6.3.3.2.1. Fedora Core 3 and 4

How to configure Apache to use HTTPS on Fedora Core 3 and 4

Apache2 RPM Packages

Make sure the following packages are installed:

  • httpd-manual-2.0.52-3
  • httpd-suexec-2.0.52-3
  • system-config-httpd-1.3.1-1
  • httpd-2.0.52-3
  • mod_ssl-2.0.52-3

For example, check the installed packages using:

# rpm -qa | grep "httpd\|mod_ssl"

Connecting Tomcat with Apache

Install the Apache mod_jk Module

The mod_jk package comes with the Fedora Core 4 operating system. To install it, log in as root and execute this command:

# yum install mod_jk

For Fedora Core 3, the mod_jk module may be obtained from the jpackage site. The required package is called "mod_jk-ap20". The easiest way to download and install the package is to execute the following commands as root:

# cd /tmp
# wget http://mirrors.dotsrc.org/jpackage/1.6/fedora-3/RPMS.free/mod_jk-ap20-1.2.8-1jpp.i386.rpm
# rpm --import http://www.jpackage.org/jpackage.asc
# yum localinstall mod_jk-ap20-1.2.8-1jpp.i386.rpm

wget downloads the file from the primary jpackage mirror site. The rpm command installs the jpackage public key for package verification, and the yum command performs the installation.

Configuring Apache to use mod_jk

To make Apache load and use mod_jk, create a file called jk.conf in /etc/httpd/conf.d. Its contents should be similar, if not identical, to this:

# Load mod_jk module
LoadModule    jk_module  /etc/httpd/modules/mod_jk.so
# Where to find workers.properties
JkWorkersFile /etc/httpd/conf/workers.properties
# Where to put jk logs
JkLogFile     /var/log/httpd/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel    info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions: send the SSL key size to Tomcat and set URI/directory forwarding behaviour
JkOptions     +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat sets the request log format
JkRequestLogFormat     "%w %V %T"
# Send everything for the GRIA contexts to the worker named worker1 (ajp13)
JkMount /gria-basic-app-services worker1
JkMount /gria-basic-app-services/* worker1
JkMount /gria-client-mgt worker1 
JkMount /gria-client-mgt/* worker1
JkMount /gria-service-provider-mgt worker1
JkMount /gria-service-provider-mgt/* worker1

As well as configuring the mod_jk module, this also instructs Apache to pass on requests for GRIA to "worker1".

Configuring the Tomcat Worker

To complete the configuration, another file must be created. This is the workers.properties file referenced in the last section. Create the file /etc/httpd/conf/workers.properties with the following contents:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=50
worker.worker1.cachesize=10
worker.worker1.cache_timeout=600
worker.worker1.socket_keepalive=1
worker.worker1.recycle_timeout=300

This configuration instructs "worker1" to pass on requests to port 8009 using the ajp13 protocol. The default Tomcat installation will already be listening for this sort of communication and, as a result, requests for the GRIA web applications will be passed on to Tomcat.

Securing Apache

Add gria-services.conf File in conf.d

Download the gria-services.conf sample file and place it in /etc/httpd/conf.d.

Edit gria-services.conf so that the following settings point to the files you exported from your keystore on the previous page:

  • SSLCertificateFile
  • SSLCertificateKeyFile
  • SSLCACertificateFile
  • SSLCARevocationFile

In addition, replace apache2 with httpd in the ErrorLog and TransferLog lines, i.e.:

     ...
     ErrorLog /var/log/httpd/grid-error.log
     ...
     TransferLog /var/log/httpd/grid-access.log
     ...

Edit /etc/httpd/conf.d/ssl.conf

Edit /etc/httpd/conf.d/ssl.conf so that it contains only the following directives:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

Start Apache

Start Apache using the command below. If the private key is encrypted, you may also be prompted for its password:

# service httpd restart

You may also want to configure your system to start Apache automatically when it is rebooted:

# chkconfig httpd on

N.B. Apache will not be able to start automatically if your server's private key is encrypted, as it cannot start without the password being entered.

You can now access the GRIA admin pages through HTTPS, e.g. https://localhost/GRIA.
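
The following pre-flight check is an added example, not part of the original GRIA documentation. It reads the four SSL file settings listed above from a config file such as /etc/httpd/conf.d/gria-services.conf, confirms each file is readable, flags a private key that group or other can access, and notes when the key is encrypted (the case in which Apache cannot start unattended). The function names are hypothetical, and the script assumes one directive per line and paths without spaces.

```shell
#!/bin/sh
# Added example (not part of the GRIA documentation): audit the four SSL file
# directives in a config file such as /etc/httpd/conf.d/gria-services.conf.
# Assumes one directive per line and paths without spaces.

# Print the path set for directive $2 in config file $1 (last occurrence wins).
ssl_path() {
    awk -v d="$2" 'tolower($1) == tolower(d) { p = $2 }
                   END { gsub(/"/, "", p); print p }' "$1"
}

# Succeed if the PEM private key $1 is passphrase-protected.
key_is_encrypted() {
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Succeed if $1 grants no permissions to group or other (e.g. mode 0600).
key_is_private() {
    [ "$(ls -Lld "$1" | cut -c5-10)" = "------" ]
}

# Report on every directive; return non-zero if anything needs fixing.
audit_ssl_conf() {
    conf=$1
    rc=0
    for d in SSLCertificateFile SSLCertificateKeyFile \
             SSLCACertificateFile SSLCARevocationFile; do
        p=$(ssl_path "$conf" "$d")
        if [ -z "$p" ]; then
            echo "FAIL $d is not set"; rc=1
        elif [ ! -r "$p" ]; then
            echo "FAIL $d -> $p is missing or unreadable"; rc=1
        else
            echo "OK   $d -> $p"
        fi
    done
    key=$(ssl_path "$conf" SSLCertificateKeyFile)
    if [ -r "$key" ]; then
        if ! key_is_private "$key"; then
            echo "FAIL $key is accessible to group/other"; rc=1
        fi
        if key_is_encrypted "$key"; then
            echo "NOTE $key is encrypted: httpd will ask for the passphrase at start"
        fi
    fi
    return $rc
}

if [ $# -gt 0 ]; then audit_ssl_conf "$1"; fi
```

Run it as root with the config file path as its only argument before restarting httpd; a non-zero exit status means at least one FAIL line was printed.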