Original: Apache frontend for security

It is possible to run Apache in front of the Tomcat instance that hosts Hudson. You will need to build Apache 2.2 with mod_proxy enabled. The example below shows an invocation of the Apache 2.2 configure script with parameters that enable mod_proxy, mod_proxy_ajp, LDAP and SSL.

[root@buildhost]# sudo ./configure --enable-proxy \
    --enable-ldap \
    --enable-vhost \
    --enable-ssl \
    --enable-suexec \
    --enable-rewrite \
    --enable-proxy-ajp \
    --enable-authnz-ldap \
    --enable-mods-shared=all \
    --with-ssl \
    --with-ldap \
    --with-ldap-include=/usr/include/ \
    --prefix=/opt/apache/httpd-2.2.6

Edit the httpd-vhosts.conf file that resides in ${APACHE_HOME}/conf/extra to make Apache aware of your Tomcat server. The example below shows a vhost configuration for an Apache that runs on the same machine as the Tomcat instance. The Tomcat instance here is configured to run an AJP connector on port 8102; it has no HTTP connectors configured. This vhost is also configured to rely on basic authentication (htpasswd) to protect certain resources, such as project configuration, Hudson management, and project deletion. See the Apache manual for examples of basic (and other) authentication scheme configuration.

<VirtualHost *:80>
    ServerAdmin your@email.address.com
    DocumentRoot "/opt/apache/httpd/htdocs"
    ServerName hudson.yourdomain.com
    ErrorLog "logs/hudson-error_log"

    ProxyPass /hudson/ ajp://127.0.0.1:8102/hudson/
    ProxyPassReverse /hudson/ ajp://127.0.0.1:8102/hudson/
    ProxyPass / ajp://127.0.0.1:8102/hudson/
    ProxyPassReverse / ajp://127.0.0.1:8102/hudson/

    <Location />
        Order allow,deny
        Allow from all
    </Location>
    <Location /hudson/manage>
        AuthType basic
        AuthName "Hudson Config"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
        Require valid-user
    </Location>
    <LocationMatch "/hudson/job/.*/configure">
        AuthType basic
        AuthName "Hudson Project Config"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
        Require valid-user
    </LocationMatch>
    <LocationMatch "/hudson/job/.*/delete">
        AuthType basic
        AuthName "Hudson Project Config"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
        Require valid-user
    </LocationMatch>
</VirtualHost>
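One thing worth checking in a vhost like the one above is that every frontend path which reaches a protected Hudson URL is itself covered by an authenticated Location block. Because the second mapping, ProxyPass / ajp://127.0.0.1:8102/hudson/, prepends /hudson/ to the backend path, a request for /manage is proxied to /hudson/manage, while the <Location /hudson/manage> block only matches request URIs that start with /hudson/manage. The Python script below is an added example, not part of the original page: it models httpd's first-match ProxyPass routing and reports such gaps. The sample vhost text is condensed from the page's configuration, and the hardened variant (single /hudson/ mapping plus a redirect for the root, one LocationMatch for configure and delete) is constructed for this example.

```python
"""Report frontend paths that reach a protected backend path without a Require.

Added example (not from the original page). Assumptions: the vhost uses
ProxyPass, <Location> and <LocationMatch>, and a Require directive inside a
block marks it as authenticated, as in the page's configuration.
"""
import re
from urllib.parse import urlsplit

# Constructed sample condensed from the page's vhost (only the relevant lines).
SAMPLE_VHOST = """\
ProxyPass /hudson/ ajp://127.0.0.1:8102/hudson/
ProxyPass / ajp://127.0.0.1:8102/hudson/
<Location /hudson/manage>
    AuthType basic
    Require valid-user
</Location>
<LocationMatch "/hudson/job/.*/configure">
    Require valid-user
</LocationMatch>
<LocationMatch "/hudson/job/.*/delete">
    Require valid-user
</LocationMatch>
"""

# Constructed hardened variant: no unprefixed mapping, root redirected instead.
HARDENED_VHOST = """\
RedirectMatch ^/$ /hudson/
ProxyPass /hudson/ ajp://127.0.0.1:8102/hudson/
ProxyPassReverse /hudson/ ajp://127.0.0.1:8102/hudson/
<Location /hudson/manage>
    AuthType basic
    Require valid-user
</Location>
<LocationMatch "/hudson/job/.*/(configure|delete)">
    AuthType basic
    Require valid-user
</LocationMatch>
"""


def parse_vhost(text):
    """Return (proxy_rules, auth_patterns).

    proxy_rules: [(frontend_prefix, backend_path_prefix)] in configuration order.
    auth_patterns: one compiled regex per <Location>/<LocationMatch> block that
    contains a Require directive, applied to the request path.
    """
    rules, auth, block = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ProxyPass\s+(\S+)\s+(\S+)", line)  # not ProxyPassReverse
        if m:
            rules.append((m.group(1), urlsplit(m.group(2)).path))
        elif (m := re.match(r'<Location\s+"?([^">]+?)"?>', line)):
            # <Location> matches whole path segments: /a covers /a and /a/b, not /ab
            block = re.compile("^" + re.escape(m.group(1).rstrip("/")) + "(/|$)")
        elif (m := re.match(r'<LocationMatch\s+"?([^">]+?)"?>', line)):
            block = re.compile(m.group(1))  # unanchored search, as httpd does
        elif line.startswith("</Location"):
            block = None
        elif block is not None and re.match(r"Require\s+", line) and "all granted" not in line:
            if block not in auth:
                auth.append(block)
    return rules, auth


def route(path, rules):
    """Backend path httpd proxies `path` to: the first matching ProxyPass wins."""
    for fe, be in rules:
        if path.startswith(fe):
            return be + path[len(fe):]
    return None


def frontend_paths(backend_path, rules):
    """Every frontend path that httpd actually routes to `backend_path`."""
    found = []
    for fe, be in rules:
        if backend_path.startswith(be):
            candidate = fe + backend_path[len(be):]
            # keep the candidate only if an earlier rule does not capture it first
            if route(candidate, rules) == backend_path and candidate not in found:
                found.append(candidate)
    return found


def unprotected_routes(vhost_text, backend_paths):
    """Map each backend path to the frontend paths that reach it with no Require."""
    rules, auth = parse_vhost(vhost_text)
    report = {}
    for target in backend_paths:
        holes = [p for p in frontend_paths(target, rules)
                 if not any(rx.search(p) for rx in auth)]
        if holes:
            report[target] = holes
    return report


if __name__ == "__main__":
    targets = ["/hudson/manage", "/hudson/job/demo/configure", "/hudson/job/demo/delete"]
    for target, holes in unprotected_routes(SAMPLE_VHOST, targets).items():
        print(f"{target} is reachable without authentication via {', '.join(holes)}")
    print("hardened vhost:", unprotected_routes(HARDENED_VHOST, targets) or "no gaps")
```

Run against the page's layout the script reports /manage, /job/demo/configure and /job/demo/delete as unauthenticated routes to the three protected backend URLs; with the single /hudson/ mapping it reports none. The simplest fix is therefore to keep one ProxyPass prefix per backend context and redirect the root rather than proxying it.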

The Tomcat instance does not have an HTTP connector, which prevents direct access. I am currently trying to find out how to make the AJP connector listen and accept connections on a single interface only. Until that is done, a rogue Apache server can be configured to talk to your Tomcat instance directly and bypass all authentication.

This is done by setting the address attribute in the Tomcat connector definition. See http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html#Standard%20Implementation. For the localhost setup above, use address="127.0.0.1". Without this, Tomcat listens on all interfaces, including every external-facing one. With the setting, Tomcat binds the connector to 127.0.0.1 only, to which no packets from external sources are routed.
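The Tomcat side of this setup can be checked the same way. The Python script below is an added example, not part of the original page: it reads a server.xml, flags any AJP connector whose address attribute is missing or not a loopback address, and flags any HTTP connector, since either one lets a client reach Hudson without passing through the Apache frontend. Both server.xml fragments are constructed for this example; the only attributes relied on are Tomcat's port, protocol (defaulting to HTTP/1.1 when omitted) and address.

```python
"""Audit Tomcat connectors for the layout the page recommends.

Added example (not from the original page). Flags AJP connectors that bind
every interface and HTTP connectors that would bypass the Apache frontend.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed weak server.xml: AJP without address, plus a stray HTTP connector.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8102" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8080" maxThreads="150"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed hardened server.xml: AJP on loopback only, no HTTP connector.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8102" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""


def is_loopback(address):
    """True for 'localhost' or any IPv4/IPv6 loopback literal."""
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit_connectors(server_xml):
    """Return [(port, problem)]; an empty list means AJP is loopback-only and
    no HTTP connector exists, i.e. every request must come through Apache."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
        if protocol.upper().startswith("AJP"):
            address = conn.get("address")
            if address is None:
                findings.append((port, "AJP connector has no address attribute and listens on all interfaces"))
            elif not is_loopback(address):
                findings.append((port, f"AJP connector bound to {address} is reachable from other hosts"))
        else:
            findings.append((port, f"{protocol} connector lets clients bypass the Apache frontend"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{label}:")
        for port, problem in audit_connectors(xml_text) or [("-", "no findings")]:
            print(f"  port {port}: {problem}")
```

A host firewall rule on the AJP port is a reasonable second layer, but the address attribute is the control the page describes, and an empty finding list from this check is what you want to see before trusting the Apache-side authentication.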
