Tag Archives: apache

Jira with SSL and Apache as proxy

If you want to run your installation of Atlassian Jira completely over SSL proxied by Apache please note the following:

Apache configuration example (Apache is not running on the same machine as Jira; the Jira URL is jira.example.com):

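<VirtualHost *:443>
    # The listen address *:443 is an assumption; adjust it to your setup
    ServerAdmin [email protected]
    ServerName jira.example.com

    ErrorLog /var/log/apache2/jira.example.com/ssl-error.log
    LogLevel warn
    CustomLog /var/log/apache2/jira.example.com/ssl-access.log combined
    ServerSignature On

    # TLS is terminated here with the certificate for jira.example.com
    SSLEngine On
    SSLCertificateFile jira.example.crt
    SSLCertificateKeyFile jira.example.key
    SSLCertificateChainFile CA.crt
    SSLProxyEngine on

    # Reverse proxy only (no forward proxying); pass the original Host header to Jira
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://jirahost:8080/
    ProxyPassReverse / http://jirahost:8080/
</VirtualHost>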


Jira Standalone Tomcat configuration
Besides the usual Apache proxy configuration, you have to extend the server.xml file of your Jira standalone Tomcat server (the last three attributes, scheme, proxyName and proxyPort, are new):

<Connector port="8080"
    maxThreads="150"
    minSpareThreads="25"
    maxSpareThreads="75"
    connectionTimeout="20000"
    enableLookups="false"
    maxHttpHeaderSize="8192"
    protocol="HTTP/1.1"
    useBodyEncodingForURI="true"
    redirectPort="8443"
    acceptCount="100"
    disableUploadTimeout="true"
    scheme="https"
    proxyName="jira.example.com"
    proxyPort="443" />

Finally, you have to set the Base URL of your Jira Installation accordingly, in the example above to https://jira.example.com
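
A consistency check for the three settings above, as an added example that is not part of the original post or of any Atlassian tooling: it reads server.xml and confirms that scheme, proxyName and proxyPort on the backend connector agree with the Base URL. The function names and the two sample connectors are constructed for illustration, and the check assumes the Connector element is not inside an XML comment.

```shell
# Added example; function names are hypothetical.
# Assumption: the <Connector> element is not inside an XML comment.

# connector_attr PORT ATTR < server.xml
# Prints the value of ATTR on the Connector whose port attribute is PORT.
connector_attr() {
    tr '\n\t' '  ' | grep -o '<Connector [^>]*>' | grep " port=\"$1\"" |
        sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# check_proxy_connector BASE_URL BACKEND_PORT < server.xml
# Returns 0 when scheme, proxyName and proxyPort agree with BASE_URL,
# otherwise prints one line per mismatch and returns 1.
check_proxy_connector() {
    xml=$(cat); rc=0
    scheme=${1%%://*}
    host=${1#*://}; host=${host%%/*}
    case $host in
        *:*) pport=${host##*:}; host=${host%%:*} ;;
        *)   if [ "$scheme" = https ]; then pport=443; else pport=80; fi ;;
    esac
    for pair in "scheme=$scheme" "proxyName=$host" "proxyPort=$pport"; do
        attr=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$xml" | connector_attr "$2" "$attr")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $attr: want '$want', got '${got:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a connector before the three attributes were added.
sample_unproxied() {
    printf '%s\n' '<Connector port="8080"' '  protocol="HTTP/1.1"' \
        '  redirectPort="8443" />'
}

# Constructed sample: the connector as configured in this post.
sample_proxied() {
    printf '%s\n' '<Connector port="8080"' '  protocol="HTTP/1.1"' \
        '  redirectPort="8443"' '  scheme="https"' \
        '  proxyName="jira.example.com"' '  proxyPort="443" />'
}
```

Against a real installation, feed the file on standard input: check_proxy_connector https://jira.example.com 8080 < conf/server.xml (the path is relative to the Jira standalone directory and may differ).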


Installing Apache Solr on Debian Squeeze 6.0 and tomcat7

Due to the lack of an official Apache Solr package in Debian Squeeze 6.0, this post briefly describes the installation of tomcat7 together with Apache (Lucene) Solr from source.

Install tomcat7 package:

apt-get install tomcat7

Download Apache Solr from here, for example:

cd /opt/ && wget http://apache.lehtivihrea.org//lucene/solr/3.4.0/apache-solr-3.4.0.tgz

unpack the package

tar xzfv apache-solr-3.4.0.tgz

copy the solr file to tomcat webapps directory

cp apache-solr-3.4.0/dist/apache-solr-3.4.0.war /var/lib/tomcat7/webapps/solr.war

copy example configs and files to tomcat solr directory

cp -fr apache-solr-3.4.0/example/solr/ /var/lib/tomcat7/

change owner to tomcat

chown -R tomcat7:tomcat7 /var/lib/tomcat7/solr/

restart tomcat

/etc/init.d/tomcat7 restart

If everything went well you should be able to see the Solr Admin page on http://yourhost.com:8080/solr/admin.
Have Fun!


NGINX, WordPress and php-fpm on Debian Squeeze

A while ago I published a howto on running nginx+serendipity+php-fpm with Apache-style rewriting as implemented in s9y. The described installation is obsolete now – php-fpm made the jump into the regular PHP versions beginning with PHP 5.3.3 (see here). In addition to that I made s9y obsolete on my blog and migrated it to WordPress.
The Netcraft web server survey from April 2011 shows that nginx is still increasing slightly and is currently providing access to 8,68% of all monitored domains:

Netcraft Webserver survey april 2011
Time for me to switch to nginx again :)

Manual compiling is cool, but also a bit old-school, that’s why we use packages from Dotdeb in this example:

  1. Add the following two lines to your /etc/apt/sources.list file (example for Debian Squeeze; see the Lenny instructions here):

    deb http://packages.dotdeb.org stable all
    deb-src http://packages.dotdeb.org stable all

  2. Fetch and apply the GnuPG key:

    wget http://www.dotdeb.org/dotdeb.gpg
    cat dotdeb.gpg | sudo apt-key add -

  3. Refresh your sources:

    apt-get update

  4. Install the packages, including php5-fpm and nginx:

    apt-get install php-apc php-auth php-net-smtp php-net-socket php-pear php5 php5-cgi php5-cli php5-common php5-curl php5-dev php5-gd php5-imagick php5-imap php5-mcrypt php5-mysql php5-pspell php5-sqlite php5-suhosin php5-xmlrpc php5-xsl php5-fpm nginx

  5. First of all I made some modifications (gzip compression and TCP tweaks) to the nginx.conf located in /etc/nginx/nginx.conf:

    #/etc/nginx/nginx.conf
    worker_processes 2;
    tcp_nopush on;
    tcp_nodelay on;
    # Gzip Settings
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 1;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

  6. Thanks to the new try_files directive in nginx, the vhost configuration (found in /etc/nginx/sites-available) for WordPress is fairly straightforward. (In addition, Igor has often mentioned that using the if directive in nginx the way it is used in Apache is evil.) Example vhost configuration for my blog:

    # vhost file in /etc/nginx/sites-available
    server {
        listen 80;
        server_name andreas-lehr.com;
        server_tokens off;
        root /var/www/virtual/andreas-lehr.com/htdocs;
        index index.php index.html index.htm;
        access_log /var/log/nginx/andreas-lehr.com/access_log;
        error_log /var/log/nginx/andreas-lehr.com/error_log;

        location / {
            index blog/index.php;
        }

        # Serve existing files and directories, hand everything else to WordPress
        location /blog/ {
            try_files $uri $uri/ /blog/index.php?q=$uri;
        }

        # Pass PHP scripts to php-fpm over the unix socket
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            #fastcgi_pass 127.0.0.1:9000;
            fastcgi_pass unix:/dev/shm/php-fastcgi.socket;
        }

        # Long-lived caching for static assets
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
            gzip on;
        }
    }

    Please be aware that the blog in the example is running from the sublocation /blog.

  7. The php-fpm configuration is located in /etc/php5/fpm. The file php-fpm.conf is the main configuration file, which includes everything in the subdirectory pool.d, where I made some modifications to the default www.conf pool file:

    #/etc/php5/fpm/pool.d/www.conf
    ;listen = 127.0.0.1:9000
    listen = /dev/shm/php-fastcgi.socket
    php_flag[display_errors] = off
    php_admin_value[error_log] = /var/log/fpm-php.www.log
    php_admin_flag[log_errors] = on
    php_admin_value[error_reporting] = 0
    php_admin_value[memory_limit] = 128M
    php_admin_value[date.timezone] = Europe/Berlin

    As you can see, I configured only one pool, which runs through the unix socket /dev/shm/php-fastcgi.socket; this should be a bit faster than a local TCP socket. I didn't change any other performance values in the first place (the blog is running with pm = dynamic, pm.max_children = 50, pm.start_servers = 20, pm.min_spare_servers = 5, pm.max_spare_servers = 35, pm.max_requests = 0, which is a lot more than ever needed).
    Finally I changed some php_admin_flags and values accordingly.

  8. Start php-fpm:

    /etc/init.d/php5-fpm start

  9. Start nginx:

    /etc/init.d/nginx start
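
The key-import step above fetches dotdeb.gpg over plain HTTP and hands it straight to apt-key. The following is an added example (not part of the original howto and not Dotdeb's tooling) that compares the fingerprint of the downloaded key with one obtained separately before the key is trusted. EXPECTED_FPR is a placeholder, the function names and the sample listing are constructed, and verify_key_file assumes a GnuPG version that supports --show-keys.

```shell
# Added example; function names are hypothetical.
# EXPECTED_FPR is a placeholder: take the real fingerprint from a source you
# trust, fetched separately from the key file itself.
EXPECTED_FPR='REPLACE-WITH-FINGERPRINT-OBTAINED-OUT-OF-BAND'

# key_fingerprints < colon-listing
# Prints the fingerprint of every primary key: field 10 of the first "fpr"
# record after each "pub" record (subkey fingerprints are skipped).
key_fingerprints() {
    awk -F: '$1 == "pub" { primary = 1; next }
             $1 == "fpr" && primary { print toupper($10); primary = 0 }'
}

# fingerprint_matches EXPECTED < colon-listing
# Succeeds only if the listing holds exactly one primary key whose
# fingerprint equals EXPECTED (spaces and letter case are ignored).
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    found=$(key_fingerprints)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# verify_key_file FILE EXPECTED: check a downloaded key before trusting it.
verify_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | fingerprint_matches "$2"
}

# Constructed colon listing (made-up key material) for trying the functions.
sample_listing() {
    printf '%s\n' \
        'pub:-:4096:1:89ABCDEF01234567:1262304000:::-:::scESC:' \
        'fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:' \
        'uid:-::::1262304000::::Constructed Example <repo@example.invalid>:' \
        'sub:-:4096:1:FEDCBA9876543210:1262304000::::::e:' \
        'fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
}

# In place of "cat dotdeb.gpg | sudo apt-key add -":
#   verify_key_file dotdeb.gpg "$EXPECTED_FPR" && sudo apt-key add dotdeb.gpg
```

A key file that carries a second, unexpected primary key fails the check as well, because the listing must contain exactly one.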

Conclusion:
Now that's really an easy and fast way to install nginx with php-fpm on Debian Squeeze. This configuration has now been running for several weeks on this domain, and the Pingdom monitoring shows an average response time improvement of about 300ms. In addition, the machine now has a lot more reserves in terms of RAM and CPU.
Coming up next:
Adapting these changes to the piwik and gallery3 installations running here, and integrating varnish-cache into this setup.


Howto: nginx, php-fpm and serendipity weblog (s9y) with apache style rewriting

Nginx (spoken: engine x) is an HTTP and reverse proxy server written by the Russian developer Igor Sysoev. Nginx is also able to proxy mail server requests coming in via POP3 and IMAP.
Popular sites like FastMail.FM and WordPress.com use nginx as a reverse proxy or HTTP server.
According to Netcraft's Web Server Survey from December 2009, nginx gained 5,2% market share since December 2008 and will exceed the 7% barrier in January 2010. In addition to that, 12,9 million websites started using nginx as web server or load balancer as first contact instance in the year 2010. Nginx now clearly exceeds the former lightweight web server king lighttpd (market share around 0.36% in December 2009).

In a first example we use nginx together with the FastCGI Process Manager php-fpm in order to run a serendipity weblog.
PHP-fpm will be included in future versions of PHP 5.3 but isn't shipped with stable PHP 5.2, and therefore we have to build PHP and php-fpm the traditional way.


Connecting DokuWiki to Active Directory

We have been using the free wiki system DokuWiki for quite some time.
To make it easier to use and administer, we connected the wiki to our Active Directory.
Authentication from the various networks is handled by mod_ldap:

Apache Vhost config:
# off: LDAP is not final; other authorization modules may still decide
AuthzLDAPAuthoritative off

# Do basic password authentication in the clear
AuthType Basic

# The name of the protected area or "realm"
AuthName "Use AD Account for authentification"

AuthBasicProvider ldap

# Active Directory requires an authenticating DN to access records
# This is the DN used to bind to the directory service
# This is an Active Directory user account
AuthLDAPBindDN "CN=USERNAME,OU=P-R,OU=P,OU=Organization,DC=intranet,DC=dmz"

# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword "PASSWORD"

# The LDAP query URL
# Format: scheme://host:port/basedn?attribute?scope?filter
# The URL below will search for all objects recursively below the basedn
# and validate against the sAMAccountName attribute
# AuthLDAPURL "ldap://DOMAINCONTROLLER IP/HOST:389 OU=Organization,DC=intranet,DC=dmz?sAMAccountName?sub?(objectClass=*)"
AuthLDAPURL "ldaps://DOMAINCONTROLLER IP/HOST:636/OU=Organization,DC=intranet,DC=dmz?sAMAccountName?sub?(objectClass=*)"
AuthUserFile /dev/null

# Require authentication for this Location
Require valid-user

mod_ldap then passes the credentials on to DokuWiki, which authenticates us via the Auth:AD plugin:

local.php
// configure your Active Directory data here
$conf['auth']['ad']['account_suffix'] = '@intranet.dmz';
$conf['auth']['ad']['base_dn'] = 'DC=intranet,DC=dmz';
$conf['auth']['ad']['domain_controllers'] = 'DOMAINCONTROLLER IP/HOST'; //multiple can be given
$conf['auth']['ad']['sso'] = 1;
$conf['auth']['ad']['ad_username'] = 'USERNAME';
$conf['auth']['ad']['ad_password'] = 'password';
$conf['auth']['ad']['real_primarygroup'] = 1;
$conf['auth']['ad']['use_ssl'] = 1;
$conf['auth']['ad']['debug'] = 0;

The superuser group contains all users who should get admin rights in the wiki:

$conf['superuser'] = '@gr_lok_wiki_admin';

Access can then be assigned as usual via the ACL plugin and is configured in DokuWiki's acl.auth.php. Care is needed, however, with user groups whose names contain special characters:

acl.auth.php
* @gr%5flok%5falle 8

The group "gr_lok_alle" has unrestricted access to all wiki pages. The special character "_" must be escaped as "%5f".

acl.auth.php
production:* @ALL 0
production:* @gr%5flok%5fbetrieb 8

Nobody may read the namespace "production"; the group "gr_lok_betrieb" has unrestricted access.
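
The escaping rule for group names, as an added example that is not part of the original post and not DokuWiki code: a raw "_" in acl.auth.php does not match the encoded group name, so the helpers below build encoded lines and flag rules that still contain raw special characters. The helper names are hypothetical. As an assumption that goes beyond the single "_" case shown above, every printable ASCII character outside A-Z, a-z and 0-9 is written as %xx, and only the permission values 0, 1, 2, 4, 8 and 16 are accepted.

```shell
# Added example; helper names are hypothetical, not DokuWiki functions.
# Assumption: names are printable ASCII and every character outside
# [A-Za-z0-9] is written as %xx, generalising the "_" -> "%5f" rule above.

# acl_encode NAME: print NAME in acl.auth.php form; a leading "@" is kept.
acl_encode() (
    LC_ALL=C; export LC_ALL
    name=$1; out=
    # Refuse empty names and anything outside printable ASCII.
    [ -n "$name" ] || exit 2
    [ -z "$(printf '%s' "$name" | tr -d ' -~')" ] || exit 2
    case $name in @*) out=@; name=${name#@} ;; esac
    while [ -n "$name" ]; do
        rest=${name#?}; c=${name%"$rest"}      # c = first character
        case $c in
            [a-zA-Z0-9]) out=$out$c ;;
            *) out=$out$(printf '%%%02x' "'$c") ;;
        esac
        name=$rest
    done
    printf '%s\n' "$out"
)

# acl_line NAMESPACE SUBJECT LEVEL: print one acl.auth.php rule.
acl_line() {
    case $3 in 0|1|2|4|8|16) ;; *) return 2 ;; esac
    enc=$(acl_encode "$2") || return 2
    printf '%s %s %s\n' "$1" "$enc" "$3"
}

# acl_lint < acl.auth.php
# Prints "LINE: SUBJECT" for every rule whose subject still contains a raw
# special character and returns 1 if any were found.
acl_lint() {
    awk '!/^[ \t]*(#|$)/ && $2 ~ /[^A-Za-z0-9@%]/ { print NR ": " $2; bad = 1 }
         END { exit bad }'
}
```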


Securing PHP with Suhosin

You read about holes and vulnerabilities in PHP all the time. Unfortunately, the developers are not the fastest at fixing the bugs either. So you should think about additional hardening. Besides, Martin involuntarily convinced me that action is needed here ;)
In my opinion, the Suhosin extension from the Hardened PHP Project is a good way to do this.

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.

Suhosin comes in 2 parts: one part is a patch directly for the PHP core, the other is a normal PHP extension. For optimal protection you should use both, but you don't have to, because not every piece of software is 100% compatible with the restrictions that Suhosin imposes on PHP.

Installing the patch is child's play:
– Choose the matching version in the download area.
– Unpack the patch into the PHP build directory
– In my case, run patch -p 1 -i suhosin-patch-5.2.3-0.9.6.2.patch
– Recompile and install PHP
– After a restart, phpinfo should now show "This server is protected with the Suhosin Patch 0.9.6.2".

Building in the extension is no rocket science either:
– Download the current version from the download area
– Unpack it and change into the source directory
– phpize, configure & make
– Add it to php.ini with extension="suhosin.so"
– After the Apache reload, the Zend Engine should report " with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project".

After that you should still test your software, above all third-party products.
Of course the whole thing also has the drawback that your applications run a little slower... but anyone who has performance to spare anyway will not notice much of it. Nevertheless, there is a benchmark page here with before/after comparisons. The benchmark script is also available for download.

For us everything works smoothly: whether it is the blog software serendipity, the web framework Symfony or the PHP accelerator eaccelerator, everything has been running flawlessly so far!

Have fun trying it out.
