Configure Apache Solr with Tomcat

Install Tomcat

$ sudo yum install tomcat6

Download and extract Apache Solr: http://lucene.apache.org/solr/

$ cp apache-solr-3.6.2.war /var/lib/tomcat6/webapps/solr.war
$ cp -r /data/apache-solr-3.6.2/example/solr /var/lib/tomcat6/

$ cat /etc/tomcat6/Catalina/localhost/solr.xml
$ chown -R tomcat: /var/lib/tomcat6/solr/
$ sudo service tomcat6 restart

Access URL: http://<server_name/ip>:8080/solr/admin

Create a CSR and implement it in Apache

These steps generate a CSR to get an SSL certificate signed by VeriSign. The filenames used are just examples.

$ /usr/bin/openssl genrsa -rand /dev/urandom -out <web_root>/domain_name.key 2048
$ /usr/bin/openssl req -new -key <web_root>/domain_name.key -out <web_root>/domain_name.csr

Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:<make sure it matches exactly with your domain>
Email Address []:

Generate the private key without a passphrase if you don't want to be prompted for it on every web server restart.

Upload the CSR to the certificate authority, get the signed certificate back and save it as domain_name.crt. If it is from VeriSign, get both intermediate certificates and concatenate them into one file (e.g. intermediate.ca.crt).

In the virtual host configuration:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+EXP:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5
SSLCertificateFile <web_root>/domain_name.crt
SSLCertificateKeyFile <web_root>/domain_name.key
SSLCACertificateFile <web_root>/intermediate.ca.crt

Restart the web server and verify the certificate; you may use the VeriSign certificate checker (https://ssl-tools.verisign.com/#certChecker).
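The same key and CSR generation done non-interactively, plus the checks worth running before uploading the CSR and after the CA returns the certificate. This is an added example, not part of the original post; it assumes openssl is on PATH, and the organisation values, directory and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl on PATH;
# the O= value, directories and file names are placeholders.
set -e

# Generate a 2048-bit RSA key without a passphrase (so the web server can
# start unattended) and a CSR that carries the domain in both CN and SAN.
gen_key_csr() {
    domain=$1; outdir=$2
    mkdir -p "$outdir"
    cat > "$outdir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = US
O = Example Org
CN = $domain
[v3_req]
subjectAltName = DNS:$domain
EOF
    openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null
    chmod 600 "$outdir/$domain.key"
    openssl req -new -key "$outdir/$domain.key" -config "$outdir/req.cnf" \
        -out "$outdir/$domain.csr"
}

# Print the CN of a CSR so it can be compared with the domain before upload.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when the private key and the signed certificate carry the same
# public key; a mismatch here is why Apache refuses to start after install.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the certificate chains to the CA bundle in $2. If the
# intermediates live in a separate file, pass it as $3 (-untrusted).
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null
    else
        openssl verify -CAfile "$2" "$1" >/dev/null
    fi
}

# Example invocation (paths are placeholders):
#   gen_key_csr www.example.com /etc/pki/tls/private
#   csr_cn /etc/pki/tls/private/www.example.com.csr
#   key_matches_cert www.example.com.key domain_name.crt
#   verify_chain domain_name.crt /etc/pki/tls/certs/ca-bundle.crt intermediate.ca.crt
```

openssl verify needs a trusted root to anchor the chain, so the intermediate file from the CA alone is not enough as -CAfile; give the system bundle as the CA file and the intermediates as the untrusted file, which mirrors what a browser does when it validates the SSLCACertificateFile chain Apache sends.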

RackTables, Apache + LDAP authentication

Log in to RackTables as admin:

Add the following line under Configuration -> Permissions:

allow {$tab_default}

* This is for a read-only account; assign extra permissions if required.

Configure Apache + LDAP

<Directory /var/www/racktables>
Options +Indexes FollowSymLinks MultiViews
DirectoryIndex index.php
AuthName "Rack Tables"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldaps://ldaphost.com/dc=company,dc=com?uid?sub?(objectClass=<depends_on_ldap>)"

# Bind if required
AuthLDAPBindDN "uid=userid,ou=people,dc=company,dc=com"
AuthLDAPBindPassword "xxxxxx"
AuthLDAPGroupAttribute uniqueMember
AuthLDAPGroupAttributeIsDN on
require ldap-group cn=group_name,dc=company,dc=com
require ldap-attribute cn=group-name-allowed
</Directory>

* Most of the LDAP settings depend on your setup.

Configure RackTables:

Edit inc/secret.php and set:

$user_auth_src = 'httpd';
$require_local_account = FALSE;

NOTE: for logout to work properly, make sure the Apache AuthName matches the one configured for RackTables authentication.

Reference: http://sourceforge.net/apps/mediawiki/racktables/index.php?title=RackTablesAdminGuide


./arun

Configure Apache over IPv6

Once your network interface is configured with IPv6, configuring the web server is easy; there is no real difference from the IPv4 configuration.

Configure Apache to listen on the IPv6 address (IPv6 literals must be enclosed in square brackets):

Listen [ipv6_address]:port
NameVirtualHost [ipv6_address]:port

If the Apache virtual host is configured with a domain name, e.g. <VirtualHost arunns.com:80>, just add an AAAA record for arunns.com in DNS and the website will work without any configuration beyond the previous two lines.

We can also configure it explicitly:

<VirtualHost ipv4_address:80 [ipv6_address]:80>

It is possible to serve different content on the IPv4 and IPv6 sites: just create two virtual hosts with different document roots, one for IPv4 and one for IPv6.

<VirtualHost ipv4_address:80>
DocumentRoot /home/123/
</VirtualHost>
<VirtualHost [ipv6_address]:80>
DocumentRoot /home/456/
</VirtualHost>

./arun

IPv6 and Linux

It is straightforward to enable IPv6 on any Linux system, since recent kernels support it very well. This document is most relevant to Red Hat Linux, but the idea is the same for all distributions.

Make sure IPv6 support is not disabled in the kernel.
Comment out the following lines in /etc/modprobe.conf if they exist:

#alias ipv6 off
#alias net-pf-10 off

Enable IPv6 networking:
edit /etc/sysconfig/network and set

NETWORKING_IPV6=yes

Configure the IPv6 address:
edit /etc/sysconfig/network-scripts/ifcfg-eth0 (or ifcfg-bond0 for bonded interfaces; IPv6 works as expected with bond interfaces as well)

IPV6INIT=yes
IPV6ADDR=
IPV6ADDR_SECONDARIES=
IPV6_DEFAULTGW=
IPV6_AUTOCONF=yes/no

Just restart the network service and you will see the IPv6 address.

In case the ipv6 module is not loaded in the kernel, just do a modprobe:
# modprobe -a ipv6

Almost all software on Linux works with IPv6.

For Apache, add a Listen directive for the IPv6 address and enable NameVirtualHost for it if required.

You can test your IPv6 connectivity with:
$ ping6 ipv6.google.com
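A sanity check for the sysconfig files edited above, so a typo is caught before the network restart, plus a runtime check that the ipv6 module is actually active. This is an added example, not part of the original post; the file contents below are constructed (2001:db8::/32 is the IPv6 documentation prefix) and the paths are the Red Hat ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the Red Hat sysconfig
# files for the IPv6 settings described above; sample values are constructed.
set -e

# Read KEY=value from a sysconfig-style file (last occurrence wins, quotes stripped).
sysconfig_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Return 0 when the files describe a usable IPv6 setup; print what is wrong otherwise.
# $1 = /etc/sysconfig/network, $2 = the ifcfg file for the interface.
check_ipv6_sysconfig() {
    net=$1; ifcfg=$2; ok=0
    [ "$(sysconfig_get "$net" NETWORKING_IPV6)" = "yes" ] \
        || { echo "NETWORKING_IPV6 is not yes in $net"; ok=1; }
    [ "$(sysconfig_get "$ifcfg" IPV6INIT)" = "yes" ] \
        || { echo "IPV6INIT is not yes in $ifcfg"; ok=1; }
    autoconf=$(sysconfig_get "$ifcfg" IPV6_AUTOCONF)
    addr=$(sysconfig_get "$ifcfg" IPV6ADDR)
    gw=$(sysconfig_get "$ifcfg" IPV6_DEFAULTGW)
    # Without router advertisements (IPV6_AUTOCONF=no) the address and the
    # default gateway must be given statically.
    if [ "$autoconf" != "yes" ]; then
        [ -n "$addr" ] || { echo "IPV6ADDR is empty and IPV6_AUTOCONF is not yes in $ifcfg"; ok=1; }
        [ -n "$gw" ]   || { echo "IPV6_DEFAULTGW is empty and IPV6_AUTOCONF is not yes in $ifcfg"; ok=1; }
    fi
    return $ok
}

# Return 0 when the running kernel has the ipv6 module loaded: /proc/net/if_inet6
# only exists while IPv6 is available, on old and new kernels alike.
ipv6_enabled() {
    [ -e /proc/net/if_inet6 ]
}

# Run against the real files when invoked with --check.
if [ "${1:-}" = "--check" ]; then
    check_ipv6_sysconfig /etc/sysconfig/network /etc/sysconfig/network-scripts/ifcfg-eth0
    if ipv6_enabled; then echo "ipv6 module loaded"; else echo "ipv6 module not loaded: modprobe -a ipv6"; fi
fi
```

Run it with --check before `service network restart`; if it complains about an empty IPV6ADDR, the address goes in with its prefix length (for example 2001:db8:1::10/64), which is how the ifcfg format expects it.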

./arun

Hardening the Apache web server

Tips to harden the Apache web server:

Disable weak SSLv2 ciphers:
edit ssl.conf and add
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+EXP

Restrict Apache to giving out minimal information:
edit httpd.conf and change
ServerTokens ProductOnly

Disable TRACK and TRACE in every virtual host:
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

It is always better to configure Apache to load only the minimal/required modules and to include only the necessary config files.
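To see whether the TRACE/TRACK block is in place and whether anyone has been using those methods, here is an added example (not from the original post) that audits an Apache access log in common/combined format and probes a server with one TRACE request. The log lines and the host name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Apache "common" or
# "combined" log format; the sample log lines below are constructed.

# Print the log lines whose request method is TRACE or TRACK. The request
# line is the quoted field after the timestamp, so field 6 with its opening
# quote stripped is the method.
trace_requests() {
    awk '{
        m = $6; sub(/^"/, "", m)
        if (m == "TRACE" || m == "TRACK") print
    }' "$1"
}

# Only the ones the server actually answered with 200 (field 9 is the status):
# these show the block was not in effect when the request arrived.
served_trace_requests() {
    awk '{
        m = $6; sub(/^"/, "", m)
        if ((m == "TRACE" || m == "TRACK") && $9 == 200) print
    }' "$1"
}

# Count attempts, for a monitoring check.
count_trace_requests() {
    trace_requests "$1" | wc -l | tr -d ' '
}

# Send one TRACE request to your own server and print the status code.
# A hardened server answers 403 (the RewriteRule above) or 405 (TraceEnable off).
probe_trace() {
    curl -s -o /dev/null -w '%{http_code}' -X TRACE "http://$1/"
}

# Constructed sample log (documentation addresses from 203.0.113.0/24 and 198.51.100.0/24).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2000:13:55:40 -0700] "TRACE / HTTP/1.1" 200 132
198.51.100.7 - - [10/Oct/2000:13:56:01 -0700] "POST /login HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2000:13:56:04 -0700] "TRACK / HTTP/1.1" 403 199
EOF

echo "TRACE/TRACK attempts: $(count_trace_requests "$sample_log")"
echo "Served with 200:"
served_trace_requests "$sample_log"
```

Run trace_requests against /var/log/httpd/access_log to see past attempts and probe_trace against your own host name to confirm the rule is live. Apache 2.0.55 and later also offer the TraceEnable off directive, which rejects the method with 405 before any rewrite rule runs; it is a simpler alternative to the mod_rewrite rule on the page.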

./arun

[Resolved] mixing * ports and non-* ports with a NameVirtualHost address is not supported

If you happen to see this error in the Apache logs,

– mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

Check your Apache configuration to make sure there is no VirtualHost defined without a port number, like <VirtualHost 127.0.0.1>; if one exists, fix it by adding the port number.
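A small scan that lists exactly those VirtualHost directives, as an added example that is not part of the original post. It reads one configuration file (pass each Include'd file too) and flags any address argument that does not end in a port or *; the configuration text below is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Lists <VirtualHost> directives
# whose address has no port, which is what triggers the warning above when
# another virtual host on the same address uses *:80 or a real port.
# The sample configuration is constructed.

# Usage: vhosts_without_port /etc/httpd/conf/httpd.conf
# Prints "file:line: <VirtualHost ...>" for each offending directive.
vhosts_without_port() {
    awk '{
        low = tolower($0)
        if (low !~ /^[ \t]*<virtualhost[ \t]/) next
        # keep only the address list between "<VirtualHost" and ">"
        sub(/^[ \t]*<virtualhost[ \t]+/, "", low)
        sub(/[ \t]*>.*$/, "", low)
        n = split(low, addr, /[ \t]+/)
        for (i = 1; i <= n; i++)
            # a port-qualified address ends in :NNN or :*; "[::1]" or "*" alone do not
            if (addr[i] !~ /:([0-9]+|\*)$/)
                printf "%s:%d: %s\n", FILENAME, NR, $0
    }' "$1"
}

# Constructed sample: lines 2 and 4 lack a port and would be reported.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
<VirtualHost *:80>
<VirtualHost 127.0.0.1>
<VirtualHost [::1]:80 192.0.2.10:80>
  <VirtualHost 192.0.2.11>
<VirtualHost _default_:443>
EOF

vhosts_without_port "$sample_cfg"
```

An address with a port is reported once per directive, so a directive listing several addresses of which only one lacks a port still shows up; add the port to every address on the line.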

Get rid of apache@localhost in Received email headers

There is a good chance that foreign email servers will drop the message if the sender email headers are not properly formatted.
Anyway, if you get apache@localhost in the Received header (with postfix/apache/php), you can change the sendmail_path program in php.ini to use sendmail.postfix instead of the sendmail binary,

e.g.: sendmail_path = /usr/sbin/sendmail.postfix -t -i -f

./arun