Posts Tagged ‘authentication’

Preserve Session IDs of Tomcat cluster behind Apache reverse proxy / Sticky sessions with mod_proxy and Tomcat

Wednesday, February 26th, 2014

Having an Apache webserver acting as a reverse proxy that invisibly redirects traffic to a number of Tomcat servers positioned in a DMZ is a classic task in the big corporate world.
Hence, if you work for a company like IBM or HP, sooner or later you will need to configure an Apache webserver cluster with a few Jakarta Tomcat application servers running behind it. The scenario of accessing a Java-based application via Tomcat which requires logging in (authentication) and relies on establishing and keeping a session ID is probably one of the most common ones, and if you do it for the first time you will probably end up with session ID issues. Session ID issues are hard to capture at first, as at first glimpse the application will seem to be working, but users will have to re-login all the time even though the programmers might have coded the session to expire in 30 minutes or so.

… I mean, not having configured session ID preservation on the Tomcats will cause random authentication session expiries, and users of the Tomcat app will be unable to normally access the application with authenticated credentials. The solution to this is known under the term "sticky sessions".
To configure sticky sessions you need to already have Apache(s) configured with the following minimum configuration:

  • mod_proxy, proxy_balancer_module, proxy_http_module and/or mod_proxy_ajp enabled (in the Apache config):

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# needed as well, because the BalancerMembers below are ajp:// URLs
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

  • Tomcats configured and tested, running an application reachable via the AJP protocol

The example below assumes there is a reverse proxy load balancer Apache which has to forward all traffic to 2 Tomcats. The config can easily be extended to as many as necessary by adding more BalancerMembers.

In the Apache webserver (apache2.conf / httpd.conf) you need to have JSESSIONID configured as the sticky session cookie. The JSESSIONID value is issued once, on authentication, by the first Tomcat node that serves the client; the reverse proxy then reads it from each subsequent client request and forwards that request to the same Tomcat node rather than to one of the others.

<Proxy balancer://mycluster>
BalancerMember ajp://10.16.166.53:11010/ route=delivery1
BalancerMember ajp://10.16.166.66:11010/ route=delivery2
</Proxy>

ProxyRequests Off
ProxyPass / balancer://mycluster/ stickysession=JSESSIONID
ProxyPassReverse / balancer://mycluster/

The two values route=delivery1 and route=delivery2 are the route identifiers of the two hosts; the same identifiers also have to be present in the Tomcat server configurations.
In the Tomcat app server first node (server.xml):

<Engine name="Catalina" defaultHost="localhost" jvmRoute="delivery1">

In the Tomcat app server second node (server.xml):

<Engine name="Catalina" defaultHost="localhost" jvmRoute="delivery2">

Once sticky sessions are configured it is useful to be able to verify that they work fine; this is possible by logging each of the established JSESSIONIDs. To do so, add in httpd.conf:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"\"%{JSESSIONID}C\"" combined

After the modifications, restart Apache and Tomcat to load the new configs. The Apache access.log should then show that sessions are preserved via JSESSIONID; there should be log lines like:

127.0.0.1 - - [18/Sep/2013:10:02:02 +0800] "POST /examples/servlets/servlet/RequestParamExample HTTP/1.1" 200 662 "http://localhost/examples/servlets/servlet/RequestParamExample" "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130807 Firefox/17.0""B80557A1D9B48EC1D73CF8C7482B7D46.server2"

127.0.0.1 - - [18/Sep/2013:10:02:06 +0800] "GET /examples/servlets/servlet/RequestInfoExample HTTP/1.1" 200 693 "http://localhost/examples/servlets/" "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130807 Firefox/17.0""B80557A1D9B48EC1D73CF8C7482B7D46.server2"
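Reading the log by eye only proves that a JSESSIONID is present; what you actually want to verify is that every request of one session carries the same ".jvmRoute" suffix. The following is an added checker, not part of the original post, that parses lines in the LogFormat above (the sample lines, IPs and session ids are constructed) and reports sessions that bounced between nodes or carry no route suffix at all:

```python
import re
from collections import defaultdict

# Constructed sample lines in the LogFormat above: the last quoted field is
# %{JSESSIONID}C, and Tomcat appends ".<jvmRoute>" to the session id.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2014:09:00:01 +0100] "POST /app/login HTTP/1.1" 200 512 "-" "Mozilla/5.0""A1B2C3.delivery1"
10.0.0.5 - - [26/Feb/2014:09:00:05 +0100] "GET /app/home HTTP/1.1" 200 900 "-" "Mozilla/5.0""A1B2C3.delivery1"
10.0.0.7 - - [26/Feb/2014:09:00:09 +0100] "GET /app/home HTTP/1.1" 200 900 "-" "Mozilla/5.0""D4E5F6.delivery2"
10.0.0.5 - - [26/Feb/2014:09:00:12 +0100] "GET /app/report HTTP/1.1" 200 700 "-" "Mozilla/5.0""A1B2C3.delivery2"
10.0.0.9 - - [26/Feb/2014:09:00:15 +0100] "GET /app/ HTTP/1.1" 200 300 "-" "Mozilla/5.0""-"
"""

# Must match the jvmRoute values in the Tomcat server.xml files.
KNOWN_ROUTES = {"delivery1", "delivery2"}

# Last quoted field on the line (works with or without a space before it).
COOKIE_RE = re.compile(r'"(?P<cookie>[^"]*)"\s*$')

def parse_sessions(log_text):
    """Map each session id to the list of routes it was served by, in order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = COOKIE_RE.search(line)
        if not m or m.group("cookie") in ("", "-"):
            continue  # no JSESSIONID cookie yet (first request before login)
        cookie = m.group("cookie")
        sid, dot, route = cookie.rpartition(".")
        if not dot:  # no ".<jvmRoute>" suffix at all
            sid, route = cookie, ""
        sessions[sid].append(route)
    return sessions

def find_problems(log_text, known_routes=KNOWN_ROUTES):
    """Return {session id: description} for sessions that were not kept sticky."""
    problems = {}
    for sid, routes in parse_sessions(log_text).items():
        seen = set(routes)
        if len(seen) > 1:
            problems[sid] = "bounced between nodes: " + ", ".join(sorted(seen))
        elif "" in seen:
            problems[sid] = "no route suffix (jvmRoute not set on Tomcat?)"
        elif not seen <= known_routes:
            problems[sid] = "unknown route suffix: " + ", ".join(sorted(seen))
    return problems
```

On the constructed sample, session A1B2C3 is reported because it was served by delivery1 and then by delivery2, which is exactly the symptom users experience as a surprise re-login.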

That should solve problems with mysterious session expiries 🙂

phpMyAdmin No activity within 1440 seconds; please log in again Fix

Friday, July 5th, 2013

I had some complaints from web developers who were constantly working on a testing web development server that the phpMyAdmin opened in their browser often closes the opened session (auto logs out) with an error:

No activity within 1440 seconds; please log in again

This message was driving people crazy, as they often code something in PHP and design a new table or something, and refreshing in the browser blocked their work flow with this annoying error …

Thankfully there is an easy fix to that: just raise the time limit via /etc/phpmyadmin/config.inc.php

First it is necessary to enable cookie authentication (by default it is commented out):

Line:

//$cfg['Servers'][$i]['auth_type'] = 'cookie';

should be:

$cfg['Servers'][$i]['auth_type'] = 'cookie';

phpMyAdmin's 1440 seconds (24 minutes) timeout behavior is controlled through the variable cfg['LoginCookieValidity'].
It is also necessary to increase the timeout in the server's php.ini (in Debian and Ubuntu via /etc/php5/apache2/php.ini, or in CentOS / RHEL / Fedora Linux by editing /etc/php.ini), changing the 1h session expiry setting:

session.gc_maxlifetime = 3600

to

(60*60*8 = 28800, i.e. 8 hrs)

session.gc_maxlifetime = 28800

By default cfg['LoginCookieValidity'] is omitted from config.inc.php, so you have to insert it at the end of the file.

A reasonable timeout value is 8 hours. To change the phpMyAdmin login timeout to 8 hours:

$cfg['LoginCookieValidity'] = 60 * 60 * 8; // in seconds (8 hours)

If you want the timeout to almost never expire (and you don't care about security), set it to some extra high timeout like 1 year 🙂

$cfg['LoginCookieValidity'] = 3600 * 24 * 365; // 1 year

Make daily Linux MySQL database backups with shell script

Thursday, May 23rd, 2013


Some time ago, I wrote a tiny shell script which does dumps of complete (SQL script) MySQL databases. There are plenty of ways to back up a MySQL database and plenty of scripts on the net, but I like doing it my own way. I have a few backup scripts. I prefer scripted database dumps over keeping binary logs, or using some untraditional backup methods like backing up all the binary data in /var/lib/mysql.

One was intended to back up the whole database with mysqldump and later upload it to a central server running tsh (shell). Using tsh is maybe not the best method to upload, but the script can easily be modified to use passwordless ssh key authentication as the upload method.

I'm not a pro shell scripter, but the MySQLBackupper script can be useful for learning some simple bash shell scripting.

To use the script as intended you will have to build tsh from source. Tsh is in a very early development stage (ver 0.2), but as far as I tested it some years ago it does great at what it is intended for. You can download the MySQLBackupper.sh script from here.
Earlier, I used MysqlBackupper.sh to upload all SQL dumps to the /backups directory on a central backup storage server, so I had written a secondary script to classify the uploaded backups based on the backup archive name. The script used is mysqldumps-classify.sh and can be viewed here. Though this way of making backups needs a bit of custom work, for managing backups of up to 10 / 20 servers it worked well.

I have also written another mysqlbackup script which is much more simplistic: it only dumps with mysqldump and stores copies on the hard disk in a tar.gz archive. You can download my other simple mysqlbackup.sh here.

The only inconvenient thing about the above scripts is that they dump all SQL databases. Hence, whenever it is necessary to get the content of a single database out of the (complete) all-databases SQL script backup, I use a SED (stream editor) one-liner.
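As an added example (not one of the scripts linked above, which are not reproduced here), the same single-database extraction can be done in Python instead of sed. It relies on the "-- Current Database: `name`" comment that mysqldump --all-databases writes before each database's section; the dump text below is a constructed miniature of such a file:

```python
import re

# Constructed miniature of a `mysqldump --all-databases` output: every database
# section starts with a "-- Current Database:" comment line.
SAMPLE_DUMP = """\
-- MySQL dump 10.13  Distrib 5.5.31, for debian-linux-gnu (x86_64)
--
-- Current Database: `shop`
--
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `shop` /*!40100 DEFAULT CHARACTER SET utf8 */;
USE `shop`;
CREATE TABLE `orders` (`id` int(11) NOT NULL) ENGINE=InnoDB;
INSERT INTO `orders` VALUES (1),(2);
--
-- Current Database: `blog`
--
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `blog` /*!40100 DEFAULT CHARACTER SET utf8 */;
USE `blog`;
CREATE TABLE `posts` (`id` int(11) NOT NULL) ENGINE=InnoDB;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
-- Dump completed on 2013-05-23 12:00:00
"""

# Same anchor the sed range '/^-- Current Database: `shop`/,/^-- Current Database: `/p' keys on.
HEADER_RE = re.compile(r"^-- Current Database: `([^`]+)`\s*$")

def list_databases(dump_text):
    """Names of all databases contained in the dump, in file order."""
    names = []
    for line in dump_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            names.append(m.group(1))
    return names

def extract_database(dump_text, name):
    """Return the SQL for `name` only: from its header line up to (not including)
    the next database header, or to the end of the file for the last database.
    Returns None when the database is not in the dump."""
    out, inside = [], False
    for line in dump_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if inside:
                break  # reached the next database: stop
            inside = (m.group(1) == name)
        if inside:
            out.append(line)
    return "\n".join(out) + "\n" if out else None
```

Note that the last database's section also carries the trailing SET statements and the "-- Dump completed" line, which is harmless when the extract is fed back to mysql.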

It is interesting to hear how others prepare their MySQL db backups.

Using rsync to copy / synchronize files or backups between Linux / BSD / Unix servers

Monday, November 21st, 2011


Many of us have already taken advantage of the powerful rsync program; however, I'm quite sure there are still people who have never used rsync to transfer files between servers. That's why I came up with this small post to introduce rsync to my blog readers.
Why rsync and not scp or SFTP? Well, rsync is designed from the start for large file transfers and optimized to do the file copying job really efficiently. Some tests of scp against rsync will clearly show rsync's superiority.
Rsync is also handy for continuing the copying of half-copied files or backups, and thus in many cases saves bandwidth and machine HDD I/O operations.

The most simple way to use rsync is:

server:~# rsync -avz -e ssh remoteuser@remotehost:/remote/directory /local/directory/

Where remoteuser@remotehost is the username and hostname of the remote server the files are copied from (the source side of the command above),
/remote/directory is the directory on the remote server from which rsync reads the files, and
/local/directory is the local directory into which the files are copied.

If passwordless ssh key (RSA / DSA) authentication is not already configured on the remote server, the above command will prompt for a password; otherwise rsync will start doing the transfer right away.

If one needs RSA or DSA (public / private key) passwordless SSH key authentication, a key first has to be generated and its public part copied over to the remote server, like so (the example below generates a DSA key):

server:~# ssh-keygen -t dsa
...
server:~# ssh-copy-id -i ~/.ssh/id_dsa.pub root@remotehost
...

That's all folks, enjoy rsyncing 😉

How to fix wicd 1.7.0+ds1-5 Connection Failed: Bad Password on Ubuntu 10.10 (Maverick Merkaaat)

Tuesday, May 3rd, 2011

I’ve been struggling with fixing a nasty error with wicd network manager for about 2 hours.
The exact error message I faced was:

Connection Failed: Bad Password

The issue occurred after some suggested updates from the Ubuntu graphical update tool.
The wireless network to which it was connected used WPA-PSK (WPA2) passphrase authentication.
The network key was properly typed in and was working well on another system so the error Connection Failed: Bad Password made no sense.

There was nothing unusual in /var/log/wicd/wicd.log, which made me even more curious about what might be causing the error. After a lot of try-outs and a lot of reading and tests I finally found the cause of the weird Bad Password errors produced by wicd.

Weirdly enough, somehow the Ubuntu package update tool had installed the default GNOME network-manager package.
The installed network-manager package somehow interfered with the way wicd connects to wireless networks, and as a result the wpa_supplicant binary was not properly invoked.

As a consequence of network-manager being present on the system, the wpa_supplicant process which makes the actual connection to the wireless network was not launching; the exact wpa_supplicant invocation that was missing was:

wpa_supplicant -B -i wlan0 -c /var/lib/wicd/configurations/0022b0aa424a -D wext

Luckily the solution to the notebook wireless device unable to connect to the Wireless network was simple.

All I had to do was completely remove every network-manager package installed on the Ubuntu system, by issuing the commands:

ubuntu:~# apt-get remove --yes network-manager
ubuntu:~# dpkg --purge network-manager-pptp-gnome network-manager-pptp network-manager

The reason for issuing the dpkg --purge command was my desire to completely get rid of all kinds of network-manager related configuration.

Now after re-connecting with wicd wireless manager, it worked fine 😉