...

Example: route HTTP (port 80) to port 8080 and HTTPS (port 443) to port 8443. The PREROUTING rules handle packets arriving from the network; the OUTPUT rule is needed for connections that originate on the server itself, since those never traverse PREROUTING:

Code Block

/sbin/iptables -t nat -I PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
/sbin/iptables -t nat -A OUTPUT -p tcp -d <server_ip_address> --dport 80 -j REDIRECT --to-ports 8080
/sbin/iptables -t nat -I PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 8443

Then write the current state of the tables to a configuration file so they are automatically restored to this state after the system is booted:

Code Block

/sbin/iptables-save > /etc/sysconfig/iptables

...

Open the standard ports 80 and 443 and the redirect ports (7780 and 7781 in this example) inside the *filter block of statements, followed by the redirect statements in the *nat block (nat stands for network address translation). Here is an example of that file (Red Hat WS3; a 2.4 Linux kernel is required; consult the excellent HOWTO documentation at http://www.netfilter.org):

Code Block

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# trust eth1 for heartbeat
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# dspace ports
-A RH-Firewall-1-INPUT -m state --state NEW -d xxx.xxx.xxx.xxx -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -d xxx.xxx.xxx.xxx -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -d xxx.xxx.xxx.xxx -m tcp -p tcp --dport 7780 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -d xxx.xxx.xxx.xxx -m tcp -p tcp --dport 7781 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp --dport 80 -j DNAT --to xxx.xxx.xxx.xxx:7780
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp --dport 443 -j DNAT --to xxx.xxx.xxx.xxx:7781
COMMIT
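As an added check (example code, not from the wiki page or DSpace), the script below reads an iptables-save dump like the file above and verifies that every port the *nat rules redirect to is ACCEPTed in *filter; the embedded sample rules are constructed, with the documentation address 203.0.113.10 standing in for xxx.xxx.xxx.xxx.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check an iptables-save dump of
# the shape shown above. *filter INPUT sees a packet AFTER *nat PREROUTING has
# rewritten its destination, so the ports a rule redirects TO (7780/7781 here)
# are the ones that must be ACCEPTed. Reads the dump on stdin, exits 1 on a miss.
check_redirects() {
    awk '
    /^\*/ { table = substr($0, 2); next }        # *filter / *nat section headers
    table == "nat" && /-j (DNAT|REDIRECT)/ {
        # target is "--to host:port", "--to-destination host:port" or "--to-ports port"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^--to/) { t = $(i + 1); sub(/.*:/, "", t); nat[t] = 1 }
        next
    }
    table == "filter" && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") open[$(i + 1)] = 1
    }
    END {
        rc = 0
        for (p in nat) {
            if (p in open) print "OK   redirect target port " p " is accepted in *filter"
            else { print "MISS redirect target port " p " has no ACCEPT in *filter"; rc = 1 }
        }
        exit rc
    }'
}

# Constructed sample in the style of the file above; 203.0.113.10 is a
# documentation address standing in for xxx.xxx.xxx.xxx.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7780 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7781 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 203.0.113.10 -p tcp --dport 80 -j DNAT --to 203.0.113.10:7780
-A PREROUTING -d 203.0.113.10 -p tcp --dport 443 -j DNAT --to 203.0.113.10:7781
COMMIT
EOF
}

# Number of redirect targets left unopened (0 means the file is consistent).
count_misses() { check_redirects | grep -c '^MISS'; }
# Live system: /sbin/iptables-save | check_redirects
sample_rules | check_redirects
```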

Restart the firewall (iptables) service so the new rules take effect:

Code Block

/etc/init.d/iptables restart

Restart Tomcat as a non-root user on ports 7780/7781 (edit your conf/server.xml file to set these ports):

Code Block

su - dspace -c "/usr/local/jakarta-tomcat-5.0.27/bin/startup.sh"

...

  • create a directory like /usr/local/jakarta-tomcat-5.0.27/conf/ssl.new
  • copy or link your institution's server.key and server.crt files into this directory
  • execute this command to create the keystore file; it will prompt you for a password, and you must supply changeit (without quotes) so that it matches the keystorePass set in server.xml below
Code Block

/usr/bin/openssl pkcs12 -export -out keystore.pkcs12 \
-in ./server.crt \
-inkey ./server.key

  • Then change the ownership on

...

to the user that runs the Tomcat server:

Code Block

chown dspace:dspace  keystore.pkcs12

  • Next edit your conf/server.xml file: find the section for the 8443 connector and add these 3 lines (be sure to add them inside the block of statements that starts with <Connector port="7781" ... and ends with ... />; you may have to uncomment that entire block too, since by default these connector statements are wrapped inside comment tags)

Code Block

keystoreFile="/usr/local/jakarta-tomcat-5.0.27/conf/ssl.new/keystore.pkcs12"
keystoreType="PKCS12"
keystorePass="changeit"

  • Restart Tomcat

Method 2a - Use Apache HTTPD (mod_proxy_ajp) + Tomcat (port 8009)

...

Code Block

cd /usr/local/tomcat/webapps
mv ROOT ROOT_hold
ln -s /dspace/webapps/jspui ROOT
## for the Manakin interface replace jspui with xmlui

  • Configure /etc/httpd/conf.d/ssl.conf or proxy_ajp.conf

Code Block

#
# Put in VirtualHost element
#
ProxyPass  /do_not_touch  !
ProxyPass  /  ajp://localhost:8009/
ProxyPassReverse  /  ajp://localhost:8009/

...

1. Ensure the following modules are listed under "# Dynamic Shared Object (DSO) Support", the list of all modules loaded by Apache:

Code Block

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

2. Add the following lines after the <Location> context:
(Note: our dspace url is: http://rose.bris.ac.uk)

Code Block

ProxyPass / http://rose.bris.ac.uk:8080/
ProxyPassReverse / http://rose.bris.ac.uk:8080/

3. Ensure ServerName is also set:

Code Block

ServerName rose.bris.ac.uk

4. Restart Apache:

Code Block

/usr/sbin/apachectl stop
/usr/sbin/apachectl start

...

1. Create a page called HelloWorld.jsp in the directory below:

Code Block

$CATALINA_HOME/webapps/ROOT/

2. Add the following lines to the HelloWorld.jsp:

Code Block

<% response.sendRedirect("/dspace/"); %>

Next, in the same directory, add the following to index.jsp just after the <body> tag:

Code Block

<body>
<jsp:forward page="HelloWorld.jsp"/>

3. Edit ../ROOT/WEB-INF/web.xml and disable the following servlet mapping by commenting it out, as shown:

Code Block

<!-- JSPC servlet mappings start
<servlet>
<servlet-name>org.apache.jsp.index_jsp</servlet-name>
<servlet-class>org.apache.jsp.index_jsp</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>org.apache.jsp.index_jsp</servlet-name>
<url-pattern>/index.jsp</url-pattern>
</servlet-mapping>
-->

...

  1. Download and install Tomcat from jakarta.apache.org
  2. Compile jsvc
    • export JAVA_HOME=/usr/java
    • cd $CATALINA_HOME/bin
    • gunzip jsvc.tar.gz && tar -xvf jsvc.tar
    • cd jsvc-src
    • ./configure
    • gmake
    • cp jsvc ..
    • cd ..
    • chown tomcat:tomcat jsvc
    • rm -rf jsvc-src
  3. Set up your Service Management Facility process
    1. create the following file: /lib/svc/method/dspace
      Code Block
      
      #!/bin/sh
      # SMF method script: jsvc starts as root, binds the privileged port and
      # then switches to $TOMCAT_USER before running Tomcat.
      . /lib/svc/share/smf_include.sh
      JAVA_HOME=/usr/java
      # JAVA_OPTS is not read by jsvc; the heap sizes are passed explicitly below
      JAVA_OPTS="-Xmx512M -Xms64M -Dfile.encoding=UTF-8"
      CATALINA_HOME=<where tomcat is installed>
      DAEMON_HOME=<where tomcat is installed>
      TOMCAT_USER=tomcat
      TMP_DIR=/var/tmp
      PID_FILE=/var/run/txspace.pid
      CATALINA_BASE=<where tomcat is installed>
      CLASSPATH=\
      $JAVA_HOME/lib/tools.jar:\
      $CATALINA_HOME/bin/commons-daemon.jar:\
      $CATALINA_HOME/bin/bootstrap.jar
      start()
      {
      $DAEMON_HOME/bin/jsvc \
      -user $TOMCAT_USER \
      -home $JAVA_HOME \
      -Dcatalina.home=$CATALINA_HOME \
      -Dcatalina.base=$CATALINA_BASE \
      -Djava.io.tmpdir=$TMP_DIR \
      -wait 10 \
      -pidfile $PID_FILE \
      -outfile $CATALINA_BASE/logs/catalina.out \
      -errfile '&1' \
      -Xms256m \
      -Xmx1024m \
      -cp $CLASSPATH \
      org.apache.catalina.startup.Bootstrap
      }
      stop()
      {
      $DAEMON_HOME/bin/jsvc \
      -stop \
      -pidfile $PID_FILE \
      org.apache.catalina.startup.Bootstrap
      }
      case "$1" in
      'start')
      echo "Starting Tomcat"
      start
      ;;
      'stop')
      echo "Stopping Tomcat"
      stop
      ;;
      'refresh')
      echo "Restarting Tomcat"
      stop
      start
      ;;
      *)
      echo "Usage: $0 start/stop/refresh"
      exit 1;;
      esac
      exit $SMF_EXIT_OK
      
    2. Create the profile: /var/svc/manifest/application/dspace.xml
      Code Block
      
      <?xml version="1.0"?>
      <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
      <service_bundle type='manifest' name='dspace'>
      <service name='application/dspace' type='service' version='1'>
      
      <create_default_instance enabled='true'/>
      <single_instance/>
      
      <dependency name='loopback' grouping='require_all'
      restart_on='error' type='service'>
      <service_fmri value='svc:/network/loopback:default'/>
      </dependency>
      <dependency name='physical' grouping='require_all'
      restart_on='error' type='service'>
      <service_fmri value='svc:/network/physical:default'/>
      </dependency>
      <!-- the exec paths point at the method script created in step 1 -->
      <exec_method type='method' name='start'
      exec='/lib/svc/method/dspace start'
      timeout_seconds='60' />
      <exec_method type='method' name='stop'
      exec='/lib/svc/method/dspace stop'
      timeout_seconds='5' />
      <exec_method type='method' name='refresh'
      exec='/lib/svc/method/dspace refresh'
      timeout_seconds='5' />
      <stability value='Unstable' />
      <template>
      <common_name>
      <loctext xml:lang='C'>DSpace</loctext>
      </common_name>
      <documentation>
      <manpage title='dspace' manpath='/opt/apps/man' section='8' />
      <doc_link name='tomcat.apache.org'
      uri='http://tomcat.apache.org' />
      </documentation>
      </template>
      </service>
      </service_bundle>
      
    3. Now import the profile
      Code Block
      
      /usr/sbin/svccfg import /var/svc/manifest/application/dspace.xml
      

4. Modify Tomcat's Connector in server.xml

Code Block

<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="80" minProcessors="5" maxProcessors="75"
enableLookups="true" redirectPort="8443"
acceptCount="10" debug="0" connectionTimeout="60000"
address="192.168.0.1"/>

5. Enable Tomcat

Code Block

/usr/sbin/svcadm enable dspace