How do you create "Aliases" in Apache Tomcat? - apache

I am working on a web application that allows users to upload attachments. These attachments are stored on a different drive than that of the web application. How can I create an alias (equivalent to Apache HTTP server's aliases) to this drive so that users can download these attachments?
Currently I am creating a context file and dumping it in CATALINA_HOME/conf/Catalina/localhost, but it gets randomly deleted every so often. The context file is named attachments.xml and the contents are shown below. I have also read about virtual hosts, but if I understand correctly, then a virtual host is not what I am looking for. I am using version 6.0.18 of Apache Tomcat.
attachments.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context docBase = "e:\uploads\attachments"
reloadable = "true"
crossContext = "true">
</Context>

I spent a lot more time researching this and found a solution that solves the random deletion of the context files. I found this excerpt on Apache's website under the host configuration section:
You can nest one or more Context elements inside this Host element, each representing a different web application associated with this virtual host.
The virtual hosts are stored in the server.xml file located at CATALINA_HOME\conf. Tomcat comes configured with localhost as the default host. So, if we add the contents of attachments.xml from the first post, we get the following:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Context path="/attachments"
docBase="e:\uploads\attachments"
reloadable="true"
crossContext="true" />
</Host>
This is as close as one can get to defining aliases similar to Apache's HTTP server, I think.

There are multiple options.
Use Apache as frontend, delegating to tomcat by mod_jk or mod_proxy
Provide a download servlet in your own application, serving the requested file
Make the directory that you want tomcat to deliver a web application
Each has some drawbacks and some advantages. I strongly prefer the first solution for multiple reasons:
My main reasons apply to unixoid systems, which you are obviously not talking about: Only root can bind ports lower than 1024, e.g. 80. Therefore tomcat would need to run as root (I know that there are mechanics to allow users to bind to low ports, but I've never gotten to use them). Apache is usually started as root but drops these privileges as soon as port 80 is bound.
Apache is said to be a lot better in serving static resources than tomcat (I've never measured it, but find it hard to believe the contrary)
You obviously know how to create aliases in apache - it would be trivial to do so.
About the download servlet:
This way you'd have a servlet serving your static resources, which you might bind to the urls "/download/*" (e.g. in the application that also handles file uploads). You'd gain:
You need to configure the directory where your files are stored only once
If you need you might easily implement permission checks (e.g. login required for downloading)
You need to deploy only one completely self-contained application.
The download servlet is trivial - find the file, set its name and filetype in the output stream and stream it byte by byte, then close the output stream (be sure to handle attacking file names like "/download/../../../../etc/passwd" or "/download/C:/WINDOWS/someimportantfile.xxx"), e.g. by using the java.io.File constructor that gets the base directory as a separate parameter.
The third option has some severe drawbacks and opens you for attacks if you don't take special care of them:
Tomcat does not serve directories, but webapps. Therefore "E:/upload/attachments" would need at least a directory named "WEB-INF", containing "web.xml". Take care to not provide write access to this directory and file from the uploading web application. With this provision you might let tomcat serve the directory.
However: Configure the contained web.xml to not serve "*.jsp" as a jsp, otherwise tomcat would not just deliver jsp files but execute them. Imagine someone uploading "index.jsp" with <% System.exit(0); %> or more malicious content.
One additional thought: You don't need the extra crossContext="true". This would imply that the web application that you deploy just to serve your files has access to other web applications, e.g. is able to manage them or access their private data. Usually you don't need that at all, in the case of your question you definitely don't want that.
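An added example (not part of the original answer and not Tomcat code): the file-name check a download servlet like the one described above needs, written as a hypothetical AttachmentResolver class that the servlet would call with the path after "/download". It normalizes the requested name and verifies the result is still inside the base directory, because new File(parent, child) on its own keeps ".." segments in the resulting path.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added example (hypothetical class name): maps the path after /download to a
// file under the attachment directory, or returns null so the servlet sends 404.
public class AttachmentResolver {
    private final Path baseDir;

    public AttachmentResolver(Path baseDir) throws IOException {
        // Resolve symlinks in the base once so later comparisons use the real location.
        this.baseDir = baseDir.toRealPath();
    }

    public Path resolve(String pathInfo) {
        if (pathInfo == null || pathInfo.indexOf('\0') >= 0) return null;
        // Treat both separators alike and drop leading slashes so the name is relative.
        String rel = pathInfo.replace('\\', '/').replaceAll("^/+", "");
        if (rel.isEmpty()) return null;
        try {
            // normalize() collapses "." and ".."; an absolute name (C:/... on Windows)
            // replaces the base entirely, and the startsWith check below rejects it.
            Path candidate = baseDir.resolve(rel).normalize();
            if (!candidate.startsWith(baseDir)) return null;
            // toRealPath() follows symlinks and fails for missing files; check again
            // so a link inside the upload directory cannot point outside it.
            Path real = candidate.toRealPath();
            return real.startsWith(baseDir) && Files.isRegularFile(real) ? real : null;
        } catch (InvalidPathException | IOException e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary directory stands in for e:\uploads\attachments.
        Path base = Files.createTempDirectory("attachments");
        Files.write(base.resolve("report.pdf"), new byte[] {1, 2, 3});
        AttachmentResolver resolver = new AttachmentResolver(base);
        String[] requests = {
            "/report.pdf",
            "/../../../../etc/passwd",
            "/C:/WINDOWS/someimportantfile.xxx",
            "/sub/../report.pdf",
            "/missing.txt"
        };
        for (String r : requests) {
            Path p = resolver.resolve(r);
            System.out.println(r + " -> " + (p == null ? "rejected" : "serve " + p.getFileName()));
        }
    }
}
```

Path.startsWith compares whole path elements, so a sibling directory whose name merely begins with the base directory's name does not pass the check.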

See the initial part of my newer question for ways to do this by editing the context.xml file
How do I add aliases to a Servlet Context in java?.
According to several people now, it is no longer necessary (2012: Tomcat 6 or 7) to use Apache for performance reasons over Tomcat for serving static content.

Related

(MacOS Server) Apache File Extension Questions

I am running into some sort of issue when trying to access my local website:
Forbidden
You don't have permission to access /index.html on this server.
Apache Server at ffghost.local Port 34580
I'm using macOS X Server 5.2 with Apache 2.4.18. OS X Server automatically creates two default websites (one on port 80 and one on port 443). I created a new website. It was my understanding that Apache would redirect from the default site to the created site automatically once created. This didn't happen. So, in an attempt to begin de-conflicting I replaced the files where the default site was located with the new website files and all of a sudden am getting the above 404 message.
I have read a lot of possibilities as to why this may be happening. I've run a syntax checker for Apache in terminal and terminal says syntax is ok. So from there I was going to check into the config files, but there are several, and I just want to know the gist behind them.
There seem to be about 4 file extension types. I don't know what they all mean or if they are active.
.config (I'm assuming this is the active file)
.config.prev (I'm assuming this is a previous version or copy of an active config file and is no longer active)
.config.orig (original file? and is no longer active)
.config.default (???)
Also, OS X Server and Apache seem to have the same files in two different places and I'm a little confused on which one to change. If I change one of them will it be reflected in the other? Do I need to change both of them? Additionally, I don't have DNS set up and am unsure if that was the original issue of not pulling up the new website over the default site.
You are mixing several aspects in your question which makes it complicated to give a helpful answer. For example, you say you get Forbidden when accessing your site, but later you mention a status 404. The former might be due to configuring a user group being allowed to access the site, while the latter just means Not found.
As to your actual question about the config files:
The file just ending in .conf is the one that is being used.
However, the Server app uses a lot of different config files which might be relevant:
Path /Library/Server/Web/Config/apache2 contains the general config files
httpd.conf - general Apache configuration
httpd_server_app.conf - more general configuration
the other files contain configurations for specific applications or webapps (the latter being defined in plist files in /Library/Server/Web/Config/apache2/webapps)
Path /Library/Server/Web/Config/apache2/sites contains config files specific to your websites. They are named something like 0000_127.0.0.1_34543_your.domain.name.conf where 34543 is the configuration for the https (SSL) port, while 35480 would indicate the http port. There is also a file like 0000_127.0.0.1_34543_.conf (no domain name in the file name) which defines the default site.
In addition to these, there are two more configuration files in /Library/Server/Web/Config/proxy which configure the proxy services.
It is not recommended to manually adjust the config files, except for those in the sites subdirectory, because they may get overwritten by the Server app or when updating the Server app.
Important: If you change the files manually, you must re-start the Apache server in order to make the changes effective. Use sudo serveradmin stop/start web to do so.
However, I do not know of a detailed documentation of all these files, so I try to stay on the safe side and possibly not edit the general config files (only those in sites). I also recommend to write down any manual changes, so they can be reapplied if necessary.
Without exactly knowing what you configured in the Server app and which files you changed how, I'm afraid it is impossible to say what might have gone wrong. I recommend to start all over by removing and re-adding the web sites.

How to access the moqui web application running on one system from other system

I have moqui running on system1 which is accessible using URL http://localhost:8080/Login.
Trying to access it from other system2 (in network) with URL replacing 'localhost' with the IP of first system; it shows the first (log-in) page, but afterwards, when submitting the pages from system2, the IP in URL automatically gets changed to 'localhost'. I have looked in to the book and also searched in framework code but couldn't find something related to this.
What could be the cause of this, is there any setting in app to fix this?
There are two parts to configuring hosts and ports for a webapp. One is for the servlet container so it knows what to listen to and the other is in Moqui Framework itself so it knows what to use when generating URLs. It sounds like the issue you are having is with the second, with URL generation.
In your runtime Moqui XML Conf file there should be a webapp element somewhat like this one from the MoquiProductionConf.xml file:
<webapp name="webroot" http-port="" http-host=""
https-port="" https-host="" https-enabled="false"
content-prefix-secure="" content-prefix-standard="" cookie-domain="">
<root-screen host=".*" location="component://webroot/screen/webroot.xml"/>
</webapp>
When no #http-host/etc attribute is specified the values from the HttpServletRequest object will be used. These will vary depending on the settings of the servlet container you are using to deploy Moqui Framework.
To set it to something explicit you can use the http-host and if needed the https-host, http-port, and https-port attributes. For virtual host support the http-host and https-host attributes should be empty and the servlet container (and any proxy/etc in front of it) should be configured to pass through the hostname requested.

How to run Tomcat in a most secure way?

We are using Apache Tomcat 7 for my web applications and we have decided to go on production stage.
So now is the time to think about how to secure the Tomcat and the machine. After reading "Apache tomcat security considerations" we decided to go on run tomcat process on dedicated user with minimum scenario.
From what I understand the best option is to configure it in a way that the running tomcat process has only read privilege to all the tomcat files.
I figured I would do it in this way:
I would create 2 users:
-tomcat_process - only for running tomcat
-admin - this is the one all the files belong to
tomcat_process will have access to conf directory, and also will be able to run scripts from tomcat/bin/
My main problem is that Tomcat needs to write to some files in $CATALINA_HOME/$CATALINA_BASE. I know I can change the location of logs and work directory and I thought I would point them to tomcat_process home dir (is this even a good idea?).
But I can't find any information if I can change the path to /conf/Catalina dir. Is it possible?
I would like to avoid adding write access to conf directory, as the whole configurations sits in there.
Or do you think that I should leave those directories where they are and just add write privileges to them for tomcat_process?
I was wondering if you could please tell me if this is a correct approach or can I do it better?
I'm so confused with all those security guides which are telling me to restrict privileges but not telling how to do it :(
Keeping it simple I think is the key:
Create a new tomcat for each (set of) web application(s) with their own user.
Limit the tomcat resources to only the tomcat user. In linux you can use the chmod/chown command for this.
Place the tomcat behind a reverse proxy: Internet (https) <- external Firewall -> Apache Reverse Proxy <- Internal Firewall (block all unless whitelisted) --> Tomcat
Delete all standard webapps 'manager', 'root', 'docs'
Disable the shutdown command in server.xml
As for java web applications try to contain them in their own sandbox, meaning own database, own users.
To save maintenance effort, you could run multiple instances using one tomcat binary and a single tomcat user.
http://www.openlogic.com/wazi/bid/188102/How-to-Run-Multiple-Instances-of-Tomcat-on-a-Single-Server

Integrating liferay tomcat with apache web server

I am trying to integrate the Liferay Tomcat with Apache web server. I successfully integrated Liferay with the web server.
Condition:
Liferay deployed on IP, say: 10.10.10.70
Apache web server on IP, say: 10.10.10.80
I provided all the required virtual host settings in the httpd.conf file, and provided the web.server.host in the portal-ext.properties file.
Problem: When I run the Liferay portal I can open it on IP: 10.10.10.70,
but when I click on any page link (let's say /home) that is present in my portal, it moves the request to
10.10.10.80:8080/home instead of 10.10.10.70:8080/home
I want to know how to handle this condition.
Because I don't have any page resource on the web server; the doc folder only contains static CSS.
You might be a bit more precise what "all the required virtual host settings" are, e.g. what did you configure?
Note that by explicitly configuring hostnames/IP-addresses, you're explicitly overriding the autodetected settings from the request - no matter how you get to your portal, Liferay will generate URLs based on the explicitly configured hostname/port.
What's the point in having an Apache in front and then trying to reach tomcat through the non-apache IP/Port? Typically you might have static resources, rewrites, caches on Apache, so that you'll get different results when you alternatively access tomcat through both URLs.
If you configure Apache to "properly" handle the requests before tomcat sees them, you'll typically not need to configure Liferay at all, because Apache will make the actual hostname that it's requested under available to Tomcat. I'm typically using mod_jk for this and it beautifully handles all the configuration with almost no need to explicitly configure tomcat/liferay. If you don't like this, keep in mind that you're explicitly configuring Liferay for the virtual host setup - naturally this explicitly configured name is what Liferay uses. It would be weird if the explicit value would not be used, right?

tomcat 5.5 setting up context path with virtual hosts (non webapps directory)

I have been a web developer for a couple of years (some ASP, mostly PHP) and have recently taken on Java/JSP in the last two years.
The one thing I have tried repeatedly but continue to fail to wrap my head around is the way to setup a working JSP application in another location that is NOT the webapps folder. Rocking my application out of webapps does not seem to be a problem for me.
Could anyone help break this down, or point me to post somewhere which outlines it?
I have Googled repeatedly and read and re-read the documentation on the apache.org website, but I still can't seem to get it :(
I am trying to setup an "exploded" site (folders and files separated - not part of a WAR).
I know that I CAN edit the server.xml file, but am not supposed to (not that it matters... even when I attempt to edit that I fail).
I know I am missing something with the way the paths work. I THOUGHT I understood but I don't think so.
Any help is mucho appreciated!!
Love this site.
-- I have decided to re-phrase my question with more detail --
Let's say I have a directory structure as follows (**NOTE: webproject is NOT in the tomcat/webapps directory)
/webproject
/webproject/htdocs
/webproject/htdocs/images
/webproject/htdocs/images/logo.gif
/webproject/java
/webproject/java/page1.jsp
/webproject/java/page2.jsp
I would like to setup a virtual host so that I can view my project via a URL: http://webproject
I THINK all I need is two things (I am using apache):
a 'VirtualHost' entry in my httpd.conf file.
some type of 'context' file or fragment somewhere.
Am I right? If so, could someone help me define these two elements?
Also, if I want to use a domain-relative URL for referencing my logo.gif file from either of my jsp pages what would my path look like?
What if I want to use a domain-relative URL for referencing page2.jsp from page1.jsp?
HOWEVER, if there are paths within my application that reference resources (images, scripts, etc) using a path which starts at the root (ie. img src="/htdocs/images/foo.gif") it is not found.
Are you aware that those paths are supposed to be URLs relative to the current request URL (the one of the JSP page) and thus not local disk file system paths relative to their location at the local disk file system? As you're using /htdocs, it namely looks like you thought the latter.
Thus, if the JSP page is for example to be requested by http://example.com/context/page.jsp and the foo.gif is actually available by http://example.com/context/images/foo.gif, then you need to use either page-relative URL:
<img src="images/foo.gif">
or domain-relative URL:
<img src="/context/images/foo.gif">
or protocol-relative URL:
<img src="//example.com/context/images/foo.gif">
or absolute URL:
<img src="http://example.com/context/images/foo.gif">
OK, after struggling with this I finally got it to work. I ain't saying this is the best (or even correct!) way of doing it, but this is what ultimately worked for me locally on my Windows machine (running WAMP) and on a remote server running Linux.
The paths listed are where they were for my environments. Obviously this could be different for your situation.
BEFORE-FIRST (Windows only)
With Windows, you need to setup an entry in your hosts file for the new "domain".
WIN - C:\Windows\System32\drivers\etc\hosts
127.0.0.1 webproject.local
FIRST
Need to edit httpd.conf and add a virtual host
WIN - C:\wamp\bin\apache\Apache2.2.11\conf\extra\httpd-vhosts.conf
LINUX - /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
DocumentRoot "C:\wamp\www\webproject"
ServerName webproject.local
</VirtualHost>
SECOND
Setup a host and context in server.xml. From what I read online, editing server.xml is discouraged but this was the only way I could figure it out.
WIN - C:\Program Files (x86)\Apache Software Foundation\Tomcat 5.5\conf\server.xml
LINUX - etc/tomcat5/server.xml
<Host name="webproject" debug="0" appBase="webapps" unpackWARs="true">
<Context path="" docBase="C:/wamp/www/webproject"/>
<Logger className="org.apache.catalina.logger.FileLogger" directory="logs" prefix="webproject.local_error-log." suffix=".txt" timestamp="true"/>
</Host>
The thing I don't think is right, but worked for me, was using "webapps" as the appBase even though my files are not in the "webapps" folder. Not sure why this is working... I fear that it is one of those situations where it works even though it shouldn't. I hope someone a lot smarter than me can offer some insight.