Apache configs #161

Closed
s3cur3n3t opened this Issue Aug 3, 2016 · 4 comments

s3cur3n3t commented Aug 3, 2016

Hi,

Do you have a guide to configure httpd on CentOS 7.0?

Because I don't need to access it on localhost; I need to use it across the organization.

Thanks in advance.

Owner

skavanagh commented Aug 4, 2016

On startup it listens on 0.0.0.0:8443, so all IP addresses on the local machine.
Documentation for Jetty can be found here: http://www.eclipse.org/jetty/documentation/current/

s3cur3n3t commented Aug 4, 2016

OK. But I can't access it from a remote machine. That's why I asked my question... I have to configure Apache so it can work, right? If so, do you have any specific configuration for it?

Thanks

Owner

skavanagh commented Aug 5, 2016

No, you don't have to install Apache (unless you have a need to). Users can access from a remote machine with the Jetty server as is.

skavanagh closed this Aug 18, 2016

colandre commented Sep 1, 2016

Just a note on something I found while configuring Apache with Keybox over HTTPS.
I run Keybox on CentOS 7.1, and the default httpd version that comes with the OS is 2.4.6 (yum install procedure).

There is an Apache bug up to version 2.4.10 that forces websockets to run over http and not https:
Ref.
http://stackoverflow.com/questions/11468154/tunneling-secure-websocket-connections-with-apache
https://bz.apache.org/bugzilla/show_bug.cgi?id=55320

Due to this bug I have manually installed Apache version 2.4.10 in order to allow websockets to work with the HTTPS configuration.

Regarding the Apache configuration, I can paste here an example of what I am using:

```apache
# Server-wide TLS and banner settings
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!NULL:!RC4:!RC2:!DES:+HIGH:+MEDIUM
ServerSignature Off
ServerTokens Prod
Header always append X-Frame-Options DENY

<VirtualHost *:443>
  ServerName yourserver.yourdomain.com

  ## Logging
  ErrorLog "/var/log/httpd24/yourserver.yourdomain.com_error_ssl.log"
  CustomLog "/var/log/httpd24/yourserver.yourdomain.com_access_ssl.log" combined

  ## SSL directives
  SSLEngine on
  SSLProxyEngine On
  # The next four lines switch off every check on the backend (Jetty) certificate
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyVerify none
  SSLProxyCheckPeerExpire off
  SSLCertificateFile      "/etc/ssl/yourcertificate.crt"
  SSLCertificateKeyFile   "/etc/ssl/yourkey.key"
  SSLCACertificatePath    "/etc/pki/tls/certs"

  ## Proxy rules
  ProxyRequests off
  ProxyPreserveHost On
  ProxyPass / https://localhost:8443/
  ProxyPassReverse / https://localhost:8443/

  RequestHeader set X-Forwarded-Proto "https" env=HTTPS

  ## Websocket terminal endpoints
  <LocationMatch "/admin/(terms.*)">
        ProxyPass wss://127.0.0.1:8443/admin/$1
        ProxyPassReverse wss://127.0.0.1:8443/admin/$1
  </LocationMatch>
</VirtualHost>


# Disallow access using IP
<VirtualHost *:443>
  # Your server IP (httpd has no trailing comments: a "#" after a directive is read as arguments)
  ServerName 1.1.1.1
  Redirect 403 /
  #ErrorDocument 403 "Sorry, direct IP access not allowed."
  ErrorDocument 403 " "
  DocumentRoot /var/www
  UseCanonicalName Off
  UserDir disabled
</VirtualHost>
```
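
Added example, not part of colandre's comment or the Keybox project: a variant of the proxy virtual host above that keeps verification of the Jetty backend certificate switched on and limits client TLS to 1.2 and later. The `backend-ca.pem` path is hypothetical, and the backend certificate is assumed to be issued for the name `localhost`.

```apache
# Added example (constructed). Needs mod_ssl, mod_headers, mod_proxy,
# mod_proxy_http and mod_proxy_wstunnel to be loaded.

# TLS 1.2 and later only; forward-secret AEAD suites instead of ALL...+MEDIUM
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
ServerSignature Off
ServerTokens Prod

<VirtualHost *:443>
  ServerName yourserver.yourdomain.com

  ## Front-end certificate presented to browsers
  SSLEngine on
  SSLCertificateFile    "/etc/ssl/yourcertificate.crt"
  SSLCertificateKeyFile "/etc/ssl/yourkey.key"

  # "set" rather than "append", so the header is emitted exactly once
  Header always set X-Frame-Options "DENY"

  ## Backend (Jetty) TLS: verify the peer instead of turning every check off
  SSLProxyEngine on
  SSLProxyVerify require
  SSLProxyCheckPeerName on
  SSLProxyCheckPeerExpire on
  # Hypothetical path: PEM copy of the certificate Jetty serves, or of its issuing CA
  SSLProxyCACertificateFile "/etc/httpd/conf/backend-ca.pem"

  ## Proxy rules
  ProxyRequests off
  ProxyPreserveHost On
  RequestHeader set X-Forwarded-Proto "https"

  # ProxyPass rules are checked in order and the first match wins,
  # so the websocket rule sits ahead of the catch-all.
  # The backend is addressed as "localhost" in both rules so that the
  # peer-name check compares against the same name each time.
  ProxyPassMatch   "^/admin/(terms.*)$" "wss://localhost:8443/admin/$1"
  ProxyPass        "/" "https://localhost:8443/"
  ProxyPassReverse "/" "https://localhost:8443/"
</VirtualHost>
```

Run `apachectl configtest` after editing; a backend certificate that does not match `localhost` or has expired shows up as a proxy handshake failure in the error log.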