I also use mod_jk 1.2 with virtual hosting and allow the appBase for Tomcat to be the document root for Apache. I use JkAutoAlias. It will automatically serve static files for any webapp and return a 403 error if someone tries to access a webapp's /WEB-INF or /META-INF directories.

See the docs here and search for JkAutoAlias:

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/jk2/jk/aphowto.html

This works great for me.

Regards,

Glenn

mdevin wrote:
> Hi all,
>
> I am looking for some advice regarding the usual directory layout for
> Virtual Hosts and tomcat.
>
> Currently I have a working setup of apache and tomcat using mod_jk. I
> have set things up the way that tomcat seems to prefer (or what others
> seem to have done based on the documentation I could find).
>
> Essentially, I have apache and tomcat both using the same document root
> so that apache will serve any static html pages and tomcat will do the
> jsp and servlet stuff. However, I am concerned that from a security
> point of view, this may not be the best option. In particular, this
> means that my cgi-bin directory comes below my document root and I have
> to explicitly deny access to the WEB-INF directory.
>
> Anyway, I am a little confused as to the best way to go in terms of
> security and at the same time most easily separable into Virtual Hosts
> so that different people can work on their own projects without
> interfering with others.
>
> Any suggestions welcome. In particular, I am interested in how others
> have set up virtual hosts for tomcat.
>
> Regards.
> Mark.
>
> Currently each of my Virtual Hosts has the following directory layout:
>
> /www/hostname/            -> all static html files
>                           -> also appBase to tomcat host
>              /cgi-bin/    -> perl cgi scripts etc.
>
> I have configured Virtual hosts as follows in apache:
> ... cut ...
> <VirtualHost *>
>   ServerName www.myhost.com
>   ServerAdmin [EMAIL PROTECTED]
>   DocumentRoot /www/myhost
>   JKMount /servlet/* ajp13
>   JKMount /*.jsp ajp13
>   <Directory /www/myhost/>
>     AllowOverride None
>     Options Indexes
>     Order Deny,Allow
>     Allow from all
>   </Directory>
>   ScriptAlias /cgi-bin/ /www/myhost/cgi-bin/
>   <Directory /www/myhost/cgi-bin/>
>     Allow from all
>     Options ExecCGI
>   </Directory>
>   <Location /WEB-INF/>
>     deny from all
>   </Location>
>   <Location /META-INF/>
>     deny from all
>   </Location>
> </VirtualHost>
>
> And I have the following in my server.xml file:
> ... cut ...
> <Service name="Tomcat-Apache">
>
>   <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
>              port="8009" minProcessors="5" maxProcessors="75"
>              enableLookups="true" acceptCount="10" debug="0"/>
>
>   <Engine name="Tomcat-Apache" defaultHost="localhost" debug="0">
>
>     <Logger className="org.apache.catalina.logger.FileLogger"
>             prefix="catalina_log." suffix=""
>             timestamp="true"/>
>
>     <Realm className="org.apache.catalina.realm.MemoryRealm" />
>
>     ... ...
>     ... snip localhost section ...
>     ... ...
>
>     <!-- www.myhost.com VirtualHost -->
>     <Host name="www.multistep.info" debug="0" unpackWARs="false">
>
>       <Valve className="org.apache.catalina.valves.AccessLogValve"
>              directory="logs" prefix="myhost_access_log." suffix=""
>              pattern="common" />
>
>       <Logger className="org.apache.catalina.logger.FileLogger"
>               directory="logs" prefix="myhost_log." suffix=""
>               timestamp="true"/>
>
>       <Context path="" docBase="/www/myhost"
>                crossContext="false" debug="0" reloadable="true" />
>
>     </Host>
>   </Engine>
> </Service>
> </Server>
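
Added example, not part of either message and not mod_jk code: a small Python check for the layout discussed in this thread, where Apache's DocumentRoot is also Tomcat's docBase. The function names and the sample vhost text are constructed here; the sample deliberately omits the /META-INF/ block so that the rule fires, and the JkAutoAlias branch relies only on the behaviour reported in the reply above.

```python
import re
from pathlib import PurePosixPath

# Constructed sample modelled on the quoted vhost, with the META-INF block left out.
SAMPLE_VHOST = """\
<VirtualHost *>
    DocumentRoot /www/myhost
    JkMount /servlet/* ajp13
    JkMount /*.jsp ajp13
    ScriptAlias /cgi-bin/ /www/myhost/cgi-bin/
    <Location /WEB-INF/>
        deny from all
    </Location>
</VirtualHost>
"""
PROTECTED = ("WEB-INF", "META-INF")

def directive(conf, name):
    """Argument lists of every `name ...` directive (Apache names are case-insensitive)."""
    pat = re.compile(r"^\s*%s\s+(.+?)\s*$" % re.escape(name), re.I | re.M)
    return [m.group(1).split() for m in pat.finditer(conf)]

def denied_locations(conf):
    """URL prefixes of <Location> blocks that contain `deny from all`."""
    pat = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.I | re.S)
    return [m.group(1).strip() for m in pat.finditer(conf)
            if re.search(r"deny\s+from\s+all", m.group(2), re.I)]

def audit_vhost(conf, docbase):
    """Findings for a vhost whose DocumentRoot is the Tomcat docBase `docbase`."""
    findings = []
    if docbase not in [a[0] for a in directive(conf, "DocumentRoot")]:
        return findings  # Apache is not serving the webapp tree directly
    # Assumption taken from the reply: JkAutoAlias answers 403 for these directories.
    if not directive(conf, "JkAutoAlias"):
        denied = denied_locations(conf)
        for name in PROTECTED:
            # Only JkMount-ed URLs go to Tomcat; everything else is a static file.
            if not any(loc.rstrip("/") == "/" + name for loc in denied):
                findings.append(f"/{name}/ is readable as static content")
    for args in directive(conf, "ScriptAlias"):
        # The original poster's concern: the CGI directory sits below the document root.
        if len(args) == 2 and PurePosixPath(docbase) in PurePosixPath(args[1]).parents:
            findings.append(f"ScriptAlias target {args[1]} is inside DocumentRoot")
    return findings

if __name__ == "__main__":
    for finding in audit_vhost(SAMPLE_VHOST, "/www/myhost"):
        print(finding)
```

The check only recognises `<Location /WEB-INF/>` style blocks at the root of the host; such a block does not match URLs like /someapp/WEB-INF/, so webapps deployed below the root context need their own rule.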