Morgan Patou

Alfresco – Protect your installation with Apache httpd

In this blog, I will talk about the setup of an Apache httpd server, with or without SSL, in front of your Alfresco installation. This way of configuring Apache httpd in front of a web application can be reused very easily for other applications like your intranet, competency center, resource planning, and so on. It is NOT specific to Alfresco and this is what makes this blog very useful!

When you install Alfresco using the provided installer, you get a Tomcat set up on port 8080 (by default) which also listens on port 8443 with an SSL Certificate generated by Alfresco for the communications between the Alfresco repository and the Solr engine. You can use this SSL Certificate to secure your Alfresco installation but there are two restrictions:

  • The password used for this SSL Certificate is well known since it is always the same… You just have to download the installer, run it and you will be able to find the password => Not really secure!
  • The SSL Certificate is self-signed by Alfresco, which means that it will not be trusted in your company => SSL Warnings/Errors

Based on this information, you have several choices:

  • Generate your own Self-Signed SSL Certificate with a new password that nobody knows and replace the SSL Certificate used by Alfresco by default => Secure but still a Self-Signed SSL Certificate! In addition, there is some documentation about how to do that but it is not so easy and trivial…
  • Generate your own SSL Certificate using a trusted Certificate Authority and replace the SSL Certificate used by Alfresco by default => Secure but the setup is still not so easy and trivial…
  • Generate your own Self-Signed SSL Certificate and set up something in front of Alfresco to handle the SSL communications => Secure, easier but still a Self-Signed SSL Certificate!
  • Generate your own SSL Certificate using a trusted Certificate Authority and set up something in front of Alfresco to handle the SSL communications => Secure, easier, trusted!

So yes, as you have probably guessed, I will show you in this blog how to set up the last option, with or without the SSL part. With this choice, you will have something really easy to set up because you don’t need to change anything on the Alfresco side! You can leave your Tomcat running on ports 8080 and 8443, and you don’t need to care about the internal communications between the Alfresco repository and the Solr engine.

For this blog, I used a RedHat Enterprise Linux 6.4. If you are using a different version or a different distribution, just adapt the few steps that will not work for you (basically the “su -” or “yum” commands). In addition to that, I will define the following:

  • OS: RHEL 6.4
  • Hostname: vmdevalfresco01
  • Domain: your-domain.com
  • SSL Certificate: *.your-domain.com    (wildcard certificate => You can use something else of course!)
  • Alfresco running on Apache Tomcat 7.0.68 (the version doesn’t really matter!)

So let’s start this setup by switching to root for the entire installation:

[alfresco@vmdevalfresco01 ~]$ su -
Password:

Now we can install the Apache httpd server and setup some prerequisites:

[root@vmdevalfresco01 ~]$ yum install httpd*
[root@vmdevalfresco01 ~]$ yum install gcc httpd-devel mod_ssl

Once the Apache httpd server is installed, you have to verify that “mod_so.c” is present on your machine. To do that, just execute the following command and ensure that it is present in the list:

[root@vmdevalfresco01 ~]$ apachectl -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c

Ok so now Apache httpd is installed (not configured) so we can download the Tomcat Connector. This little module will basically take care of all communications between the Apache httpd server and your Apache Tomcat on which Alfresco is running:

[root@vmdevalfresco01 ~]$ cd /tmp
[root@vmdevalfresco01 tmp]$ wget http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.40-src.tar.gz
[root@vmdevalfresco01 tmp]$ tar -xvf tomcat-connectors-1.2.40-src.tar.gz
[root@vmdevalfresco01 tmp]$ cd tomcat-connectors-1.2.40-src/native

At the moment, the source of the Tomcat Connector is on your file system but you still need to build the Apache httpd module! But before that, you will need to check where your apxs is installed (apxs = APache eXtenSion tool). You can use the which command or find it yourself:

[root@vmdevalfresco01 native]$ which apxs
/usr/sbin/apxs
[root@vmdevalfresco01 native]$ find / -name apxs
/usr/sbin/apxs

Normally apxs is installed when you install the Apache httpd server but if it is not the case, then you need to install it manually. Once everything is ready, you can actually build the Tomcat Connector (of course change the path to the apxs if it differs):

[root@vmdevalfresco01 native]$ ./configure --with-apxs=/usr/sbin/apxs
[root@vmdevalfresco01 native]$ make

The next step is to check where your Apache httpd modules are installed (by default it is under /usr/lib64/httpd/modules but you can also use the Symlink /etc/httpd/modules directly). Then copy the new Tomcat Connector module (mod_jk.so) in this Apache httpd module folder:

[root@vmdevalfresco01 native]$ ls -l /etc/httpd/
[root@vmdevalfresco01 native]$ cp apache-2.0/mod_jk.so /usr/lib64/httpd/modules/

Ok so the Tomcat Connector module is now in the right location but there are two remaining things to do. The first one is to configure a worker and this is done by creating a file workers.properties with the following content:

[root@vmdevalfresco01 native]$ cd /etc/httpd/
[root@vmdevalfresco01 httpd]$ cat /etc/httpd/conf.d/workers.properties
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.lbfactor=1

Of course for the worker to work properly, the AJP13 Connector in Tomcat must be enabled and configured to use the port 8009 (default one). The second and last thing to do for the Tomcat Connector is to actually load the module that we built into the Apache httpd server and let Apache know where the worker is defined:

[root@vmdevalfresco01 httpd]$ cat /etc/httpd/conf.d/mod_jk.conf
LoadModule      jk_module modules/mod_jk.so

JkWorkersFile   conf.d/workers.properties
JkLogFile       logs/mod_jk_log
JkLogLevel      info
JkMount         /* worker1
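
The worker above reaches Tomcat over AJP13 on localhost:8009, so the connector in Tomcat's server.xml has to use the same port and only needs to be reachable from the httpd host itself. The following check is an added example, not part of the original post: it compares the two files and flags an AJP connector that is not bound to loopback. The function names and the sample server.xml are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: cross-check the mod_jk worker against Tomcat's AJP connector.
# Function names and the sample files are hypothetical/constructed.

# Value of key $2 in properties file $1 (last assignment wins).
prop() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }

# Attribute $2 of the first active (not commented-out) AJP <Connector> in $1.
ajp_attr() {
    awk '{ s = s $0 " " }
         END { while ((i = index(s, "<!--")) && (j = index(substr(s, i), "-->")))
                   s = substr(s, 1, i - 1) substr(s, i + j + 2)
               print s }' "$1" |
        grep -o '<Connector[^>]*>' | grep 'AJP/1.3' | head -n 1 |
        sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# check_ajp WORKERS SERVER_XML WORKER: prints findings, returns 1 if there are any.
check_ajp() {
    local wport xport addr rc=0
    wport=$(prop "$1" "worker.$3.port")
    xport=$(ajp_attr "$2" port)
    addr=$(ajp_attr "$2" address)
    if [ -z "$xport" ]; then
        echo "FAIL: no active AJP/1.3 connector in $2"; rc=1
    elif [ "$wport" != "$xport" ]; then
        echo "FAIL: worker port $wport, connector port $xport"; rc=1
    fi
    # Tomcat 7.0.68 listens on every interface when 'address' is not set.
    case "$addr" in
        127.0.0.1|::1|localhost) ;;
        *) echo "WARN: AJP address '${addr:-unset}' is not loopback"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample input: the worker from this post and a connector without 'address'.
make_samples() {
    printf 'worker.list=worker1\nworker.worker1.type=ajp13\nworker.worker1.port=8009\n' \
        > "$1/workers.properties"
    printf '%s\n' '<Server>' '<!-- <Connector port="8010" protocol="AJP/1.3" /> -->' \
        '<Connector port="8009" protocol="AJP/1.3"' '   redirectPort="8443" />' \
        '</Server>' > "$1/server.xml"
}

d=$(mktemp -d) && make_samples "$d"
check_ajp "$d/workers.properties" "$d/server.xml" worker1 || echo "fix server.xml first"
rm -rf "$d"
```

Adding address="127.0.0.1" to the AJP connector in server.xml clears the warning on the sample input.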

At this point, we are almost done! The next step is to actually configure your Apache httpd server as you want/need. In the file /etc/httpd/conf/httpd.conf, you can change what you want but you will probably want to update the following values:

  • ServerTokens Prod
  • KeepAlive On
  • Listen 80
  • Include conf.d/*.conf
  • User apache
  • Group apache
  • ServerAdmin firstname.lastname@your-domain.com
  • ServerName vmdevalfresco01.your-domain.com:80
  • ServerSignature Off
  • and so on…

I. First solution – Apache httpd server in HTTP

Now comes the time to configure your Apache httpd server to work in combination with Alfresco. If you want to use Apache in HTTP (I really recommend you to set it up in HTTPS…), you just have to add the following lines at the end of the file /etc/httpd/conf/httpd.conf (or create a conf file in the conf.d folder):

[root@vmdevalfresco01 httpd]$ tail -10 /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
    ServerName vmdevalfresco01.your-domain.com
    ServerAlias vmdevalfresco01 vmdevalfresco01.your-domain.com
    RewriteLog /var/log/httpd/vmdevalfresco01.log
    RewriteLogLevel 5
    RewriteEngine On
    RewriteRule ^/$ http://vmdevalfresco01.your-domain.com/share [R,L]
    JkMount /* worker1
</VirtualHost>

These few lines will basically redirect all requests for “http://vmdevalfresco01.your-domain.com” to “http://vmdevalfresco01.your-domain.com/share”. It is a simple redirection but then Alfresco will be able to catch it because by default Alfresco isn’t using the context “/” but is using “/share” (or “/alfresco”). In addition to that, there is also the definition of a Worker for our mod_jk and this is what will actually do the communications between the Apache httpd server and your Apache Tomcat. With this configuration, you can now start your Apache httpd server:

[root@vmdevalfresco01 httpd]$ service httpd start

You can now access “http://vmdevalfresco01.your-domain.com” and it will in the background use your Apache Tomcat defined in the port 8080 (or any other ports) without showing it to the end users.

II. Second solution – Apache httpd server in HTTPS

If you want to use the Apache httpd server in HTTPS, which is the recommended way to go, it will require a little bit more configuration. The first thing to do is to redirect all HTTP communications to HTTPS. For that purpose, add the following lines at the end of the file /etc/httpd/conf/httpd.conf (or create a conf file in the conf.d folder) as done for the HTTP part, but with different RewriteRules:

[root@vmdevalfresco01 httpd]$ tail -11 /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
    ServerName vmdevalfresco01.your-domain.com
    ServerAlias vmdevalfresco01 vmdevalfresco01.your-domain.com
    RewriteLog /var/log/httpd/vmdevalfresco01.log
    RewriteLogLevel 5
    RewriteEngine On
    RewriteRule ^/$ https://vmdevalfresco01.your-domain.com/share [R,L]
    RewriteRule ^/?(.*) https://vmdevalfresco01.your-domain.com/$1 [R,L]
    JkMount /* worker1
</VirtualHost>

As you can see above, the main difference with the configuration done for the HTTP setup is that there are two rewrite rules now and both are redirecting to the HTTPS URL. In addition to that, you will also have to edit the file /etc/httpd/conf.d/ssl.conf which has been created with a default content when installing the module mod_ssl. You can set up the following content:

[root@vmdevalfresco01 httpd]$ cat /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so

Listen 443

SSLPassPhraseDialog  builtin

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

<VirtualHost *:443>
    ServerName vmdevalfresco01.your-domain.com
    ServerAlias vmdevalfresco01 vmdevalfresco01.your-domain.com
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    RewriteLog /var/log/httpd/vmdevalfresco01-ssl.log
    RewriteLogLevel 5
    RewriteEngine On
    RewriteRule ^/$ https://vmdevalfresco01.your-domain.com/share [R,L]
    JkMount /* worker1

    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256+RSA
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/wildcard_your-domain_com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard_your-domain_com.key
    SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2-g1.crt

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Some notes about the configuration setup in the file ssl.conf:

  • SSLProtocol = All weak SSL Protocols (SSLv2 and SSLv3) have been deactivated.
  • SSLCipherSuite = Only a specific list of Ciphers has been set up and therefore only communications with these Ciphers will be enabled. That way, we are sure that a hacker will not be able to use weak encryption mechanisms.
  • SSLCertificateFile = This is the SSL Certificate that Apache httpd will use.
  • SSLCertificateKeyFile = This is the Private Key that matches the SSL Certificate (the one used to generate the certificate request).
  • SSLCertificateChainFile = This is the SSL Certificate Trusted Chain. In case you have a Root CA and a Gold CA, then this file should contain the complete chain that will ensure the SSL Certificate to be trusted. This is usually provided by your Certificate Authority.
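
Before starting httpd with this ssl.conf, it is worth confirming that the key really belongs to the certificate and is not readable by other accounts. This is an added example, not from the original post: the helper names are hypothetical, the sample certificate is generated on the fly, and the key is assumed to be stored without a passphrase.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the certificate and key named in ssl.conf.
# Helper names are hypothetical; the key is assumed to have no passphrase.

# First argument of directive $2 in config file $1.
directive() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

# Prints one line per problem and returns 1 if any was found.
check_tls_files() {
    local crt key pub rc=0
    crt=$(directive "$1" SSLCertificateFile)
    key=$(directive "$1" SSLCertificateKeyFile)
    # Key and certificate belong together only if they carry the same public key.
    pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$pub" ] || [ "$pub" != "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: $key is not the private key of $crt"; rc=1
    fi
    # httpd reads the key as root at startup, so no other account needs access.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "FAIL: $key is readable by group or others"; rc=1
    fi
    return "$rc"
}

# Constructed sample: throw-away self-signed pair, an unrelated key, and a
# two-line ssl.conf that points at the key named in $2.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vmdevalfresco01.your-domain.com" \
        -keyout "$1/good.key" -out "$1/wildcard.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    chmod 600 "$1/good.key"; chmod 644 "$1/other.key"
    printf '    SSLCertificateFile %s\n    SSLCertificateKeyFile %s\n' \
        "$1/wildcard.crt" "$1/$2.key" > "$1/ssl.conf"
}

if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_sample "$d" good  && check_tls_files "$d/ssl.conf" && echo "good.key: OK"
    make_sample "$d" other && check_tls_files "$d/ssl.conf" || echo "other.key: rejected"
    rm -rf "$d"
fi
```

On a real host, call check_tls_files /etc/httpd/conf.d/ssl.conf as root before "service httpd start".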

 

With this configuration, all HTTP and HTTPS communications will be redirected to HTTPS only (“https://vmdevalfresco01.your-domain.com/share”). In addition to that, everything said for the HTTP setup also applies to the HTTPS setup. Once this is done and everything is in place, you can now start your Apache httpd server:

[root@vmdevalfresco01 httpd]# service httpd start

You can now access “http://vmdevalfresco01.your-domain.com” or “https://vmdevalfresco01.your-domain.com” or “https://vmdevalfresco01.your-domain.com/share” and the Apache httpd server will redirect everything to HTTPS and, in the background, use your Apache Tomcat defined in the port 8080 (or any other ports) without showing it to the end users.

And that’s it!

Morgan Patou

Senior Consultant