Re: [users@httpd] balancing best practices - mod_proxy_balancer

2018-03-06 Thread Galen Johnson
Not sure if this is still the case, but I don't believe that mod_jk allows
SSL connections between Apache and Tomcat.  This is why mod_proxy_httpd is
often used.  If that bit of security is important to your organization,
something to keep in mind.  If this is not the case for mod_jk, I would
love to know since I would prefer to use mod_jk.

=G=

On Tue, Mar 6, 2018 at 2:03 PM, Herb Burnswell wrote:

> Daniel,
>
> Thanks.  I'm reading the docs on sticky sessions.  There is a lot of
> conflicting "how to's" out there but I'm making progress.
>
> HB
>
> On Wed, Feb 28, 2018 at 12:21 PM, Daniel Ferradal wrote:
>
>> > 3: Regarding my inquiry about potential better options, I was more
>> > referring to the idea of maybe using Tomcat as a proxy to Tomcat backend
>> > application. I've read it can be done and was wondering if the like to
>> > like might provide advantages.  I am personally not as familiar with
>> > Tomcat as I am with HTTPD and therefore would prefer using HTTPD if there
>> > are no significant reasons to use Tomcat --> Tomcat.
>>
>> IMO it is better to leave the application server to do what it is
>> supposed to do, handle dynamic content generation, while leaving
>> static content as well as balancing to httpd, which is what it does
>> best.
>>
>> >
>> > 4:  The sticky sessions need makes sense.
>> >
>> > I have attempted to set up the sticky sessions configuration in HTTPD
>> > but unfortunately I must not have it set up properly.  It's probably
>> > best if I create a new thread for that issue and will do so.
>>
>> Sticky sessions can be very tricky to set up correctly.
>>
>> In the mod_proxy_balancer docs it is documented very well that you
>> probably need to set all three of these elements correctly according to
>> how tomcat was set up:
>>
>> stickysession (the most obvious)
>> scolonpathdelim
>> route - according to the value jvmroute the tomcats have set up.
>>
>>
>>
>> >
>> > Thanks again for your guidance.
>> >
>> > HB
>> >
>> > On Fri, Feb 23, 2018 at 12:57 AM, Daniel Ferradal wrote:
>> >>
>> >> Hello,
>> >>
>> >> I'll try to answer point by point the best I can.
>> >>
>> >> 1º You can only use one balancer method, so choose the best strategy
>> >> for your case. There is plenty in the description for each in the docs
>> >> (TL to explain here).
>> >> 2º No, it does not, you choose one and use only one that suits you
>> >> best for a specific balancer.
>> >> 3º Inside httpd the only non-third party choice that I know is
>> >> mod_proxy_balancer, so yes, by all means use it. Unless you find a
>> >> more suitable product for your needs.
>> >> 4º That will precisely mean you need to use sticky sessions and define
>> >> how to properly handle them at the balancer level, why? Because as
>> >> long as nodes are up and running you want to deliver the session to
>> >> the specific node dealing with that session or the session will be lost.
>> >> It is when that backend node is down that httpd should look for other
>> >> nodes to deliver the session. Afaik it is called session persistence. Or
>> >> at least this is the usual way to balance with sessions dealt with by a
>> >> backend cluster.
>> >>
>> >> About docs you can also visit:
>> >> http://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
>> >> and mod_proxy itself: http://httpd.apache.org/docs/2.4/mod/mod_proxy.html
>> >>
>> >> Cheers!
>> >>
>> >> 2018-02-23 1:48 GMT+01:00 Herb Burnswell:
>> >> > All,
>> >> >
>> >> > I am looking for some guidance on using HTTPD as a proxy and load
>> >> > balancer to a backend Tomcat application.  Specifically, I'm interested
>> >> > in how to best handle the balancing of requests.  The configuration
>> >> > would be very much like the 'typical implementation' shown in this
>> >> > Reverse Proxy Guide:
>> >> > https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html  (I'm using
>> >> > version 2.4.6):
>> >> >
>> >> > +------------------+
>> >> > | Firewall Public  |
>> >> > +------------------+
>> >> > +--------------------------------------+
>> >> > |  +-------+   +-------+   +-------+   |
>> >> > |  | httpd |   | httpd |   | httpd |   |
>> >> > |  |   1   |   |   2   |   |   3   |   |
>> >> > |  +-------+   +-------+   +-------+   |
>> >> > +--------------------------------------+
>> >> > +------------------+
>> >> > | Firewall Private |
>> >> > +------------------+
>> >> > +--------------------------------------+
>> >> > |  +-------+   +-------+   +-------+   |
>> >> > |  | tomcat|   | tomcat|   | tomcat|   |
>> >> > |  |   1   |   |   2   |   |   3   |   |
>> >> > |  +-------+   +-------+   +-------+   |
>> >> > +--------------------------------------+
>> >> >
>> >> >
>> >> > We have this working fine with a vanity URL to a VIP on our public
>> >> > firewall --> to the 3 httpd proxy load balancer pool --> to one of the 3
>> >> > backend To
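The three settings Daniel names (stickysession, scolonpathdelim, and a route that matches each Tomcat's jvmRoute) interact in a way that is easier to see in code than in prose. The following Python model of how mod_proxy_balancer picks a BalancerMember is an added example, not code from this thread or from httpd itself: the worker table, addresses and sample requests are constructed, and the "byrequests" fallback is a simplification of the real lbmethod.

```python
import re
from dataclasses import dataclass

# Added example: a Python model of mod_proxy_balancer member selection with
# stickysession=JSESSIONID|jsessionid, scolonpathdelim and route=<jvmRoute>.
# It is not httpd's code; internals (especially lbmethod=byrequests) are simplified.


@dataclass
class Worker:
    route: str         # must equal that Tomcat node's jvmRoute (<Engine jvmRoute="...">)
    url: str
    up: bool = True
    requests: int = 0  # simplified "byrequests" bookkeeping


def make_workers():
    """Constructed worker table: three Tomcat nodes, the third one down."""
    return [
        Worker("tomcat1", "http://10.0.1.11:8080"),
        Worker("tomcat2", "http://10.0.1.12:8080"),
        Worker("tomcat3", "http://10.0.1.13:8080", up=False),
    ]


def session_id_from_request(headers, path, scolonpathdelim=True,
                            cookie_name="JSESSIONID", param_name="jsessionid"):
    """stickysession=JSESSIONID|jsessionid: look in the Cookie header first,
    then for a ;jsessionid=... path parameter (URL-rewriting fallback)."""
    for chunk in headers.get("Cookie", "").split(";"):
        name, _, value = chunk.strip().partition("=")
        if name == cookie_name:
            return value
    m = re.search(r";" + re.escape(param_name) + r"=([^&]*)", path, re.IGNORECASE)
    if m:
        value = m.group(1)
        # scolonpathdelim=On: a ';' also terminates the value (mod_jk-style paths)
        if scolonpathdelim:
            value = value.split(";", 1)[0]
        return value
    return None


def route_from_session_id(session_id):
    """Tomcat appends '.' + jvmRoute to the session id; the balancer treats
    the text after the first '.' as the route name."""
    if not session_id:
        return None
    _, _, route = session_id.partition(".")
    return route or None


def choose_worker(workers, headers, path, scolonpathdelim=True, nofailover=False):
    """Return (worker, reason); reason is "sticky", "balanced" or "503"."""
    sid = session_id_from_request(headers, path, scolonpathdelim)
    route = route_from_session_id(sid)
    if route:
        sticky = next((w for w in workers if w.route == route), None)
        if sticky is not None and sticky.up:
            sticky.requests += 1
            return sticky, "sticky"
        if nofailover:
            # nofailover=On: refuse rather than silently send the session elsewhere
            return None, "503"
        # Route names a down node, or matches no configured route (jvmRoute
        # mismatch): fall back to ordinary balancing; the server-side session is lost.
    candidates = [w for w in workers if w.up]
    if not candidates:
        return None, "503"
    chosen = min(candidates, key=lambda w: w.requests)
    chosen.requests += 1
    return chosen, "balanced"


if __name__ == "__main__":
    ws = make_workers()
    print(choose_worker(ws, {"Cookie": "JSESSIONID=ABC123.tomcat2; theme=dark"}, "/app/"))
    print(choose_worker(ws, {}, "/app/page;jsessionid=XYZ.tomcat1;x=1"))
    print(choose_worker(ws, {}, "/app/page;jsessionid=XYZ.tomcat1;x=1", scolonpathdelim=False))
    print(choose_worker(ws, {"Cookie": "JSESSIONID=DEF.tomcat3"}, "/app/", nofailover=True))
```

The second and third calls in the usage block are the scolonpathdelim case: with it off, the route extracted from `;jsessionid=XYZ.tomcat1;x=1` is `tomcat1;x=1`, which matches no member, so the request is silently balanced to whichever node is least loaded and the user's session disappears. The same quiet failure happens when a route name in the BalancerMember line does not equal the node's jvmRoute, which is why Daniel says all three settings have to agree with the Tomcat side.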

Re: [users@httpd] Assistance with file + ldap auth config moving from httpd 2.2 to 2.4

2017-10-13 Thread Galen Johnson
Eduardo,

It looks like you're trying to get it working with Xymon so you might want
to ask on that list as well.  I had a heck of a time getting it to work but
I ended up using mod_authnz_external.c to configure it to use PAM.  This is
the config I use:


# Require SSL connection for password protection.
SSLRequireSSL

AuthBasicProvider external file
AuthExternal pwauth
AuthGroupFile /etc/xymon/xymongroups
GroupExternal unixgroup

# "valid-user" restricts access to anyone who is logged in.
Require valid-user

# "group xymon" restricts access to users who have logged in, AND
# are members of the "xymon" group in xymongroups.
Require group xymon



While not exactly what you're doing, I hope this helps nudge you in the
right direction.

=G=

On Fri, Oct 13, 2017 at 12:10 PM, Eric Covener wrote:

> Can you crank up the loglevel to trace8? I believe there are some
> spurious error messages when authz modules are reporting their
> individual results vs. getting rolled up to RequireAny.
>
> On Fri, Oct 13, 2017 at 11:46 AM, Eduardo Mayoral wrote:
> > Hi, Eric,
> >
> > Thanks for your fast answer. The reason for the provider aliases is
> > that once I get this config working I would like to re-use it for about
> > 6 different directories.
> >
> > However, I have tried to flatten the configuration according to your
> > suggestion. I repeated the tests, exact same result. Flattened config
> > follows:
> >
> >   AuthType Basic
> >   AuthName "Xymon user"
> >
> >   AuthBasicProvider file ldap
> >   AuthBasicAuthoritative off
> >
> >   AuthLDAPURL "ldap://REDACTED:3268 REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
> >   AuthLDAPBindDN "redac...@arsyslan.es"
> >   AuthLDAPBindPassword "REDACTED"
> >   AuthLDAPGroupAttributeIsDN on
> >   AuthLDAPGroupAttribute member
> >   AuthLDAPMaxSubGroupDepth 3
> >
> >   AuthUserFile /etc/xymon/xymonusers.htpasswd
> >   AuthGroupFile /etc/xymon/xymongroups.htpasswd
> >
> >
> >   
> > Require group XymonUsers
> > Require ldap-group
> > cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
> >   
> >
> >
> > Eduardo Mayoral Jimeno (emayo...@arsys.es)
> > Systems administrator. Platforms Department. Arsys internet.
> > +34 941 620 145 ext. 5153
> >
> > On 13/10/17 16:47, Eric Covener wrote:
> >> On Fri, Oct 13, 2017 at 10:06 AM, Eduardo Mayoral wrote:
> >>> Hi,
> >>>
> >>> I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
> >> I don't think all of those provider-aliases are necessary. Did you
> >> try a simpler/more direct port of the config?
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >> For additional commands, e-mail: users-h...@httpd.apache.org
> >>
> >
> >
> >
>
>
>
> --
> Eric Covener
> cove...@gmail.com
>
>
>


[users@httpd] mod_authz_core and http response 451

2017-09-05 Thread Galen Johnson
Hello,

I've googled a bit and I can't find a way to handle this without using a
rewrite rule.

I'm setting up a rule using mod_geoip to block embargoed countries.  I set
up the config as follows:


  # Blocking a client based on country
  SetEnvIf GEOIP_COUNTRY_CODE CU BlockCountry
  SetEnvIf GEOIP_COUNTRY_CODE IR BlockCountry
  SetEnvIf GEOIP_COUNTRY_CODE KP BlockCountry
  SetEnvIf GEOIP_COUNTRY_CODE SY BlockCountry

  
Require all granted

  Require env BlockCountry

  


This works but returns a 403.  I'd like for it to return a 451.  Is this
possible?  Or am I going to have to stick with using a rewrite rule
(without the require block)?


RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CU|IR|KP|SY)$
RewriteRule ^(.*)$ https://example.com/$1 [NE,R=451,L]


If there is a preferred way to handle this, I'd be interested in that as
well.

thanks

=G=