Sunday, January 9, 2011

mod_security, apache httpd, glassfish - Part 2

Part deux!

Just a recap, part 1 took us through installing glassfish. We now have glassfish up and running on our system.
This part will focus on setting up the apache httpd.

1) Compile and install apr-1.4.2

tar xzf apr-1.4.2.tar.gz
cd apr-1.4.2
CC="gcc -m64" ./configure --prefix=/path/to/deps
make && make test
make install

The steps above are going to be repeated a lot (to a certain degree), so I'm only going to explain them this once.  Untar the archive.  Run the configure script with the parameters you want.  CC sets the compiler command, and the -m64 argument makes it compile for 64 bit (which is what my machine is).  Make the binary, test it, install it.
You will also want to update your bashrc again.


Don't forget to source.

2) Compile and install apr-util

tar xzf apr-util-1.3.10.tar.gz
cd apr-util-1.3.10
CC="gcc -m64" ./configure --prefix=/path/to/deps --with-apr=/path/to/deps/bin/apr-1-config
make && make test
make install

3) Compile and install pcre

CC="gcc -m64" ./configure --prefix=/path/to/deps --enable-shared

5) Compile and install apache httpd
Now that we have installed all the dependencies, we need to configure and install the httpd.  There are a couple of security issues that come up during the installation phase.  Most admins would say (and I'm sure there is a "principle" written about it somewhere) that you should only compile what you actually need.  Apache httpd comes with several built-in modules that you would never ever use in a reverse proxy situation.  You could approach this two ways.
1)  Build all the modules with the --enable-mods-shared=all option.  This will build all modules as shared.  Then you can simply edit your config to choose which modules to load.
2)  Use the configure script to only compile the modules you need.
There are pros and cons to both approaches.  With (1), all the modules are still there.  If an attacker somehow got access to the conf directory, they could enable modules that could open further holes.  More realistically, however, someone could accidentally turn on a module, and that module could have a vulnerability.  Option two gives you complete control over what is actually on the system.  If you ever needed an additional module, however, you would have to recompile to build it.  Because I'm game for pain, I'm going to go with option 2.

CC="gcc -m64" ./configure --disable-autoindex --disable-auth-basic --disable-cgi --disable-cgid --disable-userdir --enable-expires=shared --enable-headers=shared --enable-proxy=shared --enable-proxy-http=shared --enable-rewrite=shared --enable-so --enable-ssl=shared --enable-unique-id=shared --with-apr=/path/to/deps/bin/apr-1-config --with-apr-util=/path/to/deps/bin/apu-1-config --with-pcre=/path/to/deps/bin/pcre-config --with-ssl=/path/to/deps --prefix=/path/to/root/httpd-2.2.17

You can go through the configure options on your own if you wish.  The only real requirements are ssl, rewrite, proxy, proxy-http, and unique-id.
After you have that all installed, you will want to run apache to ensure that it starts up.  Because apache is currently configured for port 80, you will have to run it as root.  Ideally you would get a startup script and sudo access to run it, but in this case, just su to root and run apachectl from the bin directory.  You should get a Forbidden error message when you type localhost into your browser.
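Once it is installed, you can check that the running module set still matches the choices made at configure time. The script below is an added example, not part of the original post: it reads the output of httpd -M and flags any module that was disabled above but is loaded anyway, or any required module that is missing. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit loaded httpd modules against the configure choices above.
# DISABLED and REQUIRED mirror the --disable-* flags and the "real requirements"
# named in the post; the sample `httpd -M` output below is constructed.
DISABLED="autoindex auth_basic cgi cgid userdir"
REQUIRED="ssl rewrite proxy proxy_http unique_id"

# Read `httpd -M` style text on stdin, print bare module names one per line.
loaded_modules() {
    awk '$1 ~ /_module$/ { sub(/_module$/, "", $1); print $1 }'
}

# Read `httpd -M` output on stdin; print one finding per line.
# Returns 0 when the loaded set matches the intent, 1 otherwise.
audit_modules() {
    loaded=$(loaded_modules)
    rc=0
    for m in $DISABLED; do
        if printf '%s\n' "$loaded" | grep -qx "$m"; then
            echo "UNEXPECTED $m"; rc=1
        fi
    done
    for m in $REQUIRED; do
        if ! printf '%s\n' "$loaded" | grep -qx "$m"; then
            echo "MISSING $m"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: cgi has crept back in and unique_id is not loaded.
SAMPLE='Loaded Modules:
 core_module (static)
 http_module (static)
 so_module (static)
 cgi_module (static)
 ssl_module (shared)
 rewrite_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
Syntax OK'

printf '%s\n' "$SAMPLE" | audit_modules || echo "audit failed"
# Against the real build (2>&1 in case the list is written to stderr):
#   /path/to/root/httpd-2.2.17/bin/httpd -M 2>&1 | audit_modules
```

Run from cron or a deploy check, a non-zero exit catches the "someone accidentally turned on a module" case before it reaches production.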
In the next part, I will talk about configuring apache httpd and using mod_proxy to connect to glassfish.