HELP: Apache 2 / Tomcat 6 / mod_jk / Windows XP

HELP: Apache 2 / Tomcat 6 / mod_jk / Windows XP

am 05.10.2007 22:25:45 von lefebvre

Hello All...

Im trying to get Apache/Tomcat connected on my windows box. I have
followed the instructions online that I have found (however, all the
instructions are for Tomcat5.5 or older) and think I am close but
still not working.

For your reference I am getting this error when I try:
http://localhost/examples/jsp/index.html

I get:
This error (HTTP 403 Forbidden) means that Internet Explorer was able
to connect to the website, but it does not have permission to view the
webpage.


When I checked the server log and it is giving me these details:
[Fri Oct 05 09:46:25 2007] [error] [client 127.0.0.1] client denied by
server configuration: C:/apache/tomcat/webapps/examples/jsp/index.html

However, this works:
http://localhost:8080/examples/jsp/index.html


So, this makes me think I just need to tweak some values. Any ideas
on how to fix and get these connected?

Here is an overview of my setup:
Windows XP Pro: SP3
Java: 1.6 (JAVA_HOME is set)
Tomcat: 6.0.14 (CATALINA_HOME is set)
Apache: 2.2.6
JK 1.2.25 (mod_jk-apache-2.2.4.so) (there wasnt a 2.2.6 available
yet)

One thing to note, there is no longer a DLL for Win32k, only SO
files.


Here is a summary of my changes to get things connected:
1. Installed latest Java, Tomcat, and Apache.

2. Copied mod_jk-apache-2.2.4.so into apache/modules directory and
renamed it mod_jk.so

3. Edited Apache2's httpd.conf file and added these lines:

LoadModule jk_module modules/mod_jk.so

Include c:/apache/tomcat/conf/auto/mod_jk.conf

4. Edited Tomcat6's server.xml file and added these lines:

Just below the line:


added the following:




and just below the line:
autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">

added the following line:

forwardAll="false" modJk="c:/apache/httpd/modules/mod_jk.so" />


I saved the changes made to server.xml. Restarted the Tomcat service.
Waited a few seconds, and then checked to see if there is a file
called mod_jk.conf in tomcat/conf/auto directory, and there was.
Good.

5. Created the workers.properties file in tomcat/conf/jk, with the
following lines to it:

# BEGIN workers.properties
# Definition for Ajp13 worker
worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
# END workers.properties


6. Now that everything was configured, I restarted Tomcat, and then
Apache. Everything started up and I tested it as follows:

Verified the Apache welcome page at http://localhost

Verifed the Tomcat examples at http://localhost:8080/examples/jsp/index.html

Verifed Tomcat examples available on port 80 at http://localhost/examples/jsp/index.html
(NOPE)

This last one failed with errors described at the top of this posting.

Help!! Hopefully this post will help document this latest
configuration procedure and what tweaks it needs to get it working.

Thanks in advanced.

-Marc

Re: HELP: Apache 2 / Tomcat 6 / mod_jk / Windows XP

am 06.10.2007 03:49:36 von lefebvre

I hate replying to my own threads, however, I found a solution to my
question which may affect others who have or will try to setup Apache2
with Tomcat6 on XP.

My issue had to do with permissions on the Apache server for the
Tomcat directories.

If you are in the same situation as described in previous post go to
your httpd.conf file in your Apache installation. Notice the section
that says:


Options FollowSymLinks
AllowOverride None
Order deny,allow
Satisfy all
Deny from all



The above sets the DEFAULT permissions for directories NOT specified
specifically in the conf files. Notice the line "Deny from All".
That by default denies access to ANY and ALL directories not
specifically given permissions to be accessed.

Here are possible solutions:

1) Change the DENY FROM ALL to ALLOW FROM ALL. This will allow your
Tomcat directories to be access by the Apache webserver. The side
affect of this is that it opens up ALL directories by default, which
means you need to specifically CLOSE access to folder you want to
restrict access to. It changes the mode from restricted to permissive
environment. Not usually a good idea except for testing. Not a good
idea for production environment.

2) A more secure and specific solution is that in your mod_jk.conf
file, that is autogenerated, needs to be tweaked. This however, will
cause you to no longer to be able to use an autogenerated mod_jk.conf
file. You will need to make a copy of this file, move it up to the
tomcat/conf/ level and then edit it adding the ALLOW FROM ALL for each
directory you want to grant access to in Apache. This will require you
to tweak your Apache configuration a little and change the line in
your httpd.conf file

FROM:
Include c:/apache/tomcat/conf/auto/mod_jk.conf

TO:
Include c:/apache/tomcat/conf/mod_jkCustom.conf


This is a more controlled solution, but you loose the flexibility of
the autogeneration script. This will impact your deploying of NEW
apps in your tomcat container, and will require you to edit this NEW
file EVERY TIME, and cut and paste the new app sections into your
Custom conf file form the autogenerated one.

3) Finally, here is the best of both worlds fix and probably the best
and secure aproach. Add the following lines to your httpd.conf file
for EACH DIRECORY you want to open up.

For example:


Order allow,deny
Allow from all



Order allow,deny
Allow from all



Order allow,deny
Allow from all



Order allow,deny
Allow from all



So, any NEW app you put into your container, you will need to add the
directory permission in your httpd.conf directory to allows access
from Apache. However, you wil still be able to use the autogenerated
file that is produced by Tomcat. This is a happy medium between
flexibility and security.

Hope this helps someone...

-Marc