Wow ;)

Thanks Rainer,

I'll comment inline.

On Thu, Aug 5, 2010 at 18:26, Rainer Jung <rainer.j...@kippdata.de> wrote:

> Comments inline
>
>
> On 05.08.2010 03:30, Leon Kolchinsky wrote:
>
>> Hi,
>>
>> Hmm.
>> Interesting.
>> Of course I'd like to make it work with "simple configuration" or/and with
>> JkHTTPSIndicator.
>>
>> I'm just not clear on how to make this "simple configuration".
>>
>> As I've said, there is no SSL handling on the server side. All SSL requests
>> are handled at the load balancer level, which in turn talks to Apache
>> (configured to talk to Tomcat via mod_jk) via http.
>>
>> myserv.mydomain.com - Tomcat server's Domain name
>> sakai-stg.mydomain.com - Load balancer's Domain name
>>
>> Clients coming to Load Balancer's URL https://sakai-stg.mydomain.com need to
>> use internal links (submit forms etc.) which appear as
>> http://sakai-stg.mydomain.com/..... on the served pages.
>> Submitting forms is not working in that scenario since the links should look
>> like this inside the pages - https://sakai-stg.mydomain.com/.....
>>
>>
>> Please see my mod_jk.conf, workers.properties, 01myserv.mydomain.com.conf
>> files below.
>>
>> Can you come up with a solution without using mod_substitute as I do now?
>>
>> [r...@myserv mod_sed]# cat /etc/httpd/conf/mod_jk.conf
>> LoadModule jk_module modules/mod_jk.so
>>
>> # mod_jk config
>> # Where to find workers.properties
>> # Update this path to match your conf directory location (put workers.properties next to httpd.conf)
>> JkWorkersFile /etc/httpd/conf/workers.properties
>> # Where to put jk shared memory
>> # Update this path to match your local state directory or logs directory
>> JkShmFile /var/log/httpd/mod_jk.shm
>> # Where to put jk logs
>> # Update this path to match your logs directory location (put mod_jk.log next to access_log)
>> JkLogFile /var/log/httpd/mod_jk.log
>>
>
> Unrelated: you could use rotatelogs here, as in "CustomLog" or "ErrorLog"
> to automatically rotate the files.
>

My logs are rotated by logrotate (I'm not familiar with the rotatelogs option, will
need to read about it later)

>
>> # Set the jk log level [debug/error/info]
>> JkLogLevel info
>> # Select the timestamp log format
>> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
>>
>
> Unrelated: I would remove JkLogStampFormat. Since a few years mod_jk will
> log sub second timestamps by default, but this format disables that.
>

Done: removed JkLogStampFormat

>
>> #JkOptions indicate to send SSL KEY SIZE,
>> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
>>
>
> Unrelated: You should remove "+ForwardURICompat" unless you understand what
> it does and that you will definitely need it.
>

Done: removed "+ForwardURICompat"

>
>> # JkRequestLogFormat set the request format
>> JkRequestLogFormat "%w %V %T"
>>
>
> Unrelated: Don't like the JkRequestFormat. Instead would use so called
> "notes" to add the info directly to the access log.
>

Are you talking about "mod_log_config"
(http://tomcat.apache.org/connectors-doc/reference/apache.html)?

>
>> # Globally deny access to the WEB-INF directory
>> <LocationMatch '.*WEB-INF.*'>
>> AllowOverride None
>> deny from all
>> </LocationMatch>
>>
>
> Unrelated: The application directory usually should not be reachable at all
> by Apache.
>

So, is it safe to remove those <LocationMatch '.*WEB-INF.*'>.....</LocationMatch> lines?

>
>> [r...@myserv mod_sed]#
>> [r...@myserv mod_sed]# cat /etc/httpd/conf/workers.properties
>> #
>> # This file provides minimal jk configuration properties needed to
>> # connect to Tomcat.
>> #
>> # We define a workers named worker1 and worker2
>> workers.tomcat_home=/srv/tomcat/
>> workers.java_home=/srv/jdk
>> ps=/
>>
>
> Unrelated: The above three are useless.
>

Done: removed

>
>> worker.list=worker1
>> worker.worker1.type=ajp13
>> worker.worker1.host=localhost
>> worker.worker1.port=8009
>> worker.worker1.lbfactor=1
>>
>
> Unrelated: That's very minimal.
>
>
>> # Load-balancing behaviour (add when you have more than 1 worker and change worker.workerX.host and worker.list accordingly)
>> # worker.loadbalancer.type=lb
>>
>
> Unrelated: You are not actually using mod_jk load balancing here.
>

Sure, I don't need load balancing here. It's done on the external LB.

>
>> # Status worker for managing load balancer (add when you have more than 1 worker)
>> worker.status.type=status
>>
>
> Suggestion: grab the default workers.properties from the mod_jk 1.2.30
> source download. It contains important hints about production ready
> configuration.
>

Thanks, very useful suggestion.

>
>> [r...@myserv mod_sed]#
>> [r...@myserv mod_sed]# cat /etc/httpd/conf/vhosts.d/01myserv.mydomain.com.conf
>> LoadModule substitute_module modules/mod_substitute.so
>>
>> NameVirtualHost *:80
>>
>> <VirtualHost *:80>
>> ServerName myserv.mydomain.com
>> ServerAdmin leon.kolchin...@mydomain.com
>> ServerAlias sakai-stg
>>
>> # Just in case
>> DocumentRoot /srv/sakai
>>
>> # if not specified, the global error log is used
>> ErrorLog /var/log/httpd/myserv.mydomain.com-error_log
>> CustomLog /var/log/httpd/myserv.mydomain.com-access_log combined
>> # don't lose time with IP address lookups
>> HostnameLookups Off
>> # needed for named virtual hosts
>> UseCanonicalName Off
>>
>> # Add index.jsp to DirectoryIndex files
>> DirectoryIndex index.php index.html index.htm index.shtml index.php4 index.php3 index.phtml index.cgi index.jsp
>>
>> JkMount /* worker1
>>
>
> Assuming that you always want Tomcat to assume https when a request came in
> via this VirtualHost:
>
> JkHTTPSIndicator FakeHTTPS
> SetEnv FakeHTTPS On
>
> (the module mod_env needs to be loaded).
>

Done: Working fine :)
Thanks for such a detailed explanation!!!

>
>> AddOutputFilterByType SUBSTITUTE text/html
>> Substitute "s|http://myserv|https://sakai-stg|i"
>> Substitute "s|http://sakai-stg|https://sakai-stg|i"
>>
>
> Those three should then no longer be needed (if sakai behaves well).
>

Done: removed

>> </VirtualHost>
>>
>
> Regards,
>
> Rainer
>
>
>

Cheers,
-- 
Leon Kolchinsky
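
Added example, not part of the original thread: the FakeHTTPS setting Rainer suggests, next to a conditional variant for setups where the virtual host can also be reached over plain http. The X-Forwarded-Proto header (which the load balancer would have to be configured to set and overwrite) and the address 192.0.2.10 are assumptions, not taken from the posts.

```apache
# Added example, Apache 2.2 syntax as used in the thread.
# Needs mod_jk, mod_setenvif and mod_authz_host loaded.
<VirtualHost *:80>
    ServerName myserv.mydomain.com
    ServerAlias sakai-stg

    # mod_jk treats the request as https when the named variable is "On".
    JkHTTPSIndicator FakeHTTPS

    # Variant from the thread (needs mod_env): every request through this
    # virtual host is reported to Tomcat as https, whatever the client used.
    # SetEnv FakeHTTPS On

    # Conditional variant: only mark the request as https when the load
    # balancer says the client connection was TLS.
    # ASSUMPTION: the balancer sets X-Forwarded-Proto itself and overwrites
    # any value supplied by the client.
    SetEnvIf X-Forwarded-Proto "^https$" FakeHTTPS=On

    # The indicator is only as trustworthy as the network path: accept
    # requests from the load balancer alone, so nobody can reach this
    # virtual host directly and have plain http reported as secure.
    # 192.0.2.10 is a placeholder for the balancer's address.
    <Location />
        Order deny,allow
        Deny from all
        Allow from 192.0.2.10
    </Location>

    JkMount /* worker1
</VirtualHost>
```

With either variant Tomcat sees the request scheme as https and the application can build https:// links itself, which is what makes the Substitute rules unnecessary.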
