Provide Secure Backend for PPT (Linux)

Due to browser limitations regarding HTTPS Connections one of two procedures is recommended:

  • Run HTTPS only.

  • If you want to have the frontend reachable via HTTP, run the following setup, with 2 separate domains.

Note

Our example uses vocabulary.domain.com for HTTP and for HTTPS vocabulary.example.org.

Any combination of URLs would suffice though.

Example: vocabulary.domain.com/admin.domain.com

Note

If you change your server to use https you have to change the respective configuration in the poolparty.properties file too.

Setup Keystore & Certificate

To use https, you need a certificate. To add that certificate to your connector e.g. you replace <mycert.crt>, <mykey.key> with appropriate values.

openssl pkcs12 -export -in mycert.crt -inkey mykey.key
                        -out keystore.p12 -name tomcat -CAfile myCA.crt
                        -caname root -chain

Adapt the poolparty.properties File

You have to adapt the ppt.url property in the poolparty.properties file.

  1. Change 'http' to 'https'.

  2. Make sure the server name corresponds to the server name in the SSL certificate.

Configure Tomcat

For this setup, a second Connector has to be configured in the Tomcat server configuration:

  • /opt/poolparty/tomcat/conf/server.xml

The secure and scheme attributes have to be set to indicate to the PoolParty application that the connection is secured. The following configuration example uses a thirdparty webserver for handling the ssl termination. The attributes proxyName and proxyPort are set to the real address connected to by client browsers. All other attributes are copied from the normal HTTP Connector.

    <Connector
        URIEncoding="UTF-8"
        executor="tomcatThreadPool"
        acceptCount="400"
        port="8443" 
        protocol="HTTP/1.1" 
        enableLookups="false"
        connectionTimeout="3000" 
        compression="on"
        compressionMinSize="2048"
        noCompressionUserAgents="gozilla, traviata"
        compressableMimeType="text/html,text/css,application/javascript"
        secure="true" scheme="https"
                SSLEnabled="true"
                keystoreFile="/opt/poolparty/tomcat/conf/keystore.p12"
                keystorePass="<changeit>"
                keystoreType="PKCS12"
                proxyName="vocabulary.example.org" 
        proxyPort="443" />

If You Run a Proxy Server

Since the Tomcat connector's port is 8443, the configuration for nginx would look as in this example:

upstream vocabulary-443 {
  server 10.0.0.12:8443;
  keepalive 4;
}
server {
  server_name  vocabulary.domain.com;

  listen 80;
  
  location / {
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto http;
    proxy_set_header Host $http_host;
    proxy_pass http://vocabulary;
  }
#redirect all secured Backend URLs to https
  location /PoolParty {
    return 301 https://vocabulary.example.org$request_uri;
  }
  location /extractor {
    return 301 https://vocabulary.example.org$request_uri;
  }
  location /solr {
    return 301 https://vocabulary.example.org$request_uri;
  }
}
upstream vocabulary-443 {
        server 10.0.0.12:443;
        keepalive 4;
}
server {
        server_name vocabulary.example.org;
        listen 443 ssl;
        ssl_session_timeout         10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        ssl_prefer_server_ciphers on;
            ssl_dhparam /etc/pki/tls/dhparams.pem;
        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;
        ssl_certificate /etc/ssl/certs/vocabulary.example.org.pem;
        ssl_certificate_key /etc/ssl/certs/vocabulary.example.org.key;

  location / {
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https; #change this if you do not want to have https between proxy and application
    proxy_set_header Front-End-Https "On"; #terminate HTTPS on Proxy,to have secure cipher lists without further tomcat configuration
    proxy_set_header Host $http_host;
    proxy_pass https://vocabulary-443; #change this if you do not want to have https between proxy and application
  }
}

Note

This setup uses TLS encrypted communicaton between user and proxy and between proxy and application.

Find more information in these topics: