Wednesday, December 22, 2010

mod_security, apache httpd, glassfish - Part 1

This post is going to be about building the above from scratch using as few system dependencies as possible.  You may ask yourself why you need to do this.  Well, sometimes you work in an organization where your unix team doesn't do this stuff for you.  If they do, you would be subject to the yum rage that would happen every quarter, even if you didn't really need to upgrade your apache version.  Upgrading certain dependencies could mean having to recompile entire applications in order to meet patching schedules.  Of course, you should be upgrading your installations when new updates are found ... but I digress.
The setup is going to be quite simple.  We are going to use apache httpd in a reverse proxy configuration with mod_security.  We are then going to use mod_proxy (I'll get to this later) to connect the apache httpd reverse proxy with the glassfish back end.  I am doing all of this on a CentOS 5.5 machine.
Before we start, there are a few dependencies that you are going to have to download:
1) libapr and libapr-util
If you were just compiling apache by itself, you could use the built in modules.  But it is very important that mod_security be compiled with the same versions as apache.  You can download them at .  We are going to use version 1.4.2(apr) and 1.3.10(apr-utils)
2) libpcre
A Perl-compatible regular expression library.  Same as above, it is very important that the same version be used for mod_security and apache httpd.  We are going to use version 8.11.
3) openssl
Any respectable website these days has SSL capabilities.  Even if you are not using it right away, we should configure your reverse proxy to be able to handle it. v1.0.0c
4) mod_security v2.5.13
7) Java JDK
JDK 6u23 (From the oracle website)
That should be good for now.  Let's start getting our environment built.  I'm going to start with getting glassfish up and running since it is nice and easy.  If you are thinking about a folder structure, I usually make a separate folder that I'm going to do all my work in.  I make a files directory (it is ALWAYS handy to have the source with you later on... say when you want to rebuild).  I download all my files in there.  I make a dependencies folder and that is where I will install the dependencies that I need (for the most part).

Glassfish Install

Glassfish depends on a Java JDK being installed.  With the way most Java stuff is distributed, this is a fairly simple process.
1)  Unpack JAVA JDK
With the bin distribution, this is quite easy.
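chmod 700 jdk-6u23-linux-x64.bin
./jdk-6u23-linux-x64.bin               # self-extracts into jdk1.6.0_23
mv jdk1.6.0_23 ../
(cd .. && ln -s jdk1.6.0_23 java)      # create the soft link next to the JDK directory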

Quick explanation.  I had to make the bin executable.  I ran the bin, which created the java jdk directory.  I moved that directory one directory back so it isn't under files.  I created a soft link called java.  The soft link comes in handy when you are upgrading versions.  You won't need to keep changing your bashrc to the new java folder, just change the soft link.
2) Update environment variables
Now that you have installed java, you are going to want to update your environment variables.  You can do that multiple ways.  If you are running everything from the command line and are using bash, you need to update your .bashrc in your home directory.
export JAVA_HOME=<path/to/java>
export PATH=<path/to/java/bin>:$PATH
Don't forget to source the bashrc (source ~/.bashrc) when you are done so the changes take effect.
3) Unpack glassfish
You should have downloaded the zip file for the glassfish distribution.  Most linux distros these days come with unzip.  If you don't have it, you'll have to get creative (or go build it...)
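unzip <glassfish-zip-file>             # placeholder: the zip you downloaded; extracts glassfishv3
mv glassfishv3 ../
(cd .. && ln -s glassfishv3 glassfish) # soft link next to the glassfishv3 directory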

Once again you'll want to edit your environment variables.  In this case, you will want to edit your path.
export PATH=</path/to/java/bin>:</path/to/glassfish/bin>:$PATH
Once you have sourced your bashrc, you can now try to run glassfish.
asadmin start-domain

You should see it start up successfully.  Test it by hitting localhost:8080 and localhost:4848 in a web browser.
Glassfish will need to be secured.  I'm not going to go into this in this series of posts, but you would want to do basic things like (not an exhaustive list):
1)  Block 8080 from being accessible (except for local).  After all, that is why we are installing apache and mod_security
2)  Block 4848 from being accessible  (except for local)
3)  Enable the security manager inside of glassfish
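
One way to check items 1 and 2 on the box itself, as an added example that is not part of the original post: the function below reads `netstat -tln` style output and reports any listener on 8080 or 4848 whose bind address is not loopback.  The function names and the sample listing are constructed for illustration, and the check only looks at bind addresses, so a port it reports may still be blocked by a host firewall.

```shell
#!/bin/bash
# Added example: flag Glassfish listeners that are bound beyond loopback.
# Reads `netstat -tln` style lines on stdin; prints "<port> <bind-address>"
# for every watched port that is not bound to a loopback address.
exposed_listeners() {
    awk -v ports="${1:-8080 4848}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # text before the port
            if (!(port in watch)) next
            # 127.0.0.0/8, ::1 and IPv4-mapped loopback are local only
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print port, addr
        }'
}

# Constructed sample: what a default install might look like (not real output).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 127.0.0.1:25       0.0.0.0:*          LISTEN
tcp        0      0 :::8080            :::*               LISTEN
tcp        0      0 0.0.0.0:4848       0.0.0.0:*          LISTEN
tcp        0      0 :::80              :::*               LISTEN
EOF
}

# Demo on the constructed sample; on a real host use: netstat -tln | exposed_listeners
sample_netstat | exposed_listeners
```

An empty result means both ports are bound to loopback only; pass a different space-separated port list as the first argument to watch other ports.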