mod_rewrite to bypass security

Many Apache webserver installations use uriworkermap to configure requests are forwarded to Tomcat/JBoss and which are not.   This provides a certain level of security.  For example:

## APACHE RESOURCES (static files):
!/*.gif=myapp
!/*.html=myapp

## DISALLOW  (security-related filter):
!/*.jsp=myapp
!/*.xml=myapp

## TOMCAT RESOURCES:
/*.do=myapp

However if you dynamically generate your sitemap.xml or any other XML files using a servlet then this security will be a problem since the XML request will not make it to Tomcat/JBoss.  This is when mod_rewrite comes to the rescue.

You can set up mod_rewrite to rewrite the sitemap.xml request to be a sitemap.do request.

RewriteRule ^/sitemap\.xml$ /sitemap.do [PT,L]

Then you can set up Struts to forward this request to sitemap.xml.

<action path="/sitemap" forward="/sitemap.xml"/>

Turning off JSP access

To turn off JSP access in your JBoss or other favorite application server add this to your web.xml.

<!-- Restrict direct access to jsps -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>you_cant_touch_this</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

To prevent Apache from sending JSP requests to JBoss add the following to your configuration.

## DISALLOW FROM REACHING JBOSS (security-related filter):
!/*.jsp=name_of_your_app
!/*.xml=name_of_your_app

Stats on Dreamhost with WordPress

Analog: WWW logfile analysisOn my WordPress blogs hosted by Dreamhost to get stats I needed to add this to the .htaccess file.

# BEGIN Stats
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(stats|failed_auth\.html).*$ [NC]
RewriteRule . - [L]
</IfModule>
# END Stats

This is further explained in the Dreamhost Wiki page Making stats accessible with htaccess.

Dreamhost uses Analog to generate web statistics. Other recommended AWStats which seems more powerful. Maybe I’ll switch if I feel the need.

Apache not starting because of Skype

When I started Apache I saw these errors.

$ (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted.  : make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs

This was puzzling to me since Apache was starting fine before. Fortunately on this forum thread, Failure Message starting Apache, one of the respondents had diagnosed the problem.

I’ve had the same problem. I noticed that when I reboot my computer (running XP pro), sometimes Apache worked. Then, I change the port to 3128 and it worked. But, then I was illuminated by God, and do a netstat -ao (-o displays the PID) and discover that Skype was listening in port 80 instead of apache -that is, I have both set up to run at startup, thus, if apache started first, it will have port 80 available, and Skype not, and vice-versa-. So my solution was to remove Skype from startup -I don’t use it too often- and make apache (and myself) happy by making port 80 available.

All I had to do was stop Skype and everything was fine. Too bad TcpView was not able to tell me that Skype was using port 80.

Installing Apache 2.2 with mod_rewrite and mod_proxy_balancer

As mentioned in my post, Configuring Apache to work with a Mongrel Cluster, you need an Apache installation with mod_rewrite and mod_proxy_balancer. Unfortunately on the Red Hat installation I was using the default installation is Apache 2.0 which does not have mod_proxy_balancer. When I tried to upgrade it using up2date I got some errors that seemed to indicate this install was not properly registered. I then tried using the Apache 2.2 install done by the tech guy but this install did not have the modules I needed.

Therefore it was time for me to do the install by myself. Fortunately it was not hard with the help of this article, Building Apache 2.2 plus the manual.

Here is what I did.

$ wget http://apache.mirror99.com/httpd/httpd-2.2.8.tar.gz
$ tar xvfz httpd-2.2.8.tar.gz
$ cd httpd-2.2.8
$ ./configure --enable-rewrite=shared --enable-proxy=shared \
    --enable-proxy_balancer=shared --enable-proxy_http=shared
$ make
$ sudo make install
$ sudo /usr/local/apache2/bin/apachectl start

Configuring Apache to work with a Mongrel Cluster

Previously I wrote about Configuring Capistrano and Mongrel. Now we are going to configure Apache to work with the Mongrel cluster.

For this article I used the chapter Setting Up A Development Environment in Agile Web Development with Rails, version 2.0, plus this article.

Capistrano working together with Mongrel allows you to deploy and restart Mongrel clusters quite nicely.

Configure Apache proxy balancer

Apache has a mod_proxy_balancer module which must be enabled. Once this is done you can add the following to the end of conf/httpd.conf or if you are on Red Hat Linux you can put the proxy balancing section in /etc/httpd/conf.d/myapp.proxy_cluster.conf and the virtual host section in /etc/httpd/conf.d/myapp.conf.

<Proxy balancer://mongrel_cluster>
  BalancerMember http://127.0.0.1:8000
  BalancerMember http://127.0.0.1:8001
  BalancerMember http://127.0.0.1:8002
</Proxy>

<VirtualHost *:80>
  Include conf/myapp.common (or Include conf.d/myapp.common)
  ErrorLog logs/myapp_errors_log
  CustomLog logs/myapp_log combined
</VirtualHost>

Configure Apache Virtual Host

Next you configure the virtual host that represents the Ruby on Rails application in the custom file conf/myapp.common or if you are on Red Hat Linux in /etc/httpd/conf.d/myapp.common.

ServerName myapp.com
DocumentRoot /usr/local/rails/myapp/current/public

<Directory "/usr/local/rails/myapp/current/public">
  Options FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>

RewriteEngine On

# Uncomment for rewrite debugging
#RewriteLog logs/myapp_rewrite_log
#RewriteLogLevel 9 

# Check for maintenance file and redirect all requests
RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ /system/maintenance.html [L]

# Rewrite index to check for static
RewriteRule ^/$ /index.html [QSA] 

# Rewrite to check for Rails cached page
RewriteRule ^([^.]+)$ $1.html [QSA]

# Redirect all non-static requests to cluster
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://mongrel_cluster%{REQUEST_URI} [P,QSA,L]

Restart Apache

$ sudo /usr/local/apache2/bin/httpd -k restart

or

$ sudo /etc/init.d/httpd restart