You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@ofbiz.apache.org by Ted Byers <r....@gmail.com> on 2013/03/09 02:31:09 UTC
accessing ofbiz only over SSL/TLS using Apache's httpd server
I am studying how to install OFBiz and a multi-domain WordPress site
on the same server, and I want a) all access to all content in either
to be over a secure connection (but I have yet to succees to figure
out how to get mod_rewrite to redirect all requests coming in on port
80 using http to be remade using https over port 443 - I always get an
error that the redirection was done in a way that will never
complete), and b) to ensure that whatever I do getting ofbiz to work
with apache's httpd server will not break what I have to do to get a
working multi-site WordPress install (which I will begin with by
experimenting with simulating multiple virtual hosts served by httpd
based on a small number of entries to the hosts file on both the
server and a couple client virtual machines).
I know I found a web page in the past that talked about configuring
Apache's httpd server receive requests for OFBiz and pass them on to
OFBiz, but for the life of me, and despite many Google searchs, I have
not found it again. Does anyone know what the URL for that page is?
Thanks
Ted
Re: accessing ofbiz only over SSL/TLS using Apache's httpd server
Posted by Mike <mz...@gmail.com>.
This seems to be a good guide: http://www.garex.net/apache/
On Sat, Mar 9, 2013 at 9:49 AM, Ted Byers <r....@gmail.com> wrote:
> Thanks Mike,
>
> On Sat, Mar 9, 2013 at 12:38 PM, Mike <mz...@gmail.com> wrote:
> > There are a couple of ways to do it, each of which requires you to really
> > know apache the AJP module:
> >
> > On a running ofbiz system, there is this "runtime" directory:
> >
> > ls /opt/ofbiz.1104/runtime/catalina/work/default-server/0.0.0.0#
> >
> > accounting bizznesstime droppingcrumbs example googlecheckout
> multiflex
> > ordermgr tempfiles workeffort ap bluelight ebay exampleext
> hhfacility
> > myportal osafe_theme tomahawk ar catalog ebaystore facility humanres
> > oagis partymgr assetmaint cmssite ecommerce flatgrey iCalendar
> > manufacturing ofbiz projectmgr webpos content images marketing
> > ofbizsetup webslinge birt googlebase ismgr minimal sfa webtools
> >
> > These are all reserved paths that ofbiz creates when started, so you can
> > create a bunch of <Location>...</Location> tags for each of the above
> > --or-- you can also just use: (with out /Location tags).
> >
> > proxyPass /catalog ajp://127.0.0.1:8009/catalog
> > proxyPass /cmssite ajp://127.0.0.1:8009/cmssite
> > proxyPass /content ajp://127.0.0.1:8009/content
> >
> > However, just looking at the shear amount of mount points that ofbiz
> > exposes by default it is crazy to expose all of them on the internet.
> You
> > can probably lock down the external facing mounts that you really need
> > (like /ecommerce) and just access the backend via a direct connection to
> > port 8080/8443, only from your LAN.
> >
>
> Would I not be able to handle the security implications of exposing
> some selection of mounts for the back end by requiring client side
> certificates for them. If so, I know how to add support or a
> requirement, for client side certificates in Apache's httpd server,
> but what about the application server OFBiz lives in?
>
> Thanks,
>
> Ted
>
Re: accessing ofbiz only over SSL/TLS using Apache's httpd server
Posted by Ted Byers <r....@gmail.com>.
Thanks Mike,
On Sat, Mar 9, 2013 at 12:38 PM, Mike <mz...@gmail.com> wrote:
> There are a couple of ways to do it, each of which requires you to really
> know apache the AJP module:
>
> On a running ofbiz system, there is this "runtime" directory:
>
> ls /opt/ofbiz.1104/runtime/catalina/work/default-server/0.0.0.0#
>
> accounting bizznesstime droppingcrumbs example googlecheckout multiflex
> ordermgr tempfiles workeffort ap bluelight ebay exampleext hhfacility
> myportal osafe_theme tomahawk ar catalog ebaystore facility humanres
> oagis partymgr assetmaint cmssite ecommerce flatgrey iCalendar
> manufacturing ofbiz projectmgr webpos content images marketing
> ofbizsetup webslinge birt googlebase ismgr minimal sfa webtools
>
> These are all reserved paths that ofbiz creates when started, so you can
> create a bunch of <Location>...</Location> tags for each of the above
> --or-- you can also just use: (with out /Location tags).
>
> proxyPass /catalog ajp://127.0.0.1:8009/catalog
> proxyPass /cmssite ajp://127.0.0.1:8009/cmssite
> proxyPass /content ajp://127.0.0.1:8009/content
>
> However, just looking at the shear amount of mount points that ofbiz
> exposes by default it is crazy to expose all of them on the internet. You
> can probably lock down the external facing mounts that you really need
> (like /ecommerce) and just access the backend via a direct connection to
> port 8080/8443, only from your LAN.
>
Would I not be able to handle the security implications of exposing
some selection of mounts for the back end by requiring client side
certificates for them. If so, I know how to add support or a
requirement, for client side certificates in Apache's httpd server,
but what about the application server OFBiz lives in?
Thanks,
Ted
Re: accessing ofbiz only over SSL/TLS using Apache's httpd server
Posted by Mike <mz...@gmail.com>.
There are a couple of ways to do it, each of which requires you to really
know apache the AJP module:
On a running ofbiz system, there is this "runtime" directory:
ls /opt/ofbiz.1104/runtime/catalina/work/default-server/0.0.0.0#
accounting bizznesstime droppingcrumbs example googlecheckout multiflex
ordermgr tempfiles workeffort ap bluelight ebay exampleext hhfacility
myportal osafe_theme tomahawk ar catalog ebaystore facility humanres
oagis partymgr assetmaint cmssite ecommerce flatgrey iCalendar
manufacturing ofbiz projectmgr webpos content images marketing
ofbizsetup webslinge birt googlebase ismgr minimal sfa webtools
These are all reserved paths that ofbiz creates when started, so you can
create a bunch of <Location>...</Location> tags for each of the above
--or-- you can also just use: (with out /Location tags).
proxyPass /catalog ajp://127.0.0.1:8009/catalog
proxyPass /cmssite ajp://127.0.0.1:8009/cmssite
proxyPass /content ajp://127.0.0.1:8009/content
However, just looking at the shear amount of mount points that ofbiz
exposes by default it is crazy to expose all of them on the internet. You
can probably lock down the external facing mounts that you really need
(like /ecommerce) and just access the backend via a direct connection to
port 8080/8443, only from your LAN.
On Sat, Mar 9, 2013 at 4:10 AM, Ted Byers <r....@gmail.com> wrote:
> Thanks,
>
> But ....
>
> On Fri, Mar 8, 2013 at 10:38 PM, Mike <mz...@gmail.com> wrote:
> >
> https://cwiki.apache.org/OFBIZ/faq-tips-tricks-cookbook-howto.html#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD
> >
> > But you would do something like this:
> >
> > <Location /ecommerce/>
> > proxyPass ajp://127.0.0.1:8009/ecommerce/
> > </Location>
> > <Location /images/>
> > proxyPass ajp://127.0.0.1:8009/images/
> > </Location>
> > <Location /content/>
> > proxyPass ajp://127.0.0.1:8009/content/
> > </Location>
> >
> > You just have to make sure anything ofbiz-specific is short-circuited to
> > ajp://
> >
> > This also pretty much disables accessing the backend (/webtools/, etc.)
> as
> > well.
> >
>
> What would I need to do to ensure that the backend remains usable?
> For my situation, I need both the ecommerce support and the webtools.
>
> Thanks
>
> Ted
>
Re: accessing ofbiz only over SSL/TLS using Apache's httpd server
Posted by Ted Byers <r....@gmail.com>.
Thanks,
But ....
On Fri, Mar 8, 2013 at 10:38 PM, Mike <mz...@gmail.com> wrote:
> https://cwiki.apache.org/OFBIZ/faq-tips-tricks-cookbook-howto.html#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD
>
> But you would do something like this:
>
> <Location /ecommerce/>
> proxyPass ajp://127.0.0.1:8009/ecommerce/
> </Location>
> <Location /images/>
> proxyPass ajp://127.0.0.1:8009/images/
> </Location>
> <Location /content/>
> proxyPass ajp://127.0.0.1:8009/content/
> </Location>
>
> You just have to make sure anything ofbiz-specific is short-circuited to
> ajp://
>
> This also pretty much disables accessing the backend (/webtools/, etc.) as
> well.
>
What would I need to do to ensure that the backend remains usable?
For my situation, I need both the ecommerce support and the webtools.
Thanks
Ted
Re: accessing ofbiz only over SSL/TLS using Apache's httpd server
Posted by Mike <mz...@gmail.com>.
https://cwiki.apache.org/OFBIZ/faq-tips-tricks-cookbook-howto.html#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD
But you would do something like this:
<Location /ecommerce/>
proxyPass ajp://127.0.0.1:8009/ecommerce/
</Location>
<Location /images/>
proxyPass ajp://127.0.0.1:8009/images/
</Location>
<Location /content/>
proxyPass ajp://127.0.0.1:8009/content/
</Location>
You just have to make sure anything ofbiz-specific is short-circuited to
ajp://
This also pretty much disables accessing the backend (/webtools/, etc.) as
well.
On Fri, Mar 8, 2013 at 5:31 PM, Ted Byers <r....@gmail.com> wrote:
> I am studying how to install OFBiz and a multi-domain WordPress site
> on the same server, and I want a) all access to all content in either
> to be over a secure connection (but I have yet to succees to figure
> out how to get mod_rewrite to redirect all requests coming in on port
> 80 using http to be remade using https over port 443 - I always get an
> error that the redirection was done in a way that will never
> complete), and b) to ensure that whatever I do getting ofbiz to work
> with apache's httpd server will not break what I have to do to get a
> working multi-site WordPress install (which I will begin with by
> experimenting with simulating multiple virtual hosts served by httpd
> based on a small number of entries to the hosts file on both the
> server and a couple client virtual machines).
>
> I know I found a web page in the past that talked about configuring
> Apache's httpd server receive requests for OFBiz and pass them on to
> OFBiz, but for the life of me, and despite many Google searchs, I have
> not found it again. Does anyone know what the URL for that page is?
>
> Thanks
>
> Ted
>