Running DSpace on Standard Ports (80 for http:// and 443 for https://)
Since it is not trivial to get a Java servlet container, such as Apache Tomcat, to listen on the "standard" TCP ports for a web server, this page explains alternative ways to accomplish it.
...
Warning |
---|
When using Apache 2.4.2 (and lower) in front of a DSpace webapp deployed in Tomcat, mod_proxy_ajp and possibly mod_proxy_http break the connection to the back end (Tomcat) prematurely, leading to response mix-ups. This is reported as Apache bug CVE-2012-3502 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3502) and fixed in Apache 2.4.3 (see http://www.apache.org/dist/httpd/CHANGES_2.4). The 2.2.x branch hasn't shown this problem; only the 2.4.x branch has. |
See Also
- SecuringDspace – appropriate security for a DSpace server.
Method 1 - redirecting with IP tables
This is known to work on Red Hat Enterprise Linux 3 and other similar versions of GNU/Linux. Use the iptables utility to redirect requests on the default ports to the higher-numbered ports where the DSpace servlet container is actually listening.
...
Configure your Java Servlet container to listen on ports 8080 and 8443 for HTTP and HTTPS connections, respectively.
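To confirm that the redirect described above is actually in place, the following added example (not part of the original page) parses rules in iptables-save format, the format used by /etc/sysconfig/iptables on Red Hat systems, and reports where traffic to a given port is redirected. The sample rules and the helper names `sample_rules`, `redirect_target` and `check_redirects` are constructed for illustration; the 8080/8443 targets are the ones given above.

```shell
# Added example: verify that rules in iptables-save format redirect the
# standard web ports to the ports the servlet container listens on.

# Constructed sample rules (nat and filter sections); not from a real host.
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}

# redirect_target PORT (hypothetical helper): reads rules on stdin and prints
# the port a nat PREROUTING rule redirects TCP PORT to; returns 1 if none.
redirect_target() {
  awk -v want="$1" '
    /^\*/ { table = substr($1, 2) }   # section header: *nat, *filter, ...
    table == "nat" && $1 == "-A" && $2 == "PREROUTING" {
      proto = ""; dport = ""; jump = ""; to = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j") jump = $(i + 1)
        if ($i == "--to-ports") to = $(i + 1)
      }
      if (proto == "tcp" && jump == "REDIRECT" && dport == want && to != "") {
        print to; found = 1; exit
      }
    }
    END { exit(found ? 0 : 1) }
  '
}

# check_redirects (hypothetical helper): succeeds only when both
# 80 -> 8080 and 443 -> 8443 are present in the rules read from stdin.
check_redirects() {
  rules=$(cat)
  [ "$(printf '%s\n' "$rules" | redirect_target 80)" = "8080" ] &&
    [ "$(printf '%s\n' "$rules" | redirect_target 443)" = "8443" ]
}
```

On a live host the same check can read the saved rules file instead of the sample, for example `check_redirects < /etc/sysconfig/iptables`.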
Method 1b - Write your own iptables config file
Here is an expanded example:
Edit the /etc/sysconfig/iptables file (make a backup of this file first!)
...
Code Block |
---|
keystoreFile="/usr/local/jakarta-tomcat-5.0.27/conf/ssl.new/keystore.pkcs12" keystoreType="PKCS12" keystorePass="changeit" |
* Restart Tomcat
Method 2a - Use Apache HTTPD (mod_proxy_ajp) + Tomcat (port 8009)
This assumes you have the following working:
...
- You'll need to reload or restart the httpd service
- The "!" (bang) tells the Apache web server NOT to redirect anything under /do_not_touch
Method 2b - use Apache HTTPD / Tomcat connector (mod_jk)
Run Apache HTTPD as a front-end for Tomcat; see the mod_jk wiki page.
This is tricky to set up, but secure.
Method 3 - use Apache to redirect requests to Tomcat on port 8080
For a Red Hat Linux server:
In /etc/httpd/conf/httpd.conf:
...
Code Block |
---|
<!-- JSPC servlet mappings start <servlet> <servlet-name>org.apache.jsp.index_jsp</servlet-name> <servlet-class>org.apache.jsp.index_jsp</servlet-class> </servlet> <servlet-mapping> <servlet-name>org.apache.jsp.index_jsp</servlet-name> <url-pattern>/index.jsp</url-pattern> </servlet-mapping> --> |
4. Restart Tomcat
Method 4 - Use Tomcat's jsvc daemon
Note: Only works on Unix-like platforms.
This documentation is based on Solaris 10 using the Solaris Service Management Facility.
See http://jakarta.apache.org/commons/daemon/jsvc.html for more details.
...
Code Block |
---|
/usr/sbin/svcadm enable dspace |
Method 5 - Tomcat on low ports natively with authbind
See: