Entries tagged [apache]
Enabling SSL for Apache/WildFly
Posted on Monday Feb 09, 2015 at 05:56PM in Technology
Environment
- WildFly 8.2.0.Final
- httpd-2.2.15-39.el6.centos.x86_64
- CentOS 6.5
Put SSL related files
- public.crt: begins with BEGIN CERTIFICATE
- intermediate.crt: begins with BEGIN CERTIFICATE
- private.key: begins with BEGIN RSA PRIVATE KEY
Edit /etc/httpd/conf.d/ssl.conf
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /usr/local/ssl/public.crt
SSLCertificateKeyFile /usr/local/ssl/private.key
SSLCertificateChainFile /usr/local/ssl/intermediate.crt
SSLPassPhraseDialog exec:/usr/local/ssl/passphrase.sh
Put passphrase.sh
#!/bin/sh
echo "put the passphrase here"
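A pre-restart check for the files listed above, added here as an example and not part of the original post. It confirms that each file's first line carries the expected PEM marker (which catches a CSR saved as public.crt) and that private.key and passphrase.sh are closed to group and others. The function names are assumptions; the file names and /usr/local/ssl come from the post.

```shell
#!/bin/sh
# Added example: sanity-check the SSL files before restarting httpd.
# File names follow the post; function names are assumptions of this example.

# first_line_has FILE MARKER -> 0 if the first line of FILE is a PEM
# boundary for exactly MARKER (so "CERTIFICATE REQUEST" does not pass).
first_line_has() {
    head -n 1 "$1" 2>/dev/null | grep -q -- "-----$2-----"
}

# private_to_owner FILE -> 0 if group and others have no permission bits.
# Characters 5-10 of the ls mode string are the group and other triplets.
private_to_owner() {
    [ "$(ls -ldL "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# check_ssl_files DIR -> prints one line per problem, returns the problem count.
check_ssl_files() {
    dir=$1
    problems=0
    for spec in "public.crt:BEGIN CERTIFICATE" \
                "intermediate.crt:BEGIN CERTIFICATE" \
                "private.key:BEGIN RSA PRIVATE KEY"; do
        file=${spec%%:*}
        marker=${spec#*:}
        if ! first_line_has "$dir/$file" "$marker"; then
            echo "FAIL $file: first line is not a '$marker' boundary"
            problems=$((problems + 1))
        fi
    done
    # The key and the script that prints its passphrase are both secrets.
    for file in private.key passphrase.sh; do
        if ! private_to_owner "$dir/$file"; then
            echo "FAIL $file: accessible by group or others, must be owner-only"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage with the directory from the post:
#   check_ssl_files /usr/local/ssl && echo "all checks passed"
```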
Define an ajp-listener
Execute the following commands with jboss-cli:
/socket-binding-group=standard-sockets/socket-binding=https-external:add(port=443)
/subsystem=undertow/server=default-server/ajp-listener=myListener:add(socket-binding=ajp, redirect-socket="https-external", enabled=true)
Put /etc/httpd/conf.d/jk.conf
<VirtualHost *:80>
  ProxyPass / ajp://localhost:8009/
  ProxyPassReverse / http://www.example.org/
</VirtualHost>
Put the following inside the VirtualHost element of /etc/httpd/conf.d/ssl.conf
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / https://www.example.org/
Investigating the PUT method and mod_jk
Posted on Tuesday Jan 21, 2014 at 09:34AM in Technology
Environment
- Sakura VPS 1G
- CentOS 6.5
- Apache 2.2.15
- mod_jk already configured
$ /usr/sbin/httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: Aug 13 2013 17:29:28
$
Sending a GET
Everything is configured to be forwarded to the AP server, so something like the AP server's welcome page comes back.
$ curl -v http://localhost:80/ -X GET
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 21 Jan 2014 00:28:59 GMT
< Server: Apache/2.2.15 (CentOS)
< Last-Modified: Sun, 22 Dec 2013 06:12:49 GMT
< Content-Length: 2417
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
<!--
~ JBoss, Home of Professional Open Source.
~ Copyright (c) 2011, Red Hat, Inc., and individual contributors
~ as indicated by the @author tags. See the copyright.txt file in the
...
Sending a PUT
It seems to be rejected by default.
$ curl -v http://localhost:80/ -X PUT
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> PUT / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Date: Mon, 20 Jan 2014 23:55:11 GMT
< Server: Apache/2.2.15 (CentOS)
< Content-Length: 83
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection #0
<html><head><title>Error</title></head><body>405 - Method Not Allowed</body></html>
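Apart from installing it and configuring mod_jk to forward all requests to the AP server, I have not changed any settings, yet the request is rejected. I thought PUT would be forwarded too, but apparently not.
Trying other methods
PUT, DELETE, and OPTIONS return 405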
$ curl -LI http://localhost:80/ -X GET -o /dev/null -w '%{http_code}\n' -s
200
$ curl -LI http://localhost:80/ -X POST -o /dev/null -w '%{http_code}\n' -s
200
$ curl -LI http://localhost:80/ -X PUT -o /dev/null -w '%{http_code}\n' -s
405
$ curl -LI http://localhost:80/ -X DELETE -o /dev/null -w '%{http_code}\n' -s
405
$ curl -LI http://localhost:80/ -X OPTIONS -o /dev/null -w '%{http_code}\n' -s
405
$
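I didn't know that. Come to think of it, I seem to recall a vulnerability being reported a little while ago. I wonder if that is why it became off by default on the Apache side. Rather than being about the mod_jk configuration, it feels like Apache itself is configured not to accept these methods in the first place.
How to allow them?
In recent versions of Apache these are apparently turned off entirely, and according to [7], enabling a module or the like seems to be necessary. It looks like a lot of work, so I'll leave it here for now.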
References
1. Issue with HTTP methods (DELETE,PUT) not being accepted (returning 405 Method not allowed) (Apache Users)
2. Re: Issue with HTTP methods (DELETE,PUT) not being accepted (returning 405 Method not allowed) (Apache Users)
3. Tomcat + Apache mod_jk PUT gives 405 (Tomcat forum at JavaRanch)
4. [Tomcat-users] mod_jk PUT request-method returns 405 Error - Grokbase
5. Agile Testing: Configuring Apache 2 and Tomcat 5.5 with mod_jk
6. Getting only the HTTP status code with cURL - Qiita
7. To use PUT and DELETE - PukiWiki
Tags: apache