Sunday, January 9, 2011

mod_security, apache httpd, glassfish - Part 3

Part three.

Just to recap, we have now installed Glassfish, Java, all the deps for apache httpd, and the httpd itself.  At this point you can startup apache httpd, and then try to navigate to the main page.  You should get a 403 Forbidden. This is because we have not configured apache yet.

The apache httpd configuration file (located in apache_httpd_root/conf/httpd.conf) is a very well documented file.  I'm not going to go through all of the details in the file, but I will touch on a few.  Ideally, you will make a copy of the httpd.conf and start with a fresh file.  From a security perspective, you want to have the configuration file to contain as little "junk" as possible.  This will assist when you are trying to figure out a problem with your server configuration.  It is just easier to read without all the explanations, plain and simple.

## Sample Apache httpd.conf configuration

ServerRoot "/path/to/apache/httpd"
ServerAdmin ""
ServerTokens Full
Listen 80

User apache
Group apache

LoadModule expires_module modules/
LoadModule headers_module modules/
LoadModule unique_id_module modules/
LoadModule proxy_module modules/
LoadModule proxy_connect_module modules/
LoadModule proxy_ftp_module modules/
LoadModule proxy_http_module modules/
LoadModule proxy_scgi_module modules/
LoadModule proxy_ajp_module modules/
LoadModule proxy_balancer_module modules/
LoadModule ssl_module modules/
LoadModule rewrite_module modules/

DocumentRoot "/path/to/httpd/htdocs"

<Directory />
     Options FollowSymLinks
     AllowOverride None
     Order deny,allow
     Deny from all

ErrorLog "|/.../httpd/bin/rotatelogs -f /.../httpd/logs/error_log.%Y%m%d  86400"
TransferLog "|/.../httpd/bin/rotatelogs -f /.../httpd/logs/access_log.%Y%m%d 86400"

include conf/site.conf

So basically, the first section is just getting general information.  Don't worry about the ServerTokens Full just yet, we are going to use mod security to change our server signature in order to try and fool the script kiddies.  The next section sets up the user you want apache to run as.  If you want apache to run on port 80, we need to start apache as root.  The user/group defined in the file is what apache will switch to after it binds to port 80.  The load_modules section is simply loading all of our shared modules that we need.  The Directory tag is setting up the base permissions.  Basically, deny everyone for right now, until we get our site configured.  As mentioned before, apache has wicked documentation, so I suggest you read it.  Lets move on.

Our goal here is to get apache httpd talking to Glassfish.  Once we establish that, we can work on implementing the advanced features of mod_security.

There are two ways to get apache httpd to play nice with Glassfish.  One is to use mod_proxy.  The other is to use mod_jk.  Here is a very short list of pros and cons.

pro:  Super simple to setup.
con:  Glassfish will see every request as originating from the apache httpd installation as opposed to someone out in the net.  This is bad if you want glassfish to handle some type of security based on ip addresses.

pro:  More information provided to glassfish (ip address of originator etc.)  Works on a specific language to connect which is faster than mod_proxy.  Has built in support for workers to help support load.
cons:  Hard to setup

For the purpose of this article, we are just going to use mod_proxy.  I may come back later an make another post on using mod_jk.

We need to create a site.conf file with the following information.

<VirtualHost *:80>
  ProxyPass / http://localhost:8080
  ProxyPassReverse / http://localhost:8080

Start up your Glassfish (and confirm that it is running).  Then start up your apache httpd.  You should be able to go to http://localhost and get served the glassfish page.