apache tomcat and mod_jk

[rjlemley]

Has anyone gotten Scalix Webmail and Admin Console working with Apache and mod_jk? I think it's what I need to use...

I'd like to have Apache listening on port 443 with SSL, and forward necessary connections to Tomcat for the admin console and webmail. I'm trying to get this to work since you need to have Apache running for the Rules Wizard and such. I'd rather not have to keep Tomcat using port 8443 as I suspect that will just confuse my users.

Thanks,

-Rob

[rjlemley]

Okay, I have it sort of working. This is with mod_jk 1.2.14.1 on RHEL4 (Apache 2)

Code: Select all

This went into my httpd.conf:
# Load mod_jk module
LoadModule    jk_module  modules/mod_jk.so
# Where to find workers.properties
JkWorkersFile /etc/httpd/conf/workers.properties
# Where to put jk logs
JkLogFile     /var/log/httpd/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel    debug
# SHM info
JkShmFile   /etc/httpd/logs/jk.shm
JkShmSize   10M
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions     +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat     "%w %V %T"
# JkMount points
JkMount / ajp13
JkMount  /webmail/* ajp13
JkMount  /sac/* ajp13
JkMount  /caa/* ajp13


Everything works now on port 80, but when I try to use the SSL port I cannot log into Webmail. I get the login screen, but when I click the button it just hangs. The admin console works in both SSL and non-SSL modes.

If there something I need to change in server.xml maybe?

-Rob

[natkins]

Hi Rob,

Try applying the following variables to your httpd.conf:

# Should mod_jk send SSL information to Tomcat (default is On)
JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT

The first one is key I think.

Cheers,

Nick.

[axsom1]

I use an apache rewrite like so:

RewriteCond %{SERVER_PORT}% !^/443
RewriteRule ^/webmail(.*) https://www.example.com/webmail$1 [L,R]

Do I still need to have the JkSSL stuff in my config?

Thanks,
John

[natkins]

I think you do, yes. You still need to tell Apache to tunnel requests to /webmail* to Tomcat via the JK connector.

Nick.

[axsom1]

Hey Nick,

Forgive the newb nature of my post, just want to make sure I understand correctly.

Here is my workers.properties file (/etc/httpd/conf).

Code: Select all

workers.tomcat_home=/opt/tomcat
workers.java_home=$JAVA_HOME
ps=/
worker.list=scalix

worker.scalix.port=8009
worker.scalix.host=localhost
worker.scalix.type=ajp13
worker.scalix.lbfactor=1


And here is my jk.conf (/etc/httpd/conf.d).

Code: Select all

LoadModule jk_module modules/mod_jk.so

<IfModule mod_jk.c>
  JkWorkersFile "conf/werkers.properties"
  JkLogFile "logs/mod_jk.log"
  JkLogLevel "error"
  JkShmFile "/etc/httpd/logs/jk.shm"
  JkShmSize "10M"

  <Location />
    AddOutputFilterByType DEFLATE text/xml text/html text/css
    AddOutputFilterByType DEFLATE application/x-javascript
  </Location>

  JkMount /webmail scalix
  JkMount /webmail/* scalix

  JkMount /sac scalix
  JkMount /sac/* scalix

  JkMount /caa scalix
  JkMount /caa/* scalix
</IfModule>


With the apache rewrite rule, the traffic is SSL'd to apache but not between apache and the JK connector at localhost correct?

Is this a security issue?

Thanks,
John