Wow ;)
Thanks Rainer,
I'll comment inline.
On Thu, Aug 5, 2010 at 18:26, Rainer Jung rainer.j...@kippdata.de wrote:
Comments inline
On 05.08.2010 03:30, Leon Kolchinsky wrote:
Hi,
Hmm.
Interesting.
Of course I'd like to make it work with simple configuration or/and with
JkHTTPSIndicator.
I'm just not clear on how to make this simple configuration.
As I've said, there is no SSL handling on the server side. All SSL requests are handled on the load balancer level, which in turn talks to Apache (configured to talk to Tomcat via mod_jk) via http.
myserv.mydomain.com - Tomcat server's Domain name
sakai-stg.mydomain.com - Load balancer's Domain name
Clients coming to Load Balancer's URL https://sakai-stg.mydomain.com need to use internal links (submit forms etc.) which appear as http://sakai-stg.mydomain.com/. on the served pages.
Submitting forms is not working in that scenario since the links should look like this inside the pages - https://sakai-stg.mydomain.com/.
Please see my mod_jk.conf, workers.properties, 01myserv.mydomain.com.conf
files below.
Can you come up with a solution without using mod_substitute as I do now?
[r...@myserv mod_sed]# cat /etc/httpd/conf/mod_jk.conf
LoadModule jk_module modules/mod_jk.so
# mod_jk config
# Where to find workers.properties
# Update this path to match your conf directory location (put workers.properties next to httpd.conf)
JkWorkersFile /etc/httpd/conf/workers.properties
# Where to put jk shared memory
# Update this path to match your local state directory or logs directory
JkShmFile /var/log/httpd/mod_jk.shm
# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log next to access_log)
JkLogFile /var/log/httpd/mod_jk.log
Unrelated: you could use rotatelogs here, as in CustomLog or ErrorLog
to automatically rotate the files.
My logs are rotated by logrotate (I'm not familiar with the rotatelogs option, will need to read about it later)
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the timestamp log format
JkLogStampFormat [%a %b %d %H:%M:%S %Y]
Unrelated: I would remove JkLogStampFormat. Since a few years mod_jk will
log sub second timestamps by default, but this format disables that.
Done: removed JkLogStampFormat
#JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
Unrelated: You should remove +ForwardURICompat unless you understand what
it does and that you will definitely need it.
Done: removed +ForwardURICompat
# JkRequestLogFormat set the request format
JkRequestLogFormat %w %V %T
Unrelated: Don't like the JkRequestFormat. Instead would use so called
notes to add the info directly to the access log.
Are you talking about mod_log_config (http://tomcat.apache.org/connectors-doc/reference/apache.html)?
# Globally deny access to the WEB-INF directory
<LocationMatch '.*WEB-INF.*'>
AllowOverride None
deny from all
</LocationMatch>
Unrelated: The application directory usually should not be reachable at all
by Apache.
So, is it safe to remove those <LocationMatch '.*WEB-INF.*'>.</LocationMatch> lines?
[r...@myserv mod_sed]#
[r...@myserv mod_sed]# cat /etc/httpd/conf/workers.properties
#
# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
#
# We define a workers named worker1 and worker2
workers.tomcat_home=/srv/tomcat/
workers.java_home=/srv/jdk
ps=/
Unrelated: The above three are useless.
Done: removed
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=1
Unrelated: That's very minimal.
# Load-balancing behaviour (add when you have more than 1 worker and change worker.workerX.host and worker.list accordingly)
# worker.loadbalancer.type=lb
Unrelated: You are not actually using mod_jk load balancing here.
Sure, I don't need load balancing here. It's done on the external LB.
# Status worker for managing load balancer (add when you have more than 1 worker)
worker.status.type=status
Suggestion: grab the default workers.properties from the mod_jk 1.2.30
source download. It contains important hints about production ready
configuration.
Thanks, very useful suggestion.
[r...@myserv mod_sed]#
[r...@myserv mod_sed]# cat /etc/httpd/conf/vhosts.d/01myserv.mydomain.com.conf
LoadModule substitute_module modules/mod_substitute.so
NameVirtualHost *:80
VirtualHost *:80
ServerName myserv.mydomain.com
ServerAdmin leon.kolchin...@mydomain.com
ServerAlias sakai-stg
# Just in case
DocumentRoot /srv/sakai
# if not specified, the global error log is used
ErrorLog /var/log/httpd/myserv.mydomain.com-error_log
CustomLog /var/log/httpd/myserv.mydomain.com-access_log combined
# don't lose time with IP address lookups
HostnameLookups Off
# needed for named virtual hosts
UseCanonicalName Off
# Add