Running Jenkins behind Apache 2.2 issue - apache

I need to configure Jenkins behind Apache. For this purpose I installed Apache 2.2 using httpd-2.2.25-win32-x86-openssl-0.9.8y.msi.
Now I have configured jenkins with -
--httpPort=8084 --prefix=/jenkins (inside jenkins.xml)
The securityRealm for Jenkins is (I am using LDAP authentication):
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@1.11">
<server>ldap://ldap.myserver.com:1234</server>
<rootDN>DC=blah-blah,DC=blah</rootDN>
<inhibitInferRootDN>false</inhibitInferRootDN>
<userSearchBase></userSearchBase>
<userSearch>SAMAccountName={0}</userSearch>
<groupSearchFilter></groupSearchFilter>
<groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
<filter></filter>
</groupMembershipStrategy>
<managerDN>email@mycompany.com</managerDN>
<managerPasswordSecret>XXXX</managerPasswordSecret>
<disableMailAddressResolver>false</disableMailAddressResolver>
<displayNameAttributeName>displayname</displayNameAttributeName>
<mailAddressAttributeName>mail</mailAddressAttributeName>
<userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
<groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
</securityRealm>
The name of the server where Apache and Jenkins are hosted is : http://abchost/.
Jenkins is hosted at : http://abchost:8084/jenkins.
Now I need to configure the Apache server in such a way that, when I enter http://abchost/jenkins in the browser, a proxy should work in between: it should forward the request to http://abchost:8084/jenkins, get the result from Jenkins, and display the result at http://abchost/jenkins.
For this I have configured Apache like this:
NameVirtualHost abchost:80
Listen 80
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes On
<VirtualHost *:80>
ServerName abchost.com
ServerAdmin admin@abchost.com
ProxyPass /downloads !
Alias /downloads "d:\myPath1"
<Directory "d:\myPath2">
# Don't allow editing the main repository site.
Options -Indexes
</Directory>
<Directory "d:\myPath3">
# Remove 'Parent Directory' link from the site.
# IndexIgnore ..
#
Options +Indexes
# List file names which will be opened automatically when the folder is opened.
DirectoryIndex index.html toc.html
IndexOptions FancyIndexing HTMLTable FoldersFirst SuppressDescription
</Directory>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Jenkins via HTTP.
ProxyPass /jenkins/ http:/abchost:8084/jenkins/ nocanon
ProxyPassReverse /jenkins http://abchost:8084/jenkins/
</VirtualHost>
After this configuration, I am able to log in to Jenkins using http://abchost:8084/jenkins/, but not using http://abchost/jenkins/.
Points to note:
When I log in at http://abchost/jenkins/ using the proper user id and password, it looks like the page refreshes and a blank login page appears again.
When I log in at http://abchost/jenkins/ using a wrong user id and password combination, it shows a message that LDAP authentication failed.
Can anyone please enlighten me?
Thanks in advance!

Related

Puppet apache configuration file on ubuntu ec2

I am using puppet to provision an AWS AMI using packer and then launch the AMI.
Puppet does all the configuration and package installations upon baking the AMI which includes installing and configuring apache and wsgi.
By the time I launch the AMI my application (a Flask application) would have already been downloaded and configured by Puppet, as well as my Apache configuration file at /etc/apache2/sites-available/xxxx.conf. I make use of the Puppet template to configure the Apache configuration file and as such it is a Ruby template (xxxx.conf.erb). The Apache configuration template file looks like this:
<VirtualHost *:<%= @port -%>>
ServerName <%= @servername %>
ServerAdmin admin@example.com
WSGIScriptAlias / /var/www/Porfolio/xxxxx.wsgi
<Directory /var/www/Porfolio/>
Order allow,deny
Allow from all
</Directory>
Alias /static /var/www/Porfolio/static
<Directory /var/www/Porfolio/static/>
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I have set the variable servername = $::hostname (using facter) and port = 80
When I launch the AMI and access the public IP address of the EC2 instance, it takes me to the default Ubuntu webpage instead of my Flask web application.
I will have to ssh into my server and change the apache configuration file at
/etc/apache2/sites-available/xxxx.conf to become :
<VirtualHost *:<%= @port -%>>
ServerName 52.91.143.90
ServerAdmin admin@example.com
WSGIScriptAlias / /var/www/Porfolio/culturely.wsgi
<Directory /var/www/Porfolio/>
Order allow,deny
Allow from all
</Directory>
Alias /static /var/www/Porfolio/static
<Directory /var/www/Porfolio/static/>
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
This means I have to manually type in the public IP address of the EC2 instance in order to get my Flask web page to display when the public IP address is accessed in a browser. This of course defeats the level of automation I am trying to achieve.
The public IP address only becomes available after I launch the AMI. Is there a way I can re-configure my Apache configuration file to make it automatically go to my web application instead of the default Ubuntu web page, without having to ssh into the server and manually change it after it is launched?
There is a fact ec2_public_ipv4, use this to set the address
I have found a solution to my problem. I was creating a new apache configuration file with puppet at packer time, a point at which the public IP address that will be assigned to ec2 instance is unavailable.
So instead of creating a new apache configuration file, I modified the default one at /etc/apache2/sites-available/000-default.conf . I left the variable servername = $::fqdn . Now whenever I launch the AMI and visit the assigned public IP address of the ec2-instance, it navigates to my Flask application and not the default ubuntu web page anymore.

Correct client denied by server configuration error after moving website to proxy

My website directory structure was this:
/var/services/web/
A portion of my website is a Wordpress page called portal with a Ninja Forms plugin. Ninja forms stores uploaded files in a directory on the server for all to see. So to deal with that I did this in the site's configuration file:
<Directory "/var/services/web/portal/wp-content/plugins/ninja-forms/">
AllowOverride None
Order deny,allow
Deny from all
</Directory>
I have had to move my website to a proxy server and now the Ninja Forms directory structure is like this:
/var/services/web/MYWEBSITE/portal/wp-content/plugins/ninja-forms/
I am not sure how to make the above Apache config item work in the proxy server. My proxy set up in httpd-ssl-vhost.conf-user is like this (port 80 is similar but I don't think that is an issue because I am only connecting ssl. Correct me if I am wrong):
<VirtualHost *:443>
ServerName www.MYWEBSITE.com
DocumentRoot "/var/services/web/MYWEBSITE"
ErrorDocument 403 "/webdefault/error.html"
ErrorDocument 404 "/webdefault/error.html"
ErrorDocument 500 "/webdefault/error.html"
SSLEngine on
</VirtualHost>
I tried just changing the path in the Apache config file to:
<Directory "/var/services/web/MYWEBSITE/portal/wp-content/plugins/ninja-forms/">
AllowOverride None
Order deny,allow
Deny from all
</Directory>
And this just produces the following error:
client denied by server configuration: /var/services/web/MYWEBSITE/portal/wp-content/plugins/ninja-forms . . . etc.
So, I think I need to add lines to my proxy ssl set up. I could use tips on the proper SSL set up in my proxy server. Other solutions I have found here appear to be changing the Deny from All line and I do not want that.

How to filter url in Apache configuration

We have an Apache web server that receives user requests. It only allows https connections (JkHTTPSIndicator HTTPS). But now we have a new requirement, which will allow a particular url pattern like /myurl on http via Apache. That is, we want Apache to only accept http if a particular url pattern is thrown at it.
You can use a Location block to restrict/allow access
http://httpd.apache.org/docs/2.2/sections.html
I'm not quite sure if this is what you want, but you could block the root location:
<Location />
Deny from all
</Location>
And then add a location to allow
<Location /myurl>
Allow from all
</Location>
The above suggestion did not work for me with Apache 2.2.15. I had to do something different although still along the lines suggested above:
<VirtualHost *:80>
...
<Location / >
Require all denied
</Location>
<Location /my-dir>
Require all granted
</Location>
</VirtualHost>

Can't get apache2.4 to pass requests to web2py using mod_wsgi

I'm having a hell of a time setting up a web2py server in a way that allows me to access the admin and appadmin interfaces from anywhere other than localhost, which is a requirement for me because the web2py server is hosted in a cloud location without a browser or X server. I understand that to access web2py's admin or appadmin interfaces from outside localhost that I must use SSL/HTTPS.
The web2py documentation seems to declare two different ways to do this. First, from the general web2py startup tutorial:
The administrative interface, admin, is only accessible from localhost
unless you run web2py behind Apache with mod_proxy. If admin detects a
proxy, the session cookie is set to secure and admin login does not
work unless the communication between the client and the proxy goes
over HTTPS
This led me to search the web for how to set up web2py behind Apache, which led me to the web2py deployment recipes page, where it describes setting up web2py behind Apache using mod_wsgi instead of mod_proxy. These are the instructions I'm currently following exactly, with the exception of updating the /etc/apache2/sites-available/web2py file to apache2.4 syntax and modifying the ServerName directive's value to "foo.bar.com" (omitted: the domain name of cloud box containing the server, this is replaced with foo.bar.com throughout this question).
However, when I get to the
When you restart Apache, it should pass all the requests to web2py without going through the Rocket wsgiserver.
part of that web2py+apache+mod_wsgi tutorial, Apache does not appear to be passing anything to web2py for me. I went ahead and moved the wsgihandler.py file as the next step in the tutorial describes, and here's my current state:
If I browse to foo.bar.com:80 from another machine, I get the Apache2 Ubuntu Default Page (the "It works!" page).
If I browse to foo.bar.com:8000 (web2py port), I get the web2py server's default interface, but with no access to admin or appadmin because of the unsecure channel.
If I try to browse to foo.bar.com:443, I get the generic "Index of /" apache server
page. On this page "/" contains one directory link "html", which
is a link to the Apache2 Ubuntu Default Page (the "It works!" page).
Other information:
I have an untouched instance of web2py installed at /home/www-data/web2py except that I've moved /home/www-data/web2py/handlers/wsgihandler.py to /home/www-data/web2py/wsgihandler.py
The contents of my /etc/apache2/sites-available/ directory are:
000-default.conf (not touched by me)
default-ssl.conf (not touched by me)
web2py (created by me)
I've manually started up web2py with python ~/web2py/web2py.py --ip 10.7.166.27 (that's the IP for foo.bar.com (real domain name omitted))
apache2 is running as user www-data
The server OS is Ubuntu Server 14.04 x64
This is my /etc/apache2/sites-available/web2py file:
<VirtualHost *:80>
ServerName foo.bar.com
WSGIDaemonProcess web2py user=www-data group=www-data display-name=%{GROUP}
WSGIProcessGroup web2py
WSGIScriptAlias / /home/www-data/web2py/wsgihandler.py
<Directory /home/www-data/web2py>
AllowOverride None
Require all denied
<Files wsgihandler.py>
Require all granted
</Files>
</Directory>
AliasMatch ^/([^/]+)/static/(.*) /users/www-data/web2py/applications/$1/static/$2
<Directory /users/www-data/web2py/applications/*/static/>
Order Allow,Deny
Allow from all
</Directory>
<Location /admin>
Require all denied
</Location>
<LocationMatch ^/([^/]+)/appadmin>
Require all denied
</LocationMatch>
CustomLog /private/var/log/apache2/access.log common
ErrorLog /private/var/log/apache2/error.log
</VirtualHost>
<VirtualHost *:443>
ServerName foo.bar.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
WSGIProcessGroup web2py
WSGIScriptAlias / /users/www-data/web2py/wsgihandler.py
<Directory /users/www-data/web2py>
AllowOverride None
Require all denied
<Files wsgihandler.py>
Require all granted
</Files>
</Directory>
AliasMatch ^/([^/]+)/static/(.*) /users/www-data/web2py/applications/$1/static/$2
<Directory /users/www-data/web2py/applications/*/static/>
Require all granted
</Directory>
CustomLog /private/var/log/apache2/access.log common
ErrorLog /private/var/log/apache2/error.log
</VirtualHost>
Alright! I found my stupid mistake while writing this up. I had never bothered to properly configure apache itself:
/etc/apache2/sites-available/000-default.conf and /etc/apache2/sites-available/default-ssl.conf were why I was seeing what I was seeing when browsing to foo.bar.com:80 and foo.bar.com:443 respectively.
apache2.4 seems to require the .conf on configuration files, I didn't have that so I renamed /etc/apache2/sites-available/web2py to /etc/apache2/sites-available/web2py.conf
I didn't have a symlink to /etc/apache2/sites-available/web2py at /etc/apache2/sites-enabled/web2py, so I made one.
So, as of now:
When I browse to foo.bar.com:80 I get the same Apache2 Ubuntu Default Page, BUT
When I browse to foo.bar.com:80/web2py I get an internal server error which the apache logs tell me is a python import error from wsgihandler.py, which means the apache<->mod_wsgi<->web2py link is up and running
When I browse to foo.bar.com:443/web2py I get Chrome's yellow screen complaining about my self-signed certificate and after clicking through I get a permissions-denied page, presumably because of something I haven't set up yet in web2py/SSL
This means my original question is answered, but I might come back here and comment/edit if I get stumped again getting SSL to work.
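The port 80 virtual host posted in the question above combines Apache 2.2 access directives (Order, Allow from) with 2.4 ones (Require all ...), and the earlier URL-filtering answers show the same two syntaxes side by side. The following is an added example, not part of the original posts: a short Python checker that reports which top-level containers use both generations. The names audit, mixed and SAMPLE are made up for this illustration, and the sample text is constructed.

```python
import re

# 2.2-style host access control (handled by mod_access_compat on 2.4).
LEGACY = re.compile(r"^(order|allow\s+from|deny\s+from|satisfy)\b", re.I)
# 2.4-style host access control (mod_authz_core / mod_authz_host).
MODERN = re.compile(r"^require\s+(not\s+)?(all|ip|host|local)\b", re.I)
TAG = re.compile(r"^<(/?)\s*(\w+)\s*([^>]*)>$")  # <Directory ...> or </Directory>

def audit(conf_text):
    """Return {top-level container: {"legacy": [...], "modern": [...]}}."""
    stack, report = [], {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()  # comments and blanks match none of the patterns
        tag = TAG.match(line)
        if tag and tag.group(1):
            del stack[-1:]  # closing tag; tolerate a stray one
        elif tag:
            stack.append(f"{tag.group(2)} {tag.group(3).strip()}")
        elif LEGACY.match(line) or MODERN.match(line):
            kind = "legacy" if LEGACY.match(line) else "modern"
            top = stack[0] if stack else "(server config)"
            entry = report.setdefault(top, {"legacy": [], "modern": []})
            entry[kind].append((lineno, stack[-1] if stack else top, line))
    return report

def mixed(conf_text):
    """Top-level containers that use both generations of directives."""
    return [t for t, e in audit(conf_text).items() if e["legacy"] and e["modern"]]

# Constructed sample, abridged from the vhost file posted in the question.
SAMPLE = """\
<VirtualHost *:80>
<Directory /home/www-data/web2py>
Require all denied
<Files wsgihandler.py>
Require all granted
</Files>
</Directory>
<Directory /users/www-data/web2py/applications/*/static/>
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
<Directory /users/www-data/web2py/applications/*/static/>
Require all granted
</Directory>
</VirtualHost>
"""
print(mixed(SAMPLE))  # ['VirtualHost *:80']
```

Each entry in the audit result carries the line number and the innermost enclosing section, so a flagged container can be traced to the exact Directory, Files or Location block that still uses the older syntax.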

How to configure Apache to proxy exactly one file?

(I must be dense - I just can't figure out the Apache documentation on how to do this.)
To speed up some swf development I'm doing, I want to have my local machine fetch my local swf when I browse to our studio's test website. Just the one local swf only - with the rest pulled from the test website.
So I set up apache on port 80 with mod_proxy and proxy_http_module, then added an entry for HOSTS to say the test server is 127.0.0.1. What I need are the magical incantations to put in httpd.conf to say "every call requesting http://test/blah goes to 10.1.1.whatever EXCEPT http://test/blah/foo.swf which goes to c:\proj\foo.swf".
Can someone help with this? Thank you.
There is a simple syntax for disallowing a particular URL from proxying:
ProxyPass /blah/foo.swf !
ProxyPass /blah http://10.1.1.whatever
For the record here's what I ended up with, roughly:
<VirtualHost *>
ServerName (testserver-dns)
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /path/to/swf !
ProxyPass / http://10.1.2.3/
ProxyPassReverse / http://10.1.2.3/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>