

Apache notes

Apache and Tomcat with mod_jk

This document shows the most basic mod_jk configuration needed to connect Apache to Tomcat.

Install the ap-jk package from pkgsrc; it builds and installs the mod_jk module.

Right after the install, a message appears with an example httpd.conf configuration:

LoadModule jk_module lib/httpd/mod_jk.so

<IfModule mod_jk.c>
JkWorkersFile /usr/pkg/tomcat/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
</IfModule>

Looking at this configuration, it is easy to see that it refers to a workers.properties file. The Tomcat documentation gives a very good example of workers.properties and httpd.conf. The workers.properties file in /usr/pkg/tomcat/conf/workers.properties is:

workers.tomcat_home=/usr/pkg/tomcat
workers.java_home=/usr/pkg/java/sun-1.5
ps=/
worker.list=ajp13

worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13

The port used by the protocol (AJP 1.3) to make this connection is 8009, as set in the workers.properties file. The server.xml file also holds this information for Tomcat.

We also need to tell mod_jk to "mount" the Tomcat application in the HTTP URL space, that is, to have Apache map HTTP URLs to the Tomcat application. For example:

http://<site>/source/

should show the same page as:

http://<site>:8080/source/

(assuming that Tomcat is running on port 8080).

So httpd.conf becomes:

LoadModule jk_module lib/httpd/mod_jk.so

<IfModule mod_jk.c>
JkWorkersFile /usr/pkg/tomcat/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkMount /source/* ajp13
</IfModule>

Just restart Apache and see if it is working.
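
The three files above have to agree with each other, so here is a consistency check, added as an example and not part of the original notes. It verifies that every JkMount worker is declared in worker.list, that its port has a matching AJP connector in Tomcat's server.xml, and that the connector listens only on loopback. The server.xml excerpt, the function names and the loopback rule (reasonable here because the worker host is localhost) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the files shown on this page.
HTTPD_CONF = "JkWorkersFile /usr/pkg/tomcat/conf/workers.properties\nJkMount /source/* ajp13\n"
WORKERS = """\
worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
"""
# Assumed server.xml excerpt (the page does not show Tomcat's file).
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
</Service></Server>
"""

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check(httpd_conf, workers, server_xml):
    """Return a list of mismatches between the three configuration files."""
    problems = []
    props = parse_properties(workers)
    declared = {w.strip() for w in props.get("worker.list", "").split(",") if w.strip()}
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("protocol", "").upper().startswith("AJP")]
    ajp_ports = {c.get("port") for c in ajp}
    for url, worker in re.findall(r"^[ \t]*JkMount[ \t]+(\S+)[ \t]+(\S+)", httpd_conf, re.M):
        if worker not in declared:
            problems.append(f"JkMount {url}: worker '{worker}' is not in worker.list")
        # 8009 is the mod_jk default port for an ajp13 worker.
        elif (port := props.get(f"worker.{worker}.port", "8009")) not in ajp_ports:
            problems.append(f"worker '{worker}' targets port {port}: no AJP connector there")
    # Workers here point at localhost, so AJP only needs the loopback interface.
    for c in ajp:
        if c.get("address") not in ("127.0.0.1", "::1", "localhost"):
            problems.append(f"AJP connector on port {c.get('port')} is not bound to loopback")
    return problems

if __name__ == "__main__":
    print(check(HTTPD_CONF, WORKERS, SERVER_XML) or "consistent")
```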

HTTP authentication

Simple authentication

To make Apache require HTTP authentication globally, put the Auth* and Require directives inside a <Directory> directive, as in the following example:

<Directory />
    Options FollowSymLinks
    AllowOverride None

    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile /usr/pkg/etc/httpd/passwd
    Require user username
</Directory>

This makes authentication required for all directories on the server.

Don't forget to create the passwd file with htpasswd (the passwd file can have any name and be anywhere, as long as its path is configured correctly in the AuthUserFile directive). Here "username" is the name of the user you want to give access to:

# htpasswd -c /usr/pkg/etc/httpd/passwd username
New password: <type password here>
Re-type password: <type password again>

Restart the server. Authentication is probably running fine.
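
The hash format that ends up in the passwd file depends on the htpasswd version and the flags used, so the following audit, an added example that is not part of the original notes, classifies each entry and lists the users whose hash is stored in a weak format. The sample entries are constructed, and the function names and the weak/acceptable labels are assumptions of this example.

```python
import re

# Constructed sample entries: the hash strings only have the right shape.
SAMPLE = """\
alice:$apr1$Qx3vB1cD$7hJk2LmN9pRsT4uVwXyZa0
bob:{SHA}0123456789abcdefghijABCDEFg=
carol:rqXexS6ZhobKA
dave:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""

# (name, pattern, weak?, note) for the formats the htpasswd tool can write.
SCHEMES = [
    ("bcrypt", r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}", False, "salted, tunable cost"),
    ("apr1-md5", r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}", False, "salted MD5, fixed cost"),
    ("sha1", r"\{SHA\}[A-Za-z0-9+/]{27}=", True, "unsalted SHA-1"),
    ("crypt", r"[./A-Za-z0-9]{13}", True, "DES crypt(), only 8 password characters used"),
]

def classify(hash_field):
    """Return (scheme, weak, note) for the part of an entry after the colon."""
    for name, pattern, weak, note in SCHEMES:
        if re.fullmatch(pattern, hash_field):
            return name, weak, note
    return "unknown", True, "plaintext or unrecognised format"

def audit(text):
    """Return {user: (scheme, weak, note)} for every entry in an htpasswd file."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        report[user] = classify(hash_field.strip())
    return report

def weak_users(text):
    """Users whose password hash should be regenerated with a stronger scheme."""
    return sorted(user for user, (_, weak, _note) in audit(text).items() if weak)

if __name__ == "__main__":
    for user, (scheme, weak, note) in audit(SAMPLE).items():
        print(f"{user:8} {scheme:10} {'WEAK' if weak else 'ok':5} {note}")
```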

LDAP authentication

LDAP authentication is a bit different from basic authentication: it needs some additional configuration options. The following example makes users log in according to the e-mail field in the LDAP database:

<Directory /var/www/html>
    AuthType Basic
    AuthName "LDAP authentication"
    AuthLDAPURL ldap://ldapserver:389/o=bla?mail
    require valid-user
</Directory>

Suppose you have an Organizational Unit (ou) called "Groups", with groups defined in it and users added to those groups (a user can belong to more than one group, as with Unix groups), and you want to authenticate only users belonging to a given group, for instance the "mygroup" group. Then follow this example:

<Location /myarea>
    AuthType Basic
    AuthName "LDAP authentication"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    AuthLDAPURL "ldap://ldapserver:389/ou=Users,dc=foo,dc=bar,dc=com?uid"
    require ldap-group cn=mygroup,ou=Groups,dc=foo,dc=bar,dc=com
    Order deny,allow
    allow from all
</Location>

You may combine other attributes to authenticate, besides "uid". According to the mod_authnz_ldap documentation, the standards (RFC 2255, obsoleted by RFC 4516) allow the use of multiple attributes separated by commas, but Apache does not support this. You can use filters instead. Here is how the AuthLDAPURL directive looks when the filter mechanism is used to match users whose "employeeType" attribute has the "Worker" string:

AuthLDAPURL "ldap://ldapserver:389/ou=Users,dc=foo,dc=bar,dc=com?uid?sub?(employeeType=Worker)"
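
To see what such a URL means for the directory search, the following added example (not part of the original notes, and not Apache's own code) splits an AuthLDAPURL value into its RFC 4516 parts and builds the combined search filter in the (&(filter)(attribute=username)) form described in the mod_authnz_ldap documentation. The defaults, the first-attribute-only behaviour and the RFC 4515 escaping of the login name are assumptions modelled on that documentation; the function names are hypothetical.

```python
from urllib.parse import unquote

# The two AuthLDAPURL values used on this page.
MAIL_URL = "ldap://ldapserver:389/o=bla?mail"
FILTER_URL = "ldap://ldapserver:389/ou=Users,dc=foo,dc=bar,dc=com?uid?sub?(employeeType=Worker)"

def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter and apply defaults."""
    scheme, rest = url.strip('"').split("://", 1)
    hostport, _, tail = rest.partition("/")
    basedn, attrs, scope, flt = (unquote(p) for p in (tail.split("?") + [""] * 3)[:4])
    attr_list = [a.strip() for a in attrs.split(",") if a.strip()]
    return {
        "scheme": scheme,
        "hostport": hostport,
        "basedn": basedn,
        # Assumption: only the first attribute is used, the rest are ignored.
        "attribute": attr_list[0] if attr_list else "uid",
        "ignored_attributes": attr_list[1:],
        # Assumption: anything other than "one" is searched as "sub".
        "scope": "one" if scope == "one" else "sub",
        "filter": flt or "(objectClass=*)",
    }

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a login name stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_search_filter(cfg, username):
    """Combine the URL's filter with attribute=username, as the module's search does."""
    flt = cfg["filter"]
    if not flt.startswith("("):
        flt = f"({flt})"
    return f"(&{flt}({cfg['attribute']}={escape_filter_value(username)}))"

if __name__ == "__main__":
    for url in (MAIL_URL, FILTER_URL):
        cfg = parse_auth_ldap_url(url)
        print(cfg["basedn"], cfg["scope"], build_search_filter(cfg, "jdoe"))
```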

Troubleshooting

httpd: apr_sockaddr_info_get() failed for HOST

I'm using Apache 2.2 on NetBSD 5.1 and, just after I started Apache for the first time, I got this error:

httpd: apr_sockaddr_info_get() failed for auron

"auron" is the name of my host.

The problem was that /etc/hosts didn't have an entry indicating that 127.0.0.1, besides being localhost, is also auron.

So I just added to /etc/hosts:

127.0.0.1               auron

Unknown Authn provider: ldap when implementing LDAP HTTP authentication

If you are trying to configure LDAP HTTP authentication in Apache 2.2 on a Debian system, you may have run into the following error:

Unknown Authn provider: ldap

It is probably because you have a link to ldap.load in /etc/apache2/mods-enabled but don't have a link to authnz_ldap.load there, so create it. I'm using Debian, but you might have to check your system configuration.

Got this tip from here.