Page Comparison

Table of Contents

Div

class	abiheader

Abiquo Apache Frontend

This guide will show you how to configure an Apache as a front door with SSL protection for Abiquo. The communication between Apache and Tomcat is done with the AJP Connector to improve performance.

...

Install Apache with mod_ssl

...

Code Block
# yum install -y httpd mod_ssl openssl

Generate keys

Generate private key:

...

class	verysmallcode

...

Generate CSR:

...

Code Block
# openssl req -new -key ca.key -out ca.csr

Generate self signed key:

Div

class	verysmallcode

Code Block

# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Move files to the correct location:

div

class	verysmallcode

Code Block

# mv ca.crt /etc/pki/tls/certs
# mv ca.key /etc/pki/tls/private/ca.key
# mv ca.csr /etc/pki/tls/private/ca.csr

Configure Apache

Move default configurations

#

Div

class	verysmallcode

Code Block

# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bck
# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bck

Configure SSL

Edit a new /etc/httpd/conf.d/ssl.conf with the following parameters:

...

Code Block

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

Configure AJP Proxy

Info
You can use mod_rewrite to define a different location URI for the client. For example, <Location /management>

Edit /etc/httpd/conf.d/proxy_ajp.conf and add these lines:

...

Code Block

<VirtualHost *:80>
    RewriteEngine On
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    RewriteEngine On
    ProxyRequests Off
    ProxyPreserveHost On

    <Directory "/opt/abiquo/tomcat/webapps/client-premium/">
        Options MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    RewriteRule ^/client-premium$ /client-premium/ [R]

   <Location /client-premium>
        ProxyPass ajp://localhost:8010/client-premium/
        ProxyPassReverse ajp://localhost:8010/client-premium/
    </Location>

    <Location /api>
        ProxyPass ajp://localhost:8010/api/
        ProxyPassReverse ajp://localhost:8010/api/
    </Location>

    <Location /legal/>
        ProxyPass ajp://localhost:8010/legal/
        ProxyPassReverse ajp://localhost:8010/legal/
    </Location>

	<Location /m/>
        ProxyPass ajp://localhost:8010/m/
        ProxyPassReverse ajp://localhost:8010/m/
    </Location>

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

</VirtualHost>

Configure Tomcat

Delete all existing Connector sections.

Put this connector configuration in /opt/abiquo/tomcat/conf/server.xml under <Service name="Catalina"> section:

...

verysmallcode

Code Block

<Service name="Catalina">

    <Connector port="8009" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443"
               secure="true"
               />

    <Connector port="8010" protocol="AJP/1.3"
               enableLookups="false"
               tomcatAuthentication="false"
               connectionTimeout="20000" secure="true"
               />

Enable HTTPS in the client

Edit /opt/abiquo/tomcat/webapps/client-premium/config/client-config.xml.jsp and change USE_SECURE_CHANNEL_LOGIN value to 1:

Div

class	verysmallcode

Code Block
... <name>USE_SECURE_CHANNEL_LOGIN</name> <value><%= System.getProperty("client.USE_SECURE_CHANNEL_LOGIN", "0") %></value> ...

Notice that if you enable this option, you will not be able to connect to Abiquo with this client using the HTTP URI, as it only connects to SSL enabled URIs

...

Edit /opt/abiquo/config/abiquo.properties and add this line (or modify the value if it already exists):

Div

class	verysmallcode

Code Block

...
abiquo.server.api.location = http://localhost:8009/api

Restart Services

...

Code Block
service abiquo-tomcat restart service httpd restart

Now all client-server communication will go through a Secure Socket Layer. You can still use HTTP direct connection to Tomcat through port 8009.

...

Versions Compared

Old Version 14

New Version 15

Key

Install Apache with mod_ssl

Code Block
# yum install -y httpd mod_ssl openssl

Generate keys

Generate private key:

Generate CSR:

Code Block
# openssl req -new -key ca.key -out ca.csr

Generate self signed key:

Configure Apache

Move default configurations

Configure SSL

Configure AJP Proxy

Configure Tomcat

Enable HTTPS in the client

Restart Services

Code Block
service abiquo-tomcat restart service httpd restart
Now all client-server communication will go through a Secure Socket Layer. You can still use HTTP direct connection to Tomcat through port 8009.
...

Page Comparison

Versions Compared

Old Version 14

New Version 15

Key

Install Apache with mod_ssl

Code Block# yum install -y httpd mod_ssl openssl

Generate keys

Generate private key:

Generate CSR:

Code Block# openssl req -new -key ca.key -out ca.csr

Generate self signed key:

Configure Apache

Move default configurations

Configure SSL

Configure AJP Proxy

Configure Tomcat

Enable HTTPS in the client

Restart Services

Code Blockservice abiquo-tomcat restart service httpd restart Now all client-server communication will go through a Secure Socket Layer. You can still use HTTP direct connection to Tomcat through port 8009....

Code Block
# yum install -y httpd mod_ssl openssl

Code Block
# openssl req -new -key ca.key -out ca.csr

Code Block
service abiquo-tomcat restart service httpd restart
Now all client-server communication will go through a Secure Socket Layer. You can still use HTTP direct connection to Tomcat through port 8009.
...