In this post we’ll see how to set up a proxy server that will enable Alfresco to be accessed via SSL.
We’ll use an Apache server as the proxy server, running on Ubuntu Linux 14.04. The Alfresco 5.2 documentation describes two ways to set up SSL:
The first method requires only changes to the standard Tomcat configuration. This method is recommended for use in a test environment because, while it may be simpler than the second, the change can affect performance.
The second method is to set up SSL by using a proxy server that handles all incoming traffic. This method is recommended for production environments. It adds an extra layer of security between the application server and incoming requests. You should note that Alfresco now requires the server to be configured to use SSL in order to enable Alfresco Office Services (AOS) functionality (for AOS 1.1.3+).
In this article we’ll look in detail at the second of these two methods, enabling SSL by using a proxy server.
Note that no changes are made to the standard Alfresco installation that will be fronted by the Apache proxy server. The default configuration for Tomcat in Alfresco is to use AJP on port 8009, as defined in the Tomcat configuration file server.xml.
Install Needed Software
Ideally the proxy server should run on separate server hardware or another VM.
First, install the Apache server and mod_jk software:
sudo apt-get update
sudo apt-get install apache2
sudo apt-get install libapache2-mod-jk
Then, enable mod_jk, mod_ssl and mod_rewrite:
sudo a2enmod jk
sudo a2enmod ssl
sudo a2enmod rewrite
Then, restart the Apache service:
sudo /etc/init.d/apache2 restart
Generate SSL Certificate and Key
For a production system, you would obtain a public key certificate for SSL from a certificate authority. For initial testing, the proxy server can be set up using self-signed certificates.
Skip this section if you already have a public certificate.
Create a self-signed certificate as follows:
mkdir /tmp/certs
cd /tmp/certs
# Generate a key with a passphrase
openssl genrsa -des3 -out server.key 1024
# Check the key
openssl rsa -in server.key -check
# Create an insecure key [a copy of the key that doesn’t use a passphrase]
openssl rsa -in server.key -out server.key.nopassphrase
# Rename the key files
mv server.key server.key.passphrase
mv server.key.nopassphrase server.key
# Create the Certificate Signing Request (CSR)
# Enter the requested information when prompted
openssl req -new -key server.key -out server.csr
# Test the signing request
openssl req -noout -text -in server.csr
# Create a self-signed certificate
openssl x509 -req -days 9999 -in server.csr -signkey server.key -out server.crt
# Test the self-signed certificate
openssl x509 -in server.crt -noout -text
Installing the Certificate and Key
Ubuntu stores certificates in the /etc/ssl/certs directory.
Keys are stored in the directory /etc/ssl/private.
Move the certificate and key to these directories.
For the self-signed certificates created in the previous section, we would do the following:
cd /tmp/certs
sudo chmod 600 *.key
sudo cp *.crt /etc/ssl/certs
sudo cp *.key /etc/ssl/private
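The two sections above (generating and installing the certificate and key) can be done in one non-interactive script. The script below is an added example and not part of the original post: it creates the unencrypted key directly (the post creates a passphrase-protected key and then strips the passphrase; Apache needs the unencrypted copy to start unattended), uses 2048-bit RSA and a one-year lifetime instead of the post's 1024 bits and 9999 days, verifies that the certificate really belongs to the key by comparing the RSA modulus of both before anything is installed, and installs the files root-owned with the key not readable by anyone else. It assumes openssl is installed; the hostname proxy.example.test is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is installed.
# Hostname proxy.example.test is a placeholder to replace with the proxy's real name.
set -eu

# Generate an unencrypted RSA key and a self-signed certificate in one step.
# $1: output directory, $2: common name, $3: validity in days, $4: key size in bits.
gen_selfsigned() {
  dir=$1; cn=$2; days=${3:-365}; bits=${4:-2048}
  mkdir -p "$dir"
  openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.crt" \
    -days "$days" -subj "/CN=$cn" 2>/dev/null
  chmod 600 "$dir/server.key"
}

# A certificate is only usable with the key it was issued for: compare the RSA
# modulus of key ($1) and certificate ($2). Apache refuses to start on a mismatch,
# so catching it here saves a failed restart. RSA keys only.
keys_match() {
  key_mod=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
  crt_mod=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
  [ "$key_mod" = "$crt_mod" ]
}

# Copy into the Ubuntu locations used by the post: certificate world-readable,
# key root-only. Apache reads the key as root before dropping privileges.
install_certs() {
  dir=$1
  keys_match "$dir/server.key" "$dir/server.crt" || { echo "key/cert mismatch" >&2; return 1; }
  sudo install -o root -g root -m 644 "$dir/server.crt" /etc/ssl/certs/server.crt
  sudo install -o root -g root -m 600 "$dir/server.key" /etc/ssl/private/server.key
}

# Usage:
#   sh mkcert.sh generate /tmp/certs proxy.example.test
#   sh mkcert.sh install  /tmp/certs
case "${1:-}" in
  generate) gen_selfsigned "$2" "$3" ;;
  install)  install_certs "$2" ;;
esac
```

Recent browsers ignore the CN and require a subjectAltName on the certificate; adding one needs an extensions file or openssl 1.1.1's -addext, which the script omits for portability to the openssl shipped with 14.04.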
Configure Apache to know about Alfresco
Edit file 000-default.conf
We configure Apache to accept HTTPS requests and forward them to Alfresco in the 000-default.conf file:
cd /etc/apache2/sites-enabled
sudo vi 000-default.conf
At the top of the 000-default.conf file, edit the section <VirtualHost *:80>:
<VirtualHost *:80>
    RewriteEngine On
    # In VirtualHost context the matched path already starts with "/",
    # so capture after the slash to avoid a double slash in the redirect
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
    …
</VirtualHost>
At the bottom of the file, add the following new section:
<VirtualHost *:443>
    ServerName {servername}
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    <Location />
        # SSLRequireSSL takes no arguments
        SSLRequireSSL
        SSLVerifyClient optional
        SSLRenegBufferSize 104860000
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars +StrictRequire
    </Location>
    # Send everything for the context / to the worker named ajp13_worker via ajp13
    JkMount /* ajp13_worker
</VirtualHost>
Edit the worker file workers.properties
Edit the default workers file.
cd /etc/libapache2-mod-jk
sudo vi workers.properties
This file contains an entry for the hostname. The default is localhost. Change the value for host to be the hostname of the machine where Alfresco is running.
worker.list=ajp13_worker
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=your-internal-alfresco-host-name
worker.ajp13_worker.type=ajp13
worker.ajp13_worker.lbfactor=1
Edit the Apache file httpd.conf
cd /etc/apache2
sudo vi httpd.conf
This file may not exist yet; create it if needed.
Add the following line to the bottom of that file:
ServerName {your-server-name}
Restart Apache
Then, restart the Apache service:
sudo /etc/init.d/apache2 restart
Access Alfresco via SSL
SSL should now be configured.
The URL https://{hostname}/share will take you to the Share login page.
The top-level URL, https://{hostname}, takes you to the general Alfresco welcome page.
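Before handing the proxy over, it is worth checking that the configuration actually behaves as the sections above intend: plain HTTP must redirect to HTTPS on the same host, the private key must stay root-only, the TLS protocol version should be pinned rather than left to the distribution default, and the AJP connector on port 8009 (which carries unauthenticated requests from the proxy to Tomcat) must not be reachable from anywhere but the proxy. The script below is an added example, not part of the original post. It assumes curl, nc and apache2ctl are available; PROXY_HOST and ALFRESCO_HOST are placeholders, and the AJP check only tells you something when it is run from a machine other than the proxy.

```shell
#!/bin/sh
# Added example (not from the original post). Post-deployment checks for the
# Apache SSL proxy. Assumes curl, nc and apache2ctl; hostnames are placeholders.
set -u

# 1. Plain HTTP must answer with a 3xx whose Location is https:// on the same host.
#    $1: raw response headers (as from `curl -sI http://host/`), $2: expected host.
redirect_is_https() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v host="$2" '
    NR == 1                    { code = $2 }
    tolower($1) == "location:" { loc = $2 }
    END { exit (code ~ /^30[1278]$/ && loc ~ ("^https://" host "/")) ? 0 : 1 }'
}

# 2. The private key must belong to the expected owner and be mode 0600 or 0400.
#    $1: key path, $2: expected owner (root on a real system).
key_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
  [ "$owner" = "$2" ] && { [ "$mode" = 600 ] || [ "$mode" = 400 ]; }
}

# 3. Unless SSLProtocol is set, Apache uses whatever the distribution's ssl.conf
#    allows. Look for an uncommented SSLProtocol line under the config root ($1).
tls_protocol_pinned() {
  grep -rqE '^[[:space:]]*SSLProtocol[[:space:]]' "$1"
}

# 4. Returns 0 if a TCP connection to the AJP port succeeds. Run from a host that
#    is NOT the proxy: success there means the connector is exposed.
ajp_reachable() {
  nc -z -w 2 "$1" "${2:-8009}" >/dev/null 2>&1
}

# Run all checks against a live proxy:  sh check_proxy.sh PROXY_HOST ALFRESCO_HOST
check_proxy() {
  proxy=$1; alfresco=$2; rc=0
  if sudo apache2ctl configtest 2>&1 | grep -q 'Syntax OK'; then
    echo "configtest: OK"
  else
    echo "configtest: FAILED"; rc=1
  fi
  if key_perms_ok /etc/ssl/private/server.key root; then
    echo "key permissions: OK"
  else
    echo "key permissions: wrong owner or too permissive"; rc=1
  fi
  if tls_protocol_pinned /etc/apache2; then
    echo "SSLProtocol: set explicitly"
  else
    echo "SSLProtocol: not set, distribution default in effect"; rc=1
  fi
  if redirect_is_https "$(curl -sI "http://$proxy/")" "$proxy"; then
    echo "http -> https redirect: OK"
  else
    echo "http -> https redirect: MISSING or wrong host"; rc=1
  fi
  if ajp_reachable "$alfresco" 8009; then
    echo "AJP 8009 on $alfresco reachable from this host: restrict it to the proxy"; rc=1
  else
    echo "AJP 8009 on $alfresco not reachable from this host: OK"
  fi
  return $rc
}

[ $# -eq 2 ] && check_proxy "$1" "$2"
```

The redirect check deliberately insists on the same host in the Location header: a redirect that lands on a different name is the symptom of a wrong ServerName in httpd.conf or the 443 vhost.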