Security Scrapbook
Resin 3.1


A repository of notes and comments that will eventually make their way into the documentation. Please treat the information here with caution; it has often not been verified.

How do I handle port 80 and root issues on Linux?

On a 2.6 Linux kernel or Red Hat 9.0 (both have NPTL threads, so a setuid() call applies to the whole JVM rather than only to the calling thread), you can use the standard user-name configuration: Resin opens port 80 while it still runs as root and then drops to the configured, unprivileged user. On older Linux versions you need a bit of trickery so that Resin never has to run as root at all: let it listen on an unprivileged port such as 8080 and have the kernel redirect port 80 to it.

One option is kernel-based port redirection. It is not available on every flavour of Unix, but it works fine on recent Linux kernels (2.4 and later).

Here is a very basic example for iptables in a static environment (static meaning that the example does not handle ppp connections; on a dial-up host you would add similar rules to your ip-up/ip-down scripts). The two OUTPUT rules cover connections the machine opens to itself (for instance a local process following a redirect to http://your.hostname/), the PREROUTING rule covers connections arriving from the network. Replace your.hostname with the host name or IP address of the interface Resin answers on, and run the commands as root:

iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -d your.hostname -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -d your.hostname -p tcp --dport 80 -j REDIRECT --to-ports 8080

ipchains (for Linux 2.2 kernels) should work similarly, and it may also be possible to map the port directly in your firewall. Keep in mind that REDIRECT adds a second way in rather than moving the service: port 8080 stays reachable directly, so any filtering you apply to port 80 has to be applied to port 8080 as well, or direct external connections to 8080 have to be dropped.
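As an added example (not from the Resin documentation), the following script installs the same three rules idempotently and additionally drops connections that arrive on the external interface for port 8080 without having been redirected, so that port 80 really is the only way in from the outside. It assumes Linux with iptables 1.4.11 or later (for the -C check) and conntrack support; the interface name and address are placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the Resin docs: idempotent REDIRECT setup for an
# unprivileged Resin on port 8080, plus a lock-down of direct access to 8080.
# Assumptions: Linux, iptables >= 1.4.11 (-C), conntrack match available, run as root.
set -u

# run: execute iptables, or just print the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# add_rule <table> <chain> <rule...>: append the rule only if it is not present yet
add_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run -t "$table" -A "$chain" "$@"
    fi
}

# redirect_port <external iface> <host ip> <public port> <resin port>
redirect_port() {
    iface=$1; host=$2; pub=$3; resin=$4
    # locally generated traffic (a process on this box talking to its own port 80)
    # never passes PREROUTING, so it needs rules in the OUTPUT chain
    add_rule nat OUTPUT -d 127.0.0.1 -p tcp --dport "$pub" -j REDIRECT --to-ports "$resin"
    add_rule nat OUTPUT -d "$host" -p tcp --dport "$pub" -j REDIRECT --to-ports "$resin"
    # traffic arriving from the network is rewritten in PREROUTING
    add_rule nat PREROUTING -i "$iface" -d "$host" -p tcp --dport "$pub" -j REDIRECT --to-ports "$resin"
    # a REDIRECTed connection carries the conntrack DNAT state; anything else that
    # reaches the Resin port on the external interface is bypassing port 80 and is dropped
    add_rule filter INPUT -i "$iface" -p tcp --dport "$resin" -m conntrack ! --ctstate DNAT -j DROP
}

# example invocation (as root), with placeholder interface and address:
#   redirect_port eth0 199.199.0.10 80 8080
# preview without touching the tables:
#   DRY_RUN=1 redirect_port eth0 199.199.0.10 80 8080
```

Connections from the machine to 127.0.0.1:8080 are unaffected by the DROP rule, which only watches the external interface, so local health checks keep working while outside clients have to come in through port 80.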

Where can I learn more about SSL?

Converting a JSSE Keystore to OpenSSL

How can I handle SSL for virtual hosts if I have a separate IP for each host?

The basic way to configure SSL for multiple virtual hosts is to bind a separate https listener to the IP address (interface) of each virtual host. The TLS handshake, and with it the choice of certificate, completes before Resin sees the HTTP Host header, so each certificate needs its own listener address. The <password> value is the passphrase of the key file and is stored in clear text in resin.conf, so keep resin.conf and the key files readable only by the user Resin runs as:

<http host="*" port="80"/>

<http host="199.199.0.10" port="443" virtual-host="gryffindor.com">
  <openssl>
    <certificate-file>keys/gryffindor.crt</certificate-file>
    <certificate-key-file>keys/gryffindor.key</certificate-key-file>
    <password>test123</password>
  </openssl>
</http>

<http host="199.199.0.11" port="443" virtual-host="slytherin.com">
  <openssl>
    <certificate-file>keys/slytherin.crt</certificate-file>
    <certificate-key-file>keys/slytherin.key</certificate-key-file>
    <password>test123</password>
  </openssl>
</http>

...

<host id="gryffindor.com">
  <host-alias>www.gryffindor.com</host-alias>

  ...

</host>

<host id="slytherin.com">
  <host-alias>www.slytherin.com</host-alias>

  ...
</host>

...

If you want to keep one configuration file for different environments, you can use the configuration control statements (resin:choose, resin:when and resin:otherwise) to pick the listeners at startup:

<resin:choose>

<resin:when test="${sslmode == 'production'}">
  <resin:log>Production mode https listeners</resin:log>

  <http host="199.199.0.10" port="443">
    <openssl>
      <certificate-file>keys/gryffindor.crt</certificate-file>
      <certificate-key-file>keys/gryffindor.key</certificate-key-file>
      <password>test123</password>
    </openssl>
  </http>

  <http host="199.199.0.11" port="443">
    <openssl>
      <certificate-file>keys/slytherin.crt</certificate-file>
      <certificate-key-file>keys/slytherin.key</certificate-key-file>
      <password>test123</password>
    </openssl>
  </http>
</resin:when>

<resin:when test="${sslmode == 'staging'}">
  <resin:log>Staging mode https listeners</resin:log>

  <http host="198.168.0.5" port="443">
    <openssl>
      <certificate-file>keys/gryffindor.crt</certificate-file>
      <certificate-key-file>keys/gryffindor.key</certificate-key-file>
      <password>test123</password>
    </openssl>
  </http>

  <http host="198.168.0.6" port="443">
    <openssl>
      <certificate-file>keys/slytherin.crt</certificate-file>
      <certificate-key-file>keys/slytherin.key</certificate-key-file>
      <password>test123</password>
    </openssl>
  </http>
</resin:when>

<resin:otherwise>
  <resin:log>Development mode https listeners</resin:log>

  <http host="*" port="443">
    <openssl>
      <certificate-file>keys/test.crt</certificate-file>
      <certificate-key-file>keys/test.key</certificate-key-file>
      <password>test123</password>
    </openssl>
  </http>
</resin:otherwise>

</resin:choose>

Then start Resin with a -Dsslmode={production|staging|development}.

unix> bin/httpd.sh -Dsslmode=production ...
win> httpd.exe -Dsslmode=production ...

unix> bin/httpd.sh -Dsslmode=staging ...
win> httpd.exe -Dsslmode=staging ...

unix> bin/httpd.sh -Dsslmode=development ...
win> httpd.exe -Dsslmode=development ...
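As an added example (not from the Resin documentation), here is a shell pre-flight check for one listener's certificate-file, certificate-key-file and password, meant to be run before Resin is restarted into a new sslmode. It assumes RSA keys, the openssl command line tool and GNU or BSD stat; the host names and file names are the placeholders from the listings above.

```shell
#!/bin/sh
# Added example, not part of the Resin docs: checks that one <http>/<openssl>
# listener's files are usable before restarting Resin.
# Assumptions: RSA keys, the openssl CLI, GNU or BSD stat.
# usage: check_listener <virtual host> <certificate-file> <certificate-key-file> <password>
# Returns 0 when every check passes; prints a FAIL line and returns 1 otherwise.
check_listener() {
    host=$1; crt=$2; key=$3; pw=$4; rc=0

    # 1. the key must not be readable by other users (resin.conf holds its
    #    passphrase in clear text, so lock that file down the same way)
    perms=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$perms" in
        600|400) ;;
        *) echo "FAIL $host: $key has mode $perms, expected 600"; rc=1 ;;
    esac

    # 2. the <password> must actually unlock the key; a wrong one otherwise
    #    surfaces only as a failed listener at startup
    if ! keymod=$(openssl rsa -in "$key" -passin "pass:$pw" -noout -modulus 2>/dev/null); then
        echo "FAIL $host: cannot read $key with the configured password"; return 1
    fi

    # 3. certificate and key must be a pair (compare the RSA moduli)
    if ! crtmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null); then
        echo "FAIL $host: cannot parse $crt"; return 1
    fi
    if [ "$keymod" != "$crtmod" ]; then
        echo "FAIL $host: $crt does not match $key"; rc=1
    fi

    # 4. the certificate must be issued for the host served on this listener;
    #    the listener's IP address decides which certificate a client sees, so a
    #    mix-up shows up as a browser warning, never as a Resin error
    if ! openssl x509 -in "$crt" -noout -text | grep -qF "$host"; then
        echo "FAIL $host: $crt is not issued for $host"; rc=1
    fi

    # 5. and it must not already be expired (checkend 0 fails once it has)
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "FAIL $host: $crt has expired"; rc=1
    fi
    return $rc
}

# example invocation for the production listeners above:
#   check_listener gryffindor.com keys/gryffindor.crt keys/gryffindor.key test123
#   check_listener slytherin.com keys/slytherin.crt keys/slytherin.key test123
```

Run it once per listener of the mode you are about to start and refuse to restart on any FAIL line. The host-name check is coarse (it greps the decoded certificate for the name), which is enough to catch swapped files but not a certificate that merely mentions the name somewhere else.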

Copyright © 1998-2006 Caucho Technology, Inc. All rights reserved.
Resin® is a registered trademark, and Quercus™, Amber™, and Hessian™ are trademarks of Caucho Technology.