| Author: |
Marc-Aurèle Darche |
|---|
| Revision: |
howto-virtual_hosts.txt 45734 2006-05-19 08:48:56Z madarche |
|---|
This document explains how to setup CPS behind the Apache httpd server through
the reverse proxy technique.
This kind of configuration is the preferred way to deploy CPS web sites because:
- Apache httpd is very fast and can handle cache.
- Apache httpd supports the ability to have parts of CPS web sites
protected through HTTPS.
- Apache httpd supports the ability to combine many web sites and
many technologies together (CPS, Zope, PHP, CGI, Perl, Java,
etc.) together behind a single domain name.
The Apache httpd server comes in different series (the 1.3.x and the 2.x series,
etc.) and also in different versions (the standard httpd version and the
Apache-SSL flavor).
In this document we will only explain the use of the following
versions:
- Apache httpd 2.x (usually called Apache2)
- Apache-ssl
Using Apache 2 is the preferred option because it is the more
up-to-date version and the version on which development is done.
Apache-ssl was only handy before Apache 2. But now that Apache 2
ships with mod_ssl by default, there isn't' any reason to stay
with Apache-SSL anymore.
This howto presents configurations for Debian 3.1 "Sarge"
systems and should work on any Debian based systems (Ubuntu, etc.).
Port 9673 is the Zope default port on Debian. You might have to
change it to 8080 depending on your configuration.
In the following examples machine.localdomain can be replaced by
localhost if your Zope server runs on the same machine as your Apache httpd
server.
Finally note that while this howto focuses on CPS, the most complete Open Source
solution available for building Enterprise Content Management (ECM)
applications, it could advantageously be followed for other Zope-based
applications such as Plone.
Here are some configuration examples using Apache2 httpd
VirtualHost directives.
What you need:
$ apt-get install apache2
Enable the following modules: proxy, rewrite, ssl
On a Debian system it is done by calling the commands:
$ a2enmod proxy
$ a2enmod rewrite
$ a2enmod ssl
Open the needed ports in /etc/apache2/ports.conf:
Listen 80
Listen 443
Listen 453
Authorize proxy requests in /etc/apache2/mods-enabled/proxy.conf
otherwise you could end up with an unreachable CPS web site and
messages like
client denied by server configuration: proxy:http://localhost
in your log files:
<Proxy *>
Order deny,allow
Deny from all
</Proxy>
<Proxy http://localhost:9673>
Order deny,allow
Deny from all
Allow from all
</Proxy>
If you want to use HTTPS for your web server you should either:
- generate a single self-signed certificate (this is the easy way to go if
you just want HTTPS for one portal and don't care about flexibility,
evolution, multiple service or domain names on the same machine, etc.)
- generate a private key and certificate file (this is the more serious and
flexible way to go)
We will only document the single self-signed certificate generation procedure
that can easily be use on Debian systems. This documentation is not about
teaching you how to manipulate certificates or installing/using a PKI.
On Debian-based systems there is a small utility that can generate the
self-signed certificate for you: apache2-ssl-certificate:
$ /usr/sbin/apache2-ssl-certificate
Just answer the few questions (Country Name, server name, Email Address,
etc.) about your service name or portal name and machine
and it will generate the certificate for you in
/etc/apache2/ssl/apache.pem.
If you are not satisfied with the questions asked by the utility (for example
to get rid of the stupid State or Province Name information and the
localityName information) edit the OpenSSL configuration file used by Apache
before running the utility:
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
# You can change the default values
#countryName_default = GB
countryName_default = FR
countryName_min = 2
countryName_max = 2
# Just comment out the option you don't want to have to be set
#stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = Some-State
# Just comment out the option you don't want to have to be set
#localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company; recommended)
organizationName_max = 64
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_max = 64
commonName = server name (eg. ssl.domain.tld; required!!!)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
Then you can check the information that ended in the certificate:
$ openssl x509 -in /etc/apache2/ssl/apache.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
a0:35:f0:c7:d1:68:5a:27
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FR, O=MySite, CN=www.mysite.net/emailAddress=webmaster@mysite.net
Validity
Not Before: May 18 13:15:45 2006 GMT
Not After : Jun 17 13:15:45 2006 GMT
Subject: C=FR, O=MySite, CN=www.mysite.net/emailAddress=webmaster@mysite.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:cb:4c:6e:69:91:b4:70:d2:55:80:15:fe:34:e9:
85:df:74:56:6a:6c:de:15:f6:b3:ba:78:b8:06:74:
b4:d3:c6:35:cf:6c:8d:21:7b:53:0e:b1:c9:24:51:
bc:23:9f:bd:c5:b1:07:5a:30:34:5a:97:e8:4c:d5:
5f:83:24:7e:3b:d9:9d:07:bd:d3:ca:4d:a4:f7:4b:
d2:49:c2:63:6d:4e:3e:82:58:91:b6:45:2f:80:61:
c2:a1:6e:10:e8:1d:21:b7:f9:e2:0e:b6:95:24:dd:
ae:82:9c:6c:3e:38:ac:ca:cb:e2:74:fc:65:97:85:
40:39:3d:ee:81:16:db:57:8f
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
5a:6e:6e:b0:82:aa:b6:71:42:24:b8:d5:31:6a:78:13:81:a2:
dc:c3:91:91:e5:20:46:b5:91:81:11:f6:bc:86:4e:e2:a5:bd:
d9:b8:c1:ca:16:a1:46:de:4e:69:bf:7a:dd:5e:24:dd:d6:53:
12:12:23:75:bd:e2:45:ad:81:7f:8f:82:35:20:ce:68:69:71:
50:ea:45:8f:4b:fe:f4:be:84:53:4d:2b:7d:85:5b:bd:0d:8f:
6b:66:2a:87:9e:41:94:ee:44:01:ae:76:45:ad:e9:a1:71:fd:
6f:1d:96:d3:53:66:d1:a7:96:97:54:ac:43:b1:78:77:90:a1:
ac:aa
-----BEGIN CERTIFICATE-----
GhxeGTCCAaYCCQCgNfDH0WhaJzANBgkqhkiG9w0BAQQFADBjMQswCQYDVQQGEwJG
UjEOMAwGA1UEChMFTW9udW0xHjAcBgNVBAMTFXd3dy5pbnRyYW5ldC5tb251bS5m
cjEkMCIGCSqGSIb3DQEJARYVY29tLmludHJhbmV0QG1vbnVtLmZyMB4XDTA2MDUx
ODEzMTU0NVoXDTA2MDYxNzEzMTU0NVowYzELMAkGA1UEBhMCRlIxDjAMBgNVBAoT
BU1vbnVtMR4wHAYDVQQDExV3d3ergeg,melrGERGRG9udW0uZnIxJDAiBgkqhkiG
9w0BCQEWFWNvbS5pbnRyYW5ldEBtb251bS5mcjCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAy0xuaZG0cNJVgBX+NOmF33RWamzeFfazuni4BnS008Y1z2yNIXtT
DrHJJFG8I5+9xbEHWjA0WpfoTNVfgyR+O9mdB73Tyk2k90vSScJjbU4+gliRtkUv
gGHCoW4Q6B0ht/niDraVJN2ugpxsPjisysvidPxll4VAOT3ugRbbV48CAwEAATAN
BgkqhkiG9w0BAQQFAAOBgQBabm6wgqq2cUIkuNUxangTgaLcw5GR5SBGtZGBEfa8
hk7ipb3ZuMHKFqFG3k5pv3rdXiTd1lMSEiN1veJFrYF/j4I1IM5oaXFQ6kWPS/70
voRTTSt9hVu9DY9rZiqHnkGU7kQBrnZFremhcf1vHZbTU2bRp5aXVKxDsXgrA3Gs
qg==
-----END CERTIFICATE-----
This configuration is what most people would need. This is not a secure
configuration, but it is easy to setup and understand.
Example:
<VirtualHost 192.168.2.20:80>
ServerName www.mysite.net
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/http/%{HTTP_HOST}:80/cps/VirtualHostRoot/$1 [P,L]
CustomLog /var/log/apache2/www.mysite.net.log combined
ErrorLog /var/log/apache2/www.mysite.net-error.log
</VirtualHost>
<VirtualHost 192.168.2.20:443>
ServerName www.mysite.net
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
# Alternatively use those lines for private key and certificate configurations
#SSLCertificateFile /etc/apache2/ssl/www.mysite.net.cert
#SSLCertificateKeyFile /etc/apache2/ssl/www.mysite.net.key
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}:443/cps/VirtualHostRoot/$1 [P,L]
CustomLog /var/log/apache2/www.mysite.net.log combined
ErrorLog /var/log/apache2/www.mysite.net-error.log
</VirtualHost>
This is a secure configuration because:
- It forces the use of HTTPS for administering Zope in the ZMI.
- It forces the use of HTTPS for authenticated users (because for
logged users cookies containing vulnerable login/password
information is sent with each request).
- It forces the use of HTTPS for users who wish to join the portal
(because login information is provided in the join form).
Example:
# Main HTTP access to http://www.mysite.net/ for anonymous users
<VirtualHost 192.168.2.20:80>
ServerName www.mysite.net
RewriteEngine on
# Using OR instead of the implicit AND between conditions
RewriteCond %{REQUEST_URI} ^(.*)/manage(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)/login(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)/account_(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)/join_form$
RewriteRule ^/(.*) https://www.mysite.net/$1 [R=permanent,L]
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/http/%{HTTP_HOST}:80/cps/VirtualHostRoot/$1 [P,L]
CustomLog /var/log/apache2/www.mysite.net.log combined
ErrorLog /var/log/apache2/www.mysite.net-error.log
</VirtualHost>
# Main HTTPS access to https://www.mysite.net/ for authenticated users
<VirtualHost 192.168.2.20:443>
ServerName www.mysite.net
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
# Alternatively use those lines for private key and certificate configurations
#SSLCertificateFile /etc/apache2/ssl/www.mysite.net.cert
#SSLCertificateKeyFile /etc/apache2/ssl/www.mysite.net.key
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}:443/cps/VirtualHostRoot/$1 [P,L]
CustomLog /var/log/apache2/www.mysite.net.log combined
ErrorLog /var/log/apache2/www.mysite.net-error.log
</VirtualHost>
# HTTPS access to https://www.mysite.net:453/ for administrators.
# This is the access to use to administer Zope through the ZMI.
<VirtualHost 192.168.2.20:453>
ServerName www.mysite.net
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
# Alternatively use those lines for private key and certificate configurations
#SSLCertificateFile /etc/apache2/ssl/www.mysite.net.cert
#SSLCertificateKeyFile /etc/apache2/ssl/www.mysite.net.key
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}/VirtualHostRoot/$1 [P,L]
# Note that the line below with "%{HTTP_HOST}:453" will not work. The working
# rule above has been crafted through the reading of the Z2.log file.
#RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}:453/VirtualHostRoot/$1 [P,L]
CustomLog /var/log/apache2/www.mysite.net.log combined
ErrorLog /var/log/apache2/www.mysite.net-error.log
</VirtualHost>
Here are some configuration examples using Apache-SSL VirtualHost
directives.
Note that those configuration instructions are "apache-ssl"
specific. It is of course possible to use the "apache" and
"libapache-mod-ssl" packages, instead of using the "apache-ssl"
package, but the configuration might be slightly different.
What you need:
$ apt-get install apache-ssl
Be sure to have the following line in your
/etc/apache-ssl/modules.conf:
LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
You should have the SSLDisable option at the server
configuration level because we will be using virtual hosts.
You should generate a private key and certificate files for your
web server.
This configuration is what most people would need. This is not a
secure configuration but it is easy to setup and understand.
Example:
<VirtualHost 192.168.2.20:80>
ServerName www.mysite.net
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/http/%{HTTP_HOST}:80/cps/VirtualHostRoot/$1 [P,L]
CustomLog /var/log/apache-ssl/www.mysite.net.log combined
ErrorLog /var/log/apache-ssl/www.mysite.net-error.log
</VirtualHost>
<VirtualHost 192.168.2.20:443>
ServerName www.mysite.net
SSLEnable
SSLCertificateFile /etc/apache-ssl/ssl.crt/apache.pem
# Alternatively use those lines for private key and certificate configurations
SSLCertificateFile /etc/apache-ssl/ssl.crt/www.mysite.net.cert
SSLCertificateKeyFile /etc/apache-ssl/ssl.key/www.mysite.net.key
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}:443/cps/VirtualHostRoot/$1 [P,L]
CustomLog /var/log/apache-ssl/www.mysite.net.log combined
ErrorLog /var/log/apache-ssl/www.mysite.net-error.log
</VirtualHost>
This is a secure configuration because:
- It forces the use of HTTPS for administering Zope in the ZMI.
- It forces the use of HTTPS for authenticated users (because for
logged users cookies containing vulnerable login/password
information is sent with each request).
- It forces the use of HTTPS for users who wish to join the portal
(because login information is provided in the join form).
Example:
# Main HTTP access to http://www.mysite.net/ for anonymous users
<VirtualHost 192.168.2.20:80>
ServerName www.mysite.net
RewriteEngine on
# Using OR instead of the implicit AND between conditions
RewriteCond %{REQUEST_URI} ^(.*)/manage(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)/login(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)/account_(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)/join_form$
RewriteRule ^/(.*) https://www.mysite.net/$1 [R=permanent,L]
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/http/%{HTTP_HOST}:80/cps/VirtualHostRoot/$1 [P,L]
CustomLog /var/log/apache-ssl/www.mysite.net.log combined
ErrorLog /var/log/apache-ssl/www.mysite.net-error.log
</VirtualHost>
# Main HTTPS access to https://www.mysite.net/ for authenticated users
<VirtualHost 192.168.2.20:443>
ServerName www.mysite.net
SSLEnable
SSLCertificateFile /etc/apache-ssl/ssl.crt/apache.pem
# Alternatively use those lines for private key and certificate configurations
SSLCertificateFile /etc/apache-ssl/ssl.crt/www.mysite.net.cert
SSLCertificateKeyFile /etc/apache-ssl/ssl.key/www.mysite.net.key
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}:443/cps/VirtualHostRoot/$1 [P,L]
CustomLog /var/log/apache-ssl/www.mysite.net.log combined
ErrorLog /var/log/apache-ssl/www.mysite.net-error.log
</VirtualHost>
# HTTPS access to https://www.mysite.net:453/ for administrators.
# This is the access to use to administer Zope through the ZMI.
<VirtualHost 192.168.2.20:453>
ServerName www.mysite.net
SSLEnable
SSLCertificateFile /etc/apache-ssl/ssl.crt/www.mysite.net.cert
SSLCertificateKeyFile /etc/apache-ssl/ssl.key/www.mysite.net.key
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}/VirtualHostRoot/$1 [P,L]
# Note that the line below with "%{HTTP_HOST}:453" will not work. The working
# rule above has been crafted through the reading of the Z2.log file.
#RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}:453/VirtualHostRoot/$1 [P,L]
CustomLog /var/log/apache-ssl/www.mysite.net.log combined
ErrorLog /var/log/apache-ssl/www.mysite.net-error.log
</VirtualHost>
- Information about how to handle paths/urls in products using
CPS, to make them work properly with virtual hosting:
|
About CPS
CPS Wallpapers
