apache_tomcat_howto.txt

java windows mda and reveus

Apache+Tomcat with SSL How-To
=============================
 

Software Requirements:
======================

openssl-0.9.6				
(http://www.openssl.org)

Apache 1.3.17				
(http://www.apache.org)

mod_ssl-2.8.0-1.3.17		
(http://www.modssl.org)

mod_jk_apache_1.3_eapi.so	
(http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-howto.html)

mm-1.1.3.tar.gz [optional suggestion]
(http://www.engelschall.com/sw/mm)

Tomcat (latest stable is 3.2.1, you will need the source, 
which comes with the mod_jk, and when you build from source you will
also need the servlet-api package)
(http://jakarta.apache.org/tomcat/index.html)


If you don't know how to find your way around Apache and it's module world,
then it is probably a good idea if you decide for a Tomcat standalone installation
with SSL enabled. However, here are the steps you might want to follow,
however, you can also just read the mod_ssl INSTALL file.
 
1) Extract the downloaded packages:
 
$tar -xvzf <name>.tar.gz 

2) Build and install openssl
   (You might want to avoid IDEA, because of the patent issue, see README) 
   I prefer to use the prefix, and run of packages to keep the system tidy,
   you can also opt for the default, or just use another path.
   The -fPIC is a compiler flag for position independent code.

$ cd /path/to/openssl-0.9.6 
$ ./config no-idea -fPIC --prefix=/usr/local/openssl 
$ make 
$ make test 
[ You can only install as root ]
$ make install

3) Build and install mm [optional]
   This is done for performance reasons (ram based cache for mod_ssl). The disable shared
   will build only the static version, and will release you from establishing an LD_LIBRARY_PATH.
   Alternatively you can opt for building the shared, and add the path (in Linux that should work with
   editing /etc/ld.so.conf  and running /sbin/ldconfig). 

	
$ cd /path/to/mm-1.1.3
$ ./configure --disable-shared --prefix=/usr/local/mm
$ make
[ You can only install as root; it's optional specially if you built only the static ]
$ make install


4) Build and install mod_ssl
   I suggest you follow the path of the INSTALL file, probably you will figure out
   that most of the above is described there too.

   Don't forget to configure other modules as needed for your local installation.

5) Build Apache following the mod_ssl INSTALL file, I suggest you take the Hackers way to
   do so.
   Don't forget to see about all the SSL settings in your config file.     


Congratulations, you should now have a system that is able to handle SSL and non SSL requests :)


Now let's see about Tomcat. You will have to build it from the scratch, so you get your
mod_jk nicely.

1) Install the mod_jk, the module that links Tomcat and Apache
   This can be done by moving the mod_jk_apache_1.3_eapi.so into 
   your modules libexec path. 
   As far as known, you should remove any references to existing mod_jserv modules.
   If your configuration loads both, it is most likely going to fail. 


   
6) SSL was my ultimate target. The documentation states that Apj12 does not
work so well with SSL. I added this to tomcats server.xml file:

	<Connector className="org.apache.tomcat.service.PoolTcpConnector">
        <Parameter name="handler" 
        value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
        <Parameter name="port" value="8009"/>
    </Connector>
    
        
        
    

7) Restart Tomcat. Access the webmail again to make sure that everything
still works. If Apache is running on port 80 you may need to stop it or just
reconfigure Tomacat to run on port 8080 again.

8) Copy /conf/mod_jk.conf-auto to some other file (I copied
it to /conf/mod_jk.conf). This file has some asteric (*)
separated areas covering all of the contexts that Tomcat loads on startup
(everything in /webapps). Edit out anything that does not need to be there.
Next we need to change all of the "ajp12" to "ajp13" instances.

9) By default mod_jk.conf-auto will include a line that tries to map all
servlets into a directory called servlets (See the line below). When left
like this webmail is unable to find jwma. I modified it slightly as you can
see below.

10) Add a an include line to the bottom of the apache httpd.conf file
(Include https://. At this point I can handle all URLs which
point to a specific jsp. I cannot go to http://domainname/webmail and get to
login.jsp. Even though I have configured Apache to handle index.html and
index.jsp. I suspect I need another rule. I have not had a chance to look at
it yet. Below is the pertinent information from mod_jk.conf. It is this
rewrite rule that keeps me from saying that I am offering %100 percent jwma
fuctionality.

#########################################################
# Auto configuration for the /webmail context starts.
#########################################################
#
# The following line makes apache aware of the location of the /webmail
context
#
Alias /webmail "/usr/local/jakarta-tomcat-3.2.1/webapps/webmail"

    Options Indexes FollowSymLinks
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*) https://%{SERVER_NAME}/webmail/$1

#
# The following line mounts all JSP files and the /servlet/ uri to tomcat
#
# JkMount /webmail/servlet/* ajp13  #### This does not work #####
JkMount /webmail/* ajp13            #### This works !! ######
JkMount /webmail/*.jsp ajp13
#
# The following line prohibits users from directly accessing WEB-INF
#

    AllowOverride None
    deny from all

#
# The following line prohibits users from directly accessing META-INF
#

    AllowOverride None
    deny from all

#######################################################
# Auto configuration for the /webmail context ends.
#######################################################


If you wanted jwma to work out of the box with Apj12 (without ssl) then you
would need to find a way to get the webmail servlets into a the default
servlet directory. Thats about it. Sorry for the length. jim

>Hi Jim,
>
>Yes I am definately interested in your config, on one hand because
>I can try to put up some generic information on how to deploy jwma with
Tomcat
>via Apache and on the other hand, because I might figure out how I can make
>your life (and that of others that opt for such a config) easier.
>
>Regards,
>Dieter  
>
>>Dieter
>>Do you have any interest in my current config? I now have webmail served
via Apache. I am using mod_rewrite to remap ^/webmail/(.*) to href='https://server/webmail/login.jsp.'
https://server/webmail/login.jsp.' target='_top'>target='_top'>https://server/webmail/login.jsp. This gives me 99%
functionality of jwma within Apache. The one remaining issue is a subtle URL
mapping issue that I am too tired to fix. I guess I could have rebuilt
Tomcat with SSL but this makes more sense to me. Thanks again.   jim
>>
>

 
 
 
   RewriteEngine On<br>

  RewriteCond %{HTTPS} !=on<br>

  RewriteRule ^/webmail(.*) https://{%SERVERNAME}/webmail$1</code>