July 2018
M T W T F S S
« Jun    
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

Categories

WordPress Quotes

I've learned that you shouldn't go through life with a catcher's mitt on both hands; you need to be able to throw something back.
Maya Angelou

Recent Comments

July 2018
M T W T F S S
« Jun    
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

Short Cuts

2012 SERVER (64)
2016 windows (9)
AIX (13)
Amazon (30)
Ansibile (18)
Apache (125)
Asterisk (2)
cassandra (2)
Centos (208)
Centos RHEL 7 (254)
chef (3)
cloud (2)
cluster (3)
Coherence (1)
DB2 (5)
DISK (25)
DNS (9)
Docker (24)
Eassy (11)
EXCHANGE (3)
Fedora (6)
ftp (5)
GIT (3)
GOD (2)
Grub (1)
Hacking (10)
Hadoop (6)
horoscope (23)
Hyper-V (10)
IIS (15)
IPTABLES (15)
JAVA (6)
JBOSS (32)
jenkins (1)
Kubernetes (2)
Ldap (5)
Linux (189)
Linux Commands (167)
Load balancer (5)
mariadb (14)
Mongodb (4)
MQ Server (21)
MYSQL (82)
Nagios (5)
NaturalOil (13)
Nginx (29)
Ngix (1)
openldap (1)
Openstack (6)
Oracle (34)
Perl (3)
Postfix (19)
Postgresql (1)
PowerShell (2)
Python (3)
qmail (36)
Redis (12)
RHCE (28)
SCALEIO (1)
Security on Centos (29)
SFTP (1)
Shell (64)
Solaris (58)
Sql Server 2012 (4)
squid (3)
SSH (10)
SSL (14)
Storage (1)
swap (3)
TIPS on Linux (28)
tomcat (59)
Uncategorized (29)
Veritas (2)
vfabric (1)
VMware (28)
Weblogic (38)
Websphere (71)
Windows (19)
Windows Software (2)
wordpress (1)
ZIMBRA (17)

WP Cumulus Flash tag cloud by Roy Tanck requires Flash Player 9 or better.

Who's Online

20 visitors online now
4 guests, 16 bots, 0 members

Hit Counter provided by dental implants orange county

mod_proxy apache 2.4

Using Apache with mod_proxy

This page describes how to integrate Confluence into an Apache website using mod_proxy.

There are some common situations where you might use the configuration:

Note: This page documents a configuration of Apache, rather than of Confluence itself. Atlassian will support Confluence with this configuration, but we cannot guarantee to help you debug problems with Apache. Please be aware that this material is provided for your information only, and that you use it at your own risk.

Base configuration

In these examples, we use the following:

http://www.example.com/confluence – your intended URL

http://example:8090 – the hostname and port Confluence is currently installed to

/confluence – the intended context path (the part after hostname and port)

Please substitute the examples below with your intended URL’s in your own server. Copy/pasting these suggestions will not work on your server.

Set the context path

Set your Confluence application path (the part after hostname and port). To do this in Tomcat (bundled with Confluence), edit conf/server.xml, locate the “Context” definition:

<Context path="" docBase="../confluence" debug="0" reloadable="true">

and change it to:

<Context path="/confluence" docBase="../confluence" debug="0" reloadable="true">

Then restart Confluence, and ensure you can access it at http://example:8090/confluence

Set the URL for redirection

Set the URL for redirection. In the same conf/server.xml file, locate this code segment:

    <Connector port="8090" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />

And append the last line:

    <Connector port="8090" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true"
               proxyName="www.example.com" proxyPort="80" />

If this isn’t working for you and you’re using SSL, try adding a scheme attribute to your Connector tag: scheme=”https”.

 

Now we have two options:

Simple Configuration

Configure mod_proxy

Now enable mod_proxy in Apache, and proxy requests to the application server by adding the example below to your Apache httpd.conf (note: the files may be different on your system; See Integrating JIRA with Apache for the process for Ubuntu/Debian layout):

Apache 2.2
# Put this after the other LoadModule directives
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so

# Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)
ProxyRequests Off
ProxyPreserveHost On

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

ProxyPass /confluence http://app-server.internal.example.com:8090/confluence
ProxyPassReverse /confluence http://app-server.internal.example.com:8090/confluence
<Location /confluence>
    Order allow,deny
    Allow from all
</Location>
Apache 2.4
# Put this after the other LoadModule directives
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so

# Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)
ProxyRequests Off
ProxyPreserveHost On

<Proxy *>
	# Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
    Require all granted
</Proxy>

ProxyPass /confluence http://app-server.internal.example.com:8090/confluence
ProxyPassReverse /confluence http://app-server.internal.example.com:8090/confluence
<Location /confluence>
	# Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
    Require all granted
</Location>

Click here to expand…

It is recommended that you specify the absolute path to the mod_proxy.so and mod_proxy_http.so files.

Complex configuration

Complex configuration involves using the mod_proxy_html filter to modify the proxied content en-route. This is required if the Confluence path differs between Apache and the application server. For example:

Externally accessible (Apache) URL http://confluence.example.com/
Application server URL http://app-server.internal.example.com:8090/confluence/

Notice that the application path in the URL is different in each. On Apache, the path is /, and on the application server the path is /confluence.

For this configuration, you need to install the mod_proxy_html module, which is not included in the standard Apache distribution.

Alternative solutions are discussed below.

Apache 2.2
# Put this after the other LoadModule directives
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so

<VirtualHost *>
    ServerName confluence.example.com
    
    # Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)
    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    
    ProxyPass / http://app-server.internal.example.com:8090/confluence
    ProxyPassReverse / http://app-server.internal.example.com:8090/confluence
    
    ProxyHTMLURLMap / /confluence/
    
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
Apache 2.4
# Put this after the other LoadModule directives
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so

<VirtualHost *>
    ServerName confluence.example.com
    
    # Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)
    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
		# Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
    	Require all granted
    </Proxy>
    
    ProxyPass / http://app-server.internal.example.com:8090/confluence
    ProxyPassReverse / http://app-server.internal.example.com:8090/confluence
    
    ProxyHTMLURLMap / /confluence/
    
    <Location />
		# Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
    	Require all granted
    </Location>
</VirtualHost>

The ProxyHTMLURLMap configuration can become more complex if you have multiple applications running under this configuration. The mapping should also be placed in a Location block if the web server URL is a subdirectory and not on a virtual host. The Apache Week tutorial has more information how to do this.

Final Configuration Steps

Restart your Apache server

This is needed to pick up on the new configuration. This can be done by running the following on your command line/terminal/shell:

sudo apachectl graceful

Disable HTTP Compression

Having compression run on both the proxy and Tomcat can cause problems integrating with other Atlassian applications, such as JIRA. Please disable HTTP compression as per our Compressing an HTTP Response within Confluence docs.

Set the Confluence Base URL

The last stage is to set the Base URL to the address you’re using within the proxy. In this example, it would be http://www.example.com/confluence

Adding SSL

If you’re running Apache in front of Tomcat, it’s a good idea to terminate your SSL configuration at Apache, then forward the requests to Tomcat over HTTP. You can set up Apache to terminate the SSL connection and use the ProxyPass and ProxyPassReverse directives to pass the connection through to Tomcat (or the appropriate application server) which is running Confluence.

  1. Create a new SSL host by creating a virtual host on 443
  2. The standard http connection on apache could be used to redirect to https if you want or it could just be firewalled.
  3. Within the VirtualHost definition:
    1. define the SSL options (SSLEngin and SSLCertificateFile)
    2. define the ProxyPass and ProxyPassReverse directives to pass through to Tomcat.

Most of the relevant Apache Config:

Listen 443

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    ProxyPass / http://localhost:8090/
    ProxyPassReverse / http://localhost:8090/
</VirtualHost>

Apart from the Apache configuration there are a couple of things you will need to do before you get your server working:

  1. You will have to change your base URL to point to https addresses. See the documentation on configuring the server base URL.
  2. We need to set up the connector to use https. In your installation directory, edit the file server.xml and add this attributes to your connector:
proxyName="proxy.example.com" proxyPort="443" scheme="https" secure="true" 

More information

 

 

Control File Access by IP in Apache 2.4

Denying access to wp-login.php for all but a set of whitelisted IP can be a good way of enhancing site security – provided that the client has a fixed IP address.

We typically add such access controls within a .htaccess file in the document root of a project, leaving login access for our own IP address and that of the site owner.

You might occasionally need to temporarily whitelist an additional IP address, but this is easy to do.

Restricting access by IP address is no substitute for a proper username/password policy – but it may be a useful additional layer, since would-be attackers don’t even get a chance to knock on the door.

Under Apache 2.2, you could use these directives within a .htaccess file:

# ==============================================================================
# Whitelisted IP access for wp-login.php
# ==============================================================================
<files wp-login.php>
order deny,allow
deny from all

# whitelist Your First IP address
allow from xxx.xxx.xxx.xxx
# whitelist Your Second IP Address
allow from xxx.xxx.xxx.xxx
# whitelist Your Third IP Address
allow from xxx.xxx.xxx.xxx

</files>

# ==============================================================================
# Protect specified files from direct access
# ==============================================================================
<FilesMatch “^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)”>
Deny from all
</FilesMatch>

Whilst the Allow, Order, and Deny directives still work in Apache 2.4, they are deprecated:

The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.

-Apache 2.4 Documentation

Unfortunately, there is not a lot of literature on how to properly set up such restrictions on Apache 2.4 – without relying on mod_access_compat.
Deny Access Completely

In Apache 2.2:

Order deny,allow
Deny from all

In Apache 2.4 this becomes:

Require all denied

Restrict Access by IP address: Comparison of Apache 2.2 and 2.4

Allow from a particular IP in Apache 2.2:

Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx

Allow from a particular IP in Apache 2.4:

Require ip xxx.xxx.xxx.xxx

TL;DR Restrict Access Apache 2.4

# ==============================================================================
# Restrict access to WordPress login page by IP
# See: http://httpd.apache.org/docs/2.4/mod/core.html#files
# ==============================================================================
<Files “wp-login.php”>
Require ip 123.123.123.123
</Files>

If you have full access to Apache config on your server, you can enable these directives for all virtual hosts by adding them to the Apache config file:

sudo nano /etc/apache2/conf-enabled/security.conf

 

 

Access Control by host and ip address in Apache 2.4
In this post we will learn about access control by host and ip address in Apache 2.4. The Apache 2.4 released with lots of new feature. While working on Apache 2.4 you will surely get attention on new format of access control. The method of using allow,deny or vice-versa is deprecated, it was old styled method before Apache 2.4 versions.

We do expect users have some experience on Apache webserver. Hence, we are directly jumping on ACL of apache 2.4 . We have used all the below given methods inside Apache Virtual Host.
In trailing post, we are going to use directive called RequireAll. So as per Apache 2.4 documentation, know what is RequireAll directive :

apache 2.4 RequireAll
Allow only particular IP Address or Host to access website in Apache 2.4

In this scenario we will allow only particular IP address or hosts to access the website. Rest of the world will not be able to access the website hosted on Apache 2.4 .

Note: Replace Directive value as per your server’s web data path.

<Directory “/var/www/html/website”>
Options All
AllowOverride All
Require all denied
## “Require ip” is used here for IP Address/CIDR/Network
Require ip 192.168.56.4 10.10.1.1

## “Require host” is used here for hostname/FQDN
Require host www.example.com server01
</Directory>

As per your requirement you can set ACL either on ip address or Host or both.

Alternatively for this same scenario you can write in below given format also. You should notice the written in below given example.

<Directory “/var/www/html/website”>
Options All
AllowOverride All
<RequireAll>
## “Require ip” is used here for IP Address/CIDR/Network
Require ip 192.168.56.4 10.10.1.1

## “Require host” is used here for hostname/FQDN
Require host www.example.com server01
</RequireAll>
</Directory>

Deny only particular IP Address or Host to access website in Apache 2.4

In this section, we will deny particular ip address/host to access the website. As mentioned in above section as same as according to your requirement you can set ACL either on ip address or Host or both. Check the directive section where we have applied the ACL.

Note: Replace Directive value as per your server’s web data path.

<Directory “/var/www/html/website”>
Options All
AllowOverride All
<RequireAll>
Require all granted
## “Require ip” is used here for IP Address/CIDR/Network
Require not ip 192.168.56.4 10.10.1.1

## “Require host” is used here for hostname/FQDN
Require not host www.example.com server01
</RequireAll>
</Directory>

Deny All to access website running on Apache 2.4

In this section, we will define Require all denied directly inside directive. This configuration will deny all to access the website.

Note: Replace Directive value as per your server’s web data path.

<Directory “/var/www/html/website”>
Options All
AllowOverride All
## “Require all denied” will deny all to access the website.
Require all denied
</Directory>

Allow All to access website running on Apache 2.4

In this section, we will define Require all granted directly inside directive. The below given configuration helps all to access the website.

Note: Replace Directive value as per your server’s web data path.

<Directory “/var/www/html/website”>
Options All
AllowOverride All
## “Require all granted” will allow all to access the website.
Require all granted
</Directory>

Restart apache service

After doing changes in apache config file, do not forget to restart the apache service.

### In Ubuntu/Debian/
sudo service apache2 restart

### In CentOS 7/RHEL 7
systemctl restart httpd

### In CentOS|RHEL 5.x,6x.
service httpd restart

Apache Forbidden Error Message

On denying the ip address/host from Apache 2.4. The user will get the “Forbidden” message. Given below is the image reference.

 

 

<VirtualHost *:80>
        ServerName www.company.com
        ProxyPreserveHost On
        AllowEncodedSlashes NoDecode

        <IfModule mod_rewrite.c>
                RewriteEngine On
                RewriteCond %{HTTPS} off
                RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        </IfModule>

</VirtualHost>

<VirtualHost *:443>
        ServerName www.company.com
        ProxyRequests Off
        SSLProxyEngine on
        AllowEncodedSlashes NoDecode

        RequestHeader set X-Forwarded-Proto "https"

        # Always use HTTP Strict Transport Security (HSTS)
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdo:mains; preload"

        SSLEngine on
        SSLCertificateFile      /etc/httpd/ssl/com.crt
        SSLCertificateKeyFile   /etc/httpd/ssl/com.key
        SSLCertificateChainFile /etc/httpd/ssl/CA.crt

        # Set a cookie so the client gets the same backend server each time
        Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

        ProxyPass /balancer-manager !
        ProxyPass / "balancer://mycluster/" nocanon
        ProxyPassReverse / "balancer://mycluster/"

        <Proxy balancer://mycluster/>
                BalancerMember http://10.0.0.2 route=1
                BalancerMember http://10.0.0.3 route=2
                ProxySet stickysession=ROUTEID
        </Proxy>

        <Location "/balancer-manager">
                SetHandler balancer-manager
                Require host localhost
                Require ip 192.168.2.0/24
                Require host 1982.168.1.10
        </Location>

</VirtualHost>

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

  

  

  

Blue Captcha Image
Refresh

*

Protected by WP Anti Spam