This guide will show you how to configure an Apache as a front door with SSL protection for Abiquo. The communication between Apache and Tomcat is done with AJP Connector to improve performace.
Install Apache with mod_ssl
# yum install -y httpd mod_ssl openssl
Generate keys
Generate private key:
# openssl genrsa -out ca.key 1024
Generate CSR:
# openssl req -new -key ca.key -out ca.csr
Generate self signed key:
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Move files to the correct location:
# mv ca.crt /etc/pki/tls/certs # mv ca.key /etc/pki/tls/private/ca.key # mv ca.csr /etc/pki/tls/private/ca.csr
Configure Apache
Move default configurations
# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bck # mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bck
Configure SSL
Edit a new /etc/httpd/conf.d/ssl.conf with the following parameters:
LoadModule ssl_module modules/mod_ssl.so Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 SSLMutex default SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin
Configure AJP Proxy
You can use mod_rewrite to define a different location URI for the client. I.E. <Location /management>
Edit /etc/httpd/conf.d/proxy_ajp.conf and add these lines:
<VirtualHost *:80>
RewriteEngine On
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>
<VirtualHost *:443>
RewriteEngine On
ProxyRequests Off
ProxyPreserveHost On
<Directory "/opt/abiquo/tomcat/webapps/client-premium/">
Options MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
RewriteRule ^/client-premium$ /client-premium/ [R]
<Location /client-premium>
ProxyPass ajp://localhost:8010/client-premium/
ProxyPassReverse ajp://localhost:8010/client-premium/
</Location>
<Location /api>
ProxyPass ajp://localhost:8010/api/
ProxyPassReverse ajp://localhost:8010/api/
</Location>
<Location /legal/>
ProxyPass ajp://localhost:8010/legal/
ProxyPassReverse ajp://localhost:8010/legal/
</Location>
<Location /m/>
ProxyPass ajp://localhost:8010/m/
ProxyPassReverse ajp://localhost:8010/m/
</Location>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
</VirtualHost>
Configure Tomcat
Put this connector configuration in /opt/abiquo/tomcat/conf/server.xml under <Service name="Catalina"> section, deleting all other Connector section:
<Service name="Catalina">
<Connector port="8009" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443"
secure="true"
/>
<Connector port="8010" protocol="AJP/1.3"
enableLookups="false"
tomcatAuthentication="false"
connectionTimeout="20000" secure="true"
/>
Enable HTTPS in the client
Edit /opt/abiquo/tomcat/webapps/client-premium/config/client-config.xml.jsp and change USE_SECURE_CHANNEL_LOGIN value to 1:
...
<name>USE_SECURE_CHANNEL_LOGIN</name>
<value><%= System.getProperty("client.USE_SECURE_CHANNEL_LOGIN", "0") %></value>
...
Notice that if you enable this option, you will not be able to connect to Abiquo with this client using the HTTP URI, as it only connect to SSL enabled URIs
Change API properties
Edit /opt/abiquo/config/abiquo.properties and add this line (or modify the value if it already exists):
... abiquo.server.api.location = http://localhost:8009/api
Restart Services
service abiquo-tomcat restart service httpd restart
Now all client-server communication will go through a Secure Socket Layer. You can still use HTTP direct connection to Tomcat through port 8009.
Monolithic Installation
In a monolithic install, when configuring the datacenter, use 8009 port instead of standard HTTP 80 port for remote services. For example, to configure the Appliance Manager you should use the URL:
http://<public_ip>:8009/am