This guide shows you how to configure Apache as a front door with SSL protection for Abiquo. Communication between Apache and Tomcat uses the AJP connector to improve performance.
Install Apache with mod_ssl
# yum install -y httpd mod_ssl openssl
Generate keys
Generate private key:
# openssl genrsa -out ca.key 1024
Generate CSR:
# openssl req -new -key ca.key -out ca.csr
Generate a self-signed certificate:
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Move files to the correct location:
# mv ca.crt /etc/pki/tls/certs
# mv ca.key /etc/pki/tls/private/ca.key
# mv ca.csr /etc/pki/tls/private/ca.csr
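As an added example (not part of the Abiquo guide), the following POSIX shell script produces the same ca.key, ca.csr and ca.crt files non-interactively, with a 2048-bit key instead of the 1024-bit key shown above, a subjectAltName for the front-door hostname so that browsers and the Java truststore import later in this guide validate the name, and a private key that is never world-readable. It then checks that the certificate really belongs to the key before anything is moved into /etc/pki/tls. The hostname and output directory are arguments; the only assumption is an openssl command line on the PATH.

```shell
#!/bin/sh
# Added example, not from the Abiquo guide. Generates the key/CSR/certificate
# trio the guide creates interactively, with a stronger key and a SAN, and
# checks the result. Assumes only the openssl CLI is installed.

# make_front_door_cert HOSTNAME OUTDIR [DAYS]
# Writes OUTDIR/ca.key, OUTDIR/ca.csr and OUTDIR/ca.crt (same names as the guide).
make_front_door_cert() {
    host="$1"
    out="$2"
    days="${3:-365}"
    mkdir -p "$out" || return 1

    # 2048-bit RSA instead of the guide's 1024 bits; umask in a subshell so the
    # key file is created without group/world read bits from the start.
    ( umask 077 && openssl genrsa -out "$out/ca.key" 2048 2>/dev/null ) || return 1

    # CSR with the subject given on the command line instead of interactive prompts
    openssl req -new -key "$out/ca.key" -subj "/CN=$host" -out "$out/ca.csr" \
        2>/dev/null || return 1

    # Modern clients match the hostname against subjectAltName, not the CN
    printf 'subjectAltName=DNS:%s\n' "$host" > "$out/san.cnf"
    openssl x509 -req -days "$days" -in "$out/ca.csr" -signkey "$out/ca.key" \
        -extfile "$out/san.cnf" -out "$out/ca.crt" 2>/dev/null || return 1

    chmod 600 "$out/ca.key" && chmod 644 "$out/ca.crt"
}

# cert_matches_key CRT KEY: succeeds when both carry the same RSA modulus
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# cert_key_bits CRT: prints the public key size in bits
cert_key_bits() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -1
}

# cert_sans CRT: prints each DNS name from subjectAltName, one per line
cert_sans() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^,[:space:]]*'
}

# Usage: sh this.sh server263 /tmp/frontdoor, then mv the files as the guide does
if [ -n "$1" ] && [ -n "$2" ]; then
    make_front_door_cert "$1" "$2" && cert_matches_key "$2/ca.crt" "$2/ca.key" \
        && echo "ok: $(cert_key_bits "$2/ca.crt")-bit key, SAN $(cert_sans "$2/ca.crt" | tr '\n' ' ')"
fi
```

The modulus comparison is the check worth keeping: a certificate that does not match the key Apache is told to use fails only at startup or at the first handshake, so catching it before the mv commands saves a round of log reading.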
Configure Apache
Move default configurations
# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bck
# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bck
Configure SSL
Create a new /etc/httpd/conf.d/ssl.conf with the following parameters:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
Configure AJP Proxy
You can use mod_rewrite to expose the client under a different location URI, for example <Location /management>.
Edit /etc/httpd/conf.d/proxy_ajp.conf and add these lines:
<VirtualHost *:80>
  RewriteEngine On
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
  RewriteEngine On
  ProxyRequests Off
  ProxyPreserveHost On

  <Directory "/opt/abiquo/tomcat/webapps/client-premium/">
    Options MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  RewriteRule ^/client-premium$ /client-premium/ [R]

  <Location /client-premium>
    ProxyPass ajp://localhost:8010/client-premium/
    ProxyPassReverse ajp://localhost:8010/client-premium/
  </Location>
  <Location /api>
    ProxyPass ajp://localhost:8010/api/
    ProxyPassReverse ajp://localhost:8010/api/
  </Location>
  <Location /legal/>
    ProxyPass ajp://localhost:8010/legal/
    ProxyPassReverse ajp://localhost:8010/legal/
  </Location>
  <Location /m/>
    ProxyPass ajp://localhost:8010/m/
    ProxyPassReverse ajp://localhost:8010/m/
  </Location>

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/ca.crt
  SSLCertificateKeyFile /etc/pki/tls/private/ca.key
</VirtualHost>
Configure Tomcat
Delete all existing Connector sections.
Put this connector configuration in /opt/abiquo/tomcat/conf/server.xml under the <Service name="Catalina"> section:
<Service name="Catalina">
  <Connector port="8009" protocol="HTTP/1.1"
             connectionTimeout="20000"
             URIEncoding="UTF-8"
             redirectPort="8443"
             secure="true" />
  <Connector port="8010" protocol="AJP/1.3"
             enableLookups="false"
             tomcatAuthentication="false"
             connectionTimeout="20000"
             secure="true" />
Enable HTTPS in the client
Edit /opt/abiquo/tomcat/webapps/client-premium/config/client-config.xml.jsp and change the USE_SECURE_CHANNEL_LOGIN value to 1 (the snippet reads it from the client.USE_SECURE_CHANNEL_LOGIN system property with a default of "0"):
...
<name>USE_SECURE_CHANNEL_LOGIN</name>
<value><%= System.getProperty("client.USE_SECURE_CHANNEL_LOGIN", "0") %></value>
...
Note that if you enable this option, you will not be able to connect to Abiquo with this client over a plain HTTP URI, as it then only connects to SSL-enabled URIs.
Change API properties
Edit /opt/abiquo/config/abiquo.properties and add this line (or modify the value if it already exists):
...
abiquo.server.api.location = http://localhost:8009/api
Restart Services
service abiquo-tomcat restart
service httpd restart
Now all client-server communication goes through a Secure Socket Layer. A direct, unencrypted HTTP connection to Tomcat on port 8009, bypassing Apache, is still possible.
Monolithic Installation
In a monolithic install, when configuring the datacenter, use port 8009 instead of the standard HTTP port 80 for remote services. For example, to configure the Appliance Manager you should use the URL:
http://<public_ip>:8009/am
Adding SSL to AM
On the machine where the Appliance Manager (AM) is running, repeat the above steps (Install Apache with mod_ssl, Generate keys, Configure Apache and Configure Tomcat).
Declare the hostnames of the Server + API machine (10.60.11.24), the AM machine (10.60.11.25) and the host that will connect to the client (your own localhost) in /etc/hosts.
For example, on the API+Server machine:
vim /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       server263 localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
10.60.11.24     server263
10.60.11.25     rs263
The same file must be configured on the AM machine. You can check that everything works by running "hostname" and confirming that the chosen name is displayed. If not, try running the following command:
/etc/init.d/network restart
Next add the hostname into /etc/httpd/conf/httpd.conf on the API+Server machine and AM machine:
ServerName server263
Now on the API+Server machine, we configure /etc/httpd/conf.d/proxy_ajp.conf and add the AM machine's configuration, so the file looks something like this:
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

<VirtualHost *:80>
  RewriteEngine On
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
  RewriteEngine On
  ProxyRequests Off
  ProxyPreserveHost On

  <Directory /opt/abiquo/tomcat/webapps/client-premium/>
    Options MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  RewriteRule ^/client-premium$ /client-premium/ [R]

  <Location /client-premium>
    ProxyPass ajp://server263:8010/client-premium/
    ProxyPassReverse ajp://server263:8010/client-premium/
  </Location>
  <Location /api>
    ProxyPass ajp://server263:8010/api/
    ProxyPassReverse ajp://server263:8010/api/
  </Location>
  <Location /m>
    ProxyPass ajp://server263:8010/m/
    ProxyPassReverse ajp://server263:8010/m/
  </Location>
  <Location /legal/>
    ProxyPass ajp://server263:8010/legal/
    ProxyPassReverse ajp://server263:8010/legal/
  </Location>

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/ca.crt
  SSLCertificateKeyFile /etc/pki/tls/private/ca.key

  <Directory /opt/abiquo/tomcat/webapps/am/>
    Options MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  <Location /am>
    ProxyPass ajp://rs263:8010/am
    ProxyPassReverse ajp://rs263:8010/am
  </Location>
</VirtualHost>
The next step is to import the keys from the AM machine into the API+Server machine. So from the API+Server machine we execute:
/usr/java/jdk1.7.0_21/bin/keytool -import -trustcacerts -noprompt -alias hostname -file PATH_TO_AM_crt -keystore /usr/java/jdk1.7.0_21/jre/lib/security/cacerts -storepass changeit
In this command, "hostname" is the alias for the AM machine's hostname and PATH_TO_AM_crt is the path where the AM certificate was created, for example:
/usr/java/jdk1.7.0_21/bin/keytool -import -trustcacerts -noprompt -alias rs263 -file /etc/pki/tls/certs/ca.crt -keystore /usr/java/jdk1.7.0_21/jre/lib/security/cacerts -storepass changeit
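Because the import runs with -noprompt, nothing confirms that the certificate that landed in cacerts is the AM's. As an added example (not part of the Abiquo guide), the following POSIX shell script runs the same keytool import and then compares the SHA-1 fingerprint keytool reports for the alias with the fingerprint of the PEM file, succeeding only when they match. It assumes openssl and keytool on the PATH and that the AM's ca.crt has already been copied to the API+Server machine; the alias, certificate path and keystore path (the guide's is /usr/java/jdk1.7.0_21/jre/lib/security/cacerts) are arguments.

```shell
#!/bin/sh
# Added example, not from the Abiquo guide. Imports the AM certificate into
# the JDK truststore the way the guide does, then verifies the import by
# comparing the SHA-1 fingerprint keytool reports for the alias with the
# fingerprint of the PEM file. Assumes openssl and keytool on the PATH; the
# keystore path is an argument (the guide's is
# /usr/java/jdk1.7.0_21/jre/lib/security/cacerts).

# crt_fingerprint CRT: uppercase colon-separated SHA-1 fingerprint of a PEM cert
crt_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" 2>/dev/null \
        | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# keystore_fingerprint ALIAS KEYSTORE STOREPASS: SHA-1 fingerprint of the
# stored entry, or empty output when the alias is not present
keystore_fingerprint() {
    keytool -list -v -alias "$1" -keystore "$2" -storepass "$3" 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -1 | tr 'a-f' 'A-F'
}

# import_and_verify ALIAS CRT KEYSTORE [STOREPASS]
# Runs the guide's keytool -import and succeeds only when the entry now stored
# under ALIAS is the certificate in CRT (same fingerprint).
import_and_verify() {
    alias="$1"; crt="$2"; keystore="$3"; storepass="${4:-changeit}"
    keytool -import -trustcacerts -noprompt -alias "$alias" -file "$crt" \
        -keystore "$keystore" -storepass "$storepass" >/dev/null 2>&1 || return 1
    expected=$(crt_fingerprint "$crt")
    actual=$(keystore_fingerprint "$alias" "$keystore" "$storepass")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Usage with the guide's values:
#   sh this.sh rs263 /path/to/am/ca.crt /usr/java/jdk1.7.0_21/jre/lib/security/cacerts
if [ $# -ge 3 ]; then
    if import_and_verify "$1" "$2" "$3" "${4:-changeit}"; then
        echo "imported $1: $(crt_fingerprint "$2")"
    else
        echo "import of $1 failed or fingerprint mismatch" >&2
        exit 1
    fi
fi
```

keytool refuses a second import under an alias that already exists, so re-running the script on a host that already trusts the AM fails at the import step; to re-check an existing entry, call keystore_fingerprint and crt_fingerprint directly and compare the two lines.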
To finish the setup:
- Stop Apache on the AM machine (/etc/init.d/httpd stop).
- In the database, the Appliance Manager URI in the remote services must now point to the API+Server machine's Apache front door, so it should be something like "https://server263:443/am".
- Restart the abiquo-tomcat service on both machines, and restart Apache on the API+Server machine as well.