Configuring Apache HTTPS Reverse-Proxy
Exposing OpenKM directly from Tomcat can be dangerous if the application needs to be reached from the Internet (see for example https://issues.jboss.org/browse/JBAS-3861). As a result you can be infected by PerlBot. Also, port 8080 may be blocked by a firewall. For these reasons, it is good practice to expose your OpenKM installation through the standard web port 80. In the following steps we explain how to configure Apache to handle these requests and forward them to the Tomcat application server using the AJP13 protocol.
From the Apache documentation: The AJP13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for performance reasons. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles.
Internal IP vs external IP
Your OpenKM can be accessed from two different zones: the Internet and the LAN. This means that to reach the server you need two IPs: an external IP (Internet) and an internal IP (LAN).
The internal IP address (also known as the "local IP address") is the address assigned by your local network router, which often begins with 192.168.x.x. These IP addresses can only be seen by other computers in your local network (LAN) and not by any computer connected to an external network such as the Internet.
To reach the Internet or a computer in another network, your computer is usually assigned an external IP address, which can then be used to refer to the computer in your local network.
In the above picture, there are three computers in the local network that have each been assigned their own internal IP address by the router. The ISP is connected to the router and gives the router an external IP address that allows it to communicate with the Internet. On the Internet everyone sees your external IP address, but any information coming from the router is "converted" from the external IP address to the internal IP address.
So if you want your OpenKM installation to be accessible from both the LAN and the Internet, the trick is to make client computers resolve the internal IP (192.168.0.50) when they are inside the LAN and the external IP when they are on the Internet. To resolve the Internet IP (67.166.214.148) your computer uses the public DNS. So you need to configure some kind of DNS server inside the LAN, or modify the hosts file on every client, so that the name resolves to the internal IP.
Debian and Ubuntu
The first thing is to install the required Apache software. On Debian / Ubuntu you can install Apache with a single command:
$ sudo apt-get install apache2
Edit the file named /etc/apache2/apache2.conf and configure a ServerName to prevent warnings in the Apache startup process:
$ vim /etc/apache2/apache2.conf
ServerRoot "/etc/apache2"
ServerName "your-domain.com"
Editing apache2.conf is optional.
Enable the proxy module:
$ sudo a2enmod proxy_ajp
Create the Certificates
$ sudo mkdir /etc/apache2/ssl
$ sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
$ sudo a2enmod ssl
If you need to convert the .pem file to .crt, use the command:
$ openssl x509 -in cacert.pem -out cacert.crt
You may also be interested in Configuring OpenSSL.
Ensure port 443 is listened on (a Listen 443 directive is present) in /etc/apache2/ports.conf:
$ cat /etc/apache2/ports.conf | grep Listen
Create the configuration file /etc/apache2/sites-available/openkm.conf with this content:
$ vim /etc/apache2/sites-available/openkm.conf
<VirtualHost *:443>
ServerName openkm.your-domain.com
RedirectMatch ^/$ /OpenKM
ProxyPass /OpenKM ajp://127.0.0.1:8009/OpenKM
ProxyPassReverse /OpenKM https://openkm.your-domain.com/OpenKM
ErrorLog /var/log/apache2/openkm.your-domain.com-error.log
CustomLog /var/log/apache2/openkm.your-domain.com-access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
Replace openkm.your-domain.com with your server IP or your domain.
The VirtualHost ServerName must differ from the ServerName in the main Apache configuration. Enable this site configuration:
$ cd /etc/apache2/sites-available/
$ sudo a2ensite openkm.conf
Redirect all HTTP connections to HTTPS
This step is optional.
Edit the configuration file /etc/apache2/sites-available/openkm.conf and add this content:
$ vim /etc/apache2/sites-available/openkm.conf
<VirtualHost *:80>
ServerName openkm.your-domain.com
Redirect permanent / https://openkm.your-domain.com/
</VirtualHost>
Check the configuration
Restart Apache:
$ sudo /etc/init.d/apache2 restart
Check that you can access your OpenKM installation at https://openkm.your-domain.com/.
Another advantage of using Apache is that you can log OpenKM access and generate web statistics.
To check the syntax of the configuration files, run:
$ /usr/sbin/apache2 -t
Red Hat and CentOS
Use the yum application manager to install Apache:
$ sudo yum install httpd
Enable it at boot:
$ sudo chkconfig httpd --level 2345 on
Create the Certificate
$ sudo yum install mod_ssl openssl crypto-utils
Generate the private key and certificate (for more information, see Apache HTTP Secure Server Configuration):
$ genkey your-domain.com
Usually you want to generate a self-signed certificate rather than sending a request to a Certificate Authority. It is good practice to set a password on the private key, but in that case the password will be requested each time the Apache service is restarted.
You may also be interested in Configuring OpenSSL.
The process generates two files, which are referenced by these directives:
SSLCertificateFile /etc/pki/tls/certs/your-domain.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/your-domain.com.key
Now create the file /etc/httpd/conf.d/openkm.conf with this content:
$ vim /etc/httpd/conf.d/openkm.conf
<VirtualHost *:443>
ServerName openkm.your-domain.com
ProxyPass / ajp://localhost:8009/OpenKM/
ProxyPassReverse / https://openkm.your-domain.com/OpenKM/
ErrorLog /var/log/your-domain.com-error.log
CustomLog /var/log/your-domain.com-access.log combined
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/your-domain.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/your-domain.com.key
</VirtualHost>
Replace openkm.your-domain.com with your server IP or your domain.
Finally, you must modify the SSLCertificateFile and SSLCertificateKeyFile values in the file /etc/httpd/conf.d/ssl.conf:
$ vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/your-domain.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/your-domain.com.key
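As an added example (not part of the OpenKM documentation), the following shell lint checks a vhost file such as the Debian or the Red Hat one above for the three properties this setup depends on: TLS enabled, the AJP backend reached only over loopback, and Location headers rewritten to https. The check function and both sample configurations are constructed for this example.

```shell
# Added example, not part of the OpenKM documentation: lint an Apache vhost
# file for the properties this reverse-proxy setup depends on. Returns the
# number of failed checks (0 means the file passed).
check_vhost_conf() {
    conf="$1"
    fails=0
    # 1. TLS must be switched on in the vhost that serves port 443.
    if ! grep -Eq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf"; then
        echo "FAIL: SSLEngine on is missing"; fails=$((fails + 1))
    fi
    # 2. Every AJP backend must be 127.0.0.1 or localhost, so the Tomcat
    #    connector never needs to be reachable from the LAN or the Internet.
    if grep -E '^[[:space:]]*ProxyPass[[:space:]]' "$conf" | grep -E 'ajp://' \
        | grep -Evq 'ajp://(127\.0\.0\.1|localhost)(:[0-9]+)?/'; then
        echo "FAIL: ProxyPass targets a non-loopback AJP backend"; fails=$((fails + 1))
    fi
    # 3. ProxyPassReverse must map Location headers to https://, otherwise a
    #    redirect coming from Tomcat can send the browser back to plain HTTP.
    if grep -E '^[[:space:]]*ProxyPassReverse[[:space:]]' "$conf" \
        | grep -Eq '[[:space:]]http://'; then
        echo "FAIL: ProxyPassReverse rewrites to http:// instead of https://"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: the Debian vhost from this page, expected to pass.
sample_good_conf() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName openkm.your-domain.com
    ProxyPass /OpenKM ajp://127.0.0.1:8009/OpenKM
    ProxyPassReverse /OpenKM https://openkm.your-domain.com/OpenKM
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
EOF
}
# Constructed sample with three defects (no TLS, AJP over a LAN address,
# ProxyPassReverse pointing clients back to http://), expected to fail.
sample_bad_conf() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName openkm.your-domain.com
    ProxyPass / ajp://192.168.0.50:8009/OpenKM/
    ProxyPassReverse / http://your-domain.com/OpenKM/
</VirtualHost>
EOF
}
```

Run it as `check_vhost_conf /etc/apache2/sites-available/openkm.conf` (or the /etc/httpd/conf.d path) before restarting Apache; a non-zero exit lists the failed checks.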
Check the configuration
Restart Apache:
$ sudo /etc/init.d/httpd restart
Check that you can access your OpenKM installation at https://openkm.your-domain.com/.
Another advantage of using Apache is that you can log OpenKM access and generate web statistics.
Error Permission denied: proxy: AJP: attempt to connect
If an error like Permission denied: proxy: AJP: attempt to connect appears in the log, run the following command to fix it:
$ /usr/sbin/setsebool httpd_can_network_connect 1
If that fixes it, make the setting permanent so it persists across reboots:
$ /usr/sbin/setsebool -P httpd_can_network_connect 1
Troubleshooting
If you see an error like:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
You need to enable these Apache modules:
$ sudo a2enmod rewrite
$ sudo a2enmod proxy_http
$ sudo a2enmod headers