...

This guide shows you how to configure Apache as a front door with SSL protection for Abiquo. Communication between Apache and Tomcat uses the AJP connector to improve performance.

...

Info

You can use mod_rewrite to define a different location URI for the client, for example <Location /management>.

Edit /etc/httpd/conf.d/proxy_ajp.conf and add these lines:

Code Block
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    RewriteEngine On
    ProxyRequests Off
    ProxyPreserveHost On

    <Directory "/opt/abiquo/tomcat/webapps/client-premium/">
        Options MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    RewriteRule ^/client-premium$ /client-premium/ [R]

    <Location /client-premium>
        ProxyPass ajp://localhost:8010/client-premium/
        ProxyPassReverse ajp://localhost:8010/client-premium/
    </Location>

    <Location /api>
        ProxyPass ajp://localhost:8010/api/
        ProxyPassReverse ajp://localhost:8010/api/
    </Location>

    <Location /legal/>
        ProxyPass ajp://localhost:8010/legal/
        ProxyPassReverse ajp://localhost:8010/legal/
    </Location>

    <Location /m/>
        ProxyPass ajp://localhost:8010/m/
        ProxyPassReverse ajp://localhost:8010/m/
    </Location>

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
</VirtualHost>
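The SSLProtocol and SSLCipherSuite values in the vhost above still allow SSLv3, RC4 and LOW-strength ciphers to be negotiated. The following is an added example, not part of the original guide: a small Python checker that parses the SSL* directives of a vhost fragment and reports those weaknesses. It is run against the page's own directives and against a hardened set; the hardened values are this example's suggestion, not the page's.

```python
# Added example: static audit of the SSL directives in an httpd vhost fragment.
# WEAK_VHOST is the page's own configuration; HARDENED_VHOST is a constructed
# replacement, shown only so that the checker can be seen passing.
WEAK_VHOST = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
"""
HARDENED_VHOST = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES:!EXPORT:!LOW
"""
# Cipher-string keywords that should never be negotiable on a front door.
UNWANTED = ("LOW", "MEDIUM", "EXPORT", "RC4", "MD5", "ADH", "aNULL")
CATCH_ALL = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}


def parse_ssl_directives(text):
    """Return {directive: value} for the SSL* lines of a config fragment."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("SSL"):
            out[parts[0]] = parts[1]
    return out


def audit_tls(text):
    """Return a list of findings; an empty list means the fragment passes."""
    d = parse_ssl_directives(text)
    findings = []
    if d.get("SSLEngine", "off").lower() != "on":
        findings.append("SSLEngine is not on")
    proto = d.get("SSLProtocol", "all").split()
    if "all" in proto and "-SSLv3" not in proto:
        findings.append("SSLProtocol leaves SSLv3 enabled")
    tokens = d.get("SSLCipherSuite", "DEFAULT").split(":")
    negated = {t[1:] for t in tokens if t.startswith("!")}
    # '+' only reorders a keyword; 'RC4+RSA' selects ciphers matching both.
    listed = {k for t in tokens if not t.startswith("!")
              for k in t.lstrip("+").split("+")}
    catch_all = bool(listed & CATCH_ALL)
    for bad in UNWANTED:
        if bad not in negated and (bad in listed or catch_all):
            findings.append(f"SSLCipherSuite still permits {bad}")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off, so the client picks the cipher")
    return findings
```

Because `ALL` enables every keyword that is not explicitly negated, the page's string is reported for LOW, MEDIUM, RC4, MD5 and aNULL even though only the last three keywords appear to be "added" by the `+` prefixes.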

Configure Tomcat

Put this connector configuration in /opt/abiquo/tomcat/conf/server.xml under the <Service name="Catalina"> section, deleting all other Connector sections:

Code Block
<Service name="Catalina">

    <Connector port="8009" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443"
               secure="true"
               />

    <Connector port="8010" protocol="AJP/1.3"
               enableLookups="false"
               tomcatAuthentication="false"
               connectionTimeout="20000" secure="true"
               />
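The AJP connector above has no address attribute, so Tomcat accepts AJP connections on every interface, and tomcatAuthentication="false" makes Tomcat trust whatever user name the AJP peer forwards. This added example (constructed here, not part of the original page) parses a server.xml fragment like the one above and reports AJP connectors that are not bound to loopback, which is the right binding for the single-machine layout; for the AM layout later on the page, where Apache on another host reaches AJP over the network, the same check reports instead that the listener needs a firewall rule.

```python
# Added example: check how the AJP connector in server.xml is exposed.
import xml.etree.ElementTree as ET

# Constructed sample: the page's two Connector elements, wrapped in the enclosing
# Server/Service elements so that the fragment parses as a complete document.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="HTTP/1.1" connectionTimeout="20000"
               URIEncoding="UTF-8" redirectPort="8443" secure="true" />
    <Connector port="8010" protocol="AJP/1.3" enableLookups="false"
               tomcatAuthentication="false" connectionTimeout="20000" secure="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_findings(server_xml, proxy_on_same_host=True):
    """Return a list of (port, finding) tuples for every AJP connector.

    proxy_on_same_host=True models Apache and Tomcat on one machine, where the
    AJP listener should only be reachable over loopback; False models the AM
    layout, where Apache on another host has to reach the listener.
    """
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if not c.get("protocol", "HTTP/1.1").startswith("AJP/"):
            continue
        port, address = c.get("port"), c.get("address")
        if proxy_on_same_host and address not in LOOPBACK:
            findings.append((port, 'AJP listens on all interfaces; add address="127.0.0.1"'))
        elif not proxy_on_same_host and address is None:
            findings.append((port, "AJP reachable from any host; allow only the proxy's IP at the firewall"))
        if c.get("tomcatAuthentication", "true").lower() == "false":
            findings.append((port, "tomcatAuthentication=false: Tomcat trusts the user name sent by the AJP peer"))
    return findings


def bind_ajp_to_loopback(server_xml):
    """Return server.xml with address="127.0.0.1" set on every AJP connector."""
    root = ET.fromstring(server_xml)
    for c in root.iter("Connector"):
        if c.get("protocol", "").startswith("AJP/"):
            c.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")
```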

...

Note that if you enable this option, you will not be able to connect to Abiquo with this client using the HTTP URI, as it only connects to SSL-enabled URIs.

Change API properties

...

Code Block
http://<public_ip>:8009/am

 

Adding SSL to AM

On the machine where the Appliance Manager (AM) is running, repeat the steps described above (Install Apache with mod_ssl, Generate keys, Configure Apache and Configure Tomcat).

Declare the hostname of the Server + API machine (10.60.11.24), the AM machine (10.60.11.25) and also the host that will connect to the client (your own localhost).

For example, in the API+Server machine:

Code Block
vim /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 server263 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.60.11.24 server263
10.60.11.25 rs263

The same file must be properly configured on the AM machine. You can check that everything works if, after executing "hostname", the selected name is displayed. If not, try running the following command:

Code Block
/etc/init.d/network restart

...

 

Next, add the hostname to /etc/httpd/conf/httpd.conf on both the API+Server machine and the AM machine:

Code Block
ServerName server263

...

Now, on the API+Server machine, edit /etc/httpd/conf.d/proxy_ajp.conf and add the configuration for the AM machine, leaving the file something like this:

Code Block
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

<VirtualHost *:80>
    RewriteEngine On
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    RewriteEngine On
    ProxyRequests Off
    ProxyPreserveHost On

    <Directory /opt/abiquo/tomcat/webapps/client-premium/>
        Options MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    RewriteRule ^/client-premium$ /client-premium/ [R]

    <Location /client-premium>
        ProxyPass ajp://server263:8010/client-premium/
        ProxyPassReverse ajp://server263:8010/client-premium/
    </Location>

    <Location /api>
        ProxyPass ajp://server263:8010/api/
        ProxyPassReverse ajp://server263:8010/api/
    </Location>

    <Location /m>
        ProxyPass ajp://server263:8010/m/
        ProxyPassReverse ajp://server263:8010/m/
    </Location>

    <Location /legal/>
        ProxyPass ajp://server263:8010/legal/
        ProxyPassReverse ajp://server263:8010/legal/
    </Location>

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key

    <Directory /opt/abiquo/tomcat/webapps/am/>
        Options MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Location /am>
        ProxyPass ajp://rs263:8010/am
        ProxyPassReverse ajp://rs263:8010/am
    </Location>
</VirtualHost>

 

The next step is to import the AM machine's certificate into the Java trust store of the API+Server machine. From the API+Server machine, execute:

Code Block
/usr/java/jdk1.7.0_21/bin/keytool -import -trustcacerts -noprompt -alias hostname -file PATH_TO_AM_crt -keystore /usr/java/jdk1.7.0_21/jre/lib/security/cacerts -storepass changeit

Here hostname is the hostname of the AM machine and PATH_TO_AM_crt is the path where the AM certificate was created, for example:

Code Block
/usr/java/jdk1.7.0_21/bin/keytool -import -trustcacerts -noprompt -alias rs263 -file /etc/pki/tls/certs/ca.crt -keystore /usr/java/jdk1.7.0_21/jre/lib/security/cacerts -storepass changeit

...

To finish the setup, we should:

...