Apache notes

Apache and Tomcat with mod_jk

This document shows the most basic mod_jk configuration needed to connect Apache to Tomcat.

Install the ap-jk package from pkgsrc; this builds and installs the mod_jk module.

pkgsrc

Right after the installation, a message appears with an example httpd.conf configuration::

    LoadModule jk_module lib/httpd/mod_jk.so

    <IfModule mod_jk.c>
    JkWorkersFile /usr/pkg/tomcat/conf/workers.properties
    JkLogFile     /var/log/httpd/mod_jk.log
    JkLogLevel    info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    </IfModule>

This configuration refers to a workers.properties file. The Tomcat documentation gives a very good example of workers.properties and httpd.conf. The workers.properties file in /usr/pkg/tomcat/conf/workers.properties is::

    workers.tomcat_home=/usr/pkg/tomcat
    workers.java_home=/usr/pkg/java/sun-1.5
    ps=/
    worker.list=ajp13

    worker.ajp13.port=8009
    worker.ajp13.host=localhost
    worker.ajp13.type=ajp13

Tomcat documentation: The AJP Connector

The port used by the protocol (AJP 1.3) to make this connection is 8009, as set in the workers.properties file. The server.xml file also holds this information for Tomcat.

We also need to tell mod_jk to "mount" the Tomcat application under an HTTP URL, that is, to have Apache URLs translated to the Tomcat application. Example::

    http://<site>/source/

should show the same page as::

    http://<site>:8080/source/

(assuming that Tomcat is running on port 8080).

So httpd.conf becomes::

    LoadModule jk_module lib/httpd/mod_jk.so

    <IfModule mod_jk.c>
    JkWorkersFile /usr/pkg/tomcat/conf/workers.properties
    JkLogFile     /var/log/httpd/mod_jk.log
    JkLogLevel    info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    JkMount /source/* ajp13
    </IfModule>

Just restart Apache and see if it is working.

HTTP authentication

Simple authentication

To make Apache work with HTTP authentication globally, put the Auth* and Require directives inside a <Directory> directive, as in the following example::

    <Directory />
        Options FollowSymLinks
        AllowOverride None

        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile /usr/pkg/etc/httpd/passwd
        Require user username
    </Directory>

This makes authentication required for all directories on the server.

Don't forget to create the passwd file with htpasswd (the passwd file can have any name and be anywhere, as long as its path is configured correctly in the AuthUserFile directive). Also, "username" is the name of the user you want to give access to::

    # htpasswd -c /usr/pkg/etc/httpd/passwd username
    New password: <type password here>
    Re-type password: <type password again>

Restart the server. Authentication is probably running fine.

LDAP authentication

(2012-09-04)

LDAP authentication is a bit different from basic authentication: you need some additional configuration options. The following example makes users log in according to their e-mail field in the LDAP database::

    <Directory /var/www/html>
        AuthType Basic
        AuthName "LDAP authentication"
        # Without this, Basic authentication uses the default "file" provider
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ldapserver:389/o=bla?mail
        require valid-user
    </Directory>

If you have an Organizational Unit (ou) called "Groups", with groups defined in it and users added to those groups (a user can belong to more than one group, as with Unix groups), and you want to authenticate only users belonging to a given group, for instance the "mygroup" group, follow this example::

    <Location /myarea>
        AuthType Basic
        AuthName "LDAP authentication"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPGroupAttribute memberUid
        AuthLDAPURL "ldap://ldapserver:389/ou=Users,dc=foo,dc=bar,dc=com?uid"
        require ldap-group cn=mygroup,ou=Groups,dc=foo,dc=bar,dc=com
        Order deny,allow
        allow from all
    </Location>

You may combine other attributes to authenticate, besides "uid". According to the mod_authnz_ldap documentation, the standards (RFC 2255, obsoleted by RFC 4516) allow multiple attributes separated by commas, but Apache does not support this. You can use filters instead. See how the AuthLDAPURL directive looks after using the filter mechanism to match users whose "employeeType" attribute has the "Worker" string::

    AuthLDAPURL "ldap://ldapserver:389/ou=Users,dc=foo,dc=bar,dc=com?uid?sub?(employeeType=Worker)"
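
The following is an added example, not part of the original notes and not Apache's code: a small Python model of how the AuthLDAPURL fields (base DN, attribute, scope, filter) are split and combined with the login name into the search filter ``(&(filter)(attribute=username))``, as described in the mod_authnz_ldap documentation. The function names and the sample login name are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so user input stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("expected an ldap:// or ldaps:// URL")
    # The three optional fields after the base DN are separated by '?'.
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    attribute, scope, ldap_filter = (unquote(f) for f in fields)
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        # Only the first attribute is used, even if several are listed.
        "attribute": attribute.split(",")[0] or "uid",
        # Anything other than "one" is treated as a subtree search.
        "scope": "one" if scope == "one" else "sub",
        "filter": ldap_filter or "(objectClass=*)",
        # ldap:// sends the bind in cleartext unless TLS is configured separately.
        "ldaps": parts.scheme == "ldaps",
    }

def search_filter(cfg, username):
    """Filter used to locate the user entry: (&(filter)(attribute=username))."""
    flt = cfg["filter"]
    if not flt.startswith("("):
        flt = "(%s)" % flt
    return "(&%s(%s=%s))" % (flt, cfg["attribute"], escape_filter_value(username))

if __name__ == "__main__":
    # URLs taken from the examples above; "ali*" is a constructed login name.
    for url in (
        "ldap://ldapserver:389/o=bla?mail",
        "ldap://ldapserver:389/ou=Users,dc=foo,dc=bar,dc=com?uid?sub?(employeeType=Worker)",
    ):
        cfg = parse_auth_ldap_url(url)
        print(cfg)
        print(search_filter(cfg, "ali*"))
```

Printing the combined filter makes it easy to test the same search with ldapsearch before restarting Apache.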

mod_authnz_ldap

RFC 2255

RFC 4516

Troubleshooting

httpd: apr_sockaddr_info_get() failed for HOST

(2011-05-11)

I'm using Apache 2.2 in NetBSD 5.1 and, just after I started Apache for the first time, I got this error::

    httpd: apr_sockaddr_info_get() failed for auron

"auron" is the name of my host.

The problem was that /etc/hosts didn't have an entry indicating that 127.0.0.1, besides being localhost, is also auron.

So I just added to /etc/hosts::

    127.0.0.1               auron

Unknown Authn provider: ldap when implementing LDAP HTTP authentication

(2011-07-12)

If you are trying to configure LDAP HTTP authentication in Apache 2.2 on a Debian system, you may see the following error::

    Unknown Authn provider: ldap

It is probably because you have a link to ldap.load in /etc/apache2/mods-enabled but don't have a link to authnz_ldap.load there, so create it. I'm using Debian, but you might have to check your system configuration.

Apache and Subversion authentication with Microsoft Active Directory

"File not found" and AH01071: Got error 'Primary script unknown

Possible solution: check that every directory in the path to index.html (or similar) can be accessed by the user that runs Apache.
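
One way to run that check, as an added example that is not part of the original notes: the Python function below walks every component of a path and returns the first one that a given user cannot traverse (directories) or read (the file), based on the classic owner/group/other mode bits. The function name is hypothetical, the Apache user name is passed on the command line because it differs between systems, and ACLs are not considered.

```python
import os
import stat
import sys

def first_blocked_component(path, uid, gids, root="/"):
    """Return the first component between root and path that uid/gids cannot
    enter (directory: x bit) or read (file: r bit), or None if all are fine."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    # Collect path, its parent, ... up to root, then walk them top-down.
    chain = [path]
    while chain[-1] != root and os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    for component in reversed(chain):
        st = os.stat(component)
        # Pick the permission class the kernel would apply to this user.
        if st.st_uid == uid:
            shift = 6          # owner bits
        elif st.st_gid in gids:
            shift = 3          # group bits
        else:
            shift = 0          # other bits
        needed = 1 if stat.S_ISDIR(st.st_mode) else 4
        if not (st.st_mode >> shift) & needed:
            return component
    return None

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: check_path.py <apache-user> <path-to-file>")
    else:
        import pwd
        user, target = sys.argv[1], sys.argv[2]
        pw = pwd.getpwnam(user)
        gids = set(os.getgrouplist(user, pw.pw_gid))
        blocked = first_blocked_component(target, pw.pw_uid, gids)
        print(blocked or "all components are accessible to " + user)
```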