...
Example: Route HTTP (port 80) to port 8080 and HTTPS (port 443) to port 8443:

```sh
/sbin/iptables -t nat -I PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
# locally generated traffic never passes PREROUTING, so redirect it in OUTPUT as well
/sbin/iptables -t nat -A OUTPUT -p tcp -d <server_ip_address> --dport 80 -j REDIRECT --to-ports 8080
/sbin/iptables -t nat -I PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 8443
```
Then write the current state of the tables to a configuration file so they are automatically restored to this state after the system is booted:

```sh
/sbin/iptables-save > /etc/sysconfig/iptables
```
...
In this example, open the standard ports 80 and 443 and the redirect ports 7780 and 7781 inside the *filter block of statements, followed by the redirect statements in the *nat block (nat stands for network address translation) ... Here is an example of that file (Red Hat WS3; a 2.4 Linux kernel is required; consult the excellent HOWTO documentation at http://www.netfilter.org):
```
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# trust eth1 for heartbeat
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# dspace ports
-A RH-Firewall-1-INPUT -m state --state NEW -d xxx.xxx.xxx.xxx -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -d xxx.xxx.xxx.xxx -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -d xxx.xxx.xxx.xxx -m tcp -p tcp --dport 7780 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -d xxx.xxx.xxx.xxx -m tcp -p tcp --dport 7781 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp --dport 80 -j DNAT --to xxx.xxx.xxx.xxx:7780
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp --dport 443 -j DNAT --to xxx.xxx.xxx.xxx:7781
COMMIT
```
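As an added check (example code, not from the DSpace page), the script below parses an iptables-save style file like the one above and reports every DNAT target port that the *filter block never ACCEPTs, since after PREROUTING DNAT the filter chain sees the target port and an unopened target lands on the REJECT rule. The sample rules and the 10.0.0.5 address are constructed, with port 7781 left out of the filter section on purpose.

```python
# Added example (not from the DSpace wiki): cross-check an iptables-save style
# file like the one above. After a PREROUTING DNAT the filter table sees the
# *target* port, so every DNAT target must be ACCEPTed or it hits the REJECT rule.
import re

# Constructed sample mirroring the page's file; the ACCEPT for 7781 (the
# target of the 443 DNAT) is deliberately missing so the check fires.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -d 10.0.0.5 -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -d 10.0.0.5 -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -d 10.0.0.5 -m tcp -p tcp --dport 7780 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A PREROUTING -d 10.0.0.5 -p tcp --dport 80 -j DNAT --to 10.0.0.5:7780
-A PREROUTING -d 10.0.0.5 -p tcp --dport 443 -j DNAT --to 10.0.0.5:7781
COMMIT
"""

def parse_tables(text):
    """Map each '*table' ... 'COMMIT' section to its list of '-A' rule lines."""
    tables, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line == "COMMIT":
            current = None
        elif current and line.startswith("-A "):
            tables[current].append(line)
    return tables

def unreachable_redirects(text):
    """Return (public_port, target_port) DNAT pairs whose target is never ACCEPTed."""
    tables = parse_tables(text)
    accepted = {int(m.group(1)) for r in tables.get("filter", [])
                for m in [re.search(r"-p tcp --dport (\d+) -j ACCEPT", r)] if m}
    dnats = [(int(m.group(1)), int(m.group(2))) for r in tables.get("nat", [])
             for m in [re.search(r"^-A PREROUTING .*--dport (\d+) -j DNAT --to \S+:(\d+)$", r)] if m]
    return [(pub, tgt) for pub, tgt in dnats if tgt not in accepted]

if __name__ == "__main__":
    print(unreachable_redirects(SAMPLE_RULES))  # [(443, 7781)]
```

Run it against the real /etc/sysconfig/iptables by reading the file into `unreachable_redirects`; an empty list means every redirected port is also open.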
Restart the iptables service so the saved rules are reloaded:

```sh
/etc/init.d/iptables restart
```
Restart Tomcat as a non-root user on ports 7780/7781 (edit your conf/server.xml file for this):

```sh
su - dspace -c "/usr/local/jakarta-tomcat-5.0.27/bin/startup.sh"
```
...
- Create a directory like /usr/local/jakarta-tomcat-5.0.27/conf/ssl.new
- Copy or link your institution's server.key and server.crt files into this directory
- Execute this command to create the keystore file; it will prompt you for an export password, for which you must supply changeit (without quotes):

```sh
/usr/bin/openssl pkcs12 -export -out keystore.pkcs12 \
    -in ./server.crt \
    -inkey ./server.key
```
* Then change the ownership on
...
to the user that runs the Tomcat server:

```sh
chown dspace:dspace keystore.pkcs12
```
* Next, edit your conf/server.xml file, find the section for the 8443 connector and add these 3 lines (be sure to add them inside the block of statements that starts with <Connector port="7781" ... and ends with ... />; you may have to uncomment that entire block too, since by default these connector statements are wrapped inside comment tags):
```xml
keystoreFile="/usr/local/jakarta-tomcat-5.0.27/conf/ssl.new/keystore.pkcs12"
keystoreType="PKCS12"
keystorePass="changeit"
```
* Restart Tomcat
Method 2a - Use Apache HTTPD (mod_proxy_ajp) + Tomcat (port 8009)
...
```sh
cd /usr/local/tomcat/webapps
mv ROOT ROOT_hold
ln -s /dspace/webapps/jspui ROOT   ## for the Manakin interface replace jspui with xmlui
```
* Configure /etc/httpd/conf.d/ssl.conf or proxy_ajp.conf:

```
#
# Put in VirtualHost element
#
ProxyPass /do_not_touch !
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
```
...
1. Ensure the following modules are listed under "# Dynamic Shared Object (DSO) Support" (the list of all modules loaded by Apache):

```
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
```
2. Add the following lines after the <Location> context (note: our DSpace URL is http://rose.bris.ac.uk):

```
ProxyPass / http://rose.bris.ac.uk:8080/
ProxyPassReverse / http://rose.bris.ac.uk:8080/
```
3. Ensure ServerName is also set:

```
ServerName rose.bris.ac.uk
```
4. Restart Apache:

```sh
/usr/sbin/apachectl stop
/usr/sbin/apachectl start
```
...
1. Create a page called HelloWorld.jsp in the directory below:

```
$CATALINA_HOME/webapps/ROOT/
```

2. Add the following line to HelloWorld.jsp:

```jsp
<% response.sendRedirect("/dspace/"); %>
```
Next, in the same directory, add the following to index.jsp just after the <body> tag:

```jsp
<body>
<jsp:forward page="HelloWorld.jsp"/>
```
3. Edit ../ROOT/WEB-INF/web.xml and comment out the servlet mapping for index.jsp as shown:

```xml
<!-- JSPC servlet mappings start
<servlet>
<servlet-name>org.apache.jsp.index_jsp</servlet-name>
<servlet-class>org.apache.jsp.index_jsp</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>org.apache.jsp.index_jsp</servlet-name>
<url-pattern>/index.jsp</url-pattern>
</servlet-mapping>
-->
```
...
- Download and install Tomcat from jakarta.apache.org
- Compile jsvc:

```sh
export JAVA_HOME=/usr/java
cd $CATALINA_HOME/bin
gunzip jsvc.tar.gz && tar -xvf jsvc.tar
cd jsvc-src          # the tarball unpacks into jsvc-src
./configure
gmake
cp jsvc ..
cd ..
chown tomcat:tomcat jsvc
rm -rf jsvc-src
```

- Set up your Service Management Facility (SMF) process
- Create the following file: /lib/svc/method/dspace

```sh
#!/bin/sh
. /lib/svc/share/smf_include.sh

JAVA_HOME=/usr/java
# not passed to jsvc below; the heap flags are given directly on its command line
JAVA_OPTS="-Xmx512M -Xms64M -Dfile.encoding=UTF-8"
# edit the three <where tomcat is installed> placeholders for your installation
CATALINA_HOME=<where tomcat is installed>
DAEMON_HOME=<where tomcat is installed>
TOMCAT_USER=tomcat
TMP_DIR=/var/tmp
PID_FILE=/var/run/txspace.pid
CATALINA_BASE=<where tomcat is installed>
CLASSPATH=\
$JAVA_HOME/lib/tools.jar:\
$CATALINA_HOME/bin/commons-daemon.jar:\
$CATALINA_HOME/bin/bootstrap.jar

start() {
    # jsvc starts as root only to bind the privileged port, then drops to $TOMCAT_USER
    $DAEMON_HOME/bin/jsvc \
        -user $TOMCAT_USER \
        -home $JAVA_HOME \
        -Dcatalina.home=$CATALINA_HOME \
        -Dcatalina.base=$CATALINA_BASE \
        -Djava.io.tmpdir=$TMP_DIR \
        -wait 10 \
        -pidfile $PID_FILE \
        -outfile $CATALINA_BASE/logs/catalina.out \
        -errfile '&1' \
        -Xms256m \
        -Xmx1024m \
        -cp $CLASSPATH \
        org.apache.catalina.startup.Bootstrap
}

stop() {
    $DAEMON_HOME/bin/jsvc \
        -stop \
        -pidfile $PID_FILE \
        org.apache.catalina.startup.Bootstrap
}

case "$1" in
    'start')
        echo "Starting Tomcat"
        start
        ;;
    'stop')
        echo "Stopping Tomcat"
        stop
        ;;
    'refresh')
        echo "Restarting Tomcat"
        stop
        start
        ;;
    *)
        echo "Usage tomcat.sh start/stop/refresh"
        exit 1
        ;;
esac

exit $SMF_EXIT_OK
```

- Create the profile: /var/svc/manifest/application/dspace.xml

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='dspace'>
  <service name='application/dspace' type='service' version='1'>
    <create_default_instance enabled='true'/>
    <single_instance/>
    <dependency name='loopback' grouping='require_all' restart_on='error' type='service'>
      <service_fmri value='svc:/network/loopback:default'/>
    </dependency>
    <dependency name='physical' grouping='require_all' restart_on='error' type='service'>
      <service_fmri value='svc:/network/physical:default'/>
    </dependency>
    <!-- the exec paths point at the method script created above -->
    <exec_method type='method' name='start' exec='/lib/svc/method/dspace start' timeout_seconds='60' />
    <exec_method type='method' name='stop' exec='/lib/svc/method/dspace stop' timeout_seconds='5' />
    <exec_method type='method' name='refresh' exec='/lib/svc/method/dspace refresh' timeout_seconds='5' />
    <stability value='Unstable' />
    <template>
      <common_name>
        <loctext xml:lang='C'>DSpace</loctext>
      </common_name>
      <documentation>
        <manpage title='dspace' manpath='/opt/apps/man' section='8' />
        <doc_link name='tomcat.apache.org' uri='http://tomcat.apache.org' />
      </documentation>
    </template>
  </service>
</service_bundle>
```

3. Now import the profile:

```sh
/usr/sbin/svccfg import /var/svc/manifest/application/dspace.xml
```
4. Modify Tomcat's Connector in server.xml:

```xml
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="80" minProcessors="5" maxProcessors="75"
           enableLookups="true" redirectPort="8443"
           acceptCount="10" debug="0" connectionTimeout="60000"
           address="192.168.0.1"/>
```
5. Enable Tomcat:

```sh
/usr/sbin/svcadm enable dspace
```