Third-party software integration: Apache SSL and more
Expose OpenKM directly from JBoss can be dangerous if you need the application to be accessed from Internet. Also this 8080 may be closed by a firewall. For these reasons, is a good idea expose your OpenKM installation through the standard web port 80. In the following steps we explain how to configure Apache to handle these request and forward to JBoss application server using the AJP13 protocol.
From the Apache documentation: The AJP13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles.
Advanced configuration
If you don't want to show the /OpenKM context, try this as your VirtualHost configuration:
<VirtualHost *>
ServerName openkm.your-domain.com
ProxyPass / ajp://localhost:8009/OpenKM/
ProxyPassReverse / http://openkm.your-domain.com/OpenKM/
ErrorLog /var/log/apache2/your-domain.com-error.log
CustomLog /var/log/apache2/your-domain.com-access.log combined
RewriteEngine on
RewriteCond %{REQUEST_URI} /OpenKM*
RewriteRule ^(/.*)$ http://localhost:8080$1 [P]
RequestHeader edit X-GWT-Module-Base ^(http://openkm.your-domain)/frontend/(.*)$ $1/OpenKM/frontend/$2
</VirtualHost>
You need also set the configuration parameter system.apache.request.header.fix to on (true). Note than in OpenKM 5.1 the configuration is stored in database and the OpenKM.cfg configuration only make sense in the database (Hibernate) configuration parameters.
You have to enable explicitly the proxy access editing the Apache configuration file /etc/apache2/mods-available/proxy.conf:
<IfModule mod_proxy.c>
#turning ProxyRequests on and allowing proxying from all may allow
#spammers to use your proxy to send email.
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
Deny from all
#Allow from .example.com
</Proxy>
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
ProxyVia On
</IfModule>
Finally restart Apache:
$ sudo /etc/init.d/apache2 restart
Now you can access your OpenKM installation from http://openkm.your-domain.com/. Another advantage of using Apache is that you can log OpenKM access and generate web statistics.
SSL in Debian / Ubuntu
$ sudo mkdir /etc/apache2/ssl $ sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem $ sudo a2enmod ssl
Ensure ports 443 is listen in /etc/apache2/ports.conf
Do the same task related to port 80 but changing the configuration file /etc/apache2/sites-available/openkm.conf with this content:
<VirtualHost *:443>
ServerName openkm.your-domain.com
RedirectMatch ^/$ /OpenKM
<Location /OpenKM>
ProxyPass ajp://127.0.0.1:8009/OpenKM
ProxyPassReverse http://openkm.your-domain.com/OpenKM
</Location>
ErrorLog /var/log/apache2/openkm.your-domain.com-error.log
CustomLog /var/log/apache2/openkm.your-domain.com-access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
SSL in Red Hat / CentOS
$ sudo yum install mod_ssl openssl crypto-utils
Generate private keys ( for more information visit Apache HTTP Secure Server Configuration)
$ genkey your-domain.com
During the process will be generated two files at
SSLCertificateFile /etc/pki/tls/certs/your-domain.com.cert SSLCertificateKeyFile /etc/pki/tls/private/your-domain.com.key
Must modify the /etc/httpd/conf.d/openkm.conf file
<VirtualHost *:443>
ServerName your-domain.com
ProxyPass / ajp://localhost:8009/OpenKM/
ProxyPassReverse / http://your-domain.com/OpenKM/
ErrorLog /var/log/your-domain.com-error.log
CustomLog /var/log/your-domain.com-access.log combined
RewriteEngine on
RewriteCond %{REQUEST_URI} /OpenKM*
RewriteRule ^(/.*)$ http://localhost:8080$1 [P]
ProxyPassReverse / http://localhost:8080/
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/your-domain.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/your-domain.com.key
</VirtualHost>
Finally must modify SSLCertificateFile and SSLCertificateKeyFile values in file /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/your-domain.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/your-domain.com.key
Now you can access your OpenKM installation from http://openkm.your-domain.com/. Another advantage of using Apache is that you can log OpenKM access and generate web statistics.
More info
For more info, visit: