howto to setup cps with apache httpd virtual host directives

Upload: alex-acuna-viera

Post on 10-Apr-2018


  • 8/8/2019 HOWTO to Setup CPS With Apache Httpd Virtual Host Directives

    1/8

    HOWTO to setup CPS with Apache httpd VirtualHost directives http://www.cps-project.org/static/doc/howto-virtual_hosts.html

    1 sur 8 09/11/2006 14:38

    HOWTO to setup CPS with Apache httpd VirtualHost directives

    Author: Marc-Aurèle Darche
    Revision: howto-virtual_hosts.txt 45734 2006-05-19 08:48:56Z madarche

    Contents

    1 Introduction
      1.1 Apache httpd different flavors
      1.2 Adapting the examples to your needs
    2 Using Apache 2
      2.1 Prerequisites
      2.2 Simple virtual host HTTP + HTTPS configuration
      2.3 Secure virtual host HTTP + HTTPS configuration
    3 Using Apache (apache-ssl package)
      3.1 Prerequisites
      3.2 Simple virtual host HTTP + HTTPS configuration
      3.3 Secure virtual host HTTP + HTTPS configuration
    4 Developer information

    1 Introduction

    1.1 Apache httpd different flavors

    This document explains how to set up CPS behind the Apache httpd server through the reverse proxy technique.

    This kind of configuration is the preferred way to deploy CPS web sites because:

    - Apache httpd is very fast and can handle cache.
    - Apache httpd supports the ability to have parts of CPS web sites protected through HTTPS.
    - Apache httpd supports the ability to combine many web sites and many technologies (CPS, Zope, PHP, CGI, Perl, Java, etc.) together behind a single domain name.

    The Apache httpd server comes in different series (the 1.3.x and the 2.x series, etc.) and also in different versions (the standard httpd version and the Apache-SSL flavor).

    In this document we will only explain the use of the following versions:

    - Apache httpd 2.x (usually called Apache2)
    - Apache-ssl

    Using Apache 2 is the preferred option because it is the more up-to-date version and the version on which development is done. Apache-ssl was only handy before Apache 2. But now that Apache 2 ships with mod_ssl by default, there isn't any reason to stay with Apache-SSL anymore.

    1.2 Adapting the examples to your needs

    This howto presents configurations for Debian 3.1 "Sarge" systems and should work on any Debian-based system (Ubuntu, etc.).

    Port 9673 is the Zope default port on Debian. You might have to change it to 8080 depending on your configuration.

    In the following examples machine.localdomain can be replaced by localhost if your Zope server runs on the same machine as your Apache httpd server.

    Finally note that while this howto focuses on CPS, the most complete Open Source solution available for building Enterprise Content Management (ECM) applications, it could advantageously be followed for other Zope-based applications such as Plone.

    2 Using Apache 2

    Here are some configuration examples using Apache2 httpd VirtualHost directives.

    2.1 Prerequisites

    What you need:

    1.
            $ apt-get install apache2

    2. Enable the following modules: proxy, rewrite, ssl

       On a Debian system it is done by calling the commands:

            $ a2enmod proxy
            $ a2enmod rewrite
            $ a2enmod ssl

    3. Open the needed ports in /etc/apache2/ports.conf:

            Listen 80
            Listen 443
            Listen 453

    4. Authorize proxy requests in /etc/apache2/mods-enabled/proxy.conf otherwise you could end up with an unreachable CPS web site and messages like client denied by server configuration: proxy:http://localhost in your log files:

            Order deny,allow
            Deny from all

            Order deny,allow
            Deny from all
            Allow from all

    5. If you want to use HTTPS for your web server you should either:

       - generate a single self-signed certificate (this is the easy way to go if you just want HTTPS for one portal and don't care about flexibility, evolution, multiple service or domain names on the same machine, etc.)
       - generate a private key and certificate file (this is the more serious and flexible way to go)

       We will only document the single self-signed certificate generation procedure that can easily be used on Debian systems. This documentation is not about teaching you how to manipulate certificates or installing/using a PKI.

       On Debian-based systems there is a small utility that can generate the self-signed certificate for you: apache2-ssl-certificate:

            $ /usr/sbin/apache2-ssl-certificate

       Just answer the few questions (Country Name, server name, Email Address, etc.) about your service name or portal name and machine and it will generate the certificate for you in /etc/apache2/ssl/apache.pem.

       If you are not satisfied with the questions asked by the utility (for example to get rid of the stupid State or Province Name information and the localityName information) edit the OpenSSL configuration file used by Apache before running the utility:

            [ req_distinguished_name ]
            countryName = Country Name (2 letter code)
            # You can change the default values
            #countryName_default = GB
            countryName_default = FR
            countryName_min = 2
            countryName_max = 2

            # Just comment out the option you don't want to have to be set
            #stateOrProvinceName = State or Province Name (full name)
            #stateOrProvinceName_default = Some-State

            # Just comment out the option you don't want to have to be set
            #localityName = Locality Name (eg, city)

            organizationName = Organization Name (eg, company; rec
            organizationName_max = 64

            organizationalUnitName = Organizational Unit Name (eg, secti
            organizationalUnitName_max = 64

            commonName = server name (eg. ssl.domain.tld; re
            commonName_max = 64

            emailAddress = Email Address
            emailAddress_max = 40

       Then you can check the information that ended in the certificate:

            $ openssl x509 -in /etc/apache2/ssl/apache.pem -text
            Certificate:
                Data:
                    Version: 1 (0x0)
                    Serial Number:
                        a0:35:f0:c7:d1:68:5a:27
                    Signature Algorithm: md5WithRSAEncryption
                    Issuer: C=FR, O=MySite, CN=www.mysite.net/emailAddress=webmas
                    Validity
                        Not Before: May 18 13:15:45 2006 GMT
                        Not After : Jun 17 13:15:45 2006 GMT
                    Subject: C=FR, O=MySite, CN=www.mysite.net/emailAddress=webma
                    Subject Public Key Info:
                        Public Key Algorithm: rsaEncryption
                        RSA Public Key: (1024 bit)
                            Modulus (1024 bit):
                            Exponent: 65537 (0x10001)
                Signature Algorithm: md5WithRSAEncryption

    2.2 Simple virtual host HTTP + HTTPS configuration

    This configuration is what most people would need. This is not a secure configuration, but it is easy to set up and understand.

    Example:

            ServerName www.mysite.net

            RewriteEngine on
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/http/%{

            CustomLog /var/log/apache2/www.mysite.net.log combined
            ErrorLog /var/log/apache2/www.mysite.net-error.log


            ServerName www.mysite.net

            SSLEngine on
            SSLCertificateFile /etc/apache2/ssl/apache.pem
            # Alternatively use those lines for private key and certificate configurat
            #SSLCertificateFile /etc/apache2/ssl/www.mysite.net.cert
            #SSLCertificateKeyFile /etc/apache2/ssl/www.mysite.net.key

            RewriteEngine on
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/

            CustomLog /var/log/apache2/www.mysite.net.log combined
            ErrorLog /var/log/apache2/www.mysite.net-error.log

    2.3 Secure virtual host HTTP + HTTPS configuration

    This is a secure configuration because:

    - It forces the use of HTTPS for administering Zope in the ZMI.
    - It forces the use of HTTPS for authenticated users (because for logged-in users cookies containing vulnerable login/password information are sent with each request).
    - It forces the use of HTTPS for users who wish to join the portal (because login information is provided in the join form).

    Example:


    3.1 Prerequisites

    What you need:

    1.
            $ apt-get install apache-ssl

    2. Be sure to have the following line in your /etc/apache-ssl/modules.conf:

            LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so

    3. You should have the SSLDisable option at the server configuration level because we will be using virtual hosts.

    4. You should generate a private key and certificate files for your web server.

    3.2 Simple virtual host HTTP + HTTPS configuration

    This configuration is what most people would need. This is not a secure configuration but it is easy to set up and understand.

    Example:

            ServerName www.mysite.net

            RewriteEngine on
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/http/%{

            CustomLog /var/log/apache-ssl/www.mysite.net.log combined
            ErrorLog /var/log/apache-ssl/www.mysite.net-error.log


            ServerName www.mysite.net

            SSLEnable
            SSLCertificateFile /etc/apache-ssl/ssl.crt/apache.pem
            # Alternatively use those lines for private key and certificate configurat
            #SSLCertificateFile /etc/apache-ssl/ssl.crt/www.mysite.net.cert
            #SSLCertificateKeyFile /etc/apache-ssl/ssl.key/www.mysite.net.key

            RewriteEngine on
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/

            CustomLog /var/log/apache-ssl/www.mysite.net.log combined
            ErrorLog /var/log/apache-ssl/www.mysite.net-error.log

    3.3 Secure virtual host HTTP + HTTPS configuration

    This is a secure configuration because:

    - It forces the use of HTTPS for administering Zope in the ZMI.
    - It forces the use of HTTPS for authenticated users (because for logged-in users cookies containing vulnerable login/password information are sent with each request).
    - It forces the use of HTTPS for users who wish to join the portal (because login information is provided in the join form).

    Example:

            # Main HTTP access to http://www.mysite.net/ for anonymous users
            ServerName www.mysite.net

            RewriteEngine on

            # Using OR instead of the implicit AND between conditions
            RewriteCond %{REQUEST_URI} ^(.*)/manage(.*) [OR]
            RewriteCond %{REQUEST_URI} ^(.*)/login(.*) [OR]
            RewriteCond %{REQUEST_URI} ^(.*)/account_(.*) [OR]
            RewriteCond %{REQUEST_URI} ^(.*)/join_form$
            RewriteRule ^/(.*) https://www.mysite.net/$1 [R=permanent,L]

            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/http/%{

            CustomLog /var/log/apache-ssl/www.mysite.net.log combined
            ErrorLog /var/log/apache-ssl/www.mysite.net-error.log


            # Main HTTPS access to https://www.mysite.net/ for authenticated users
            ServerName www.mysite.net

            SSLEnable
            SSLCertificateFile /etc/apache-ssl/ssl.crt/apache.pem
            # Alternatively use those lines for private key and certificate configurat
            #SSLCertificateFile /etc/apache-ssl/ssl.crt/www.mysite.net.cert
            #SSLCertificateKeyFile /etc/apache-ssl/ssl.key/www.mysite.net.key

            RewriteEngine on
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/

            CustomLog /var/log/apache-ssl/www.mysite.net.log combined
            ErrorLog /var/log/apache-ssl/www.mysite.net-error.log


            # HTTPS access to https://www.mysite.net:453/ for administrators.
            # This is the access to use to administer Zope through the ZMI.
            ServerName www.mysite.net

            SSLEnable
            SSLCertificateFile /etc/apache-ssl/ssl.crt/www.mysite.net.cert
            SSLCertificateKeyFile /etc/apache-ssl/ssl.key/www.mysite.net.key

            RewriteEngine on
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/
            # Note that the line below with "%{HTTP_HOST}:453" will not work. The work
            # rule above has been crafted through the reading of the Z2.log file.
            #RewriteRule ^/(.*) http://machine.localdomain:9673/VirtualHostBase/https/

            CustomLog /var/log/apache-ssl/www.mysite.net.log combined
            ErrorLog /var/log/apache-ssl/www.mysite.net-error.log

    4 Developer information

    Information about how to handle paths/urls in products using CPS, to make them work properly with virtual hosting:

    - http://www.cps-project.org/sections/documentation/developers/virtual_hosting_in_cps
    - http://svn.nuxeo.org/trac/pub/file/CPSCore/trunk/doc/virtual-hosting.txt

    Generated on: 2006-05-19 08:50 UTC.
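The port-80 redirect conditions of the secure configuration in section 3.3 can be audited offline. The following Python model is an added example, not part of the original howto or of CPS; it reports which request paths the four RewriteCond patterns send to HTTPS and which stay on plain HTTP. The sample request paths (the /cps/ prefix and form names) are constructed and hypothetical.

```python
import re
from urllib.parse import urlsplit

# RewriteCond patterns copied from the page's port-80 virtual host (joined by [OR]).
HTTPS_ONLY_PATTERNS = [
    r"^(.*)/manage(.*)",
    r"^(.*)/login(.*)",
    r"^(.*)/account_(.*)",
    r"^(.*)/join_form$",
]
HTTPS_BASE = "https://www.mysite.net/"  # substitution target used on the page


def redirect_target(request_target):
    """Return the 301 Location the redirect rule would produce, or None if
    the request falls through to the plain-HTTP proxy rule."""
    parts = urlsplit(request_target)
    path = parts.path  # %{REQUEST_URI} holds the path only, not the query string
    if not any(re.search(p, path) for p in HTTPS_ONLY_PATTERNS):
        return None
    m = re.match(r"^/(.*)", path)  # RewriteRule ^/(.*) ... $1
    if m is None:
        return None
    location = HTTPS_BASE + m.group(1)
    # mod_rewrite re-appends the original query string by default
    return location + ("?" + parts.query if parts.query else "")


def audit(request_targets):
    """Map each request target to 'https' (redirected) or 'http' (proxied as-is)."""
    return {t: ("https" if redirect_target(t) else "http") for t in request_targets}


# Constructed sample requests; object paths and form names are hypothetical.
SAMPLES = [
    "/manage_main",
    "/cps/login_form?came_from=/cps/",
    "/cps/account_lost_password_form",
    "/cps/join_form",
    "/cps/join_form/",                    # not matched: pattern is anchored with $
    "/cps/workspaces/management-report",  # matched: path contains "/manage"
    "/cps/sections/news",
    "/cps/Login",                         # not matched: RewriteCond is case-sensitive without [NC]
]

if __name__ == "__main__":
    for target, scheme in audit(SAMPLES).items():
        print(f"{scheme:5} {target}")
```

Running the same list against a deployed site and comparing the observed redirects with this model shows whether the virtual host order or an extra rule changes which paths are served over HTTP.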