Integrating Liferay Tomcat with the Apache web server

I am trying to integrate the Liferay Tomcat with the Apache web server. I successfully integrated Liferay with the web server.
Condition:
Liferay deployed on IP, say: 10.10.10.70
Apache web server on IP, say: 10.10.10.80
I provided all the virtual host requirements in the httpd.conf file and set web.server.host in the portal-ext.properties file.
Problem: When I run the Liferay portal I can open it on IP 10.10.10.70,
but when I click on any page link (let's say /home) that is present in my portal, it moves the request to
10.10.10.80:8080/home instead of 10.10.10.70:8080/home.
I want to know how to handle this condition,
because I don't have any page resources on the web server; its doc folder only contains static CSS.

You might be a bit more precise about what "all the required virtual host settings" are, e.g. what did you configure?
Note that by explicitly configuring hostnames/IP addresses, you're explicitly overriding the autodetected settings from the request: no matter how you get to your portal, Liferay will generate URLs based on the explicitly configured hostname/port.
What's the point in having Apache in front and then trying to reach Tomcat through the non-Apache IP/port? Typically you might have static resources, rewrites and caches on Apache, so you'll get different results when you alternatively access Tomcat through both URLs.
If you configure Apache to "properly" handle the requests before Tomcat sees them, you'll typically not need to configure Liferay at all, because Apache will make the actual hostname that it's requested under available to Tomcat. I'm typically using mod_jk for this and it beautifully handles all the configuration with almost no need to explicitly configure Tomcat/Liferay. If you don't like this, keep in mind that you're explicitly configuring Liferay for the virtual host setup; naturally this explicitly configured name is what Liferay uses. It would be weird if the explicit value were not used, right?
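An added example of the "let Apache pass the real hostname" approach the answer describes, using mod_proxy_http rather than the mod_jk the answer mentions; it is not configuration from the original thread. The IPs are the ones from the question, while the ServerName and static-content path are placeholders.

```apache
# Added example: Apache 2.4 vhost on 10.10.10.80 in front of Liferay/Tomcat on 10.10.10.70:8080.
# Requires mod_proxy and mod_proxy_http; ServerName and /var/www/portal/static are placeholders.
<VirtualHost *:80>
    ServerName portal.example.internal

    # The static CSS lives on the Apache host: serve it locally and exclude it from the proxy.
    # The exclusion must appear before the catch-all ProxyPass below.
    Alias /static "/var/www/portal/static"
    <Directory "/var/www/portal/static">
        Require all granted
    </Directory>
    ProxyPass /static !

    # Forward the Host header the browser sent. Tomcat then sees the name and port the user
    # actually used, so Liferay builds links from the request instead of from an explicit
    # web.server.host in portal-ext.properties (which can be left unset).
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass        / http://10.10.10.70:8080/
    ProxyPassReverse / http://10.10.10.70:8080/
</VirtualHost>
```

With this in place, port 8080 on 10.10.10.70 only needs to accept connections from 10.10.10.80, so a host firewall rule there keeps users from bypassing Apache.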

Related

OpenShift (Apache AAA proxy and Jenkins)

I have an OpenShift environment built with an Apache AAA pod (service and route) that allows external (to OpenShift) HTTPS requests via an intranet browser (yes, I mean intranet and not internet). Apache is set up as a proxy server for multiple pods/services inside of OpenShift. I also have a new pod that was recently created that runs Jenkins. Jenkins has a web interface built in. I am able to get to the Jenkins web GUI by setting up a ProxyPass and ProxyPassReverse for the default Jenkins web address.
Now here comes the problem...
When I go to example.com/jenkins, Apache sees the request and passes it to the Jenkins pod, but the pod returns another address, example.com/login. For this I have to enter another ProxyPass and ProxyPassReverse into Apache. I then get that in and find that every link on the presented Jenkins web GUI has another link that seems to present https://example.com/*. This is a problem because there are dozens of sub-links and sub-pages that each seem to require a separate ProxyPass and ProxyPassReverse entry.
To add to this, I cannot simply pass "/" to the Jenkins pod because there are other pods and services that are being passed through the Apache server. My department does not have access to create new URLs on a whim, so I have to stick with example.com/ as my only path into my OpenShift setup.
How can I do one of the following:
1. Change Jenkins to force the presented URL to include a prefix for every link, like putting .../jenkins/* in front of every link, so that I can use .../jenkins/ as my ProxyPass & ProxyPassReverse to cover all Jenkins web GUI URLs.
2. Configure Apache to convert the URLs coming from the Jenkins pod into a URL that is presented to the web browser in such a way that .../jenkins/ is added between & /login or any other Jenkins web links.
3. Some other option that I have not thought of yet that may have worked for others with similar setups.
(Sorry for the long question, but there are a lot of details that needed to be included as this is a complex issue.)
You could start up Jenkins at a different context path: java -jar jenkins.war --prefix=/jenkins, or start it up behind Tomcat with a different context path.
Have you set the Jenkins URL in Jenkins -> Manage Jenkins -> Configure System?
You can achieve this in two steps:
1. Implement the route changes at the proxy level.
2. Implement the route changes at the app level.
I have implemented the same with an OpenShift environment.
Thanks.
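An added example (not configuration from any of the answers) that combines the two answers above: Jenkins started with --prefix=/jenkins, with its "Jenkins URL" set to https://example.com/jenkins/, and a single Apache rule for that prefix. The service hostname jenkins-svc.project.svc, the certificate paths and the port are placeholders.

```apache
# Added example: one ProxyPass pair covers every Jenkins link once Jenkins itself runs under /jenkins.
# Assumes Jenkins was started with: java -jar jenkins.war --prefix=/jenkins
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    ProxyRequests Off
    ProxyPreserveHost On
    # Jenkins URLs may contain encoded slashes (e.g. in job names); don't let Apache
    # decode or canonicalise them on the way through.
    AllowEncodedSlashes NoDecode
    # Jenkins builds absolute redirects from these, so they must say HTTPS on 443.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # The same prefix on both sides: every link Jenkins emits (/jenkins/login,
    # /jenkins/job/..., /jenkins/static/...) already falls under this one rule,
    # and ProxyPassReverse rewrites Location headers back to the public prefix.
    ProxyPass        /jenkins http://jenkins-svc.project.svc:8080/jenkins nocanon
    ProxyPassReverse /jenkins http://jenkins-svc.project.svc:8080/jenkins

    # Other pods keep their own non-overlapping prefixes; "/" itself is never proxied.
</VirtualHost>
```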

Seamlessly hosting different parts of a website in different docker containers

I have a website that I am trying to convert to a docker-compose solution.
Part of the website is a CMS (WordPress, specifically), and there are also a few Java web applications that are currently handled by Tomcat.
The current approach is that I have an official WordPress container and an official Tomcat container. I load my custom content into WordPress (via a MySQL container which is not really a part of this question) and the WAR files into Tomcat.
So the problem is this:
Parts of the WordPress website have links to Java applications. Previously, some of these links were relative links as simple as /Application1 and the user would be able to access the Java application.
Now, since they are hosted in separate containers, I cannot do this because there is nothing named "Application1" in the WordPress container. I have modified the .htaccess file for the WordPress container with a RewriteRule like this:
# Tomcat exposes port 8085
RewriteRule ^.*Application1/(.*)$ http://localhost:8085/Application1/$1 [R,L]
But this means that if the user clicks the link for Application1 in WordPress, their browser will then redirect them to localhost:8085, which works fine if you run this set of containers locally, but does not work for remote users.
I could change localhost to the actual name of the server this will run on. But then it would need to be manually updated for every server this stack will run on, or reset to localhost for developers.
I could combine WordPress and Tomcat into a single container, but we were hoping to keep them separate so that when we need to upgrade, we just change the version of the container we are pulling rather than having to rebuild a custom container from scratch.
Is there a more seamless way to do this, so that the URL in the user's browser never changes? Is there a way to get this working so that remote users won't even know that the different parts of the site are hosted in different containers?
Assuming you use docker-compose in development and also in production, you replace localhost with the service name of the corresponding upstream.
Let's say you have 3 containers: httpd, fpm (WordPress) and java (Tomcat). You configure httpd to forward to fpm:9000 if it's domain.tld/php and to java:8086 if the request is domain.tld/Application1.
All you need to understand is that the service name you have in docker-compose is available as a hostname in all the containers, so containers can reach each other using the service name of the other container. That makes inter-container communication very easy and pre-configurable, without knowing the actual container IPs (which will change during development/production and host migrations).
I think I figured it out: I should have been using a proxy instead of a RewriteRule.
This seems to get me what I want:
ProxyPass "/Application1" "http://my-tomcat-server:8080/Application1"
ProxyPassReverse "/Application1" "http://my-tomcat-server:8080/Application1"

How to run Tomcat in a most secure way?

We are using Apache Tomcat 7 for our web applications and we have decided to go to the production stage.
So now is the time to think about how to secure Tomcat and the machine. After reading "Apache Tomcat security considerations" we decided to run the Tomcat process as a dedicated user with a minimal scenario.
From what I understand, the best option is to configure it in a way that the running Tomcat process has only read privileges on all the Tomcat files.
I figured I would do it in this way:
I would create 2 users:
- tomcat_process - only for running Tomcat
- admin - this is the one all the files belong to
tomcat_process will have access to the conf directory, and will also be able to run the scripts from tomcat/bin/.
My main problem is that Tomcat needs to write to some files in $CATALINA_HOME/$CATALINA_BASE. I know I can change the location of the logs and work directories and I thought I would point them to the tomcat_process home dir (is this even a good idea?).
But I can't find any information on whether I can change the path to the /conf/Catalina dir. Is it possible?
I would like to avoid adding write access to the conf directory, as the whole configuration sits in there.
Or do you think that I should leave those directories where they are and just add write privileges to them for tomcat_process?
I was wondering if you could please tell me if this is a correct approach or whether I can do it better?
I'm so confused with all those security guides which are telling me to restrict privileges but not telling me how to do it :(
Keeping it simple is the key, I think:
Create a new Tomcat for each (set of) web application(s) with its own user.
Limit the Tomcat resources to only the Tomcat user. In Linux you can use the chmod/chown commands for this.
Place Tomcat behind a reverse proxy: Internet (https) <- external firewall -> Apache reverse proxy <- internal firewall (block all unless whitelisted) --> Tomcat
Delete all standard webapps: 'manager', 'root', 'docs'.
Disable the shutdown command in server.xml.
As for Java web applications, try to contain them in their own sandbox, meaning their own database and their own users.
To save maintenance effort, you could run multiple instances using one Tomcat binary and a single Tomcat user.
http://www.openlogic.com/wazi/bid/188102/How-to-Run-Multiple-Instances-of-Tomcat-on-a-Single-Server
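An added example of the "Apache reverse proxy" layer from the answer's diagram, not configuration from the original answer: it forces HTTPS and forwards only the deployed application's own path, so Tomcat's default webapps are never reachable from outside even before they are deleted. The hostname app.example.org, the application path /myapp, the certificate paths and the internal Tomcat address 10.0.0.5 are placeholders.

```apache
# Added example: allow-list reverse proxy in front of a single Tomcat instance.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
<VirtualHost *:80>
    ServerName app.example.org
    # Plain HTTP exists only to send clients to HTTPS.
    Redirect permanent / https://app.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.org.key

    ProxyRequests Off
    ProxyPreserveHost On
    # Tomcat builds redirects from this, so they come back as https://.
    RequestHeader set X-Forwarded-Proto "https"

    # Allow-list: only the deployed application is proxied. Nothing under "/" itself is
    # forwarded, so ROOT, manager, host-manager, docs and examples on Tomcat stay
    # unreachable through this host even if someone forgets to delete them.
    ProxyPass        /myapp http://10.0.0.5:8080/myapp
    ProxyPassReverse /myapp http://10.0.0.5:8080/myapp

    # Defence in depth: refuse the default-webapp paths explicitly rather than
    # letting them fall through to a 404 from Apache's document root.
    <LocationMatch "^/(manager|host-manager|docs|examples)(/|$)">
        Require all denied
    </LocationMatch>

    # Don't let a stalled backend pin proxy workers indefinitely.
    ProxyTimeout 30
</VirtualHost>
```

The internal firewall from the diagram completes the picture: 10.0.0.5:8080 should accept connections only from this proxy host.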

Changing the localhost to a custom url in Jboss

I am trying to create a login module that could use Facebook login too. I am using JBoss 7.1 as my server, I run it from inside Eclipse, and my OS is Ubuntu.
The problem now is that Facebook doesn't seem to accept requests when the URL is of the type, say,
http://localhost:8080/myApp/
and expects something of the form http://localhost.test/myApp.
(Testing Facebook Connect on localhost)
My problem is that I am not aware of how to change the above pattern (from localhost:8080 to, say, localhost.mysite) in the JBoss server.
Can someone let me know how this has to be done?
Thanks
You can use the -b parameter to specify the bind address JBoss should use, see:
https://docs.jboss.org/author/display/AS71/Admin+Guide?_sscc=t
This switch should be available in the Eclipse JBoss Tools as well.
I discovered just recently that JBoss 7.x (as well as JBoss EAP 6) does not accept connections from outside if you don't specify the host/IP address via the aforementioned parameter; even responses to web service requests it sends itself are not received.
If you want to change things like the web service endpoint host, port etc., you can do this via standalone.xml. For Web Services or REST you simply specify subsections whose schema is defined by the XSDs located in the docs/schema folder (jboss-as-webservices_1_1 and jboss-as-jaxrs_1_0 respectively). For convenience (auto-completion, validation) you can put them into an XML catalog and register the catalog within Eclipse.

What configuration should be specified to bring different servers in same URL space in CloudBees PaaS

I am trying to use CloudBees PaaS (RUN@CloudBees) to consolidate essentially three distinct uses under the same URL space:
root (/): main landing/marketing page
app (/app): Java app running in CloudBees
blog (/blog): another Java app running in CloudBees, or possibly outside (example.wordpress.com)
If I was doing it myself in a datacenter or in AWS I would set up a reverse proxy (possibly something like Varnish) and configure the reverse proxy to map the URL space as follows:
root (/): www.example.com/ --> CMS running as a CloudBees app, example-cms.cloudbees.net
app (/app): Java app running in CloudBees, www.example.com/app -> app.example.com
blog (/blog): similarly, www.example.com/blog -> example.wordpress.com or exampleblog.cloudbees.net
How can I achieve the same with CloudBees? Can it be done? Is this too much to expect from a PaaS vendor?
An interesting problem, and a few solutions:
1. Use domains instead of paths (e.g. blog.example.com etc.), so you can use DNS to direct things.
2. Build an app that essentially proxies traffic for you (this could run on CloudBees or elsewhere); there are lots of ways to do this.
3. Use some routing/proxy service (like CloudFlare) which may let you set up routing rules (so it can proxy traffic).
My preference would always be for number 1: DNS is a great way to do things like this.
With this approach you can have /blog and similar URLs in your PaaS application, and have it do a 302 redirect to the real blog.example.com; that kind of gives you a bit of both.