With mod_ssl the following virtualhost is setup using an SSL certificate from GoDaddy. Notice the SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt reference. This intermediate certificate comes from GoDaddy and is required. I didn’t catch this at first and couldn’t understand what my web browser was unhappy about. When I called GoDaddy support they told me my certificate was setup correctly and worked in all of there “off-site” test browsers. They were no help, so I continued to dig around and finally found the answer.

The mod_proxy lines pass all requests to the Tomcat instance listening on port 9014.

/etc/httpd/conf.d/ssl.conf

<virtualhost>
DocumentRoot  /var/www/html/
ServerName    myserver.com:433  SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/myserver.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myserver.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt
SetEnvIf User-Agent ".*MSIE.*"
         nokeepalive ssl-unclean-shutdown
         downgrade-1.0 force-response-1.0
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
CustomLog logs/ssl_request_log
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ProxyPreserveHost On
ProxyPass / http://localhost:9014/
ProxyPassReverse / http://localhost:9014/
SetEnv proxy-nokeepalive 1
</virtualserver>

For the Tomcat setup, a proxy connector is configured to listen on port 9014 and to proxy port 443 requests (SSL). The communication between Apache and Tomcat is not secure, but this is not a concern since this communication is local to the server. Finally, compression is turned on for several common mime-types.

server.xml

  ...
  <Connector acceptCount="100" connectionTimeout="60000" disableUploadTimeout="true" port="9014" redirectPort="8944"
  scheme="https" proxyPort="443" compression="on" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript"/>
  ...

org.apache.commons.digester.Digester startElement
SEVERE: Begin event threw exception
java.lang.ClassNotFoundException: com.mikwat.struts.config.AuthorizationActionConfig

The root of the problems appears to be that the Digester defaults to using the same ClassLoader that loaded it and whichever ClassLoader this is, it doesn’t have access to my webapp class com.mikwat.struts.config.AuthorizationActionConfig.

After Googling around, I eventually came across this post regarding a similar problem loading the Quartz plugin: Mailing list archives.

The solution is to call setUseContextClassLoader(true) on the Digester object which forces it to use the ClassLoader found by calling Thread.currentThread().getContextClassLoader().

1. Broadband Reports offers both free and paid services. Their Line Monitoring tool provides a continuous response time graph shown below by sending out pings every 10 minutes. The Line Monitoring tool costs approximately $1 per week. It also provide the ability to setup a HTTP ping to a specific URL.

2. mon.itor.us is a free web site monitor tool. As far as simplicity in setup, mon.itor.us couldn’t be easier. Their website serves as a dashboard with drag-and-drop modules for each of your sites. These modules can also be included in your OS X dashboard, Google Personal, Netvibes, etc. Another nice feature is the ability to be notified when your sites are unavailable. Alerts can be sent to an email address, IM account, or cellphone. The main problem with mon.itor.us is in its ping frequency, which is currently between 30-45 minutes. According to their parent site Monitis they are rolling out a Bronze plan ($10 per month) that will ping every 5 minutes and provide some advanced features.

/etc/httpd/conf.d/proxy_ajp.conf :

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass / http://localhost:9013/


server.xml :

<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" port="9013" redirectPort="8943" proxyName="www.myhost.com" proxyPort="80"/>


After settings things up, nothing worked. I found the following error in the Apache logfile:

[Fri Mar 30 02:23:34 2007] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:9013 (localhost) failed
[Fri Mar 30 02:23:34 2007] [error] ap_proxy_connect_backend disabling worker for (localhost)


After digging around Google a bit, I finally found the following solution:

http://uppertank.net/blog/?m=200512


[root@clue conf]# getsebool -a
allow_execmem –> active
allow_execmod –> active
allow_execstack –> active
allow_kerberos –> inactive
allow_ypbind –> inactive
dhcpd_disable_trans –> inactive
httpd_builtin_scripting –> active
httpd_can_network_connect –> inactive
httpd_disable_trans –> inactive
httpd_enable_cgi –> active
httpd_enable_homedirs –> active
httpd_ssi_exec –> active
httpd_tty_comm –> inactive
httpd_unified –> active
mysqld_disable_trans –> inactive
named_disable_trans –> inactive
named_write_master_zones –> inactive
nscd_disable_trans –> inactive
ntpd_disable_trans –> inactive
portmap_disable_trans –> inactive
postgresql_disable_trans –> inactive
read_default_t –> active
snmpd_disable_trans –> inactive
squid_connect_any –> inactive
squid_disable_trans –> inactive
syslogd_disable_trans –> inactive
use_nfs_home_dirs –> inactive
use_samba_home_dirs –> inactive
winbind_disable_trans –> inactive
ypbind_disable_trans –> inactive
[root@clue conf]# setsebool httpd_can_network_connect true
[root@clue conf]# getsebool httpd_can_network_connect
httpd_can_network_connect –> active
[root@clue conf]#