Contents
1 Introduction
1.1 Apache httpd different flavors
1.2 Adapting the examples to your needs
2 Using Apache 2
2.1 Prerequisites
2.2 Simple virtual host HTTP + HTTPS configuration
2.3 Secure virtual host HTTP + HTTPS configuration
3 Using Apache (apache-ssl package)
3.1 Prerequisites
3.2 Simple virtual host HTTP + HTTPS configuration
3.3 Secure virtual host HTTP + HTTPS configuration
4 Developer information
1 Introduction
This kind of configuration is the preferred way to deploy CPS web sites because:
The Apache httpd server comes in different series (the 1.3.x and the 2.x series, etc.) and
also in different versions (the standard httpd version and the Apache-SSL flavor).
In this document we will only explain the use of the following versions:
Using Apache 2 is the preferred option because it is the more up-to-date version and the
version on which development is done. Apache-SSL was only handy before Apache 2. Now
that Apache 2 ships with mod_ssl by default, there isn't any reason to stay with
Apache-SSL anymore.
Port 9673 is the Zope default port on Debian. You might have to change it to 8080
Finally note that while this howto focuses on CPS, the most complete Open Source
solution available for building Enterprise Content Management (ECM) applications, it could
advantageously be followed for other Zope-based applications such as Plone.
2 Using Apache 2
Here are some configuration examples using Apache2 httpd VirtualHost directives.
2.1 Prerequisites
What you need:
$ a2enmod proxy
$ a2enmod rewrite
$ a2enmod ssl
Listen 80
Listen 443
Listen 453
<Proxy *>
Order deny,allow
Deny from all
</Proxy>
<Proxy http://localhost:9673>
Order deny,allow
Deny from all
Allow from all
</Proxy>
5. If you want to use HTTPS for your web server you should either:
generate a single self-signed certificate (this is the easy way to go if you just
want HTTPS for one portal and don't care about flexibility, evolution, multiple
service or domain names on the same machine, etc.)
generate a private key and certificate file (this is the more serious and flexible
way to go)
We will only document the single self-signed certificate generation procedure, which
can easily be used on Debian systems. This documentation is not about teaching you
how to manipulate certificates or how to install or use a PKI.
On Debian-based systems there is a small utility that can generate the self-signed
certificate for you: apache2-ssl-certificate:
$ /usr/sbin/apache2-ssl-certificate
Just answer the few questions (Country Name, server name, Email Address, etc.)
about your service name or portal name and machine and it will generate the
certificate for you in /etc/apache2/ssl/apache.pem.
If you are not satisfied with the questions asked by the utility (for example to get rid
of the stupid State or Province Name information and the localityName information)
edit the OpenSSL configuration file used by Apache before running the utility:
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
# You can change the default values
#countryName_default = GB
countryName_default = FR
countryName_min = 2
countryName_max = 2
# Just comment out the option you don't want to have to be set
#stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = Some-State
# Just comment out the option you don't want to have to be set
#localityName = Locality Name (eg, city)
Then you can check the information that ended up in the certificate:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
a0:35:f0:c7:d1:68:5a:27
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FR, O=MySite, CN=www.mysite.net/emailAddress=webmaster@mysite.net
Validity
Not Before: May 18 13:15:45 2006 GMT
Not After : Jun 17 13:15:45 2006 GMT
Subject: C=FR, O=MySite, CN=www.mysite.net/emailAddress=webmaster@mysite.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:cb:4c:6e:69:91:b4:70:d2:55:80:15:fe:34:e9:
85:df:74:56:6a:6c:de:15:f6:b3:ba:78:b8:06:74:
b4:d3:c6:35:cf:6c:8d:21:7b:53:0e:b1:c9:24:51:
bc:23:9f:bd:c5:b1:07:5a:30:34:5a:97:e8:4c:d5:
5f:83:24:7e:3b:d9:9d:07:bd:d3:ca:4d:a4:f7:4b:
d2:49:c2:63:6d:4e:3e:82:58:91:b6:45:2f:80:61:
c2:a1:6e:10:e8:1d:21:b7:f9:e2:0e:b6:95:24:dd:
ae:82:9c:6c:3e:38:ac:ca:cb:e2:74:fc:65:97:85:
40:39:3d:ee:81:16:db:57:8f
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
5a:6e:6e:b0:82:aa:b6:71:42:24:b8:d5:31:6a:78:13:81:a2:
dc:c3:91:91:e5:20:46:b5:91:81:11:f6:bc:86:4e:e2:a5:bd:
d9:b8:c1:ca:16:a1:46:de:4e:69:bf:7a:dd:5e:24:dd:d6:53:
12:12:23:75:bd:e2:45:ad:81:7f:8f:82:35:20:ce:68:69:71:
50:ea:45:8f:4b:fe:f4:be:84:53:4d:2b:7d:85:5b:bd:0d:8f:
6b:66:2a:87:9e:41:94:ee:44:01:ae:76:45:ad:e9:a1:71:fd:
6f:1d:96:d3:53:66:d1:a7:96:97:54:ac:43:b1:78:77:90:a1:
ac:aa
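The dump above describes a version 1 certificate signed with md5WithRSAEncryption over a 1024-bit RSA key, properties that current TLS clients and libraries generally refuse. The following is an added example, not part of the original howto: a shell function that flags those properties in `openssl x509 -noout -text` output. The function names and finding labels are made up for this example, and the sample input is built from the header fields of the dump above.

```shell
#!/bin/sh
# Constructed sample: header fields of the dump above, hex bodies left out.
sample_cert_text() {
cat <<'EOF'
Certificate:
    Data:
        Version: 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FR, O=MySite, CN=www.mysite.net/emailAddress=webmaster@mysite.net
        Validity
            Not Before: May 18 13:15:45 2006 GMT
            Not After : Jun 17 13:15:45 2006 GMT
        Subject: C=FR, O=MySite, CN=www.mysite.net/emailAddress=webmaster@mysite.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
EOF
}

# audit_cert_text (hypothetical helper): reads `openssl x509 -noout -text`
# output on stdin and prints one finding per line; no output means no finding.
audit_cert_text() {
    awk '
    /^[ \t]*Version:/ && !seen_ver {        # v1 carries no extensions (no SAN)
        seen_ver = 1
        if ($2 + 0 < 3) print "NO_EXTENSIONS v" ($2 + 0)
    }
    /Signature Algorithm:/ && !seen_sig {   # first occurrence is enough
        seen_sig = 1
        if (tolower($NF) ~ /md2|md5|sha1/) print "WEAK_SIGNATURE " $NF
    }
    /Public Key Algorithm:/ { pkalg = $NF }
    /Public[- ]Key: \([0-9]+ bit\)/ {       # wording differs across OpenSSL versions
        bits = $0
        sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
        if (pkalg == "rsaEncryption" && bits + 0 < 2048) print "SHORT_RSA_KEY " bits
    }
    /^[ \t]*Issuer:/  { issuer = $0;  sub(/^[ \t]*Issuer:[ \t]*/, "", issuer) }
    /^[ \t]*Subject:/ { subject = $0; sub(/^[ \t]*Subject:[ \t]*/, "", subject) }
    END {                                   # issuer == subject: self-signed style
        if (issuer != "" && issuer == subject) print "SELF_ISSUED"
    }
    '
}

sample_cert_text | audit_cert_text
```

On a live system, pipe `openssl x509 -noout -text -in /etc/apache2/ssl/apache.pem` into `audit_cert_text`; expiry can be checked separately with `openssl x509 -checkend <seconds>`.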
2.2 Simple virtual host HTTP + HTTPS configuration
Example:
<VirtualHost 192.168.2.20:80>
    ServerName www.mysite.net
    RewriteEngine on
</VirtualHost>
<VirtualHost 192.168.2.20:443>
    ServerName www.mysite.net
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    # Alternatively, use these lines for a separate private key and certificate
    #SSLCertificateFile /etc/apache2/ssl/www.mysite.net.cert
    #SSLCertificateKeyFile /etc/apache2/ssl/www.mysite.net.key
    RewriteEngine on
</VirtualHost>
2.3 Secure virtual host HTTP + HTTPS configuration
Example:
RewriteEngine on
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
# Alternatively use those lines for private key and certificate configurations
#SSLCertificateFile /etc/apache2/ssl/www.mysite.net.cert
#SSLCertificateKeyFile /etc/apache2/ssl/www.mysite.net.key
RewriteEngine on
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
# Alternatively use those lines for private key and certificate configurations
#SSLCertificateFile /etc/apache2/ssl/www.mysite.net.cert
#SSLCertificateKeyFile /etc/apache2/ssl/www.mysite.net.key
RewriteEngine on
3 Using Apache (apache-ssl package)
Note that those configuration instructions are "apache-ssl" specific. It is of course possible
to use the "apache" and "libapache-mod-ssl" packages, instead of using the "apache-ssl"
package, but the configuration might be slightly different.
3.1 Prerequisites
What you need:
3. You should have the SSLDisable option at the server configuration level because we
will be using virtual hosts.
4. You should generate a private key and a certificate file for your web server.
3.2 Simple virtual host HTTP + HTTPS configuration
Example:
<VirtualHost 192.168.2.20:80>
    ServerName www.mysite.net
    RewriteEngine on
</VirtualHost>
<VirtualHost 192.168.2.20:443>
    ServerName www.mysite.net
    SSLEnable
    SSLCertificateFile /etc/apache-ssl/ssl.crt/apache.pem
    # Alternatively, use these lines for a separate private key and certificate
    #SSLCertificateFile /etc/apache-ssl/ssl.crt/www.mysite.net.cert
    #SSLCertificateKeyFile /etc/apache-ssl/ssl.key/www.mysite.net.key
    RewriteEngine on
</VirtualHost>
3.3 Secure virtual host HTTP + HTTPS configuration
Example:
RewriteEngine on
SSLEnable
SSLCertificateFile /etc/apache-ssl/ssl.crt/apache.pem
# Alternatively use those lines for private key and certificate configurations
#SSLCertificateFile /etc/apache-ssl/ssl.crt/www.mysite.net.cert
#SSLCertificateKeyFile /etc/apache-ssl/ssl.key/www.mysite.net.key
RewriteEngine on
SSLEnable
SSLCertificateFile /etc/apache-ssl/ssl.crt/www.mysite.net.cert
SSLCertificateKeyFile /etc/apache-ssl/ssl.key/www.mysite.net.key
RewriteEngine on
4 Developer information
Information about how to handle paths/urls in products using CPS, to make them
work properly with virtual hosting:
http://www.cps-project.org/sections/documentation/developers/virtual_hosting_in_cps
http://svn.nuxeo.org/trac/pub/file/CPSCore/trunk/doc/virtual-hosting.txt