Provide Secure Backend for PPT (Linux)
Due to browser limitations regarding HTTPS connections, one of two procedures is recommended:
Run HTTPS only.
If you want to have the frontend reachable via HTTP, run the following setup with two separate domains.
Note
Our example uses vocabulary.domain.com for HTTP and vocabulary.example.org for HTTPS. Any combination of URLs would suffice though, for example vocabulary.domain.com and admin.domain.com.
Note
If you change your server to use HTTPS, you also have to change the respective configuration in the poolparty.properties file (see the topic The poolparty.properties File).
Setup Keystore & Certificate
To use HTTPS you need a certificate. To add it to the connector, build a PKCS12 keystore with the following command, replacing mycert.crt, mykey.key and myCA.crt with your certificate, private key and CA certificate:
openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out keystore.p12 -name tomcat -CAfile myCA.crt -caname root -chain
Adapt the poolparty.properties File
Adapt the ppt.url property in the poolparty.properties file (see the topic The poolparty.properties File): change 'http' to 'https' and make sure the server name corresponds to the server name in the SSL certificate.
Configure Tomcat
For this setup, a second Connector has to be configured in the Tomcat server configuration:
/opt/poolparty/tomcat/conf/server.xml
The secure and scheme attributes have to be set to indicate to the PoolParty application that the connection is secured. The following configuration example uses a third-party web server for handling the SSL termination. The attributes proxyName and proxyPort are set to the real address that client browsers connect to. All other attributes are copied from the normal HTTP Connector.
<Connector URIEncoding="UTF-8"
           executor="tomcatThreadPool"
           acceptCount="400"
           port="8443"
           protocol="HTTP/1.1"
           enableLookups="false"
           connectionTimeout="3000"
           compression="on"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/css,application/javascript"
           secure="true"
           scheme="https"
           SSLEnabled="true"
           keystoreFile="/opt/poolparty/tomcat/conf/keystore.p12"
           keystorePass="<changeit>"
           keystoreType="PKCS12"
           proxyName="vocabulary.example.org"
           proxyPort="443" />
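The ppt.url property, the Connector's secure/scheme attributes and its proxyName/proxyPort all have to agree, and a mismatch is easy to miss when editing three files by hand. The following Python check is an added example, not PoolParty's own code: it parses a server.xml and a poolparty.properties and lists the mismatches. The sample inputs are constructed (the placeholder keystorePass is replaced because "<changeit>" is not valid inside an XML attribute), the function names are mine, and the certificate itself is not inspected.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the Connectors from this page inside a minimal <Server> so the
# fragment parses (the page's <changeit> placeholder is not valid inside an XML attribute).
SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="HTTP/1.1" secure="true" scheme="https" SSLEnabled="true"
             keystoreFile="/opt/poolparty/tomcat/conf/keystore.p12" keystorePass="changeit"
             keystoreType="PKCS12" proxyName="vocabulary.example.org" proxyPort="443" />
</Service></Server>"""
# Constructed sample poolparty.properties holding the one property this page changes.
PROPERTIES = "ppt.url=https://vocabulary.example.org/PoolParty\n"

def read_property(text, key):
    """Return the value of `key` from Java .properties text, or None if absent."""
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:]+?)\s*[=:]\s*(.*)$", line)
        if m and m.group(1) == key:
            return m.group(2).strip()
    return None

def check_https_setup(server_xml, properties):
    """Return a list of mismatches between server.xml and ppt.url; [] means consistent."""
    problems = []
    https = [c for c in ET.fromstring(server_xml).iter("Connector") if c.get("scheme") == "https"]
    if not https:
        return ['no Connector with scheme="https" in server.xml']
    c = https[0]
    if c.get("secure") != "true":
        problems.append('https Connector must set secure="true"')
    if c.get("keystoreType") == "PKCS12" and not (c.get("keystoreFile") or "").endswith(".p12"):
        problems.append("keystoreType is PKCS12 but keystoreFile is not a .p12 file")
    url = read_property(properties, "ppt.url")
    if url is None:
        return problems + ["ppt.url is missing from poolparty.properties"]
    u = urlsplit(url)
    if u.scheme != "https":
        problems.append("ppt.url uses %s, change it to https" % u.scheme)
    port = u.port or (443 if u.scheme == "https" else 80)
    proxy_port = c.get("proxyPort") or c.get("port")  # Tomcat falls back to the Connector port
    if u.hostname != c.get("proxyName"):
        problems.append("ppt.url host %r differs from proxyName %r" % (u.hostname, c.get("proxyName")))
    if str(port) != proxy_port:
        problems.append("ppt.url port %s differs from proxyPort %s" % (port, proxy_port))
    return problems

if __name__ == "__main__":
    print(check_https_setup(SERVER_XML, PROPERTIES) or "OK")
```

Run it against your real /opt/poolparty/tomcat/conf/server.xml and poolparty.properties contents before restarting Tomcat; an empty list means the three settings line up.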
If You Run a Proxy Server
Since the Tomcat connector's port is 8443, the configuration for nginx would look as in this example:
# upstream for the plain HTTP Connector (8080 assumed here, the Tomcat default; use the port of your HTTP Connector)
upstream vocabulary {
    server 10.0.0.12:8080;
    keepalive 4;
}

server {
    server_name vocabulary.domain.com;
    listen 80;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header Host $http_host;
        proxy_pass http://vocabulary;
    }

    # redirect all secured backend URLs to https
    location /PoolParty {
        return 301 https://vocabulary.example.org$request_uri;
    }
    location /extractor {
        return 301 https://vocabulary.example.org$request_uri;
    }
    location /solr {
        return 301 https://vocabulary.example.org$request_uri;
    }
}

# upstream for the HTTPS Connector configured above (port 8443)
upstream vocabulary-443 {
    server 10.0.0.12:8443;
    keepalive 4;
}

server {
    server_name vocabulary.example.org;
    listen 443 ssl;

    ssl_session_timeout 10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them and add TLSv1.3 if your nginx/OpenSSL build supports it
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/pki/tls/dhparams.pem;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    ssl_certificate /etc/ssl/certs/vocabulary.example.org.pem;
    ssl_certificate_key /etc/ssl/certs/vocabulary.example.org.key;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # change this if you do not want to have https between proxy and application
        proxy_set_header Front-End-Https "On";    # terminate HTTPS on the proxy to have secure cipher lists without further Tomcat configuration
        proxy_set_header Host $http_host;
        proxy_pass https://vocabulary-443;        # change this if you do not want to have https between proxy and application
    }
}
Note
This setup uses TLS encrypted communication between user and proxy and between proxy and application.