Date: Sat, 9 Mar 2013 12:49:21 -0500
Subject: Re: accessing ofbiz only over SSL/TLS using Apache's httpd server
From: Ted Byers
To: user@ofbiz.apache.org

Thanks Mike,

On Sat, Mar 9, 2013 at 12:38 PM, Mike wrote:
> There are a couple of ways to do it, each of which requires you to really
> know apache the AJP module:
>
> On a running ofbiz system, there is this "runtime" directory:
>
> ls /opt/ofbiz.1104/runtime/catalina/work/default-server/0.0.0.0#
>
> accounting bizznesstime droppingcrumbs example googlecheckout multiflex
> ordermgr tempfiles workeffort ap bluelight ebay exampleext hhfacility
> myportal osafe_theme tomahawk ar catalog ebaystore facility humanres
> oagis partymgr assetmaint cmssite ecommerce flatgrey iCalendar
> manufacturing ofbiz projectmgr webpos content images marketing
> ofbizsetup webslinge birt googlebase ismgr minimal sfa webtools
>
> These are all reserved paths that ofbiz creates when started, so you can
> create a bunch of ... tags for each of the above
> --or-- you can also just use: (without /Location tags).
>
> proxyPass /catalog ajp://127.0.0.1:8009/catalog
> proxyPass /cmssite ajp://127.0.0.1:8009/cmssite
> proxyPass /content ajp://127.0.0.1:8009/content
>
> However, just looking at the sheer amount of mount points that ofbiz
> exposes by default it is crazy to expose all of them on the internet. You
> can probably lock down the external facing mounts that you really need
> (like /ecommerce) and just access the backend via a direct connection to
> port 8080/8443, only from your LAN.
>

Would I not be able to handle the security implications of exposing some selection of mounts for the back end by requiring client side certificates for them? If so, I know how to add support, or a requirement, for client side certificates in Apache's httpd server, but what about the application server OFBiz lives in?

Thanks,

Ted
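
An added example, not part of the original message or of the OFBiz project's configuration: an httpd virtual host that combines the two ideas in this thread, proxying only the mounts it names over AJP and requiring a client certificate for a back-end one. The server name and certificate paths are placeholders; the mount names and the AJP address are the ones quoted above.

```apache
# Added example: server name and file paths below are placeholders.
# Requires mod_ssl, mod_proxy and mod_proxy_ajp to be loaded.

# Plain HTTP only redirects; nothing is proxied to OFBiz from here.
<VirtualHost *:80>
    ServerName shop.example.com
    Redirect permanent / https://shop.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName shop.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/shop.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/shop.example.com.key

    # CA that issues the staff client certificates (placeholder path).
    SSLCACertificateFile  /etc/httpd/tls/staff-client-ca.crt

    # Public storefront: the only mount open to any TLS client.
    ProxyPass /ecommerce ajp://127.0.0.1:8009/ecommerce

    # Back-end mount: proxied, but only for clients presenting a
    # certificate that chains to the staff CA.
    ProxyPass /catalog ajp://127.0.0.1:8009/catalog
    <Location /catalog>
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>

    # Mounts with no ProxyPass line (webtools, accounting, ...) are
    # not forwarded to OFBiz through this virtual host at all.
</VirtualHost>
```

With TLS 1.3, a per-Location `SSLVerifyClient` relies on post-handshake authentication, which many browsers do not support. Putting the back-end mounts on their own virtual host with `SSLVerifyClient require` at server level avoids that.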