Apache frontend for security

It is possible to run Apache in front of the Tomcat instance that hosts Hudson. You will need to build Apache 2.2 with mod_proxy enabled. The example below shows an invocation of the Apache 2.2 configure script with options that enable mod_proxy, mod_proxy_ajp, LDAP and SSL.

sudo ./configure --enable-proxy \
    --enable-ldap \
    --enable-vhost \
    --enable-ssl \
    --enable-suexec \
    --enable-rewrite \
    --enable-proxy-ajp \
    --enable-authnz-ldap \
    --enable-mods-shared=all \
    --with-ssl \
    --with-ldap \
    --with-ldap-include=/usr/include/ \
    --prefix=/opt/apache/httpd-2.2.6

Edit the httpd-vhosts.conf file in ${APACHE_HOME}/conf/extra to make Apache aware of your Tomcat server. The example below shows a vhost configuration for an Apache that runs on the same machine as the Tomcat instance. The Tomcat instance here is configured to run an AJP connector on port 8102 and has no HTTP(S) connectors configured. This vhost also relies on basic authentication (htpasswd) to protect certain resources: Hudson management, project configuration and project deletion. See the Apache manual for examples of basic and other authentication scheme configuration.

<VirtualHost *:80>
    ServerAdmin your@email.address.com
    DocumentRoot "/opt/apache/httpd/htdocs"
    ServerName hudson.yourdomain.com
    ErrorLog "logs/hudson-error_log"

    ProxyPass /hudson/ ajp://127.0.0.1:8102/hudson/
    ProxyPassReverse /hudson/ ajp://127.0.0.1:8102/hudson/
    ProxyPass / ajp://127.0.0.1:8102/hudson/
    ProxyPassReverse / ajp://127.0.0.1:8102/hudson/

    <Location />
        Order allow,deny
        Allow from all
    </Location>
    <Location /hudson/manage>
        AuthType basic
        AuthName "Hudson Config"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
        Require valid-user
    </Location>
    <LocationMatch "/hudson/job/.*/configure">
        AuthType basic
        AuthName "Hudson Project Config"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
        Require valid-user
    </LocationMatch>
    <LocationMatch "/hudson/job/.*/delete">
        AuthType basic
        AuthName "Hudson Project Config"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
        Require valid-user
    </LocationMatch>
</VirtualHost>
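As an added example (not from the original page or the Hudson project), the following Python script models the vhost above: it applies the ProxyPass rules to a request path the way Apache does (first matching prefix wins), applies the Location/LocationMatch blocks to the request URL (which is what Apache matches, not the proxied backend path), and reports protected Hudson pages that a request can reach without passing through basic authentication. The sample request paths are constructed and the job name build1 is a placeholder.

```python
import re

# ProxyPass rules from the vhost above, in the order Apache evaluates them
# (the first matching prefix wins).
PROXY_RULES = [
    ("/hudson/", "/hudson/"),
    ("/", "/hudson/"),
]

# Request-URL patterns the vhost requires authentication for.
# Location is a path-prefix match; LocationMatch is a regex search.
PROTECTED = [
    re.compile(r"^/hudson/manage"),
    re.compile(r"/hudson/job/.*/configure"),
    re.compile(r"/hudson/job/.*/delete"),
]

# Backend (Tomcat-side) paths that should never be reachable unauthenticated.
SENSITIVE_BACKEND = [
    re.compile(r"^/hudson/manage"),
    re.compile(r"^/hudson/job/[^/]+/configure"),
    re.compile(r"^/hudson/job/[^/]+/delete"),
]


def backend_path(request_path):
    """Return the Tomcat-side path after ProxyPass rewriting, or None if unproxied."""
    for prefix, target in PROXY_RULES:
        if request_path.startswith(prefix):
            return target + request_path[len(prefix):]
    return None


def requires_auth(request_path):
    """True if one of the vhost's Location/LocationMatch blocks covers the request URL."""
    return any(p.search(request_path) for p in PROTECTED)


def unprotected_sensitive(request_paths):
    """(request path, backend path) pairs that reach a sensitive page without Apache auth."""
    gaps = []
    for rp in request_paths:
        bp = backend_path(rp)
        if bp and any(s.search(bp) for s in SENSITIVE_BACKEND) and not requires_auth(rp):
            gaps.append((rp, bp))
    return gaps


if __name__ == "__main__":
    # Constructed sample: the same pages addressed with and without the /hudson prefix.
    sample = ["/hudson/manage", "/manage", "/hudson/job/build1/configure",
              "/job/build1/configure", "/hudson/job/build1/"]
    for rp, bp in unprotected_sensitive(sample):
        print(f"{rp} -> {bp} is proxied without authentication")
```

The flagged paths exist because the root ProxyPass aliases the whole Hudson context under the bare host while the auth blocks only name the /hudson-prefixed form; dropping that root rule, or adding equivalent Location blocks for the unprefixed paths, closes the gap.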

The Tomcat instance does not have an HTTP connector, to prevent direct access. I am currently trying to find out how to get the AJP connector to listen on and accept connections from only a certain interface. Until that is done, a rogue Apache server can be configured to access your Tomcat instance and bypass all authentication.

This is done by setting the address attribute in the Tomcat connector definition. See http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html#Standard%20Implementation. For the localhost setup above, use address="127.0.0.1". Without this, Tomcat will listen on all interfaces, including all external-facing ones. With the setting, Tomcat binds the connector to 127.0.0.1 only, to which no packets from external sources will be routed.
