On Thu, Jan 7, 2010 at 5:35 AM, Gaëtan GUYODO <gaetan.guyodo(a)lrb.aphp.fr>
wrote:
> I tried to force xwiki.url.protocol=https in xwiki.cfg, without results.
> I tried to create another wiki, same problem.
> I tried to add the full URL as alias, doesn't work!
> => I don't have any trouble accessing by
> http://localhost:8080/xwiki/wiki/xwiki
> but I can't access the same wiki using external SSL URL
> https://mydomain/xwiki/wiki/xwiki

You can't run SSL on a random port, and HTTPS, bound to 443, is privileged
and requires a privileged process (that's why a high-number port like 8080
is used by default; it's a random, nonprivileged port). Since you don't want
to run Java as a privileged process, but people trust Apache to run this
way, you use a connector
( http://tomcat.apache.org/connectors-doc/reference/apache.html ) to bridge
between Java and a secure SSL front-end.

Although Tomcat can do SSL, it's better and more secure to front Tomcat with
Apache Httpd: use mod_proxy <http://httpd.apache.org/docs/2.0/mod/mod_proxy.html>
and mod_proxy_ajp <http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html> to
talk to Tomcat, and mod_ssl <http://www.modssl.org/> to handle SSL (helpful
security hint that is de rigueur for hospital and patient data: use
mod_auth_mysql <http://modauthmysql.sourceforge.net/> and client-side
certificates <http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6> to prevent
any access from those without client certs... see the "fake basic auth" concept
in http://www.modssl.org/docs/2.8/ssl_reference.html#SSLOptions ... if you
don't have client-certificate access, you get redirected to the "public"
part of the web like in http://ipssources.net )

Quickndirty configuration hints:

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass /xwiki/ ajp://127.0.0.1:8009/xwiki/
<IfModule mod_proxy.c>
    ProxyRequests Off
    ## NPM: see http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Performances#HModProxyA…
    ProxyPreserveHost On
</IfModule>

Niels
http://nielsmayer.com
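
The setup described in the reply above, written out as one httpd virtual host. This is an added example, not part of the original message or of the XWiki documentation. The host name wiki.example.org, the certificate and CA file paths, and the module file locations are placeholders chosen for illustration.

```apache
# Added example: wiki.example.org and all /etc/ssl/... paths are placeholders.
# Module file locations vary by distribution.
LoadModule ssl_module       modules/mod_ssl.so
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Listen 443

# Plain HTTP does nothing except redirect to the TLS site.
<VirtualHost *:80>
    ServerName wiki.example.org
    Redirect permanent /xwiki/ https://wiki.example.org/xwiki/
</VirtualHost>

<VirtualHost *:443>
    ServerName wiki.example.org

    # httpd terminates TLS; Tomcat keeps running unprivileged on high ports.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.org.key

    # Client-certificate requirement: the handshake fails unless the client
    # presents a certificate issued directly by the CA in this file.
    SSLCACertificateFile  /etc/ssl/certs/internal-client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Reverse proxy only, never an open forward proxy.
    ProxyRequests Off
    # Pass the browser's Host header through to the backend.
    ProxyPreserveHost On

    # AJP carries the original scheme, so Tomcat sees the request as HTTPS.
    # Keep Tomcat's AJP connector bound to 127.0.0.1 so only httpd reaches it.
    ProxyPass /xwiki/ ajp://127.0.0.1:8009/xwiki/
</VirtualHost>
```

Current Tomcat releases require a shared secret on the AJP connector by default; mod_proxy's `secret=` worker parameter on the ProxyPass line supplies it on the httpd side.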