Hi,

I tried to find a solution about my secured access problem, but I failed...
Here I am:
- I use apache https server (2.2.14) as frontal webserver
- I use tomcat (6.0.20) as java container for xwiki
- I use mod_jk.so httpd module as connector between httpd and tomcat, with that configuration in httpd.conf:

LoadModule jk_module modules/mod_jk.so
<IfModule jk_module>
    # Where to find workers.properties
    JkWorkersFile "C:/Program Files/Apache Software Foundation/Tomcat 6.0/conf/jk/workers.properties"
    # Where to put jk logs
    JkLogFile "D:/weblogs/2.2/mod_jk.log"
    # Set the jk log level [debug/error/info]
    JkLogLevel info
    # Select the timestamp log format
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    # Send JSPs for context /examples to worker named worker1
    JkMount /xwiki/* ajp13w
    JkMount /xwiki ajp13w
</IfModule>

- I have these lines in the workers.properties file:

worker.list=ajp13w
worker.ajp13w.type=ajp13
worker.ajp13w.host=localhost
worker.ajp13w.port=8009

I still have "javascripts" errors.
I still can't access /xwiki/bin/skin/resources/js/xwiki/xwiki.js (redirected to the xwiki.virtual.redirect URL).
I still have no error in the httpd logs or xwiki logs.

Do you have any idea of what is going wrong?
I'm sorry to ask you again, but I have to say that I'm really lost...

Gaëtan

Niels Mayer wrote:
> On Thu, Jan 7, 2010 at 5:35 AM, Gaëtan GUYODO <[email protected]> wrote:
>
>     I tried to force xwiki.url.protocol=https in xwiki.cfg, without results.
>     I tried to create another wiki, same problem.
>     I tried to add the full URL as alias, doesn't work!
>
>     => I don't have any trouble accessing by
>     http://localhost:8080/xwiki/wiki/xwiki
>     but I can't access the same wiki using external SSL URL
>     https://mydomain/xwiki/wiki/xwiki
>
> You can't run SSL on a random port, and HTTPS, bound to 443, is
> privileged and requires a privileged process (that's why a high-number
> port like 8080 is used by default, it's a random, nonprivileged port).
> Since you don't want to run java as a privileged process, but people
> trust apache to run this way, you use a
> connector ( http://tomcat.apache.org/connectors-doc/reference/apache.html
> ) to bridge between java and a secure SSL
> front-end.
>
> Although tomcat can do SSL, it's better and more secure to front tomcat
> with Apache Httpd: use mod_proxy
> <http://httpd.apache.org/docs/2.0/mod/mod_proxy.html> and mod_proxy_ajp
> <http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html> to talk to
> tomcat, and mod_ssl <http://www.modssl.org/> to handle SSL (helpful
> security hint that is de rigueur for hospital and patient data: use
> mod_auth_mysql <http://modauthmysql.sourceforge.net/> and client-side
> certificates <http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6> to
> prevent any access from those without client certs... see "fake basic
> auth" concept in
> http://www.modssl.org/docs/2.8/ssl_reference.html#SSLOptions ... if you
> don't have a client-certificate access, you get redirected to the
> "public" part of the web like in http://ipssources.net )
>
> Quickndirty configuration hints:
>
> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
> ProxyPass /xwiki/ ajp://127.0.0.1:8009/xwiki/
>
> <IfModule mod_proxy.c>
>     ProxyRequests Off
>
>     ## NPM: see
>     ## http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Performances#HModProxyAJPConfiguration
>     ProxyPreserveHost On
> </IfModule>
>
> Niels
> http://nielsmayer.com

-- 
__________________________________________
Gaëtan GUYODO
Chargé de mission
Centre Antipoison - Hôpital Fernand WIDAL
200, rue du faubourg St Denis
75475 PARIS Cedex 10
Tel: 01 40 05 49 63 / Fax: 01 40 05 48 56
__________________________________________
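
The front-end layout described in the quoted reply (mod_ssl terminating HTTPS, mod_proxy_ajp talking to Tomcat, client certificates required), assembled into one httpd 2.2 virtual host. This is an added example, not configuration from either poster; wiki.example.org and the conf/ssl/ paths are placeholders, and it maps /xwiki/ through mod_proxy_ajp instead of the JkMount lines, not alongside them.

```apache
# Added example: httpd 2.2 as the only public listener, Tomcat reached over AJP.
# wiki.example.org and the conf/ssl/* file names are placeholders.

# Omit any LoadModule or Listen line that httpd.conf already contains.
LoadModule ssl_module       modules/mod_ssl.so
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Listen 443

<VirtualHost *:443>
    ServerName wiki.example.org

    # TLS ends here; Tomcat itself is never exposed on a public port.
    SSLEngine on
    SSLCertificateFile    "conf/ssl/server.crt"
    SSLCertificateKeyFile "conf/ssl/server.key"

    # Client-certificate gate: the handshake fails unless the browser
    # presents a certificate issued directly by the CA in client-ca.crt.
    SSLCACertificateFile  "conf/ssl/client-ca.crt"
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Reverse proxy only; httpd must not act as a forward proxy.
    ProxyRequests Off

    # Pass the browser's Host header through, so the application behind
    # the proxy sees the external hostname rather than 127.0.0.1.
    ProxyPreserveHost On

    # Assumes Tomcat's AJP connector listens on 127.0.0.1:8009, the host
    # and port given in workers.properties above. The path is identical on
    # both sides, so no path rewriting is configured.
    ProxyPass /xwiki/ ajp://127.0.0.1:8009/xwiki/
</VirtualHost>
```

Run `httpd -t` after editing to confirm the syntax before restarting, and check that nothing other than httpd can reach port 8009.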
