Configuring an apache web server

Last modified by Aurelie Bertrand on 2021/10/11 15:28

Apache HTTPD / Tomcat Connector: AJP

Requirements

  • Install apache httpd
  • Check that the proxy and proxy_ajp modules are active (see 1.2)

Loading a module in apache httpd

Windows

  1. Check that the file corresponding to the module exists and can be found in the <install_apache>/modules folder.
     For instance for the module proxy_ajp the file would be : mod_proxy_ajp.so. If the file does not exist, find a version of httpd that distributes the required module.
  2. Load the module in the <install_apache>/conf/httpd.conf file using:
     LoadModule nom_du_module modules/fichier_du_module
     Example: LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Linux

Use the command: a2enmod nom_du_module
Example:

a2enmod proxy_ajp

If this command fails or does not exist, follow the same steps as for Windows.

Configuring routing between apache httpd and tomcat

Apache Tomcat

Check that the following connector exists and is not commented in the <install_tomcat>/conf/server.xml configuration file:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

For your information:

  • The redirectPort is used for requests using a security constraint requiring an SSL transport.
  • Don’t forget to restart Tomcat after modifying the server.xml file.00

Apache HTTPD

In the virtual host file, add the ProxyPass directive so that httpd can connect to Tomcat’s AJP connector:

<VirtualHost *:80>  
    ServerAdmin support@digdash.com  
    ServerName monserveur.digdash.com  

    DocumentRoot /var/www  
    ProxyPass / ajp://montomcat.digdash.com:8009/
   <Directory />  
        Options FollowSymLinks
        AllowOverride None
   </Directory>
   <Directory /var/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
   </Directory>

    ErrorLog logs/error_apache.log
    LogLevel warn
    CustomLog logs/access_apache.log combined
</VirtualHost>

Don’t forget to restart Apache httpd after modifying the configuration.

Timeout

It may be necessary to specify a greater timeout value than the default for the AJP connector.

Some tasks in DigDash Enterprise take over a minute to complete (exports, builders, save/backup…) and could be interrupted by Apache httpd, which in turn would return a HTTP 500 error to the client.

To change this value you can add the timeout=<seconds> parameter to the ProxyPass directive, for example:

ProxyPass / ajp://montomcat.digdash.com:8009/ timeout=300

Alternative : Configuring routing between apache httpd and tomcat while changing the folder name

Objective

Connecting to a URL that uses a different parent folder.
 In this example we will use a folder named: security_domain1/ and connect to the home page with this URL: http://machine/security_domain1/adminconsole.

Apache Tomcat

Same configuration as Configuring routing between apache httpd and tomcat.

Apache HTTPD

In the virtual host file, add the ProxyPass, ProxyPassReverse and
ProxyPassReverseCookiePath directives to Tomcat’s AJP connector:

<VirtualHost *:80>
    ServerAdmin support@digdash.com
    ServerName srvapache
    DocumentRoot /var/www
   <Directory />
            Options FollowSymLinks
            AllowOverride None
   </Directory>
   <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
   </Directory>
    ProxyPass "/domaine_securite1" "ajp://srvtomcat:8009"
    ProxyPassReverseCookiePath  "/" "/domaine_securite1"
    ProxyPassReverse "/domaine_securite1" "http://srvapache"
    ErrorLog logs/error_apache.log
    LogLevel warn
    CustomLog logs/access_apache.log combined
</VirtualHost>

Enabling https (SSL)

Requirements

  • A valid certificate for the network or a certificate approved by a trusted third party (CA). (ex: Comodo, Globalsign, Thawte, Verisign…)
  • A version of Apache httpd that contains the latest security patches concerning ssl.
  • Enabling the mod_ssl ssl module. (see Loading a module in apache httpd)
  • Understanding the configurations made in Apache HTTPD / Tomcat connector: AJP

Configuration

A Listen directive must be added for httpd to listen on port 443:
<install_apache>/conf/httpd.conf :

Listen 443

The port used in the VirtualHost must then be changed, ssl must be activated and the certificates and private key must be configured:

<VirtualHost *:443>
    ServerAdmin support@digdash.com
    ServerName monserveur.digdash.com
    SSLEngine on
    SSLCertificateKeyFile /etc/ssl/maclef.key
    SSLCertificateFile /etc/ssl/moncertif.crt
    SSLCertificateChainFile /etc/ssl/certif.ca-bundle
    DocumentRoot /var/www
    ProxyPass / ajp://montomcat.digdash.com:8009/
   <Directory />
            Options FollowSymLinks
            AllowOverride None
   </Directory>
   <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
   </Directory>
    ErrorLog logs/error_apache.log
    LogLevel warn
    CustomLog logs/access_apache.log combined
</VirtualHost>

SSLPassphraseDialog

If your private key is encrypted, you will need to type in your password when httpd starts up or use the SSLPassPhraseDialog directive.

Warning: This directive is not supported on Windows. You will need to remove it from the configuration file and replace your encrypted private key with an unencrypted one. To replace the key, you can simply decrypt your existing encrypted key and save the unencrypted key to a file (with openssl rsa -in encrypted_key -out unencrypted_key for example).

To use this directive without having to type your password, you must create a script file that displays the required password (on stdout). For example:

password.sh :

#!/bin/bash
echo password

httpd.conf :

<IfModule ssl_module>
    SSLPassPhraseDialog "exec:/path/to/password.sh"
</IfModule>

Load balancing

Each user session is linked to a signle Tomcat server (sticky session). If a Tomcat server fails, the user will have to reauthenticate on the server to which the session has been reassociated (if SSO is enabled, this happens automatically).

Requirements

Configuration

Apache Tomcat

In the <install_tomcat>/conf/server.xml configuration file, check that the AJP connector exists (add it if it doesn’t):

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

Check that the Engine tag has a jvmRoute attribute with a unique identifier on each target machine:

<Engine name="Catalina" defaultHost="localhost" jvmRoute="m1">

Apache HTTPD

In the virtual host file:

<VirtualHost lap-sus:80>
    ServerAdmin support@digdash.com
    DocumentRoot "C:/htdocs"
    ServerName monserveur.digdash.com

   <Proxy balancer://monserveur.digdash.com>
        BalancerMember ajp://montomcat1.digdash.com:8009 route=m1
        BalancerMember ajp://montomcat2.digdash.com:8009 route=m2
        ProxySet stickysession=JSESSIONID
   </Proxy>

    ProxyPass / "balancer://monserveur.digdash.com/" stickysession=JSESSIONID
        scolonpathdelim=On
   <Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all granted
        ProxyPassReverse balancer://monserveur.digdash.com/
   </Directory>

    ErrorLog logs/error_apache.log
    LogLevel warn
    CustomLog logs/acces_apache.log combined
</VirtualHost>

Cookie SameSite: Integrating Digdash Enterprise in a portal

Starting from Chrome version 80, the cookies policy is more restrictive concerning the use of cookies from other sites in the same page. If A Digdash dashboard is inserted into an enterprise portal page (eg. in an IFRAME), you must configure the SameSite policy of the cookies to prevent Chrome from blocking the dashboard cookies. It can be done on the Apache configuration:

  1. Activate headers module
    /etc/apache2/mods-enabled# ln -s ../mods-available/headers.load headers.load
  2. Configure SameSite cookie policy in /etc/apache2/apache2.conf (at the end)
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None