Find and Replace String in Multiple Files

Periodically I need to replace a string in multiple files on Linux. I find myself looking up this command or a variant every time.

grep -rl OLDSTRING *.FILEEXTENSION | xargs perl -pi~ -e 's/OLDSTRING/NEWSTRING/'


SSL + gzip Compression with Apache and Tomcat

My setup is a single Fedora Core 6 server running Apache 2.2.4 (with mod_ssl and mod_proxy) and Tomcat 5.

With mod_ssl, the following virtual host is set up using an SSL certificate from GoDaddy. Notice the SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt reference. This intermediate certificate comes from GoDaddy and is required. I didn’t catch this at first and couldn’t understand what my web browser was unhappy about. When I called GoDaddy support they told me my certificate was set up correctly and worked in all of their “off-site” test browsers. They were no help, so I continued to dig around and finally found the answer.

The mod_proxy lines pass all requests to the Tomcat instance listening on port 9014.

/etc/httpd/conf.d/ssl.conf

# _default_:443 is an assumed address (the stock ssl.conf value)
<VirtualHost _default_:443>
DocumentRoot  /var/www/html/
ServerName    myserver.com:443
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/myserver.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myserver.key
# Intermediate CA bundle, sent to clients so they can build the chain to a trusted root
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# Forward every request to the Tomcat connector on localhost:9014
ProxyPreserveHost On
ProxyPass / http://localhost:9014/
ProxyPassReverse / http://localhost:9014/
SetEnv proxy-nokeepalive 1
</VirtualHost>

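For the Tomcat setup, a proxy connector is configured to listen on port 9014 and to proxy port 443 requests (SSL). The communication between Apache and Tomcat is not encrypted, but this is not a concern since this communication is local to the server. That holds only while port 9014 is unreachable from other hosts: the connector sets no address attribute, so Tomcat listens on all interfaces unless a firewall blocks the port. Finally, compression is turned on for several common MIME types.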

server.xml

  ...
  <Connector acceptCount="100" connectionTimeout="60000" disableUploadTimeout="true" port="9014" redirectPort="8944"
  scheme="https" proxyPort="443" compression="on" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript"/>
  ...


Apache Tomcat Proxy Connector

I ran into some trouble configuring Apache/Tomcat on Fedora Core 6 using the Proxy AJP Module this week. Here are my final settings and a brief description of the problem and solution.

/etc/httpd/conf.d/proxy_ajp.conf :

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass / http://localhost:9013/

server.xml :

<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" port="9013" redirectPort="8943" proxyName="www.myhost.com" proxyPort="80"/>

After setting things up, nothing worked. I found the following error in the Apache logfile:

[Fri Mar 30 02:23:34 2007] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:9013 (localhost) failed
[Fri Mar 30 02:23:34 2007] [error] ap_proxy_connect_backend disabling worker for (localhost)

After digging around Google a bit, I finally found the following solution:

http://uppertank.net/blog/?m=200512


[root@clue conf]# getsebool -a
allow_execmem --> active
allow_execmod --> active
allow_execstack --> active
allow_kerberos --> inactive
allow_ypbind --> inactive
dhcpd_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
read_default_t --> active
snmpd_disable_trans --> inactive
squid_connect_any --> inactive
squid_disable_trans --> inactive
syslogd_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive
[root@clue conf]# setsebool httpd_can_network_connect true
[root@clue conf]# getsebool httpd_can_network_connect
httpd_can_network_connect --> active
[root@clue conf]#
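
A triage helper for the failure described above, as an added example that is not part of the original post: it pulls the refused backend out of the Apache error log and checks the boolean in getsebool output. The sample text is constructed from the lines quoted in the post and the function names are hypothetical; the suggested fix uses `setsebool -P`, which also persists the value across reboots (plain `setsebool` changes only the running value).

```shell
#!/bin/sh
# Added example (not from the original post). Sample data is constructed
# from the error-log lines and getsebool output quoted in the post.
SAMPLE_LOG='[Fri Mar 30 02:23:34 2007] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:9013 (localhost) failed
[Fri Mar 30 02:23:34 2007] [error] ap_proxy_connect_backend disabling worker for (localhost)'
SAMPLE_BOOLS='httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_enable_cgi --> active'

# Read an Apache error log on stdin; print each backend (host:port) that
# mod_proxy was refused with errno 13, one per line, de-duplicated.
denied_backends() {
    sed -n 's/.*(13)Permission denied: proxy: [A-Z]*: attempt to connect to \([0-9.]*:[0-9]*\) .*/\1/p' | sort -u
}

# Read `getsebool -a` output on stdin; print the state of boolean $1.
# Older releases print active/inactive, current ones print on/off.
bool_state() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3; found = 1 }
                      END { if (!found) print "unknown" }'
}

# diagnose LOG_TEXT BOOLS_TEXT: print a one-line verdict.
diagnose() {
    backends=$(printf '%s\n' "$1" | denied_backends | tr '\n' ' ')
    if [ -z "$backends" ]; then
        echo "OK: no proxy connection was denied with errno 13"
        return 0
    fi
    state=$(printf '%s\n' "$2" | bool_state httpd_can_network_connect)
    case $state in
        inactive|off)
            echo "SELINUX: httpd may not connect to ${backends% }; run: setsebool -P httpd_can_network_connect on" ;;
        *)
            echo "OTHER: denied ${backends% } but httpd_can_network_connect is $state; check the audit log" ;;
    esac
}

# Demo on the constructed samples. On a live host, pass the contents of the
# Apache error log and "$(getsebool -a)" instead.
diagnose "$SAMPLE_LOG" "$SAMPLE_BOOLS"
```

The boolean lets httpd open outbound TCP connections to any port, not only the Tomcat connector, so enable it only on hosts where Apache is meant to act as a proxy.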
