4. Install Web Server

4.1. Apache HTTP Co-Service Configuration

Installation of Apache can be done through any number of means, depending on the software package on hand, and the target OS used. Please consult the Apache documentation for installation information.

All steps require use of a command shell. The example posted below is working as root user, but some OS’s are not enabled for root user access. The root user may have do be enabled on the target machine, otherwise commands must be prepended with "sudo", or whatever method required for editing service files, starting and stopping services, etc.

The httpd.conf file (sometimes alternatively, the apache2.conf file) is the configuration file for Apache. Locate this file on the target machine. For purposes of this illustration, the httpd.conf file name will be used.

leowiz:~ root# locate httpd.conf
/private/etc/apache2/httpd.conf
/private/etc/apache2/original/httpd.conf
leowiz:~ root#

Alternatively "find" will do the same thing;

leowiz:~ root# find / -name httpd.conf
/private/etc/apache2/httpd.conf
/private/etc/apache2/original/httpd.conf
leowiz:~ root#

In this case, the "/private/etc/apache2/httpd.conf" file is the one we are interested in.

For isolation of configuration options for editing purposes, the TACTIC configuration file is a single file which should be referred to by the Apache configuration file. In this case, the default "tactic.conf" file will be used. The file is included at the end of this document. Note this default "tactic.conf" has already be altered during the running of tactic installation install.py so that the path matches the installation directories.

Find out if the httpd.conf file has an "Include" statement that refers to a directory the TACTIC Apache configuration file can be put in.

leowiz:~ root# grep Include /private/etc/apache2/httpd.conf
Include /private/etc/apache2/extra/httpd-mpm.conf
#Include /private/etc/apache2/extra/httpd-default.conf
#Include /private/etc/apache2/extra/httpd-ssl.conf
Include /private/etc/apache2/other/*.conf
leowiz:~ root#

In this case, the line at the bottom is the one that is required;

Include /private/etc/apache2/other/*.conf

If there is no such include, then a line can be added to the httpd.conf file.

In the above example, there is a reference to a directory wild-card configuration inclusion. Essentially then, any files with the suffix ".conf" will be activated. This is where the TACTIC configuration file will be stored. Either the default configuration file can be used with some editing, due to the variations in location of the TACTIC service application.

For purposes of efficiency, Apache will proxy files that are static. In the tactic.conf file, there are 2 major directives that are of concern regarding directory access. There is the directives that enable the TACTIC GUI widgets to work,

<Directory "/home/apache/tactic" >
    Options FollowSymLinks
    AllowOverride None
    Order Allow,Deny
    Allow from All
</Directory>

The second set is:

<Directory "/home/apache/assets" >
    Options FollowSymLinks
    AllowOverride None
    Order Allow,Deny
    Allow from All
</Directory>

In the default example, the TACTIC application is stored at "/home/apache/tactic" while the assets are stored at "/home/apache/assets" The directives here allow Apache access to proxy these file locations for TACTIC.

Since Apache is serving only static files, it can be configured to serve the dynamic content served by TACTIC using a proxy.

To enable the Apache proxy service, the tactic.conf file must contain directives that enable the proxy and rewrite modules to serve the TACTIC service.

ProxyPreserveHost on
RewriteEngine on

# for cherrypy
RewriteRule   ^/tactic/(.+)$ http://localhost:8081/tactic/$1 [P,L]
RewriteRule   ^/tactic http://localhost:8081/tactic/ [P,L]
RewriteRule   ^/projects/(.+)$ http://localhost:8081/tactic/$1 [P,L]
RewriteRule   ^/projects http://localhost:8081/tactic/ [P,L]

In this example, the TACTIC service is located on the same machine, on port 8081. All URL requests that have a "/tactic" or "/projects" in the URL will be redirected to the TACTIC service, which by default is on port 8081.

To effectively use load-balancing on this machine, replace it with the following configuration instead:

# This is for using a random load_balancing scheme
RewriteMap    lb    rnd:/home/apache/sites/load_balance.txt
RewriteRule   ^/tactic/(.+)$ http://${lb:dynamic}/tactic/$1    [P,L]
RewriteRule   ^/projects/(.+)$ http://${lb:dynamic}/tactic/$1  [P,L]
RewriteRule   ^/tactic http://${lb:dynamic}/tactic/            [P,L]
RewriteRule   ^/projects http://${lb:dynamic}/tactic/          [P,L]
load balance

New Method

The use of balancer module is recommended for its reliablity and ease of use.

<Proxy balancer://tactic> BalancerMember http://localhost:8081/tactic BalancerMember http://localhost:8082/tactic BalancerMember http://localhost:8083/tactic </Proxy> ProxyPass /tactic balancer://tactic ProxyPass /tactic_data balancer://tactic

Old Method

The file, /home/apache/sites/load_balance.txt contains

lb  localhost:8081|localhost:8082|localhost:8083

The Apache configuration files have now been modified to proxy and rewrite TACTIC requests.

Apache needs to be restarted for the configuration changes to take effect. Most Apache installations have a "apachectl" command. To restart apache, use;

` apachectl restart`

Once Apache has been restarted, it should be serving TACTIC requests.

At this point Apache should be configured to proxy TACTIC service requests to the TACTIC service, while leaving all other requests to Apache itself.

4.2. IIS 7+ HTTP Co-Service Configuration

Windows HTTP co-service installations are IIS based.

On IIS installations prior to version 7, appropriate 3rd party proxying software (the ISAPI_Rewrite module) is required to be installed with IIS to enable the proper functioning of TACTIC.

TACTIC can be configured to work with the native IIS 7.5 services available on applicable Windows OS’s, such as Windows 7 and Windows Server 2008. Prior versions of IIS have required 3rd party software (the ISAPI_Rewrite module) to be installed alongside the IIS service to facilitate proxy and URL rewriting. With IIS 7.5, and the introduction of the ARR and URL rewrite module, the requirement of a 3rd party software is no longer needed.

image

On Windows 7, and Windows Server 2008, IIS is installed through means and directions published on Microsoft support websites. Please consult installation guides published by Microsoft for the installation procedure of IIS.

Typically, IIS 7.5 does not come with the ARR module, and depending on the IIS installation, URL rewrite. These modules are requirements for a installation alongside TACTIC. Please refer to Microsoft published documentation regarding installation of these modules.

Permissions must be set for IIS to be able to serve assets that TACTIC manages.

TACTIC requires that the IIS user have access to TACTIC assets and all of the virtual directories that contain TACTIC widgets.

Whether the assets directory is stored on the host machine or on a network mount, there should be a assigned user that runs TACTIC.

For non-domain Windows machines, a local user created on the TACTIC host, such as the IUSR_<computer_name> automatically created by an IIS installation will suffice, provided that the network mounted directories are writable by the system user.

For ADS domains, a user can be created on the domain, and assigned via the Services control panel. Assigning a domain user to the TACTIC service will allow domain level security rules to apply.

To assign a user to a service:

  1. Open the Services control panel
  2. Right click on the "TACTIC application server"
  3. Click on the "Log On" tab
  4. Change the "log on as" option to reflect the user created, whether local or domain based.

    image

For a locally hosted asset directory , the anonymous user (typically IUSR_<computer name>) account needs to be granted access to the directories, and all subdirectories under them.

Find the directories above in Windows Explorer, and right click on the directory to bring up “Sharing and Security�? for that directory.

image

IIS must be configured to serve static content, such as TACTIC assets, and TACTIC UI skins.

image

Table 5. Virtual directories required by TACTIC

Directory Description Directory Alias Location

Assets storage

assets

User provided during installation

TACTIC UI widgets

context

Inside TACTIC installation directory

Documentation

doc

Inside TACTIC installation directory

Project storage

projects

User provided during installation


There are four “virtual directories�? that must be created to access the static content provided by TACTIC.

To create the directories;

  1. Right click on “Default web site�? and “Add Virtual Directory�?
  2. Create the virtual directory, using the paths that were created by the installation of TACTIC. The default paths may not apply.

    image 3.

Important

If the directory is located on a network mount, it may have to be connected to as the user running the TACTIC service. To connect as a different user than the IIS user, click on the "Connect As"

+ image

+ Then click on the "Set…" button, and fill in the details of the user that will run the TACTIC service.

+ image

There should now be 4 virtual entries on the IIS service.

image

Application Request Routing (ARR) is the module snap-in that will proxy and load balance requests. ARR is required by IIS to split incoming TACTIC service requests between the dynamic content that drives the API and the TACTIC web UI, and static content. In order to achieve this, IIS must be configured to send certain requests to the TACTIC application server, while static data requests (usually assets) are sent to IIS.

This guide currently supports two methods of attaching the TACTIC service to an IIS co-service.

Proxy/Load balancing

The Load balancing configuration of IIS splits TACTIC service requests into multiple streams, with each stream utilizing its own TACTIC service process.

Proxy Only

The proxy-only configuration routes all TACTIC service requests to a single TACTIC service. This method should only be used in light usage TACTIC installations such as development servers.

A TACTIC installation by default runs 3 seperate TACTIC service listeners, arranged on default ports 8081, 8082 and 8083. To split TACTIC service requests into multiple streams, IIS must be configured to consider TACTIC part of a “server farm�?. Since all of the TACTIC services are running on one single host, IIS currently must be tricked into routing requests to the 3 different TACTIC streams on the localhost.

By default, windows looks in the hosts file, then to DNS for named hosts. To divide localhost into three “different�? machines, the “%SYSTEMROOT%/System32/drivers/etc/host�? file must be edited to be able to address localhost as more than one machine.

Important

If TACTIC is set to run a number of processes other than the default of three, then these instructions must reflect that number. Add or subtract from the list of localhost entries and web farm entries accordingly.

To create a web farm;

  1. As an “Administrator�? user, edit the “127.0.0.1�? line in this file

    image

    The addition of localhost-2 and localhost-3 that reference 127.0.0.1 allow this host machine to access localhost as more than one machine. 2. Now the Server Farm reference must be created.

    Start the IIS snap in, and select the Web server that will be used as a TACTIC co-service in the left side navigation bar. Right click on the “Server Farms�? folder and create a new server farm.

    image

    3 seperate servers must be added to the server farm to correspond to the 3 default TACTIC service processes. Add each server according to the below table.

    Server Address httpPort

    localhost-1

    8081

    localhost-2

    8082

    localhost-3

    8083

    Click on “Add�? when done each entry in the above list. For additional servers, the “server address�? must correspond to the additional localhost entries in the “hosts�? file. The ports must correspond to 8082, 8083, etc. Add the required number of servers according to TACTIC deployment requirements.

    image 3. Click “Finish�? when done. 4. Create the rewrite rule when prompted.

image

URL rewrite must now be configured to only send TACTIC API requests to the server farm.

  1. Click on the server farm icon on the left-hand side of IIS manager and click the “Routing Rules�? icon.

    Selection_009.png 2. In the right pane of the Routing rules section, click the "URL rewrite" link

    image 3. Select the automatically created URL rewrite rule created when the web farm was created, and click on the "Edit" link in the right pane.

    image

    In the “Edit Inbound rule�? pane, edit the pattern to read “tactic*,projects*�? This will instruct IIS to route all TACTIC UI requests to the TACTIC service.

    image 4. Apply the change.

ARR comes with several load balancing algorithms. Click on the newly created server farm, and click on the “Load Balancing�? icon. Select “Weighted round robin�? as the algorithm, and “Even distribution�? as the load distribution.

image

IIS can be configured to run a single rewrite rule to forward requests to a single TACTIC service.

Start the IIS snap in, and select the Web server that will be used as a TACTIC co-service in the left side navigation bar. Choose “Application request routing�? And click on server proxy settings on the right-hand side.

image

In the ARR options under the proxy settings check the “use URL rewrite to inspect incoming requests�?, And in the “reverse proxy�? text area type “localhost:8081�?. This instructs IIS to proxy everything to this address and port.

image

From here URL Rewrite can then be instructed to filter proxy requests. Click on the “URL rewrite�? link on the right-hand side to modify rewrite rules. Typically, if the proxy has been created in ARR, then a rule will be created in URL rewrite.

image

IIS must then be instructed to only proxy TACTIC UI and API requests. To do this, an automatically created rule must be altered to allow TACTIC asset requests to be handled by IIS.

image

To modify the existing rule for TACTIC, the pattern under "Match URL" should be "tactic*". The action “Rewrite URL�? should be "http://localhost:8081/{R:0}"

TACTIC currently has a requirement to insert custom MIME types into the list of allowed types for the IIS service.

MIME type Function Extension

text/plain

Python Script mask

.xx

To add a MIME type in IIS 7

  1. Click on the web server entry in the left-hand pane.
  2. Click on the MIME typesimage:media/Selection_013.png[image] icon in the centre pane.
  3. Click on the "Add…" link on the right-hand pane.
  4. Add all entries required by the table above.

    image

At this point IIS should be configured to proxy TACTIC service requests to the TACTIC service, while leaving all other requests to IIS.

http://learn.iis.net/page.aspx/485/define-and-configure-an-application-request-routing-server-farm/

http://learn.iis.net/page.aspx/486/http-load-balancing-using-application-request-routing/

http://blogs.msdn.com/nickhodge/default.aspx?p=2