Entity view (Content)

Running Alfresco Under HTTPS (via Apache 2.x)

By jmacinnes
Aug. 24, 2011

Alfresco is a powerful open source content management and document repository system that is Enterprise ready and able to support just about any organization. However, the out of the box install of Alfresco does not provide a very URL friendly (that :8080 port number) nor very secure (no HTTPS) system. This blog will outline a mechanism for using Apache in conjunction with Alfresco to provide both friendlier and more secure URLs.

These instructions primarily assumes a CentOS/RedHat flavor of Linux with some pointers throughout to Debian type systems. This also assume an Apache 2 installation. Step 1. mod_jk mod_jk is an Apache module that can be used to link an Apache web server with a Tomcat application server. Since Alfresco runs on top of Tomcat (unless you decided to use a different container) mod_jk suits our purposes well. There are a number of interesting services that mod_jk can provide (like load balancing an Alfresco install) which I will cover in a future blog, but for now I will just cover the use of mod_jk for https urls.mod_jk is maintained by the Apache foundation and the main website is located here:

You can download source versions of mod_jk from this website or you can download a 64 bit RPM for CentOS/RedHat systems from here:

http://greenmice.info/en/comment/reply/152?quote=1

On Debian/Ubuntu systems you can install mod_jk like this:

 

sudo apt-get install libapache2-mod-jk

 

Step 2. SSL Certs and Keys You will need to create an SSL certificate and key (if you don't already have them). You should put these keys within your apache root directory, on CentOS/RedHat that is usually in the '/etc/httpd' directory. This is for a sample domain name of “http://www.securehost.com/">www.securehost.com” and uses openssl to create the cert/key combo.

cd /etc/httpd

 

mkdir cert

 

mkdir key

 

openssl req -new -x509 -days 365 -keyout key/vhost1.key -out cert/vhost1.crt -nodes -subj '/O=Appnovation Technology/OU=Alfresco Department/CN=www.securehost.com'

 

Step 3.Create a workers.properties file The worksers.properties file is the mod_jk config file. It is in here that you tell mod_jk about the location of your Alfresco install. Create a file called '/etc/httpd/conf/workers.properties' And add the following to it:

 

# Define 1 real worker using ajp13

 

worker.list=worker1

 

# Set properties for worker1 (ajp13)

 

worker.worker1.type=ajp13

 

worker.worker1.host=localhost

 

worker.worker1.port=8009

 

This informs mod_jk that you have an Alfresco instance running on “localhost” that you wish to connect to using ajp13 on the port number 8009. Ajp13 is a transfer mechanism (similar to http) that is used to communicate between mod_jk and the backend Tomcat server. Ajp13 displays better performance than using http as your proxy protocol. By default, your Alfresco install should already be listening for ajp13 requests on port 8009.

Step 4. Configure Apache You will now need to add some directives to your Apache httpd.conf file to get this all to work. Add the following to the end of your config file (usually located at /etc/httpd/conf/httpd.conf on CentOS/RedHat).

# Load mod_jk module # Update this path to match your modules location LoadModule jk_module modules/mod_jk.so # Where to find workers.properties JkWorkersFile conf/workers.properties # Where to put jk shared memory # Update this path to match your local state directory or logs directory JkShmFile logs/mod_jk.shm # Where to put jk logs # Update this path to match your logs directory location (put mod_jk.log next to access_log) JkLogFile logs/mod_jk.log # Set the jk log level [debug/error/info] JkLogLevel info

This enables mod_jk, you will now need to create your virtual host. Add the following to the end of the Apache config file:

# May be needed on Debian/Ubuntu systems. #Listen 443 NameVirtualHost *:443 # Create a Virtual Host for doing HTTPS (NOTE: make sure that mod_ssl is already loaded by your config file).     ServerName www.securehost.com     # Turn on SSL     SSLEngine On     SSLCertificateFile cert/vhost1.crt     SSLCertificateKeyFile key/vhost1.key            SSLRequireSSL On        SSLVerifyClient optional        SSLVerifyDepth 1        SSLOptions +StdEnvVars +StrictRequire         # Send everything for context / to worker named worker1 via ajp13     JkMount /* worker1 This is a standard Apache virtual host configuration, however there is the line: jkMount /* worker1

This informs apache to proxy all requests for this HTTPS virtual host to the Tomcat instance “worker1” described in our workers.properties file from step 3 above.

Step 5.Restart Apache You should now restart apache: sudo /etc/init.d/httpd restart

 

You will now be able to connect to your Alfresco server with a standard https url, for example: https://www.securehost.com/share or https://www.securehost.com/alfresco

Post Tags: