Original: Apache frontend for security
It is possible to run Apache in front of the Tomcat instance that runs Hudson. You will need to compile apache-2.2 with mod_proxy enabled. The example below shows an invocation of the apache-2.2 configure script with parameters that enable mod_proxy, mod_proxy_ajp, LDAP and SSL.
```sh
sudo ./configure --enable-proxy \
    --enable-ldap \
    --enable-vhost \
    --enable-ssl \
    --enable-suexec \
    --enable-rewrite \
    --enable-proxy-ajp \
    --enable-authnz-ldap \
    --enable-mods-shared=all \
    --with-ssl \
    --with-ldap \
    --with-ldap-include=/usr/include/ \
    --prefix=/opt/apache/httpd-2.2.6
```
Edit the httpd-vhosts.conf file that resides in ${APACHE_HOME}/conf/extras to make Apache aware of your Tomcat server. The example below shows a vhost configuration for an Apache that runs on the same machine as the Tomcat instance. The Tomcat instance here is configured to run an AJP connector on port 8102. It has no HTTP connectors configured. This vhost is also configured to rely on basic authentication (htpasswd) to protect certain resources, such as project configuration, Hudson management, and project deletion. See the Apache manual for examples of configuring basic and other authentication schemes.
```apache
<VirtualHost *:80>
    ServerAdmin your@email.address.com
    DocumentRoot "/opt/apache/httpd/htdocs"
    ServerName hudson.yourdomain.com
    ErrorLog "logs/hudson-error_log"

    ProxyPass /hudson/ ajp://127.0.0.1:8102/hudson/
    ProxyPassReverse /hudson/ ajp://127.0.0.1:8102/hudson/
    ProxyPass / ajp://127.0.0.1:8102/hudson/
    ProxyPassReverse / ajp://127.0.0.1:8102/hudson/

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    <Location /hudson/manage>
        AuthType basic
        AuthName "Hudson Config"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
        Require valid-user
    </Location>

    <LocationMatch "/hudson/job/.*/configure">
        AuthType basic
        AuthName "Hudson Project Config"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
        Require valid-user
    </LocationMatch>

    <LocationMatch "/hudson/job/.*/delete">
        AuthType basic
        AuthName "Hudson Project Config"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
        Require valid-user
    </LocationMatch>
</VirtualHost>
```
The Tomcat instance does not have an HTTP connector, to prevent direct access. I am currently trying to find out how to get the AJP connector to only listen for/accept communications on a certain interface. Until that is done, a rogue Apache server can be configured to access your Tomcat instance and bypass all authentication.
This is done by setting the address attribute in the Tomcat connector definition. See http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html#Standard%20Implementation. For the localhost setup above, use address="127.0.0.1". Without this, Tomcat will listen on all interfaces, including all external-facing interfaces. With the setting, Tomcat will make the connector listen only on 127.0.0.1, to which no packets from external sources will be routed.
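Added example (not part of the original page and not Hudson or Tomcat code): a small audit of a Tomcat server.xml that flags any HTTP connector and any AJP connector not bound to a loopback address, which are the two conditions the text above says let clients reach Tomcat without passing through Apache's authentication. The sample XML, function names and finding labels are constructed for illustration; only port 8102 and address="127.0.0.1" come from the page.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml samples; only port 8102 and address="127.0.0.1"
# come from the page, everything else is illustrative.
WEAK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" />
    <Connector port="8102" protocol="AJP/1.3" />
  </Service>
</Server>"""

HARDENED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8102" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>"""


def _is_loopback(address):
    """True only for a literal loopback IP; hostnames need manual review."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit_connectors(server_xml):
    """Return (port, finding) pairs for connectors that bypass the Apache frontend."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        address = conn.get("address")
        if "ajp" not in protocol.lower():
            findings.append((port, "http-connector-present"))
        elif address is None:
            findings.append((port, "ajp-listens-on-all-interfaces"))
        elif not _is_loopback(address):
            findings.append((port, "ajp-address-not-loopback"))
    return findings


if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_connectors(xml_text))
```

An address given as a hostname is reported as not loopback on purpose, so that it gets checked by hand rather than trusted.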