Running GlobalSight Behind an Apache Reverse Proxy - Revision history (http://www.globalsight.com/wiki/index.php?title=Running_GlobalSight_Behind_an_Apache_Reverse_Proxy; MediaWiki 1.32.0; feed generated 2024-03-28T16:26:07Z)
Revision by Globalwiki, 2014-10-14T09:39:44Z: 1 revision (no difference from the previous revision)
Revision by Techwriter, 2013-02-27T16:59:17Z: New page
<div>{{Docset_side}}<br />
Running GlobalSight behind an Apache reverse proxy lets you manage access to<br />
GlobalSight through the popular and flexible Apache web server. We show how<br />
to set up HTTPS access to GlobalSight (including the Desktop Icon) and host<br />
GlobalSight on the same domain as other web content.<br />
<br />
== Configuring GlobalSight ==<br />
<br />
The first step is to run GlobalSight on a port other than the standard web<br />
port 80. This frees port 80 (and 443) for Apache. Run the GlobalSight<br />
installer and select an alternate port; this example uses port 8000. Test<br />
that you can reach GlobalSight on port 8000. (Your firewall may block this<br />
from other hosts. That is not a problem in the final configuration, because<br />
port 8000 is only accessed by Apache running on the same server. In fact you<br />
should keep port 8000 blocked from other hosts so that the HTTPS front end<br />
cannot be bypassed, unless you deliberately admit particular hosts to it as<br />
described in the Webservices note below.)<br />
<br />
There is one final configuration change. Because the port GlobalSight is<br />
running on is not the port users will actually connect to, you need to tell<br />
GlobalSight its real URL. (This URL is used in email notifications.) To do<br />
this, connect to your GlobalSight database with the <code>mysql</code> client and execute<br />
<br />
<pre><br />
update SYSTEM_PARAMETER<br />
set value='https://www.example.com/globalsight'<br />
where name='cap.login.url';<br />
</pre><br />
<br />
<code>www.example.com</code> should be replaced with your hostname.<br />
<br />
Note: If you run the installer again, it will overwrite this parameter, and<br />
you will have to issue the SQL statement again.<br />
<br />
== Obtaining an SSL Certificate ==<br />
<br />
It is assumed that you have [http://www.openssl.org OpenSSL] installed.<br />
<br />
In order to obtain an SSL certificate, you will need to generate a private<br />
key for your server, and then generate a certificate request containing a<br />
public key.<br />
<br />
First, we generate a key pair. <code>www.example.com</code> should be changed to the external hostname of<br />
the site you are generating the certificate for:<br />
<br />
<code>openssl genrsa -out www.example.com.key 2048</code><br />
<br />
[http://www.openssl.org/docs/apps/genrsa.html Reference for <code>openssl genrsa</code>]<br />
<br />
The <code>.key</code> file that this generates will contain private key<br />
information, so keep it safe! It will also be needed later during Apache<br />
configuration. For now, it is used to generate the certificate request:<br />
<br />
<code>openssl req -new -config www.example.com.conf -key www.example.com.key -out www.example.com.csr</code><br />
<br />
The <code>-config</code> argument here points to a <code>.conf</code> file<br />
which you will want to create. Here is an example:<br />
<br />
<pre><br />
[ req ]<br />
prompt             = no<br />
default_md         = sha256<br />
distinguished_name = dn<br />
req_extensions     = san<br />
<br />
[ dn ]<br />
commonName          = www.example.com<br />
organizationName    = <company><br />
localityName        = <city><br />
stateOrProvinceName = <state><br />
countryName         = <two-letter country code><br />
<br />
[ san ]<br />
subjectAltName = DNS:www.example.com<br />
</pre><br />
<br />
Fill in all the parts in brackets. Two details matter here: the section name given by<br />
<code>distinguished_name</code> must match the name of the section that holds the DN fields<br />
(here <code>dn</code>), otherwise <code>openssl req</code> fails; and the request should<br />
carry a <code>subjectAltName</code> extension listing the hostname, because browsers match<br />
the hostname against the SAN and ignore the commonName. The key and output file names are<br />
given on the command line above, not in this file. The format for this file is described as<br />
part of the [http://www.openssl.org/docs/apps/req.html reference for <code>openssl req</code>].<br />
<br />
You should now have a <code>.csr</code> file that contains your certificate<br />
request. You will need to provide this file to your certificate authority<br />
when you purchase a certificate from them.<br />
<br />
The certificate authority will provide you with a certificate<br />
(<code>.crt</code>). They may also provide a bundle containing other<br />
certificates. Certificates are validated as a chain: a client must be able to walk<br />
from your server certificate through one or more intermediate certificates up to<br />
a root it already trusts, and the bundle contains those intermediates. We assume<br />
it is called <code>ca_bundle.crt</code>.<br />
<br />
The <code>.key</code> file you generated, along with your site-specific certificate<br />
and any supplemental certificate bundle the CA provided, should be installed in<br />
<code>/etc/ssl</code> or somewhere similar. The <code>.key</code> file must be owned by<br />
and readable only by root/Administrator (on Unix, <code>chmod 600</code>), since anyone<br />
who can read it can impersonate your site.<br />
<br />
[http://www.openssl.org/docs/HOWTO/certificates.txt Further information about keys and certificates.]<br />
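The steps above, carried through as an added example (this is not code from the original page or from the GlobalSight project): the script writes a request config like the one shown, generates the key and CSR with the same two <code>openssl</code> commands, and then checks what was actually produced before the CSR goes to the CA, which is the verification a practitioner wants: that the CSR's public key really belongs to the private key on disk, and that the commonName and subjectAltName say what you intended. The hostname, the DN values, the working directory and the <code>other.key</code> contrast key are assumptions made for illustration.<br />

```shell
#!/bin/sh
# Added example, not part of the original page: build the CSR from a config
# file like the one above and verify what was produced before it goes to the
# CA. Hostname, DN values and the working directory are assumptions.
set -eu

HOST="${HOST:-www.example.com}"
WORK="${WORK:-$(mktemp -d)}"

write_req_conf() {          # $1 = hostname; writes $WORK/$1.conf
  cat > "$WORK/$1.conf" <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = san

[ dn ]
commonName          = $1
organizationName    = Example Corp
localityName        = Springfield
stateOrProvinceName = Illinois
countryName         = US

[ san ]
subjectAltName = DNS:$1
EOF
}

make_key_and_csr() {        # $1 = hostname; writes $WORK/$1.key and $WORK/$1.csr
  write_req_conf "$1"
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  chmod 600 "$WORK/$1.key"          # private key: owner-only from the first moment
  openssl req -new -config "$WORK/$1.conf" -key "$WORK/$1.key" -out "$WORK/$1.csr"
}

# Prints "ok" when the CSR's public key was derived from the given private key,
# by comparing the SubjectPublicKeyInfo PEM extracted from each file.
key_matches_csr() {         # $1 = private key file, $2 = CSR file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || { echo mismatch; return 0; }
  c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) || { echo mismatch; return 0; }
  [ "$k" = "$c" ] && echo ok || echo mismatch
}

csr_cn() {                  # $1 = CSR file; prints the commonName
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

csr_san() {                 # $1 = CSR file; prints the DNS names in subjectAltName
  openssl req -in "$1" -noout -text | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

make_key_and_csr "$HOST"
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null   # an unrelated key, for contrast
echo "CN:              $(csr_cn "$WORK/$HOST.csr")"
echo "SAN:             $(csr_san "$WORK/$HOST.csr")"
echo "own key matches: $(key_matches_csr "$WORK/$HOST.key" "$WORK/$HOST.csr")"
echo "other key:       $(key_matches_csr "$WORK/other.key" "$WORK/$HOST.csr")"
echo "send $WORK/$HOST.csr to the CA; keep $WORK/$HOST.key private"
```

Run it as <code>HOST=www.example.com sh make_csr.sh</code>; the key/CSR match check is the one to repeat against the certificate the CA sends back (<code>openssl x509 -in www.example.com.crt -pubkey -noout</code> yields the same PEM if it was issued from this CSR).<br />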
<br />
== Configuring Apache ==<br />
<br />
It is assumed that you have [http://www.apache.org Apache] installed and<br />
running. Apache 2 was used to test this configuration. The following<br />
Apache modules must be enabled: <code>mod_ssl</code>,<br />
<code>mod_proxy</code>, and <code>mod_proxy_http</code>. The exact<br />
configuration commands depend upon your Apache build, but if you look in the<br />
default configuration file for <code>LoadModule</code> commands, you will probably find<br />
what you need.<br />
<br />
Here is an example configuration that uses HTTPS and also serves other<br />
content on the same domain.<br />
<br />
<pre><br />
<VirtualHost *:80><br />
    ServerName www.example.com<br />
    DocumentRoot /var/www/<br />
    # Send the application (and everything under it) to HTTPS; static content stays on HTTP<br />
    Redirect /globalsight https://www.example.com/globalsight<br />
</VirtualHost><br />
<VirtualHost _default_:443><br />
    ServerName www.example.com<br />
    SSLEngine on<br />
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key<br />
    SSLCertificateFile /etc/ssl/certs/www.example.com.crt<br />
    # Deprecated since Apache 2.4.8: there, append the bundle to the SSLCertificateFile instead<br />
    SSLCertificateChainFile /etc/ssl/certs/ca_bundle.crt<br />
    BrowserMatch ".*MSIE.*" \<br />
        nokeepalive ssl-unclean-shutdown \<br />
        downgrade-1.0 force-response-1.0<br />
    DocumentRoot /var/www/<br />
<br />
    # Off is the default; never turn it on, or Apache becomes an open forward proxy<br />
    ProxyRequests Off<br />
    # retry=0 means no cooldown before trying again after a failure<br />
    ProxyPass /globalsight http://localhost:8000/globalsight retry=0<br />
    ProxyPassReverse /globalsight http://localhost:8000/globalsight<br />
    <Proxy http://localhost:8000/globalsight><br />
        # Apache 2.2 syntax; on Apache 2.4 use "Require all granted" instead<br />
        Allow from all<br />
    </Proxy><br />
</VirtualHost><br />
</pre><br />
<br />
Basically, there are two entries here. The first<br />
<code><VirtualHost></code> section handles port 80. The<br />
purpose of this block is to redirect access to the GlobalSight application<br />
(<code>/globalsight</code>) to the HTTPS port, while serving static content<br />
in <code>/var/www</code> over regular HTTP. This redirect is essential in order for<br />
Desktop Icon to use HTTPS, since Desktop Icon does not know how to connect<br />
over HTTPS automatically. (The Desktop Icon should still be configured to<br />
use port 80; it will follow the redirect to HTTPS.)<br />
<br />
The second <code><VirtualHost></code> section, which handles requests to<br />
port 443 (HTTPS), is where the interesting stuff lives.<br />
<br />
First, there is the SSL configuration. Be sure to adjust the paths to<br />
where you put these files. The <code>BrowserMatch</code> lines are<br />
recommended for compatibility with Internet Explorer.<br />
<br />
<code>ProxyPass</code> causes Apache to pass requests along to<br />
GlobalSight on port 8000 using<br />
[http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#forwardreverse reverse proxying]. <code>ProxyPassReverse</code> rewrites the <code>Location</code>,<br />
<code>Content-Location</code> and <code>URI</code> headers of responses from GlobalSight, so that<br />
a redirect pointing at <code>http://localhost:8000/globalsight</code> reaches the client as<br />
<code>https://www.example.com/globalsight</code> instead.<br />
<br />
One thing to note is the use of <code>retry=0</code> in the<br />
<code>ProxyPass</code> line. By default, if the proxy operation fails<br />
(because GlobalSight is down), Apache will put the proxy on an internal<br />
cooldown and won't try to access it again for a little while. In the case<br />
of GlobalSight restarts, this is frustrating, because the service will<br />
appear to be offline for longer than it actually is. <code>retry=0</code><br />
disables this behavior, so GlobalSight will be immediately available.<br />
<br />
The final <code><Proxy></code> section grants access to the proxied backend<br />
(<code>Allow from all</code> is the Apache 2.2 form; Apache 2.4 uses<br />
<code>Require all granted</code>). Note that only the <code>/globalsight</code> path is<br />
forwarded: <code>ProxyRequests</code> must stay off (its default), otherwise Apache would<br />
also act as an open forward proxy for anyone who can reach it.<br />
<br />
After modifying the Apache configuration, check it with <code>apachectl configtest</code><br />
and then reload or restart Apache.<br />
<br />
== Security Note about Webservices ==<br />
<br />
If you access GlobalSight Webservices through the proxy, the IP address<br />
whitelist for Webservices usage is effectively disabled. To GlobalSight,<br />
every proxied request arrives from the proxy itself, i.e. from<br />
<code>127.0.0.1</code>, so the filter can no longer tell one client from<br />
another. You must therefore either allow all proxied requests to use<br />
Webservices (include <code>127.0.0.1</code> in the Remote IP Filter for<br />
Webservices) or none. This includes the Desktop Icon, which uses<br />
Webservices.<br />
<br />
If you would like to allow only some hosts to use Webservices, they must<br />
access port 8000 directly, and your firewall must then admit exactly those<br />
hosts to port 8000. Be aware that they will then speak plain HTTP, not HTTPS,<br />
so their credentials and data cross the network unencrypted.<br />
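The situation just described, modelled as an added example (this is not GlobalSight code and not from the original page). Apache's <code>mod_proxy_http</code> appends the connecting client's address to the <code>X-Forwarded-For</code> request header before forwarding, so the client address does reach port 8000 even though the TCP peer is always <code>127.0.0.1</code>; a filter that looks only at the peer, as the page says GlobalSight's does, cannot use it. The script evaluates three filter policies against the same constructed requests: peer-only (the page's case), a naive header check that any client can forge, and a proxy-aware check that trusts the header only from the proxy and reads the right-most entry, the one Apache itself appended. The whitelist, the proxy address and the sample requests are assumptions.<br />

```shell
#!/bin/sh
# Added example, not GlobalSight code. Models how a Remote IP Filter sees
# requests that arrive through the Apache reverse proxy on 127.0.0.1.
set -eu

# Constructed whitelist of hosts allowed to call Webservices (assumption).
WHITELIST="${WHITELIST:-203.0.113.5 203.0.113.6}"
# The only peer from which X-Forwarded-For may be believed.
PROXY_ADDR="127.0.0.1"

in_whitelist() {            # $1 = candidate client address
  for ip in $WHITELIST; do
    [ "$ip" = "$1" ] && return 0
  done
  return 1
}

# 1. Peer-only check (what the page describes): behind the proxy the peer is
#    always 127.0.0.1, so the decision is the same for every client.
peer_only_decision() {      # $1 = TCP peer address
  in_whitelist "$1" && echo allow || echo deny
}

# 2. Naive X-Forwarded-For check: believes the header from any peer and reads
#    its first entry, so a client can forge its way in.
naive_xff_decision() {      # $1 = peer, $2 = X-Forwarded-For value ('' if absent)
  first=$(printf '%s' "$2" | cut -d, -f1 | tr -d ' ')
  in_whitelist "${first:-$1}" && echo allow || echo deny
}

# 3. Proxy-aware check: honour X-Forwarded-For only when the peer is the
#    trusted proxy, and use the right-most entry, which is the one Apache
#    itself appended; anything to its left was supplied by the client.
proxy_aware_decision() {    # $1 = peer, $2 = X-Forwarded-For value ('' if absent)
  if [ "$1" = "$PROXY_ADDR" ] && [ -n "$2" ]; then
    ip=$(printf '%s' "$2" | awk -F, '{ gsub(/ /, "", $NF); print $NF }')
  else
    ip=$1
  fi
  in_whitelist "$ip" && echo allow || echo deny
}

show() {                    # $1 = peer, $2 = X-Forwarded-For value
  printf '%-14s %-28s peer-only=%-5s naive-xff=%-5s proxy-aware=%s\n' \
    "$1" "${2:-(none)}" "$(peer_only_decision "$1")" \
    "$(naive_xff_decision "$1" "$2")" "$(proxy_aware_decision "$1" "$2")"
}

# Constructed sample requests.
show 203.0.113.5  ""                            # whitelisted host, direct to port 8000
show 127.0.0.1    "203.0.113.5"                 # same host, via Apache
show 127.0.0.1    "198.51.100.7"                # non-whitelisted host, via Apache
show 127.0.0.1    "203.0.113.5, 198.51.100.7"   # non-whitelisted host forging XFF, via Apache
show 198.51.100.7 "203.0.113.5"                 # non-whitelisted host forging XFF, direct
```

The peer-only column is identical for every proxied request, which is the page's point; setting <code>WHITELIST=127.0.0.1</code> flips all of them to allow at once. The naive column shows why simply switching the filter to <code>X-Forwarded-For</code> would be worse: the forged requests are accepted. Only the proxy-aware rule, which is what a backend (or an access rule placed in Apache itself) would need to implement, restores per-client filtering.<br />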
<br />
== Configuring client machines for SSL access ==<br />
When you configure GlobalSight for HTTPS access as described above, the file upload applets run under the client's Java runtime, which validates the server certificate against its own truststore rather than the browser's. If the certificate was issued by a CA that the Java runtime does not already trust (a private or self-signed CA, for instance), the applets will start uploading and then fail prematurely with a certification-path error. In that case import the CA certificate into the Java truststore on each client machine.<br />
<br />
See the solution described at http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/<br />
<br />
[[Category:GlobalSight]]</div>Techwriter