllowOverride None
114 </Directory>
115 <Directory /var/www/>
116 Options Indexes FollowSymLinks MultiViews
117 AllowOverride None
118 Require all granted
119 </Directory>
120 ProxyPass "/domaine_securite1" "ajp://srvtomcat:8009"
121 ProxyPassReverseCookiePath "/" "/domaine_securite1"
122 ProxyPassReverse "/domaine_securite1" "http://srvapache"
123 ErrorLog logs/error_apache.log
124 LogLevel warn
125 CustomLog logs/access_apache.log combined
126 </VirtualHost>
127 {{/code}}
128
129 = Enabling https (SSL) =
130
131 == Requirements ==
132
133 * A valid certificate for the network or a certificate approved by a trusted third party (CA). (ex: Comodo, Globalsign, Thawte, Verisign…)
134 * A version of Apache httpd that contains the latest security patches concerning ssl.
135 * Enabling the **mod_ssl** ssl module. (see [[Loading a module in apache httpd>>path:#module]])
136 * Understanding the configurations made in [[Apache HTTPD / Tomcat connector: AJP>>path:#main]]
137
138 == Configuration ==
139
140 A **Listen** directive must be added for httpd to listen on port 443:
141 **<install_apache>/conf/httpd.conf** :
142
143 {{code language="Shell"}}
144 Listen 443
145 {{/code}}
146
147 The port used in the **VirtualHost** must then be changed, ssl must be activated and the certificates and private key must be configured:
148
149 {{code language="XML"}}
150 <VirtualHost *:443>
151 ServerAdmin support@digdash.com
152 ServerName monserveur.digdash.com
153 SSLEngine on
154 SSLCertificateKeyFile /etc/ssl/maclef.key
155 SSLCertificateFile /etc/ssl/moncertif.crt
156 SSLCertificateChainFile /etc/ssl/certif.ca-bundle
157 DocumentRoot /var/www
158 ProxyPass / ajp://montomcat.digdash.com:8009/
159 <Directory />
160 Options FollowSymLinks
161 AllowOverride None
162 </Directory>
163 <Directory /var/www/>
164 Options Indexes FollowSymLinks MultiViews
165 AllowOverride None
166 Require all granted
167 </Directory>
168 ErrorLog logs/error_apache.log
169 LogLevel warn
170 CustomLog logs/access_apache.log combined
171 </VirtualHost>
172 {{/code}}
173
174 === SSLPassphraseDialog ===
175
176 If your private key is encrypted, you will need to type in your password when httpd starts up or use the [[SSLPassPhraseDialog>>url:https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog]] directive.
177
178 (% class="box warningmessage" %)
179 (((
180 **Warning**: This directive is not supported on Windows. You will need to remove it from the configuration file and replace your encrypted private key with an unencrypted one. To replace the key, you can simply decrypt your existing encrypted key and save the unencrypted key to a file (with openssl rsa -in encrypted_key -out unencrypted_key for example).
181 )))
182
183 To use this directive without having to type your password, you must create a script file that displays the required password (on stdout). For example:
184
185 **password.sh** :
186
187 {{code language="Shell"}}
188 #!/bin/bash
189 echo password
190 {{/code}}
191
192 **httpd.conf** :
193
194 {{code language="XML"}}
195 <IfModule ssl_module>
196 SSLPassPhraseDialog "exec:/path/to/password.sh"
197 </IfModule>
198 {{/code}}
199
200 = Load balancing =
201
202 Each user session is linked to a signle Tomcat server (sticky session). If a Tomcat server fails, the user will have to reauthenticate on the server to which the session has been reassociated (if SSO is enabled, this happens automatically).
203
204 == Requirements ==
205
206 * Enabling the **proxy_balancer** module. (see [[Loading a module in apache httpd>>path:#module]])
207 * Understanding the configurations made in [[Apache HTTPD / Tomcat connector : AJP>>path:#main]]
208
209 == Configuration ==
210
211 === Apache Tomcat ===
212
213 In the **<install_tomcat>/conf/server.xml** configuration file, check that the AJP connector exists (add it if it doesn’t):
214
215 {{code language="XML"}}
216 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
217 {{/code}}
218
219 Check that the **Engine** tag has a **jvmRoute** attribute with a unique identifier on each target machine:
220
221 {{code language="XML"}}
222 <Engine name="Catalina" defaultHost="localhost" jvmRoute="m1">
223 {{/code}}
224
225 === Apache HTTPD ===
226
227 In the virtual host file:
228
229 {{code language="XML"}}
230 <VirtualHost lap-sus:80>
231 ServerAdmin support@digdash.com
232 DocumentRoot "C:/htdocs"
233 ServerName monserveur.digdash.com
234
235 <Proxy balancer://monserveur.digdash.com>
236 BalancerMember ajp://montomcat1.digdash.com:8009 route=m1
237 BalancerMember ajp://montomcat2.digdash.com:8009 route=m2
238 ProxySet stickysession=JSESSIONID
239 </Proxy>
240
241 ProxyPass / "balancer://monserveur.digdash.com/" stickysession=JSESSIONID
242 scolonpathdelim=On
243 <Directory />
244 Options FollowSymLinks
245 AllowOverride None
246 Require all granted
247 ProxyPassReverse balancer://monserveur.digdash.com/
248 </Directory>
249
250 ErrorLog logs/error_apache.log
251 LogLevel warn
252 CustomLog logs/acces_apache.log combined
253 </VirtualHost>
254 {{/code}}
255
256 = Cookie SameSite: Integrating Digdash Enterprise in a portal =
257
258 Starting from Chrome version 80, the cookies policy is more restrictive concerning the use of cookies from other sites in the same page. If A Digdash dashboard is inserted into an enterprise portal page (eg. in an IFRAME), you must configure the SameSite policy of the cookies to prevent Chrome from blocking the dashboard cookies. It can be done on the Apache configuration:
259
260 1. Activate headers module
261 {{code language="Shell"}}/etc/apache2/mods-enabled# ln -s ../mods-available/headers.load headers.load{{/code}}
262 1. Configure SameSite cookie policy in /etc/apache2/apache2.conf (at the end)
263 {{code language="properties"}}Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None{{/code}}
264
265
266