Thursday, May 25, 2017

Alfresco SSL with Apache Proxy Server

In this post we’ll see how to set up a proxy server that will enable Alfresco to be accessed via SSL.

We’ll use an Apache server as the proxy server running on Ubuntu Linux 14.04.

Alfresco 5.2 documentation describes two ways to set up SSL:

The first method requires only changes to the standard Tomcat configuration.  This method is recommended for use in a test environment because, while the method may be simpler than the second, the change can affect performance.

The second method  is to set up SSL is by using a proxy server that handles all incoming traffic. This method is recommended for production environments.  It adds an extra layer of security between the application server and incoming requests.  You should note that Alfresco now requires the server to be configured to use SSL in order to enable Alfresco Office Services (AOS) functionality (for AOS 1.1.3+).

In this article we’ll look in detail at the second of these two methods, enabling SSL by using a proxy server.

Note that no changes are made to the standard Alfresco installation that will be fronted by the Apache proxy server.  The default configuration for Tomcat in Alfresco is to use AJP on port 8009, as defined in the Tomcat configuration file server.xml.

Install Needed Software

Ideally the proxy server should run on separate server hardware or another VM.

First, install the Apache server and mod_jk software:

sudo apt-get update
sudo apt-get install apache2
sudo apt-get install libapache2-mod-jk

Then, enable mod_jk, mod_ssl and mod_rewrite:


sudo a2enmod jk
sudo a2enmod ssl
sudo a2enmod rewrite


Then, restart the Apache service:


sudo /etc/init.d/apache2 restart 

Generate SSL Certificate and Key

For a production system, you would obtain a public key certificate for SSL from a certificate authority.  For initial testing, the proxy server can be set up using self-signed certificates.

Skip this section if you already have a public certificate.

Create a self-signed certificate as follows:


mkdir /tmp/certs
cd /tmp/certs

# Generate a key with a passphrase
openssl genrsa -des3 -out server.key 1024 

# Create a key
openssl rsa –in server.key -check

# Create an insecure key [A copy of the key that doesn’t use a passphrase]
openssl rsa -in server.key -out server.key.nopassphrase

# Rename the key files
mv server.key server.key.passphrase
mv server.key.nopassphrase server.key

# Create the Certificate Signing Request (CSR)
#   Enter requested information
openssl req -new -key server.key -out server.csr

# Test the signing request
openssl req -noout -text -in server.csr

# Create a self-signed certificate
openssl x509 -req -days 9999 -in server.csr -signkey server.key -out server.crt

# Test self-signed certificate:
openssl x509 -in server.crt -noout -text

Installing the Certificate and Key

Ubuntu stores certificates in the /etc/ssl/certs directory.
Keys are stored in the directory /etc/ssl/private.

Move the certificate and key to these directories.
For the self-signed certificates created in the previous section, we would do the following:


cd /tmp/certs
sudo chmod 600 *.key
sudo cp *.crt /etc/ssl/certs
sudo cp *.key /etc/ssl/private

Configure Apache to know about Alfresco

Edit file 000-default.conf

We can configure Apache to intercept https services and redirect them to Alfresco in the 000-default.conf file:


cd /etc/apache2/sites-enabled
sudo vi 000-default.conf

At the top of the 000-default.conf file, edit the section <VirtualHost *:80>:


<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]
…
</VirtualHost>

You can copy this code as-is. There is no need to edit the value SERVER_NAME.

At the bottom of the file, add the following new section:

<VirtualHost *:443>
          ServerName {servername}
          SSLEngine On
          SSLCertificateFile /etc/ssl/certs/server.crt
          SSLCertificateKeyFile /etc/ssl/private/server.key 
          <Location />
              SSLRequireSSL On
              SSLVerifyClient optional
              SSLRenegBufferSize 104860000
              SSLVerifyDepth 1
              SSLOptions +StdEnvVars +StrictRequire
          </Location>
          # Send everything for the context / to worker named worker1 via ajp13
          JkMount /* ajp13_worker
</VirtualHost>

Edit the worker file workers.properties

Edit the default workers file.


cd  /etc/libapache2-mod-jk
sudo vi workers.properties 

This file contains an entry for the hostname.  The default is localhost.  Change the value for host to be the hostname of the machine where Alfresco is running.  

worker.list=ajp13_worker
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=your-internal-alfresco-host-name
worker.ajp13_worker.type=ajp13
worker.ajp13_worker.lbfactor=1

Edit the Apache file httpd.conf

cd /etc/apache2
sudo vi httpd.conf

This file may not already exist and need to be created.
Add the following line to the bottom of that file:

ServerName {your-server-name}

Restart Apache 

Then, restart the Apache service:


sudo /etc/init.d/apache2 restart 

Access Alfresco via SSL

SSL should now be configured.

The URL https://{hostname}/share will take you to the Share login page. 

This URL will get you to the general welcome page at the top level of Alfresco: https://{hostname}. 

References