How can I configure tomcat7 & SSL to only require authentication on selected subfolders of my web site?
For example, I have a folder that I want to be publicly accessible:
/nonSecure/
While I have another folder that requires authentication:
/secureStuff/
What do I need to do? I have a feeling the answer lies in the conf/web.xml or the conf/server.xml files but so far have had no luck.
You have to provide appropriate <security-constraint> entries in your web.xml, that specify <transport-guarantee>CONFIDENTIAL</transport-guarantee> for the URLs you want to secure with HTTPS.
Assuming you are using Container Managed Authentication. If you aren't, you should be.
Related
My domain provider uses only A records with IP addresses for root domains and Heroku doesn't accept that. I was told to use an .htaccess file to point mydomain.com to www.mydomain.com which is linked with a CNAME record and secured with SSL on Heroku.
I have no idea how this works and according to the apache doc, using an htaccess file reduces the HTTP server's speed. Instead I should write the configuration inside a <Directory> block in the main server configuration file.
Has anyone any recommendations? If I have to use the <Directory> block, where can I find the main server config file?
You could use a Heroku add-on like PointDNS, where you can point your root domain to Heroku via PointDNS Nameservers.
For steps, follow: https://www.mirrorcommunications.com/blog/how-to-correctly-point-your-domain-to-heroku, Option #1
i am running GitLab under apache as per documentation and instructions.
Now i would like to secure it with letsencrypt, but have no idea hot to let certbot/letsencrypt access /.well-known which is needed to have it issue an certificate by that method.
I know i can do it with DNS, but that is cumbersome as it can't really be automated.
Thx
You'll need to add a couple of additional configuration lines to your Apache. Mainly you'll need to exclude requests with .well-known being intercepted and processed by gitlab-workhorse:
https://serverfault.com/questions/850175/apache-2-4-gitlab-letsencrypt-not-working
I have a webapp deployed in Tomcat server with Apache in front of it. One of the requirements, is that the webapp has to be accessible using two different paths. For example:
http://domain.com/aa/bb/v1/*
and
http://domain.com/cc/v1/*
My webapp is configured with the first URL, so any request to /aa/bb/v1/* is handled correctly by Tomcat.
Then, to be able to "forward" the calls to the second URL to the first one, I've used mod_rewrite in apache, like this:
RewriteEngine on
RewriteRule /aa/bb/v1/(.+) cc/v1/$1 [NC,L,P]
This works fine! Except when I activate the digest authentication in Tomcat. In digest, the password sent by the browser is some more or less complex hash value calculated including the username, the realm and among other things, the URI. The URI of the browser, is not the URI of the webapp (I've modified it with mod_rewrite) so the authentication fails.
Any ideas in how to solve this?
Finally I've found one easy solution. One of the configurable values of the Tomcat's Digest valve is to do not validate URIs. This can be done by adding the digest valve configuration in the context.xml file:
<Context>
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<Valve className="org.apache.catalina.authenticator.DigestAuthenticator" validateUri="false" />
......
I'm not sure if somebody will say that this is insecure... however, for my case is enough.
I'm running tomcat and I want to change the default webroot so that it points to another location. Is there a way to find out what's running tomcat or where the default webroot is set as I can't find httpd.conf which is where I believe it's usually set?
Cheers,
Alexei Blue.
**UPDATE:**
It's been a long time since I looked at this question that I forgot about it. In the end it turned out that we were using Apache HTTPD to accept requests from port 80. From there we had the webroot and ProxyPass rules set in the /etc/httpd/conf/virtual-hosts/default.conf file (these can also be set in /etc/httpd/conf/httpd.conf). From there we had several tomcat instances running, all hosted on different ports which are setup in apache-tomcat-x/conf/server.xml.
When I wrote this question I was trying to setup a new tomcat instance to run an application in development and was told I would need to change the webroot to access my application, which was incorrect. Instead what I needed was to include a ProxyPass rule so that when my application name was recognised in the URL, HTTPD would send the request to the correct tomcat instance to be processed.
E.g.
www.domain.com/myApplication
In /etc/httpd/conf/virtual-hosts/default.conf
ProxyPass /myApplication/ ajp://127.0.0.1:<ajp_port>/myApplication/
ProxyPassReverse /myApplication/ ajp://127.0.0.1:<ajp_port>/myApplication/
Where the ajp_port is setup in apache-tomcat-x/conf/server.xml. I needed to ensure that non of the ports conflicted with other tomcat instances so remember to check all ports i.e. Shutdown, HTTP, HTTP with SSL, AJP etc.
Tomcat doesn't use httpd.conf, that is an apache file. The location of the individual webapps are kept in their individual web.xml files, but the location of all the configs are in ../tomcat6/conf/server.xml and web.xml
Is it where the files come from you want to move, or where it compiles and executes them from?
As #Woody says, Tomcat does not use httpd.conf files: that's an Apache httpd thing (httpd is a web server, Tomcat is a Java application server).
You didn't mention what OS you are using or what package management software you are using (e.g. yum, apt, etc.) so I'll give you generic information as if you had downloaded and installed Tomcat directly from apache.org (which I usually recommend people do for a number of reasons).
Tomcat keeps its server-wide configuration in the conf/server.xml file in the Tomcat base installation directory (often called $CATALINA_BASE for convenience): here, you configure things like what types of connectors (e.g. HTTP, HTTPS, AJP, etc.) to use and which ports they should listen to, clustering configuration, session persistence, global JNDI and realm resources. There are also conf/web.xml and conf/context.xml files that define defaults for all webapps deployed on that instance of Tomcat, but it's best to leave those files alone unless you have a really good reason to modify them.
When you want to deploy a webapp (under the default configuration), all you need to do is drop a .WAR file into the $CATALINA_BASE/webapps/ directory and the webapp will be deployed into a "context path" (aka URL prefix) that matches the name of the file minus the ".WAR" suffix. So, if you have a WAR file called mygreatwebapp.war, then it will be deployed such that your clients can reach it at http://yourhost/mygreatwebapp/. There is a special name you can give a WAR file so that it has an empty context path: if you name your WAR file ROOT.war (case matters), then your webapp can be reached at http://yourhost/. (If you would rather use exploded-WAR directories instead of WAR files, everything above still applies except the directories simply don't have the .war extension).
Given your original question, it sounds like all you want to do is drop a ROOT.war file into $CATALINA_BASE/webapps (or replace the one that is already there): this will deploy whatever webapp you want into the URL space that you might call the "default webroot".
Update
If you want to change the directory where all the webapps live for a host, you can modify $CATALINA_BASE/conf/server.xml and change the <Host>'s appBase attribute to point to, say, /cfusion/main/www/. That will deploy all the WAR files and directories in /cfusion/main/www/ as separate webapps.
If you just want to serve a single webapp from an arbitrary location, you may create a deployment file under $CATALINA_BASE/conf/[EngineName]/[HostName]/[appname].xml. This is a standard file like META-INF/context.xml and contains a <Context> element except that you will have to specify a docBase which points to your webapp (e.g. /cfusion/main/www/mywebapp).
I'd like run jsp files directly from /srv/http without deploying them the Tomcat-way. For example, I want to be able to create symbolic link to my webapp directory (e.g. /home/user/myapp/) in /srv/http and access some app's page through http://localhost/myapp/page.jsp.
Is this possible and how would I set this up?
NOTE: This is not for production. We have to use JSP at university and I want to be able to quickly test my pages.
Open the server.xml of your Tomcat. Assuming if your are using Tomcat 6.x+ then it would be at /tomcatDir/conf/server.xml.
Make an entry with your path
<Context path="/myapp" docBase="yourPathGoesHere" debug="0" reloadable="true" />
Restart Tomcat if already running.
What I did at the moment was creating a symlink in /var/lib/tomcatX/webapps to my project path. This is not the answer I was looking for though, but it is a way to deploy an app without much work.
(X in the above path means your Tomcat version)
If you set <Host name="localhost" appBase="/srv/http"> then all of the directories in it will be deployed as web applications.
If you want /srv/http to be the ROOT application/directory add a file: tomcat/conf/Catalina/localhost/ROOT.xml
with the Context docBase="/srv/http", rather than adding a Context definition to server.xml - this has been strongly discouraged for years.