accessing ofbiz only over SSL/TLS using Apache's httpd server


Ted Byers
I am studying how to install OFBiz and a multi-domain WordPress site
on the same server, and I want a) all access to all content in either
to be over a secure connection (but I have yet to succeed to figure
out how to get mod_rewrite to redirect all requests coming in on port
80 using http to be remade using https over port 443 - I always get an
error that the redirection was done in a way that will never
complete), and b) to ensure that whatever I do getting ofbiz to work
with apache's httpd server will not break what I have to do to get a
working multi-site WordPress install (which I will begin with by
experimenting with simulating multiple virtual hosts served by httpd
based on a small number of entries to the hosts file on both the
server and a couple client virtual machines).

I know I found a web page in the past that talked about configuring
Apache's httpd server to receive requests for OFBiz and pass them on to
OFBiz, but for the life of me, and despite many Google searches, I have
not found it again.  Does anyone know what the URL for that page is?

Thanks

Ted

Re: accessing ofbiz only over SSL/TLS using Apache's httpd server

Mike Z
https://cwiki.apache.org/OFBIZ/faq-tips-tricks-cookbook-howto.html#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD

But you would do something like this:

<Location /ecommerce/>
    ProxyPass ajp://127.0.0.1:8009/ecommerce/
</Location>
<Location /images/>
    ProxyPass ajp://127.0.0.1:8009/images/
</Location>
<Location /content/>
    ProxyPass ajp://127.0.0.1:8009/content/
</Location>

You just have to make sure anything ofbiz-specific is short-circuited to
ajp://

This also pretty much disables accessing the backend (/webtools/, etc.) as
well.


Re: accessing ofbiz only over SSL/TLS using Apache's httpd server

Ted Byers
Thanks,

But ....

On Fri, Mar 8, 2013 at 10:38 PM, Mike <[hidden email]> wrote:

> https://cwiki.apache.org/OFBIZ/faq-tips-tricks-cookbook-howto.html#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD
>
> But you would do something like this:
>
> <Location /ecommerce/>
>     ProxyPass ajp://127.0.0.1:8009/ecommerce/
> </Location>
> <Location /images/>
>     ProxyPass ajp://127.0.0.1:8009/images/
> </Location>
> <Location /content/>
>     ProxyPass ajp://127.0.0.1:8009/content/
> </Location>
>
> You just have to make sure anything ofbiz-specific is short-circuited to
> ajp://
>
> This also pretty much disables accessing the backend (/webtools/, etc.) as
> well.
>

What would I need to do to ensure that the backend remains usable?
For my situation, I need both the ecommerce support and the webtools.

Thanks

Ted

Re: accessing ofbiz only over SSL/TLS using Apache's httpd server

Mike Z
There are a couple of ways to do it, each of which requires you to really
know Apache and the AJP module:

On a running ofbiz system, there is this "runtime" directory:

ls /opt/ofbiz.1104/runtime/catalina/work/default-server/0.0.0.0#

accounting  bizznesstime  droppingcrumbs  example googlecheckout multiflex
ordermgr tempfiles workeffort ap bluelight     ebay exampleext  hhfacility
myportal osafe_theme  tomahawk  ar catalog ebaystore facility humanres
oagis partymgr   assetmaint cmssite ecommerce flatgrey iCalendar
manufacturing  ofbiz projectmgr webpos content images marketing
 ofbizsetup  webslinge birt googlebase  ismgr  minimal  sfa webtools

These are all reserved paths that ofbiz creates when started, so you can
create a bunch of <Location>...</Location> tags for each of the above
--or-- you can also just use: (without <Location> tags).

ProxyPass /catalog ajp://127.0.0.1:8009/catalog
ProxyPass /cmssite ajp://127.0.0.1:8009/cmssite
ProxyPass /content ajp://127.0.0.1:8009/content

However, just looking at the sheer amount of mount points that ofbiz
exposes by default, it is crazy to expose all of them on the internet.  You
can probably lock down the external facing mounts that you really need
(like /ecommerce) and just access the backend via a direct connection to
port 8080/8443, only from your LAN.

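A virtual-host layout for what the original question and this reply describe, as an added example rather than configuration from the thread's participants or the OFBiz project. It assumes Apache httpd 2.4 with mod_ssl, mod_proxy, mod_proxy_ajp and mod_alias loaded; the host name, certificate paths and LAN range are placeholders.

```apache
# Added example. shop.example.test, the certificate paths and
# 192.168.1.0/24 are placeholders, not values from the thread.

# Port 80 does nothing except redirect. The rule exists only in this
# vhost, so a request that already arrived on 443 never matches it and
# the redirect cannot loop back onto itself.
<VirtualHost *:80>
    ServerName shop.example.test
    Redirect permanent / https://shop.example.test/
</VirtualHost>

<VirtualHost *:443>
    ServerName shop.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.test.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Store-front mounts named in the thread. Any path not listed here
    # is never forwarded to OFBiz and is served by httpd itself.
    ProxyPass /ecommerce/ ajp://127.0.0.1:8009/ecommerce/
    ProxyPass /images/    ajp://127.0.0.1:8009/images/
    ProxyPass /content/   ajp://127.0.0.1:8009/content/

    # Back end: proxied too, but refused unless the client address is
    # inside the LAN range.
    <Location /webtools/>
        ProxyPass ajp://127.0.0.1:8009/webtools/
        Require ip 192.168.1.0/24
    </Location>
</VirtualHost>

# The restriction above covers traffic through httpd only. OFBiz's own
# listeners (8080/8443 and AJP 8009) must also be unreachable from
# outside the LAN, for example by firewall rule.
```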

Re: accessing ofbiz only over SSL/TLS using Apache's httpd server

Ted Byers
Thanks Mike,

On Sat, Mar 9, 2013 at 12:38 PM, Mike <[hidden email]> wrote:

> There are a couple of ways to do it, each of which requires you to really
> know Apache and the AJP module:
>
> On a running ofbiz system, there is this "runtime" directory:
>
> ls /opt/ofbiz.1104/runtime/catalina/work/default-server/0.0.0.0#
>
> accounting  bizznesstime  droppingcrumbs  example googlecheckout multiflex
> ordermgr tempfiles workeffort ap bluelight     ebay exampleext  hhfacility
> myportal osafe_theme  tomahawk  ar catalog ebaystore facility humanres
> oagis partymgr   assetmaint cmssite ecommerce flatgrey iCalendar
> manufacturing  ofbiz projectmgr webpos content images marketing
>  ofbizsetup  webslinge birt googlebase  ismgr  minimal  sfa webtools
>
> These are all reserved paths that ofbiz creates when started, so you can
> create a bunch of <Location>...</Location> tags for each of the above
> --or-- you can also just use: (without <Location> tags).
>
> ProxyPass /catalog ajp://127.0.0.1:8009/catalog
> ProxyPass /cmssite ajp://127.0.0.1:8009/cmssite
> ProxyPass /content ajp://127.0.0.1:8009/content
>
> However, just looking at the sheer amount of mount points that ofbiz
> exposes by default, it is crazy to expose all of them on the internet.  You
> can probably lock down the external facing mounts that you really need
> (like /ecommerce) and just access the backend via a direct connection to
> port 8080/8443, only from your LAN.
>

Would I not be able to handle the security implications of exposing
some selection of mounts for the back end by requiring client side
certificates for them?  If so, I know how to add support, or a
requirement, for client side certificates in Apache's httpd server,
but what about the application server OFBiz lives in?

Thanks,

Ted

Re: accessing ofbiz only over SSL/TLS using Apache's httpd server

Mike Z
This seems to be a good guide: http://www.garex.net/apache/

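The client-certificate idea raised earlier in the thread, sketched on the httpd side as an added example that is not configuration from the thread's participants or the OFBiz project. It assumes Apache httpd with mod_ssl, mod_proxy and mod_proxy_ajp; the host name, certificate paths and the admin CA file are placeholders.

```apache
# Added example. Host name and file paths are placeholders.
<VirtualHost *:443>
    ServerName shop.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.test.key

    # CA that issues the administrators' client certificates.
    SSLCACertificateFile  /etc/ssl/certs/admin-client-ca.crt

    # Ordinary shoppers are not asked for a certificate.
    SSLVerifyClient none

    ProxyRequests Off
    ProxyPass /ecommerce/ ajp://127.0.0.1:8009/ecommerce/
    ProxyPass /images/    ajp://127.0.0.1:8009/images/
    ProxyPass /content/   ajp://127.0.0.1:8009/content/

    # Back-end mount: the request is forwarded only after the client
    # presents a certificate issued directly by the CA above. mod_ssl
    # asks for the certificate when this location is requested, after
    # the initial handshake has already completed.
    <Location /webtools/>
        SSLVerifyClient require
        SSLVerifyDepth  1
        ProxyPass ajp://127.0.0.1:8009/webtools/
    </Location>
</VirtualHost>

# httpd enforces the certificate check, so it holds only while OFBiz's
# own listeners (8009, 8080, 8443) cannot be reached from outside.
# A client that can connect to those ports directly skips the check.
```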