On Thu, 19 Aug 2010 21:33:24 +0200, André Warnier <a...@ice-sa.com> wrote:
> li...@cgi-net.ch wrote:
>> Hi List,
>>
>> I'm running mod_jk on an Apache 2.2.14 connecting to a second host,
>> running a Tomcat 5 server with a third-party application.
>> This application is configured to display some company-internal
>> information when accessing the page directly without any subdirectory,
>> like: http://<servername>/
>> A second application part is located under the address
>> http://<servername>/application -> please note, this is not a directory,
>> this is a servlet-mapping made by Tomcat (and we can't change the Tomcat
>> setup as we would lose support for it)
>>
>> My problem now is that I only want to grant access to
>> http://<servername>/application for external customers through the Apache
>> mod_jk setup.
>> But for some reason I have trouble implementing this.
>>
>> The stuff only works if I configure mod_jk to JkMount /* - but with that,
>> the page http://<servername>/ is also accessible.
>> I've also tried it with Rewrite rules (to make sure everything other than
>> http://<servername>/application is redirected to this address), etc. but
>> nothing was/is working.
>>
> Apart from the help Rainer is giving you, I have a suggestion about your
> setup.
> But first a question: you seem to be proxying just about everything from
> Apache httpd to Tomcat. Do you need Apache httpd then? Why not just have
> Tomcat listen on port 80 and handle everything itself?

Sharing / was only done to check if it works that way.
I need the reverse proxy because the Tomcat application server is located
in the intranet, and customers from outside should not access this server
directly. That's why we use a reverse proxy - which of course is located in
a secure DMZ.

> If you have some reason anyway to have Apache httpd in front, then here
> is the suggestion:
>
> - remove all JkMount directives.
> - instead, configure Apache httpd as follows:
>
> <Location />
>   # here is the stuff that you want only internal users to see.
>   # Let's say that all these users have IP addresses in the 192.168.* range
>   Order Deny,Allow
>   Deny from all
>   Allow from 192.168.0.0/16
>   # the following is the same as a "JkMount *" for everything in this location
>   SetHandler jakarta-servlet
>   # ... any other Apache directives ..
> </Location>
>
> <Location /application>
>   # This is the stuff that everyone can see, so we override the above for
>   # this location
>   Order Allow,Deny
>   Allow from all
>   # the following is the same as a "JkMount *" for everything in this location
>   SetHandler jakarta-servlet
>   # .. any other Apache directives ..
> </Location>
>
> That's it.
>
> Instead of the allow/deny stuff above, you can use any Apache-level
> authentication/authorization/access control you want, inside of each
> Location.
> AAA will happen *before* the call is forwarded to Tomcat.
> You can also exclude some URLs inside each location from being forwarded
> by mod_jk to Tomcat, by using something like
>   SetEnvIf REQUEST_URI "\.(css|gif|jpg|js)$" no-jk
> for example, to have all your images, stylesheets, javascript,.. served
> directly by Apache
> (if you want, and if it makes sense in your context).

Thanks for that idea, I was already thinking about something like that.
Since I have resolved the first issue now, I should be able to move forward
and try this.

Thanks and all the best,
Simon
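
An added example, not part of the thread: a small Python model of how Apache 2.2 combines Order/Allow/Deny, applied to a two-Location layout like the one suggested above, to check which clients reach `/` and `/application` before deploying. The function names, the sample addresses and the simplified prefix matching are assumptions of this sketch.

```python
import ipaddress

def _matches(specs, client):
    """True if client matches any 'Allow from' / 'Deny from' spec."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s) for s in specs)

def access_allowed(order, allow, deny, client):
    """Model of Apache 2.2 Order/Allow/Deny for one section's rules."""
    a, d = _matches(allow, client), _matches(deny, client)
    if order == "Allow,Deny":
        # Allow checked first, Deny last: a Deny match always wins and
        # a client matching neither list is rejected.
        return a and not d
    if order == "Deny,Allow":
        # Deny checked first, Allow last: an Allow match always wins and
        # a client matching neither list is admitted.
        return a or not d
    raise ValueError("unknown Order: " + order)

def effective_rules(sections, path):
    """Rules of the last matching <Location>; later sections override.
    Simplified: plain prefix matching on path segments only."""
    chosen = None
    for prefix, rules in sections:
        base = prefix.rstrip("/")
        if path == prefix or path.startswith(base + "/"):
            chosen = rules
    return chosen

# Constructed sample: (Location prefix, (Order, Allow from, Deny from)).
SECTIONS = [
    ("/", ("Deny,Allow", ["192.168.0.0/16"], ["all"])),
    ("/application", ("Allow,Deny", ["all"], [])),
]

def check(path, client, sections=SECTIONS):
    rules = effective_rules(sections, path)
    return rules is not None and access_allowed(*rules, client)

if __name__ == "__main__":
    # Constructed clients: one internal, one external (documentation range).
    for path in ("/", "/application", "/application/login"):
        for client in ("192.168.1.10", "203.0.113.7"):
            print(path, client, "allowed" if check(path, client) else "denied")
```

With `Order Allow,Deny`, adding `Deny from all` next to an `Allow from` range rejects the allowed range too, which is why the internal-only section in this model uses `Order Deny,Allow`.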