Hi,
I tried to find a solution to my secured access problem, but I failed...
Here I am:
- I use Apache https server (2.2.14) as the front-end web server
- I use Tomcat (6.0.20) as the Java container for XWiki
- I use the mod_jk.so httpd module as the connector between httpd and Tomcat,
with this configuration in httpd.conf:
LoadModule jk_module modules/mod_jk.so
<IfModule jk_module>
# Where to find workers.properties
JkWorkersFile "C:/Program Files/Apache Software Foundation/Tomcat 6.0/conf/jk/workers.properties"
# Where to put jk logs
JkLogFile "D:/weblogs/2.2/mod_jk.log"
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# Send JSPs for context /examples to worker named worker1
JkMount /xwiki/* ajp13w
JkMount /xwiki ajp13w
</IfModule>
- I have these lines in the workers.properties file:
worker.list=ajp13w
worker.ajp13w.type=ajp13
worker.ajp13w.host=localhost
worker.ajp13w.port=8009
I still have "javascripts" errors.
I still can't access /xwiki/bin/skin/resources/js/xwiki/xwiki.js
(redirected to the xwiki.virtual.redirect URL).
I still have no errors in the httpd logs or the XWiki logs.
Do you have any idea of what is going wrong?
I'm sorry to ask you again, but I have to say that I'm really lost...
Gaëtan
Niels Mayer wrote:
On Thu, Jan 7, 2010 at 5:35 AM, Gaëtan GUYODO
<gaetan.guyodo(a)lrb.aphp.fr> wrote:
I tried to force xwiki.url.protocol=https in xwiki.cfg, without results.
I tried to create another wiki, same problem.
I tried to add the full URL as alias, doesn't work !
=> I don't have any trouble accessing by
http://localhost:8080/xwiki/wiki/xwiki
but I can't access the same wiki using external SSL URL
https://mydomain/xwiki/wiki/xwiki
You can't run SSL on a random port, and HTTPS, bound to 443, is
privileged and requires a privileged process (that's why a high-number
port like 8080 is used by default, it's a random, nonprivileged port).
Since you don't want to run java as a privileged process, but people
trust apache to run this way, you use a connector
( http://tomcat.apache.org/connectors-doc/reference/apache.html )
to bridge between java and a secure SSL front-end.
Although tomcat can do SSL, it's better and more secure to front tomcat
with Apache Httpd: use mod_proxy
<http://httpd.apache.org/docs/2.0/mod/mod_proxy.html> and mod_proxy_ajp
<http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html> to talk to
tomcat, and mod_ssl <http://www.modssl.org/> to handle SSL (helpful
security hint that is de rigueur for hospital and patient data: use
mod_auth_mysql <http://modauthmysql.sourceforge.net/> and client-side
certificates <http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6> to
prevent any access from those without client certs... see "fake basic
auth" concept in
http://www.modssl.org/docs/2.8/ssl_reference.html#SSLOptions ... if you
don't have a client-certificate access, you get redirected to the
"public" part of the web like in
http://ipssources.net )
Quickndirty configuration hints:
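# mod_proxy_ajp depends on mod_proxy, so mod_proxy has to be loaded as well
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
# Forward /xwiki/ to Tomcat's AJP connector on the loopback interface
ProxyPass /xwiki/ ajp://127.0.0.1:8009/xwiki/
<IfModule mod_proxy.c>
# Reverse proxy only: never act as an open forward proxy
ProxyRequests Off
## NPM: see http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Performances#HModProxyA…
ProxyPreserveHost On
</IfModule>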
Niels
http://nielsmayer.com
--
__________________________________________
Gaëtan GUYODO
Chargé de mission
Centre Antipoison - Hôpital Fernand WIDAL
200, rue du faubourg St Denis
75475 PARIS Cedex 10
Tél: 01 40 05 49 63 / Fax: 01 40 05 48 56
__________________________________________
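
A consistency check over the two mod_jk files quoted in this thread, as an added example that is not part of the original messages: it confirms that every JkMount names a worker declared in workers.properties and that the AJP hop stays on the loopback interface, since AJP itself is not encrypted. The function names, the shortened sample file contents and the loopback-only policy are assumptions made for this example.

```python
import re

# Constructed sample input mirroring the two files quoted in the post.
HTTPD_CONF = """\
LoadModule jk_module modules/mod_jk.so
<IfModule jk_module>
    JkWorkersFile "conf/jk/workers.properties"
    JkMount /xwiki/* ajp13w
    JkMount /xwiki ajp13w
</IfModule>
"""
WORKERS = """\
worker.list=ajp13w
worker.ajp13w.type=ajp13
worker.ajp13w.host=localhost
worker.ajp13w.port=8009
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumed policy: AJP stays local

def parse_workers(text):
    """Return (names in worker.list, {worker: {property: value}})."""
    declared, props = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "worker.list":
            declared += [w.strip() for w in value.split(",") if w.strip()]
        elif key.startswith("worker.") and key.count(".") >= 2:
            _, name, prop = key.split(".", 2)
            props.setdefault(name, {})[prop] = value
    return declared, props

def parse_mounts(text):
    """Return [(url_pattern, worker)] for every uncommented JkMount line."""
    rx = r"^[ \t]*JkMount[ \t]+(\S+)[ \t]+(\S+)[ \t]*$"
    return re.findall(rx, text, re.M | re.I)

def audit(httpd_conf, workers):
    """Return a list of findings; an empty list means the files agree."""
    declared, props = parse_workers(workers)
    findings = []
    for pattern, worker in parse_mounts(httpd_conf):
        if worker not in declared:
            findings.append(f"{pattern}: worker '{worker}' not in worker.list")
            continue
        p = props.get(worker, {})
        if p.get("type", "ajp13") != "ajp13" or not p.get("port", "8009").isdigit():
            findings.append(f"{pattern}: '{worker}' expected type=ajp13, numeric port")
        host = p.get("host", "localhost").lower()
        if host not in LOOPBACK:
            findings.append(f"{pattern}: AJP to non-loopback host '{host}' is unencrypted")
    return findings
```

An empty result for the configuration as posted means the mount-to-worker wiring is consistent, so the redirect problem described above has to be looked for elsewhere.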