From: Michael B. <mbe...@mb...> - 2006-02-06 08:30:04
[David Birnbaum]
> I have been running an Apache httpd server on port 80 on my system and
> jetty with eXist on port 8080, and I have been wondering whether it
> might be possible to run everything together under port 80.

[Dannes Wessels]
> Yes this is possible -more or less-. It is possible to *access* eXist
> (or any other jetty/tomcat container) via the '80' port of apache
> httpd. For this you will need to install the modules mod_proxy and/or
> mod_jk (Do *not* use mod_jk2!!!!!).

To add to this: what you want is termed reverse proxying. I have not used mod_jk, though it is said to be more efficient in some circumstances, but we do use mod_proxy in reverse proxying mode not only to run eXist, but also Anastasia (which requires an Apache 1 host) behind a single user-facing Apache 2 server on ports 80 and 443.

A couple of caveats, though.

1) Because the same module does both forward and reverse proxying, it is EXTREMELY easy accidentally to enable forward proxying when setting up the reverse proxy you actually want. You then find your legitimate users are happily reverse proxying into your local services, while spammers, porn merchants and pirate distributors are quietly forward proxying through your site. I have to say that I do not think any of the documentation I have seen sufficiently warns inexperienced users of this danger, or the (far from intuitive, though very simple) configuration steps needed to guard against it.

2) Many modern Linux distros have a highly modular Apache configuration system, with one particular file controlling proxy access. If proxying is turned off in this file, no amount of enabling it in the main httpd.conf files will work. So it is necessary to track down that file in order to configure reverse proxying successfully.

> Note that the tomcat/jetty/exist server itself will always be
> accessible on port 8080.

But you can, and I believe should, limit that accessibility, either using a machine firewall that prevents connections on that port from other machines or, better still, by configuring the eXist server to listen only on the localhost interface and reverse proxying to that i/f (last time I looked this required simple source-code modifications for the REST server; I don't know about the more elaborate Cocoon-based setup). I think this probably ought to be made controllable from a config setting if it isn't already.

I would strongly advise anyone running a server that contains sensitive data (whether in eXist or not), or which is on a trusted host within an institutional or corporate firewall, NOT to expose eXist directly to users.

Michael Beddow
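The setup Michael describes, as an added configuration example that is not part of the original message and not eXist's or Apache's own documentation: a minimal mod_proxy reverse-proxy fragment for Apache 2.x that forwards the public `/exist/` path to a Jetty instance on port 8080, with the forward-proxy switch explicitly turned off. The module paths, the `/exist/` URL prefix and the assumption that Jetty is bound to 127.0.0.1 are placeholders to adapt to your own installation.

```apache
# Added example (not from the original post): Apache 2.x reverse proxy in
# front of eXist/Jetty. Module paths and URL prefix are assumptions.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Caveat 1 from the post: this one directive separates a reverse proxy
# from an open forward proxy. It must be Off. With "ProxyRequests On",
# any client could relay arbitrary outbound requests through this host.
ProxyRequests Off

# Access control for the proxy machinery itself. Apache 2.2 syntax shown;
# on Apache 2.4 replace the Order/Allow lines with "Require all granted".
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

# Map the public path onto the Jetty instance, which is assumed to listen
# only on the loopback interface (127.0.0.1:8080), so that the only route
# to eXist from outside the machine is through this proxy.
ProxyPass        /exist/ http://127.0.0.1:8080/exist/
ProxyPassReverse /exist/ http://127.0.0.1:8080/exist/

# Keep the client's Host header so eXist builds redirects and absolute
# URLs with the public hostname rather than 127.0.0.1:8080.
ProxyPreserveHost On
```

Two checks are worth running after a change like this. First, from a host outside the machine, confirm that an HTTP request which names a third-party URL in its request line (the shape of a forward-proxy request) is refused rather than fetched; if it is fetched, `ProxyRequests` is still effectively On somewhere, typically in the distribution-specific proxy file from caveat 2 (on Debian-derived systems that file is `/etc/apache2/mods-available/proxy.conf`, which also holds the `<Proxy *>` block and overrides anything set in `httpd.conf`). Second, check with `netstat -ltn` (or `ss -ltn`) that port 8080 is listening on `127.0.0.1` and not on `0.0.0.0`; if it is on all interfaces, the firewall rule Michael mentions is the fallback until Jetty itself can be bound to localhost.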