Third-party software integration: Apache SSL and more

From OpenKM Documentation
Revision as of 20:33, 29 September 2014 by Pavila (talk | contribs) (More info)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Advanced configuration

If you don't want to show the /OpenKM context, try this as your VirtualHost configuration:

<VirtualHost *>
  ServerName openkm.your-domain.com
  ProxyPass / ajp://localhost:8009/OpenKM/
  ProxyPassReverse / http://openkm.your-domain.com/OpenKM/
  ErrorLog /var/log/apache2/your-domain.com-error.log
  CustomLog /var/log/apache2/your-domain.com-access.log combined

  RewriteEngine on
  RewriteCond %{REQUEST_URI} /OpenKM*
  RewriteRule ^(/.*)$ http://localhost:8080$1 [P]

  RequestHeader edit X-GWT-Module-Base ^(http://openkm.your-domain)/frontend/(.*)$ $1/OpenKM/frontend/$2
</VirtualHost>

You need also set the configuration parameter system.apache.request.header.fix to on (true). Note than in OpenKM 5.1 the configuration is stored in database and the OpenKM.cfg configuration only make sense in the database (Hibernate) configuration parameters.


Nota clasica.png If you see an error like:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

you need to enable this Apache module:

$ sudo a2enmod rewrite
$ sudo a2enmod proxy_http
$ sudo a2enmod headers

You have to enable explicitly the proxy access editing the Apache configuration file /etc/apache2/mods-available/proxy.conf:

<IfModule mod_proxy.c>
  #turning ProxyRequests on and allowing proxying from all may allow
  #spammers to use your proxy to send email.

  ProxyRequests Off

  <Proxy *>
    AddDefaultCharset off
    Order deny,allow
    Allow from all
    Deny from all
    #Allow from .example.com
  </Proxy>

  # Enable/disable the handling of HTTP/1.1 "Via:" headers.
  # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
  # Set to one of: Off | On | Full | Block

  ProxyVia On
</IfModule>

Finally restart Apache:

$ sudo /etc/init.d/apache2 restart

Now you can access your OpenKM installation from http://openkm.your-domain.com/. Another advantage of using Apache is that you can log OpenKM access and generate web statistics.

SSL in Debian / Ubuntu

$ sudo mkdir /etc/apache2/ssl
$ sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
$ sudo a2enmod ssl

Nota clasica.png If you need to converting .pem file to crt use: openssl x509 -in cacert.pem -out cacert.crt

Ensure ports 443 is listen in /etc/apache2/ports.conf

Do the same task related to port 80 but changing the configuration file /etc/apache2/sites-available/openkm.conf with this content:

<VirtualHost *:443>
    ServerName openkm.your-domain.com
    RedirectMatch ^/$ /OpenKM
    <Location /OpenKM>
        ProxyPass ajp://127.0.0.1:8009/OpenKM
        ProxyPassReverse https://openkm.your-domain.com/OpenKM
    </Location>
    ErrorLog /var/log/apache2/openkm.your-domain.com-error.log
    CustomLog /var/log/apache2/openkm.your-domain.com-access.log combined

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

Nota clasica.png if you see some error like "[error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results" add NameVirtualHost *:443 before <VirtualHost *:443>

If you want redirect HTTP connections to HTTPS, add this VirtualHost configuration:

<VirtualHost *:80>
  ServerName openkm.your-domain.com
  Redirect permanent / https://openkm.your-domain.com/
</VirtualHost>

SSL in Red Hat / CentOS

$ sudo yum install mod_ssl openssl crypto-utils

Generate private keys ( for more information visit Apache HTTP Secure Server Configuration)

$ genkey your-domain.com

Nota clasica.png Normally you want to generate self-certificate and not sending to Certify Authority. Is good practice put some password on private key, but in this case each time you restart apache service it'll be demanded.

During the process will be generated two files at

SSLCertificateFile /etc/pki/tls/certs/your-domain.com.cert 
SSLCertificateKeyFile /etc/pki/tls/private/your-domain.com.key

Must modify the /etc/httpd/conf.d/openkm.conf file

<VirtualHost *:443>
  ServerName your-domain.com
  ProxyPass / ajp://localhost:8009/OpenKM/
  ProxyPassReverse / http://your-domain.com/OpenKM/
  ErrorLog /var/log/your-domain.com-error.log
  CustomLog /var/log/your-domain.com-access.log combined

  RewriteEngine on
  RewriteCond %{REQUEST_URI} /OpenKM*
  RewriteRule ^(/.*)$ http://localhost:8080$1 [P]
  ProxyPassReverse / http://localhost:8080/

  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/your-domain.com.cert
  SSLCertificateKeyFile /etc/pki/tls/private/your-domain.com.key
</VirtualHost>

Finally must modify SSLCertificateFile and SSLCertificateKeyFile values in file /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/your-domain.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/your-domain.com.key

Now you can access your OpenKM installation from http://openkm.your-domain.com/. Another advantage of using Apache is that you can log OpenKM access and generate web statistics.

More info

For more info, visit: