Ironclaw,

Let's take a step back.

On 4/23/12 10:19 AM, ironclaw hand wrote:
> Thanks Christopher I will address the security issues if I am 
> actually able to get mod_jk to execute a jsp!

I tend to agree with André here, and his assertions that there's no
reason to wait "until it's working". Presumably, since you've been
tasked with getting this to work, it /must/ work at the end...
scrapping httpd isn't an option for you, so you may as well solve this
problem since it's the easier one to solve.

Honestly, I'm not sure exactly why your configuration doesn't work:
I've never had trouble configuring mod_jk.

> I have now removed everything from mod_jk.conf except for the
> global directives and I now have my httpd.conf looking like:

So what *is* in your mod_jk.conf file? I would have expected
"LoadModule" and "Include" to be in there, as well as JkWorkersFile,
JkLogLevel, etc. Basically, everything but Jk(Un)?Mount directives.

Oh! I also usually recommend setting "JkStripSession On" so that URLs
to static content that happen to contain jsessionid path parameters
don't confuse httpd and prevent those resources from loading.

> #
> # JK for connections to Tomcat
> #
> LoadModule jk_module modules/mod_jk.so
> Include /etc/httpd/conf/mod_jk.conf
> 
> <IfModule jk_module>
>     JkWorkersFile /etc/httpd/conf/workers.properties
>     JkLogFile /var/log/httpd/mod_jk.log
>     JkLogLevel info

Put all of the above at the top-level. It's not surprising that it
doesn't work, but I didn't actually know that you can't put
JkWorkersFile in a VirtualHost. I guess the documentation[1] is fairly
clear:

"
JkWorkersFile

The name of a worker file for the Tomcat servlet containers.
This directive is only allowed once. It must be put into the global
part of the configuration.
"
[1] http://tomcat.apache.org/connectors-doc/reference/apache.html

> Alias /sft "/var/webapps/sft"

[security]: we've discussed this

> <Directory "/var/webapps/sft">
>     Options Indexes FollowSymLinks

[security]: do you really need Indexes enabled? I find that to be a
security vulnerability unless you want people to be able to browse and
download arbitrary files. Sometimes that's what you want, but usually
not within a webapp.

> </Directory>
> 
> <Location "/sft/WEB-INF/">
>     AllowOverride None
>     deny from all
> </Location>

[security]: I would definitely do this as a <Directory> instead of a
<Location>: that way, you're protected no matter how the URL resolves
to the filesystem.

> <VirtualHost sfta.a.b.c:443>
>     JkMount /sft/* loadbalancer
>     JkUnMount /*.html loadbalancer

Just for parity, I'd make that:

JkUnMount /sft/*.html loadbalancer

That way, you don't accidentally unmount everything on the whole site
when you really only wanted to allow static files from that one webapp
to be unmounted.

-chris
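
The recommendations in the reply above, gathered into one layout as an added example (not part of the original message and not the poster's actual files). Paths, the host name and the `loadbalancer` worker are the ones quoted in the thread; access control uses httpd 2.2 syntax as in the quoted config, and the `Order`/`Allow` lines in the first `<Directory>` are an assumption about what the elided block contained.

```apache
# Added example. Weak settings from the quoted config are kept as
# "Before:" comments next to the corrected directive.

# --- Global scope (outside any <VirtualHost>) ---
LoadModule jk_module modules/mod_jk.so

# JkWorkersFile is allowed once and only in the global configuration.
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info
# Strip ;jsessionid=... path parameters from URLs httpd serves itself.
JkStripSession On

Alias /sft "/var/webapps/sft"

<Directory "/var/webapps/sft">
    # Before: Options Indexes FollowSymLinks
    # Without Indexes, a directory lacking an index file is not listed.
    Options FollowSymLinks
    AllowOverride None
    # Assumed: static files in the webapp are meant to be public.
    Order allow,deny
    Allow from all
</Directory>

# Before: <Location "/sft/WEB-INF/"> ... deny from all
# <Directory> matches the filesystem path, so the deny applies no matter
# which URL ends up resolving to these files.
<Directory "/var/webapps/sft/WEB-INF">
    Order deny,allow
    Deny from all
</Directory>

# --- Per-host mounts ---
<VirtualHost sfta.a.b.c:443>
    # SSL and other host directives omitted.
    JkMount   /sft/*      loadbalancer
    # Before: JkUnMount /*.html loadbalancer
    # Scoped to the one webapp whose static files httpd should serve.
    JkUnMount /sft/*.html loadbalancer
</VirtualHost>
```

Running `apachectl configtest` after the change checks the syntax; requesting a path under `/sft/WEB-INF/` and a directory without an index file should both return 403.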