Re: Mod_jk returning source code of jsp files

2012-04-25 Thread Christopher Schultz

Ironclaw,

Let's take a step back.

On 4/23/12 10:19 AM, ironclaw hand wrote:
> Thanks Christopher I will address the security issues if I am
> actually able to get mod_jk to execute a jsp!

I tend to agree with André here, and his assertions that there's no
reason to wait until it's working. Presumably, since you've been
tasked with getting this to work, it /must/ work at the end...
scrapping httpd isn't an option for you, so you may as well solve this
problem since it's the easier one to solve.

Honestly, I'm not sure exactly why your configuration doesn't work:
I've never had trouble configuring mod_jk.

> I have now removed everything from mod_jk.conf except for the
> global directives and I now have my httpd.conf looking like:

So what *is* in your mod_jk.conf file? I would have expected
LoadModule and Include to be in there, as well as JkWorkersFile,
JkLogLevel, etc. Basically, everything but Jk(Un)?Mount directives.

Oh! I also usually recommend setting JkStripSession On so that URLs
to static content that happen to contain jsessionid path parameters
don't confuse httpd and prevent those resources from loading.

> #
> # JK for connections to Tomcat
> #
> LoadModule jk_module modules/mod_jk.so
> Include /etc/httpd/conf/mod_jk.conf
>
> <IfModule jk_module>
> JkWorkersFile /etc/httpd/conf/workers.properties
> JkLogFile /var/log/httpd/mod_jk.log
> JkLogLevel info

Put all of the above at the top-level. It's not surprising that it
doesn't work, but I didn't actually know that you can't put
JkWorkersFile in a VirtualHost. I guess the documentation[1] is fairly
clear:


JkWorkersFile

The name of a worker file for the Tomcat servlet containers.
This directive is only allowed once. It must be put into the global
part of the configuration.

[1] http://tomcat.apache.org/connectors-doc/reference/apache.html

> Alias /sft /var/webapps/sft

[security]: we've discussed this

> <Directory /var/webapps/sft>
> Options Indexes FollowSymLinks

[security]: do you really need Indexes enabled? I find that to be a
security vulnerability unless you want people to be able to browse and
download arbitrary files. Sometimes that's what you want, but usually
not within a webapp.

> </Directory>
>
> <Location /sft/WEB-INF/>
> AllowOverride None
> deny from all
> </Location>

[security]: I would definitely do this as a Directory instead of a
Location: that way, you're protected no matter how the URL resolves
to the filesystem.

> <VirtualHost sfta.a.b.c:443>
> JkMount /sft/* loadbalancer
> JkUnMount /*.html loadbalancer

Just for parity, I'd make that:

JkUnMount /sft/*.html loadbalancer

That way, you don't accidentally unmount everything on the whole site
when you really only wanted to allow static files from that one webapp
to be unmounted.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
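
The four configuration points raised in this message, turned into a small checker, as an added example that is not part of the original message or of mod_jk. The sample config is constructed from the directives quoted in the thread; the function name `lint` and the finding codes are hypothetical, and the parser assumes one directive or section tag per line.

```python
import re

# Constructed sample: the layout quoted in this thread with the section
# brackets written out, and JkWorkersFile placed inside the VirtualHost
# (the placement httpd rejects with the AH00526 error quoted in the thread).
SAMPLE_CONF = """\
LoadModule jk_module modules/mod_jk.so
Alias /sft /var/webapps/sft
<Directory /var/webapps/sft>
    Options Indexes FollowSymLinks
</Directory>
<Location /sft/WEB-INF/>
    deny from all
</Location>
<VirtualHost sfta.a.b.c:443>
    JkWorkersFile /etc/httpd/conf/workers.properties
    JkMount /sft/* loadbalancer
    JkUnMount /*.html loadbalancer
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*(\w+)\s*>")


def static_prefix(pattern):
    """Part of a JkMount/JkUnMount pattern before its first wildcard."""
    return re.split(r"[*?]", pattern, maxsplit=1)[0]


def lint(conf_text):
    """Return sorted (line_no, code, message) findings (hypothetical codes)."""
    findings = []
    stack = []     # currently open sections as (name, argument)
    mounts = {}    # scope -> static prefixes of the JkMount patterns in it
    unmounts = []  # (line_no, scope, pattern); checked once the file is read

    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.fullmatch(line)
        if opened:
            name, arg = opened.group(1).lower(), opened.group(2).strip()
            stack.append((name, arg))
            if name == "location" and "web-inf" in arg.lower():
                findings.append((no, "WEBINF_LOCATION",
                                 "WEB-INF is denied by URL only; deny it in a "
                                 "Directory section on the filesystem path"))
            continue

        directive, *args = line.split()
        directive = directive.lower()
        vhosts = [arg for name, arg in stack if name == "virtualhost"]
        scope = vhosts[-1] if vhosts else "global"
        dirs = [arg for name, arg in stack if name == "directory"]

        if directive == "jkworkersfile" and vhosts:
            findings.append((no, "WORKERSFILE_IN_VHOST",
                             "JkWorkersFile must be in the global part of "
                             "the configuration"))
        elif directive == "options" and dirs:
            # "+Indexes" and "Indexes" enable listings; "-Indexes" does not.
            if any(a.lstrip("+").lower() == "indexes" for a in args):
                findings.append((no, "INDEXES",
                                 f"directory listing enabled for {dirs[-1]}"))
        elif directive == "jkmount" and args:
            mounts.setdefault(scope, []).append(static_prefix(args[0]))
        elif directive == "jkunmount" and args:
            unmounts.append((no, scope, args[0]))

    # A JkUnMount should stay under a prefix that the same scope mounts.
    for no, scope, pattern in unmounts:
        prefixes = mounts.get(scope, [])
        if prefixes and not any(pattern.startswith(p) for p in prefixes):
            findings.append((no, "UNMOUNT_UNSCOPED",
                             f"JkUnMount {pattern} is not limited to a "
                             f"mounted prefix {prefixes}"))
    return sorted(findings)


if __name__ == "__main__":
    for no, code, message in lint(SAMPLE_CONF):
        print(f"line {no}: {code}: {message}")
```
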



RE: Mod_jk returning source code of jsp files

2012-04-24 Thread ironclaw hand

Ok thanks for the reply and the points are taken on board but as I said before 
I haven't actually done this before and I am initially trying to get it to work 
as the existing system does (using the config files from the current 
installation).

I know in an ideal world your suggestion would be best but I was just asked to 
install current versions of apache, tomcat and mod_jk and get it all to work 
and I was given some existing config files, as said I have never done this 
before so initially I would actually like to get mod_jk working so that I can 
actually see the java code getting executed and the dynamic content returned.

I don't think the overhead of tomcat serving static pages is the reason apache 
is installed on these machines, I think it is because of the load balancing as 
there are a number of machines with Tomcat installed on them that will be in 
the load although initially I am only trying to get apache to direct to a 
tomcat on local host.

I was looking for some help understanding why mod_jk doesn't work for me, 
surely this can't be related to the security issues you mentioned?

> Date: Mon, 23 Apr 2012 17:28:00 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: Mod_jk returning source code of jsp files
>
> ironclaw hand wrote:
> > Thanks Christopher I will address the security issues if I am actually able
> > to get mod_jk to execute a jsp!
>
> No.  You should do things right first, in a secure way.  And then, when it
> works, you can start optimising carefully and step by step, and try not to
> introduce security holes while doing so.
> I put "optimise" between quotes here, because what you are apparently trying
> is not much of an optimisation, while it IS creating security issues (and
> confusing things).  It would be better to let Tomcat serve all your content,
> including the static pages that are inside your webapp directory anyway.
> This way, you will not compromise whatever access security is implemented at
> the Tomcat side, and the overhead of having Tomcat serve those static pages
> is measured in microseconds at worst.
>
> > I have now removed everything from mod_jk.conf except for the global
> > directives and I now have my httpd.conf looking like:
> >
> > #
> > # JK for connections to Tomcat
> > #
> > LoadModule jk_module modules/mod_jk.so
> > Include /etc/httpd/conf/mod_jk.conf
> >
> > <IfModule jk_module>
> > JkWorkersFile /etc/httpd/conf/workers.properties
> > JkLogFile /var/log/httpd/mod_jk.log
> > JkLogLevel info
>
> remove from here
>
> > Alias /sft /var/webapps/sft
> >
> > <Directory /var/webapps/sft>
> >  Options Indexes FollowSymLinks
> > </Directory>
> >
> > <Location /sft/WEB-INF/>
> >  AllowOverride None
> >  deny from all
> > </Location>
>
> until here
>
> > </IfModule>
> >
> > ##
> > ## SSL Virtual Host Context
> > <VirtualHost sfta.a.b.c:443>
>
> change this
>
> > JkMount /sft/* loadbalancer
> > JkUnMount /*.html loadbalancer
>
> to this
>
> JkMount /sft loadbalancer
> JkMount /sft/* loadbalancer
>
> > </VirtualHost>
> >
> > I still get the jsp file returned as text
>
> which means that Apache is serving them, not Tomcat.
>
> so I obviously still have problems and initially I would just like to get
> apache to invoke mod_jk and return me the dynamic content.
>
> And let it first return the static content as well, since it is anyway
> located in your webapps directory.
>
> One could also question why you are using the term (or name) loadbalancer
> above, since all your content seems to be on the same host anyway.  Do you
> really have one httpd and several Tomcat's ?

RE: Mod_jk returning source code of jsp files

2012-04-24 Thread ironclaw hand

Hi Andre,

I tried your suggestions but apache is still serving the content plus the 
WEB-INF directory is now available via the URL. I am only trying to get this 
set up on one machine initially as I said in my earlier message but the reason 
the term load balancer is used is because there will actually be a number of 
machines running tomcat and one machine running apache and tomcat. 

I didn't choose this solution and I don't know why this solution was preferred 
and I didn't have anything to do with configuring or installing the original set 
up. The machines are being replaced and I have been asked to install new 
versions of the software but I cannot even get this working with one apache and 
localhost tomcat. 


Re: Mod_jk returning source code of jsp files

2012-04-24 Thread André Warnier

ironclaw hand wrote:

> Ok thanks for the reply and the points are taken on board but as I said before
> I haven't actually done this before and I am initially trying to get it to work
> as the existing system does (using the config files from the current
> installation).
>
> I know in an ideal world your suggestion would be best but I was just asked to
> install current versions of apache, tomcat and mod_jk and get it all to work
> and I was given some existing config files, as said I have never done this
> before so initially I would actually like to get mod_jk working so that I can
> actually see the java code getting executed and the dynamic content returned.
>
> I don't think the overhead of tomcat serving static pages is the reason apache
> is installed on these machines, I think it is because of the load balancing as
> there are a number of machines with Tomcat installed on them that will be in
> the load although initially I am only trying to get apache to direct to a
> tomcat on local host.
>
> I was looking for some help understanding why mod_jk doesn't work for me,
> surely this can't be related to the security issues you mentioned?


Well, you are probably mistaken there.
With the current configuration, what is apparently attempted is, for some URLs, to have 
Apache httpd /not/ forwarding them to Tomcat via mod_jk, and instead having Apache httpd 
serving them directly, using a back door into Tomcat's webapps/sft/ directory.


This /is/ a security issue, because in this way, any security mechanism that may be in 
place at the Tomcat level to avoid delivering the wrong content is bypassed.
That is why, from a security point of view, it is strongly recommended not to allow Apache 
to see, and serve the content of, directories whose content should be controlled by 
Tomcat.  Your Alias and Directory section at the Apache level do just that, so they 
create a large potential security hole, which then someone tries to plug using other 
instructions (which by the way look like they're wrong and/or incomplete).


But apart from the security issue, this scheme has further drawbacks :
- it makes things more confusing as to who is serving what
- Tomcat knows that a .jsp file's content is not to be served as is.  It knows that this 
kind of file has to be compiled into a servlet, and that instead of delivering the 
content of the .jsp file, it should run the resulting servlet, and serve its response.
Apache httpd has no idea about that. It sees a .jsp file as just a text file, and happily 
serves its contents as is (even if the .jsp source file contained some information which a 
user should never see).

And that is exactly what you are seeing.

Something in your present configuration allows Apache to see these jsp's, and serve them 
directly.  It is not very clear at the moment how this happens.  In order to remove some 
potential reasons why this could happen, Chris and I showed you how to modify your 
configuration so that in principle, it should not happen. Or at least, it should 
remove one potential way in which it could be happening, leaving us with a more 
transparent situation helping to find the real reason.


A useful tool to find out what happens is the mod_jk logfile.  Increase JkLogLevel 
gradually, until you see which URLs mod_jk is actually forwarding to Tomcat (and which 
ones it is not, and why not).


A bit of background, to understand what happens :
When mod_jk is configured within Apache httpd, it acts as a content generator.  For 
Apache httpd, it is mod_jk itself which creates the content that is returned to the user. 
Apache httpd has no idea that behind mod_jk, there are one or more Tomcats who actually 
do the work.
When it comes time to generate the response to a request URL, Apache passes this URL in 
turn to all configured content generators (one of them being mod_jk).  Each of these 
content generators gets a shot at deciding whether it wants to generate content for that 
URL, or just decline.  If the content generator declines, Apache passes the URL through 
the next content generator in the chain, to see if it does better.  The last content 
generator in the chain is the Apache builtin one, which reads the file from disk and sends 
the content back as is.
In other words, mod_jk gets to see /every/ request URL, and gets to decide if for this 
one, it wants to pass it on to Tomcat or not.  It decides this on the base of an internal 
table it has built at server startup, on the base of the JkMount/JkUnmount instructions it 
knows about. If it decides that this URL is not for Tomcat, it returns a "declined" answer 
to Apache, and Apache proceeds to ask the next module.  If mod_jk decides to pass this 
request to Tomcat, then it does so using the AJP connection, and waits for Tomcat's 
response. When it gets the Tomcat response, it returns it to Apache (as if it had created 
it itself), along with a return code that means "here is the response, you do not need to 
call any other module anymore".



RE: Mod_jk returning source code of jsp files

2012-04-24 Thread ironclaw hand

Andre,

Thank you for the detailed response I can see now that the config was probably 
never actually quite right...

I have amended the log level to debug and I now can see this in the mod_jk.log 
file: 

[Tue Apr 24 10:45:35.203 2012] [20188:3044006768] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/announcement.jsp
[Tue Apr 24 10:45:35.266 2012] [20287:2844699504] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/images/sft.css
[Tue Apr 24 10:45:35.269 2012] [20188:3033516912] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/images/logo.gif

It looks like mod_jk is receiving from apache but it doesn't know what to do 
with the request. Is this correct? I have been reading about this and people 
have suggested in other forum posts to use:

JKMountCopy On -  within the virtual host directive

I have tried this and it doesn't make any difference although I am assuming this 
is because my JKMounts are actually defined within the virtual host and not 
globally? If I run a tcpdump on port 8009 I never actually see any packets so 
it never reaches tomcat again probably because of the missing uri map issue.

As a side note would you recommend dropping mod_jk and using mod_proxy as some 
posts suggest?



Re: Mod_jk returning source code of jsp files

2012-04-24 Thread André Warnier

ironclaw hand wrote:

> Andre,
>
> Thank you for the detailed response I can see now that the config was probably
> never actually quite right...
>
> I have amended the log level to debug and I now can see this in the mod_jk.log file:
>
> [Tue Apr 24 10:45:35.203 2012] [20188:3044006768] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/announcement.jsp
> [Tue Apr 24 10:45:35.266 2012] [20287:2844699504] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/images/sft.css
> [Tue Apr 24 10:45:35.269 2012] [20188:3033516912] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/images/logo.gif
>
> It looks like mod_jk is receiving from apache but it doesn't know what to do with the request. Is this correct?


Yes. mod_jk is looking at the URI pattern, and it does not match any pattern in the table 
which it has built on the base of its JkMount directives.  So it returns "declined" to 
Apache, and Apache proceeds to serve that URI itself, as a blob.


Actually, the mod_jk log, at the moment your httpd server is restarted, should show the 
processing of the JkMount/jkUnmount directives, when mod_jk builds its URI map which it 
refers to above.


What I am not quite sure about anymore, is what the mention in the loglines above of the 
actual hostname means. It could be a function of your JkLogFormat directive, or it could 
be that these requests are actually processed by the wrong VirtualHost.
I remember that this subject has come up previously on the list, but I don't remember 
precisely in which context or when.

Maybe someone else can answer that.

If your Apache configuration is such that you have a separate access log for the different 
VirtualHosts (and one for the main server), then you should be able to see which 
requests go to which VirtualHost (independently of whether they are forwarded to Tomcat or 
not).



> I have been reading about this and people have suggested in other forum posts
> to use:
>
> JKMountCopy On -  within the virtual host directive
>
> I have tried this and it doesn't make any difference although I am assuming this
> is because my JKMounts are actually defined within the virtual host and not
> globally? If I run a tcpdump on port 8009 I never actually see any packets so
> it never reaches tomcat again probably because of the missing uri map issue.



This takes us into the realm of understanding Apache's VirtualHost workings, and how 
VirtualHosts inherit or not some configuration from the main configuration part.

I was hoping to avoid that part...

Generally, when a configuration directive is present in the main part of httpd.conf, it 
acts as a default for all VirtualHosts.  That is, it is valid in (or inherited by) each 
VirtualHost, unless the VirtualHost section specifically overrides it.


JkMount/JkUnmount are an exception.  They are not automatically inherited.
So either you put the JkMount/JkUnmount directives directly in each VirtualHost section 
(as you seem to have done), or you use either one of two tricks.


Trick #1 : in the main part of the configuration, you put the JkMount/JkUnmount 
directives, and you add a "JkMountCopy all" directive.  This causes the main 
JkMount/JkUnmount directives to be copied to *all* VirtualHosts.


Trick #2 : in the main part of the configuration, you put the JkMount/JkUnmount 
directives.  In the select VirtualHosts in which you want to inherit the main 
JkMount/JkUnmount directives, you add a "JkMountCopy on" directive.  This will copy the 
main configuration's JkMount/JkUnmount directives to *this* VirtualHost only.


Which one is best to use in your case is a matter of choice depending on your whole setup 
(how many VirtualHosts you have and how similar they are).




> As a side note would you recommend dropping mod_jk and using mod_proxy as some
> posts suggest?

That is your choice of course.  But in my view, it is a bit like throwing out the baby 
along with the bath water.

I personally prefer mod_jk, and find that it has a lot more configuration 
options.
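
A triage script for the `missing uri map` debug entries discussed above, as an added example that is not part of the original message: each such entry is a request mod_jk declined, which httpd then served itself from disk. The first three log entries are the ones posted in the thread; the other two are constructed, and the names `normalise`, `classify` and `triage` are hypothetical.

```python
import re
from collections import Counter

# The first three entries are the ones posted in this thread, unwrapped to
# one line each; the last two are constructed for the example.
SAMPLE_LOG = """\
[Tue Apr 24 10:45:35.203 2012] [20188:3044006768] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/announcement.jsp
[Tue Apr 24 10:45:35.266 2012] [20287:2844699504] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/images/sft.css
[Tue Apr 24 10:45:35.269 2012] [20188:3033516912] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/images/logo.gif
[Tue Apr 24 10:45:36.010 2012] [20188:3044006768] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/announcement.jsp;jsessionid=0123ABCD
[Tue Apr 24 10:45:36.120 2012] [20287:2844699504] [debug] jk_map_to_storage::mod_jk.c (3773): missing uri map for sfta.a.b.c:/sft/WEB-INF/web.xml
"""

# \s+ after "for" also accepts the line breaks a mail client inserts when
# the log is pasted into a message, as happened in this thread.
MISSING = re.compile(r"missing uri map for\s+([^\s:/]+):(/\S*)")

# Most serious first: files under WEB-INF, then JSP source, then the rest.
SEVERITY = ["web-inf", "jsp-source", "static"]


def normalise(uri):
    """Drop the query string and ;jsessionid-style path parameters."""
    path = uri.split("?", 1)[0]
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def classify(path):
    """Say what httpd hands out when it serves this declined path from disk."""
    segments = path.split("/")
    if any(seg.upper() == "WEB-INF" for seg in segments):
        return "web-inf"        # application internals
    if segments[-1].lower().endswith((".jsp", ".jspx")):
        return "jsp-source"     # page source sent as text, never executed
    return "static"             # images, CSS and similar files


def triage(log_text):
    """Return (category, host, path, hits) rows, most serious first."""
    counts = Counter()
    for host, uri in MISSING.findall(log_text):
        path = normalise(uri)
        counts[(classify(path), host, path)] += 1
    rows = [(cat, host, path, n) for (cat, host, path), n in counts.items()]
    return sorted(rows, key=lambda r: (SEVERITY.index(r[0]), r[1], r[2]))


if __name__ == "__main__":
    for category, host, path, hits in triage(SAMPLE_LOG):
        print(f"{category:<10} {hits:>3}  {host}{path}")
```

Rows in the `web-inf` and `jsp-source` categories are the ones to clear first: they should disappear from the log once the JkMount patterns for the VirtualHost actually match.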








Re: Mod_jk returning source code of jsp files

2012-04-23 Thread Igor Cicimov
Put this line

Include /etc/httpd/conf/mod_jk.conf

inside virtual host.
On Apr 23, 2012 9:12 PM, ironclaw hand <ironclawh...@hotmail.com> wrote:

> Hi,
>
> I am attempting to set up apache and tomcat together for the first time on
> a new machine using some existing configuration files. I am not sure what
> is happening but it looks like apache is just serving up all files so when
> I access a jsp file I get the source as if tomcat never executed it.
>
> I have installed the following versions of software:
>
> httpd 2.4.2
> Tomcat connectors 1.2.35
> Tomcat 7.0.27
>
> Below are the mod_jk config (workers.properties and mod_jk.conf) files I
> am currently trying to get working if there is anything else that is needed
> then I can include this. My worker softcat1 is defined in my server.xml for
> tomcat.
>
> Tomcat works on its own if I access it directly and it does run the jsp
> files ok, it just seems to be when I try via apache.
>
> I have included my httpd.conf in case it is needed:
>
> ServerTokens Prod
>
> ServerRoot /etc/httpd
>
> PidFile run/httpd.pid
>
> Timeout 120
>
> KeepAlive Off
>
> MaxKeepAliveRequests 100
>
> KeepAliveTimeout 15
>
> <IfModule prefork.c>
> StartServers       8
> MinSpareServers    5
> MaxSpareServers   20
> ServerLimit     1024
> #ServerLimit      50
> MaxClients      1024
> #MaxClients       50
> MaxRequestsPerChild  4000
> </IfModule>
>
> <IfModule worker.c>
> StartServers 2
> MaxClients 150
> MinSpareThreads 25
> MaxSpareThreads 75
> ThreadsPerChild 25
> MaxRequestsPerChild  0
> </IfModule>
>
> LoadModule access_compat_module modules/mod_access_compat.so
> LoadModule authz_core_module modules/mod_authz_core.so
> LoadModule authz_host_module modules/mod_authz_host.so
> LoadModule auth_basic_module modules/mod_auth_basic.so
> LoadModule authn_file_module modules/mod_authn_file.so
> LoadModule authn_anon_module modules/mod_authn_anon.so
> LoadModule authn_dbm_module modules/mod_authn_dbm.so
> LoadModule auth_digest_module modules/mod_auth_digest.so
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule include_module modules/mod_include.so
> LoadModule log_config_module modules/mod_log_config.so
> LoadModule env_module modules/mod_env.so
> LoadModule mime_magic_module modules/mod_mime_magic.so
> LoadModule cern_meta_module modules/mod_cern_meta.so
> LoadModule expires_module modules/mod_expires.so
> LoadModule deflate_module modules/mod_deflate.so
> LoadModule headers_module modules/mod_headers.so
> LoadModule usertrack_module modules/mod_usertrack.so
> LoadModule setenvif_module modules/mod_setenvif.so
> LoadModule mime_module modules/mod_mime.so
> LoadModule dav_module modules/mod_dav.so
> LoadModule status_module modules/mod_status.so
> LoadModule autoindex_module modules/mod_autoindex.so
> LoadModule asis_module modules/mod_asis.so
> LoadModule info_module modules/mod_info.so
> LoadModule dav_fs_module modules/mod_dav_fs.so
> LoadModule vhost_alias_module modules/mod_vhost_alias.so
> LoadModule negotiation_module modules/mod_negotiation.so
> LoadModule dir_module modules/mod_dir.so
> LoadModule imagemap_module modules/mod_imagemap.so
> LoadModule actions_module modules/mod_actions.so
> LoadModule speling_module modules/mod_speling.so
> LoadModule userdir_module modules/mod_userdir.so
> LoadModule alias_module modules/mod_alias.so
> LoadModule rewrite_module modules/mod_rewrite.so
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
> LoadModule proxy_http_module modules/mod_proxy_http.so
> LoadModule proxy_connect_module modules/mod_proxy_connect.so
> LoadModule cache_module modules/mod_cache.so
> LoadModule suexec_module modules/mod_suexec.so
> #LoadModule disk_cache_module modules/mod_disk_cache.so
> LoadModule file_cache_module modules/mod_file_cache.so
> #LoadModule mem_cache_module modules/mod_mem_cache.so
> LoadModule cgi_module modules/mod_cgi.so
> LoadModule version_module modules/mod_version.so
> LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
> LoadModule unixd_module modules/mod_unixd.so
>
> Include conf.d/*.conf
>
> User apache
> Group apache
>
> ServerAdmin root@localhost
>
> UseCanonicalName Off
>
> DocumentRoot /var/webapps
>
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
> </Directory>
>
> <Directory /var/webapps>
>     Options Indexes FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
> </Directory>
>
> <IfModule mod_userdir.c>
>     UserDir disable
> </IfModule>
>
> DirectoryIndex index.html index.html.var
>
> AccessFileName .htaccess
>
> <Files ~ "^\.ht">
>     Order allow,deny
>     Deny from all
> </Files>
>
> TypesConfig /etc/mime.types
>
> DefaultType text/plain
>
> <IfModule mod_mime_magic.c>
> #   MIMEMagicFile /usr/share/magic.mime
>     MIMEMagicFile conf/magic
> </IfModule>
>
> HostnameLookups Off
>
> ErrorLog logs/error_log
>
> LogLevel warn
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> LogFormat "%{Referer}i -> %U" referer

RE: Mod_jk returning source code of jsp files

2012-04-23 Thread ironclaw hand


Ok I tried that but apache won't start now. It gives the following error:

AH00526: Syntax error on line 1 of /etc/httpd/conf/mod_jk.conf:
JkWorkersFile cannot occur within VirtualHost section
   [FAILED]


 Date: Mon, 23 Apr 2012 22:36:35 +1000
 Subject: Re: Mod_jk returning source code of jsp files
 From: icici...@gmail.com
 To: users@tomcat.apache.org
 
 Put this line
 
 Include /etc/httpd/conf/mod_jk.conf
 
 inside virtual host.
  On Apr 23, 2012 9:12 PM, ironclaw hand ironclawh...@hotmail.com wrote:
 
 
 
  Hi,
 
  I am attempting to set up apache and tomcat together for the first time on
  a new machine using some existing configuration files. I am not sure what
  is happening but it looks like apache is just serving up all files so when
  I access a jsp file I get the source as if tomcat never executed it.
 
  I have installed the following versions of software:
 
  httpd 2.4.2
  Tomcat connectors 1.2.35
  Tomcat 7.0.27
 
  Below are the mod_jk config (workers.properties and mod_jk.conf) files I
  am currently trying to get working if there is anything else that is needed
  then I can include this. My worker softcat1 is defined in my server.xml for
  tomcat.
 
  Tomcat works on its own if I access it directly and it does run the jsp
  files ok, it just seems to be when I try via apache.
 
  I have included my httpd.conf in case it is needed:
 
 
  ServerTokens Prod
 
 
  ServerRoot /etc/httpd
 
  PidFile run/httpd.pid
 
 
  Timeout 120
 
 
  KeepAlive Off
 
  MaxKeepAliveRequests 100
 
 
  KeepAliveTimeout 15
 
 
  <IfModule prefork.c>
  StartServers          8
  MinSpareServers       5
  MaxSpareServers      20
  ServerLimit        1024
  #ServerLimit         50
  MaxClients         1024
  #MaxClients          50
  MaxRequestsPerChild  4000
  </IfModule>
 
 
  <IfModule worker.c>
  StartServers 2
  MaxClients 150
  MinSpareThreads 25
  MaxSpareThreads 75
  ThreadsPerChild 25
  MaxRequestsPerChild  0
  </IfModule>
 
 
  LoadModule access_compat_module modules/mod_access_compat.so
  LoadModule authz_core_module modules/mod_authz_core.so
  LoadModule authz_host_module modules/mod_authz_host.so
  LoadModule auth_basic_module modules/mod_auth_basic.so
  LoadModule authn_file_module modules/mod_authn_file.so
  LoadModule authn_anon_module modules/mod_authn_anon.so
  LoadModule authn_dbm_module modules/mod_authn_dbm.so
  LoadModule auth_digest_module modules/mod_auth_digest.so
  LoadModule ldap_module modules/mod_ldap.so
  LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
  LoadModule include_module modules/mod_include.so
  LoadModule log_config_module modules/mod_log_config.so
  LoadModule env_module modules/mod_env.so
  LoadModule mime_magic_module modules/mod_mime_magic.so
  LoadModule cern_meta_module modules/mod_cern_meta.so
  LoadModule expires_module modules/mod_expires.so
  LoadModule deflate_module modules/mod_deflate.so
  LoadModule headers_module modules/mod_headers.so
  LoadModule usertrack_module modules/mod_usertrack.so
  LoadModule setenvif_module modules/mod_setenvif.so
  LoadModule mime_module modules/mod_mime.so
  LoadModule dav_module modules/mod_dav.so
  LoadModule status_module modules/mod_status.so
  LoadModule autoindex_module modules/mod_autoindex.so
  LoadModule asis_module modules/mod_asis.so
  LoadModule info_module modules/mod_info.so
  LoadModule dav_fs_module modules/mod_dav_fs.so
  LoadModule vhost_alias_module modules/mod_vhost_alias.so
  LoadModule negotiation_module modules/mod_negotiation.so
  LoadModule dir_module modules/mod_dir.so
  LoadModule imagemap_module modules/mod_imagemap.so
  LoadModule actions_module modules/mod_actions.so
  LoadModule speling_module modules/mod_speling.so
  LoadModule userdir_module modules/mod_userdir.so
  LoadModule alias_module modules/mod_alias.so
  LoadModule rewrite_module modules/mod_rewrite.so
  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
  LoadModule proxy_http_module modules/mod_proxy_http.so
  LoadModule proxy_connect_module modules/mod_proxy_connect.so
  LoadModule cache_module modules/mod_cache.so
  LoadModule suexec_module modules/mod_suexec.so
  #LoadModule disk_cache_module modules/mod_disk_cache.so
  LoadModule file_cache_module modules/mod_file_cache.so
  #LoadModule mem_cache_module modules/mod_mem_cache.so
  LoadModule cgi_module modules/mod_cgi.so
  LoadModule version_module modules/mod_version.so
  LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
  LoadModule unixd_module modules/mod_unixd.so
 
 
  Include conf.d/*.conf
 
  User apache
  Group apache
 
 
  ServerAdmin root@localhost
 
 
  UseCanonicalName Off
 
  DocumentRoot /var/webapps
 
 
  <Directory />
      Options FollowSymLinks
      AllowOverride None
  </Directory>
 
 
  <Directory /var/webapps>
      Options Indexes FollowSymLinks
      AllowOverride None
      Order allow,deny
      Allow from all
  </Directory>

RE: Mod_jk returning source code of jsp files

2012-04-23 Thread Igor Cicimov
Well you need to have JkMount command inside the virtual host so it's up to
you how to do it.
 On Apr 23, 2012 10:53 PM, ironclaw hand ironclawh...@hotmail.com wrote:



 Ok I tried that but apache won't start now. It gives the following error:

 AH00526: Syntax error on line 1 of /etc/httpd/conf/mod_jk.conf:
 JkWorkersFile cannot occur within VirtualHost section
   [FAILED]



RE: Mod_jk returning source code of jsp files

2012-04-23 Thread ironclaw hand


So are you saying I should do away with the mod_jk.conf completely?

I have already tried putting everything into httpd.conf like you suggested:

NameVirtualHost sfta.npfit.nhs.uk:443
<VirtualHost sfta.npfit.nhs.uk:443>
 LoadModule jk_module modules/mod_jk.so
</Virtualhost>

<IfModule mod_jk.c>
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info

Alias /sft /var/webapps/sft
<Directory /var/webapps/sft>
Options Indexes FollowSymLinks
</Directory>

JkMount /sft/* loadbalancer

JkUnMount /*.html loadbalancer
<Location /sft/WEB-INF/>
AllowOverride None
deny from all
</Location>
</IfModule>

Whilst apache seemed to start up ok and there were no errors in my mod_jk.log I 
still had exactly the same issue in that accessing a jsp would return the 
sourcecode.

Is the example above what you meant?

 Date: Mon, 23 Apr 2012 23:10:55 +1000
 Subject: RE: Mod_jk returning source code of jsp files
 From: icici...@gmail.com
 To: users@tomcat.apache.org
 
 Well you need to have JkMount command inside the virtual host so it's up to
 you how to do it.

Re: Mod_jk returning source code of jsp files

2012-04-23 Thread Christopher Schultz

Ironclaw,

On 4/23/12 9:18 AM, ironclaw hand wrote:
 So are you saying I should do away with the mod_jk.conf
 completely?

That depends upon what is in mod_jk.conf. Your mod_jk.conf looks like
a mix between global mod_jk directives (e.g. JkWorkersFile) and
VirtualHost-specific directives (e.g. Location and JkMounts).

I would recommend putting all your global configuration into
mod_jk.conf and then putting your VirtualHost-specific configuration
into the appropriate VirtualHost (possibly the default one).

It looks like you have an old example of how to set up mod_jk. The
following properties are no longer useful in workers.properties:

workers.apache_log=/var/log/httpd/
workers.tomcat_home=/var/tomcat
workers.java_home=/usr/java/latest
ps=/

Finally, if you are going to do this:

Alias /sft /var/webapps/sft
<Directory /var/webapps/sft>
Options Indexes FollowSymLinks
</Directory>

You'll have to protect more than just this:

<Location /sft/WEB-INF/>
AllowOverride None
deny from all
</Location>

If you have anything sensitive in sft/META-INF (like a context.xml
containing your LDAP or database credentials for instance).

Also, since the content lives on the filesystem, you might be better
off using a Directory directive instead (or in addition to)
Location. Be very careful if you decide to use an Alias to your
appBase: it's usually discouraged on a security basis.

 JkMount /sft/* loadbalancer
 
 JkUnMount /*.html loadbalancer

JkMounts need to be *inside* a VirtualHost: otherwise, they have no
effect.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
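
A check for the two problems raised in the message above, as an added example that is not part of the original thread: it flags JkMount lines outside a VirtualHost and aliased webapps whose WEB-INF or META-INF is not denied. Both sample configurations are constructed (angle brackets written out, placeholder hostname), and `audit` is a hypothetical helper that understands only the directives shown.

```python
import re

# Constructed sample: the layout posted in the thread (placeholder hostname).
THREAD_CONF = """\
JkWorkersFile /etc/httpd/conf/workers.properties
Alias /sft /var/webapps/sft
<Directory /var/webapps/sft>
    Options Indexes FollowSymLinks
</Directory>
JkMount /sft/* loadbalancer
<Location /sft/WEB-INF/>
    deny from all
</Location>
<VirtualHost www.example.test:443>
</VirtualHost>
"""

# Constructed sample: the same site after applying the advice in the message.
FIXED_CONF = """\
JkWorkersFile /etc/httpd/conf/workers.properties
Alias /sft /var/webapps/sft
<Directory /var/webapps/sft/WEB-INF>
    Require all denied
</Directory>
<Directory /var/webapps/sft/META-INF>
    Require all denied
</Directory>
<VirtualHost www.example.test:443>
    JkMount /sft loadbalancer
    JkMount /sft/* loadbalancer
</VirtualHost>
"""

OPEN = re.compile(r"<(\w+)\s+([^>]*)>")
CLOSE = re.compile(r"</\w+>")
DENY = re.compile(r"(deny\s+from\s+all|require\s+all\s+denied)", re.I)


def audit(conf):
    """Hypothetical helper: return findings for the two issues in the thread."""
    findings, stack, aliases, denied = [], [], [], set()
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.fullmatch(line)
        if opened:  # remember the container type and its argument
            stack.append((opened.group(1).lower(), opened.group(2).strip('" ')))
            continue
        words = line.split()
        directive = words[0].lower()
        if directive == "jkmount" and "virtualhost" not in [s[0] for s in stack]:
            findings.append(f"line {lineno}: JkMount outside <VirtualHost>")
        elif directive == "alias" and len(words) == 3:
            aliases.append((words[1].rstrip("/"), words[2].rstrip("/")))
        elif DENY.fullmatch(line) and stack and stack[-1][0] in ("location", "directory"):
            denied.add(stack[-1][1].rstrip("/"))
    # An aliased webapp needs both private directories denied, by URL or by path.
    for url, path in aliases:
        for private in ("WEB-INF", "META-INF"):
            if not {f"{url}/{private}", f"{path}/{private}"} & denied:
                findings.append(f"Alias {url}: {private} is not denied")
    return findings
```

`audit(THREAD_CONF)` reports the global JkMount and the unprotected META-INF; `audit(FIXED_CONF)` returns an empty list.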



RE: Mod_jk returning source code of jsp files

2012-04-23 Thread ironclaw hand

Thanks Christopher I will address the security issues if I am actually able to 
get mod_jk to execute a jsp!

I have now removed everything from mod_jk.conf except for the global directives 
and I now have my httpd.conf looking like:

#
# JK for connections to Tomcat
#
LoadModule jk_module modules/mod_jk.so
Include /etc/httpd/conf/mod_jk.conf

<IfModule jk_module>
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info

Alias /sft /var/webapps/sft

<Directory /var/webapps/sft>
 Options Indexes FollowSymLinks
</Directory>

<Location /sft/WEB-INF/>
   AllowOverride None
   deny from all
</Location>
</IfModule>


##
## SSL Virtual Host Context
<VirtualHost sfta.a.b.c:443>
JkMount /sft/* loadbalancer
JkUnMount /*.html loadbalancer
</VirtualHost>

I still get the jsp file returned as text so I obviously still have problems 
and initially I would just like to get apache to invoke mod_jk and return me 
the dynamic content. I have looked in the mod_jk.conf file and there are no 
errors so I assume the versions of software I have installed are compatible? 
This is in my mod_jk.conf file:

[Mon Apr 23 15:11:51.006 2012] [9293:3078489792] [info] init_jk::mod_jk.c (3365): mod_jk/1.2.35 initialized


 Date: Mon, 23 Apr 2012 10:04:00 -0400
 From: ch...@christopherschultz.net
 To: users@tomcat.apache.org
 Subject: Re: Mod_jk returning source code of jsp files
 

Re: Mod_jk returning source code of jsp files

2012-04-23 Thread André Warnier

ironclaw hand wrote:

> Thanks Christopher I will address the security issues if I am actually able to
> get mod_jk to execute a jsp!

No.  You should do things right first, in a secure way.  And then, when it works, you can
start "optimising" carefully and step by step, and try not to introduce security holes
while doing so.
I put "optimise" between quotes here, because what you are apparently trying is not much
of an optimisation, while it IS creating security issues (and confusing things).  It would
be better to let Tomcat serve all your content, including the static pages that are inside
your webapp directory anyway.  This way, you will not compromise whatever access security
is implemented at the Tomcat side, and the overhead of having Tomcat serve those static
pages is measured in microseconds at worst.

> I have now removed everything from mod_jk.conf except for the global directives
> and I now have my httpd.conf looking like:
>
> #
> # JK for connections to Tomcat
> #
> LoadModule jk_module modules/mod_jk.so
> Include /etc/httpd/conf/mod_jk.conf
>
> <IfModule jk_module>
> JkWorkersFile /etc/httpd/conf/workers.properties
> JkLogFile /var/log/httpd/mod_jk.log
> JkLogLevel info

remove from here

> Alias /sft /var/webapps/sft
>
> <Directory /var/webapps/sft>
>  Options Indexes FollowSymLinks
> </Directory>
>
> <Location /sft/WEB-INF/>
>    AllowOverride None
>    deny from all
> </Location>

until here

> </IfModule>
>
> ##
> ## SSL Virtual Host Context
> <VirtualHost sfta.a.b.c:443>

change this

> JkMount /sft/* loadbalancer
> JkUnMount /*.html loadbalancer

to this

JkMount /sft loadbalancer
JkMount /sft/* loadbalancer

> </VirtualHost>
>
> I still get the jsp file returned as text

which means that Apache is serving them, not Tomcat.

> so I obviously still have problems and initially I would just like to get apache to invoke
> mod_jk and return me the dynamic content.

And let it first return the static content as well, since it is anyway located in your
webapps directory.

One could also question why you are using the term (or name) loadbalancer above, since
all your content seems to be on the same host anyway.  Do you really have one httpd and
several Tomcats?

