Template:ApacheAppSuiteConf: Difference between revisions

No edit summary
No edit summary
 
(19 intermediate revisions by 6 users not shown)
Line 3: Line 3:
  $ vim {{#if:{{{connectorConf|}}}|{{{connectorConf}}}|{{{ajpconf}}}}}
  $ vim {{#if:{{{connectorConf|}}}|{{{connectorConf}}}|{{{ajpconf}}}}}


# Please note that the servlet path to the soap API has changed:
 
<Location /webservices>
    # restrict access to the soap provisioning API
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    # you might add more ip addresses / networks here
    # Allow from 192.168 10 172.16
</Location>
# the old path is kept for compatibility reasons
<Location /servlet/axis2/services>
    # restrict access to the soap provisioning API
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    # you might add more ip addresses / networks here
    # Allow from 192.168 10 172.16
</Location>
  {{{loadmodule}}}
  {{{loadmodule}}}
   
   
  <IfModule mod_proxy_{{#if:{{{connector|}}}|{{{connector}}}|ajp}}.c>
  <IfModule mod_proxy_{{#if:{{{connector|}}}|{{{connector}}}|ajp}}.c>
     ProxyRequests Off
     ProxyRequests Off
    ProxyStatus On
     {{#ifeq: {{{connector}}} | http | {{Template:ApacheAppSuiteConf/httpProxyPreserveHost}} | }}
     {{#ifeq: {{{connector}}} | http | {{Template:ApacheAppSuiteConf/httpProxyPreserveHost}} | }}
    # Please note that the servlet path to the soap API has changed:
    <Location /webservices>
        # restrict access to the soap provisioning API
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        # you might add more ip addresses / networks here
        # Allow from 192.168 10 172.16
    </Location>
 
    # The old path is kept for compatibility reasons
    <Location /servlet/axis2/services>
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
   
    # Enable the balancer manager mentioned in
    # https://oxpedia.org/wiki/index.php?title=AppSuite:Running_a_cluster#Updating_a_Cluster
    <IfModule mod_status.c>
      <Location /balancer-manager>
        SetHandler balancer-manager
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
      </Location>
    </IfModule>
   
     <Proxy balancer://oxcluster>
     <Proxy balancer://oxcluster>
         Order deny,allow
         Order deny,allow
         Allow from all
         Allow from all
         # multiple server setups need to have the hostname inserted instead localhost
         # multiple server setups need to have the hostname inserted instead localhost
         BalancerMember {{#if:{{{connector|}}}|{{{connector}}}|ajp}}://localhost:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=OX1
         BalancerMember {{#if:{{{connector|}}}|{{{connector}}}|ajp}}://localhost:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=APP1
         # Enable and maybe add additional hosts running OX here
         # Enable and maybe add additional hosts running OX here
         # BalancerMember {{#if:{{{connector|}}}|{{{connector}}}|ajp}}://oxhost2:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=OX2
         # BalancerMember {{#if:{{{connector|}}}|{{{connector}}}|ajp}}://oxhost2:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=APP2
       ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
       ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
       {{#ifeq: {{{connector}}} | http |
       {{#ifeq: {{{connector}}} | http |
Line 41: Line 51:
       | }}
       | }}
     </Proxy>
     </Proxy>
     {{#ifeq: {{{connector}}} | http | {{Template:ApacheAppSuiteConf/easHttpProxy|easProxyName={{{easProxyName}}}}} | }}
   
     # OX AppSuite frontend
    # The standalone documentconverter(s) within your setup (if installed)
     <Proxy /appsuite/api>
    # Make sure to restrict access to backends only
        ProxyPass balancer://oxcluster/ajax
    # See: http://httpd.apache.org/docs/$YOUR_VERSION/mod/mod_authz_host.html#allow for more infos
     </Proxy>
    #<Proxy balancer://oxcluster_docs>
    #    Order Deny,Allow
    #    Deny from all
    #    Allow from backend1IP
    #    BalancerMember {{#if:{{{connector|}}}|{{{connector}}}|ajp}}://converter_host:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 keepalive=On route=APP3
    #    ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
    #   SetEnv proxy-initial-not-pooled
    #    SetEnv proxy-sendchunked
    #</Proxy>
     {{#ifeq: {{{connector}}} | http | {{Template:ApacheAppSuiteConf/easHttpProxy|syncProxyName={{{syncProxyName}}}}} | }}
   
    # When specifying additional mappings via the ProxyPass directive be aware that the first matching rule wins. Overlapping urls of
    # mappings have to be ordered from longest URL to shortest URL.
    #
    # Example:
    #  ProxyPass /ajax      balancer://oxcluster_with_100s_timeout/ajax
    #  ProxyPass /ajax/test balancer://oxcluster_with_200s_timeout/ajax/test
    #
    # Requests to /ajax/test would have a timeout of 100s instead of 200s
    # 
    # See:
    # - http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass Ordering ProxyPass Directives
     # - http://httpd.apache.org/docs/current/mod/mod_proxy.html#workers Worker Sharing
    ProxyPass /ajax balancer://oxcluster/ajax
     ProxyPass /appsuite/api balancer://oxcluster/ajax
    ProxyPass /drive balancer://oxcluster/drive
    ProxyPass /infostore balancer://oxcluster/infostore
    {{#ifeq: {{{connector}}} | http | ProxyPass /realtime balancer://oxcluster/realtime | }}
    ProxyPass /servlet balancer://oxcluster/servlet
    ProxyPass /webservices balancer://oxcluster/webservices
    #ProxyPass /documentconverterws balancer://oxcluster_docs/documentconverterws
 
    ProxyPass /usm-json balancer://{{#if:{{{syncProxyName|}}}|{{{syncProxyName}}}|oxcluster}}/usm-json
     ProxyPass /Microsoft-Server-ActiveSync balancer://{{#if:{{{syncProxyName|}}}|{{{syncProxyName}}}|oxcluster}}/Microsoft-Server-ActiveSync
   
   
    # OX frontend
    <Proxy /ajax>
        ProxyPass balancer://oxcluster/ajax
    </Proxy>
    <Proxy /servlet>
        ProxyPass balancer://oxcluster/servlet
    </Proxy>
    <Proxy /infostore>
        ProxyPass balancer://oxcluster/infostore
    </Proxy>
    <Proxy /publications>
        ProxyPass balancer://oxcluster/publications
    </Proxy>
    # USM
    <Proxy /usm-json>
        ProxyPass balancer://oxcluster/usm-json
    </Proxy>
    # SOAP
    <Proxy /webservices>
        ProxyPass balancer://oxcluster/webservices
  </Proxy>
  {{#ifeq: {{{connector}}} | http |
    <Proxy /realtime>
        ProxyPass balancer://oxcluster/realtime
  </Proxy>
  | }}
    # OXtender{{#ifeq: {{{connector}}} | http | /EAS specific proxy container with higher timeout | }}
    <Proxy /Microsoft-Server-ActiveSync>
        ProxyPass balancer://{{#if:{{{easProxyName|}}}|{{{easProxyName}}}|oxcluster}}/Microsoft-Server-ActiveSync
    </Proxy>
  </IfModule>
  </IfModule>


Line 89: Line 103:
         DocumentRoot {{#if:{{{docroot|}}}|{{{docroot}}}|/var/www}}
         DocumentRoot {{#if:{{{docroot|}}}|{{{docroot}}}|/var/www}}
         <Directory {{#if:{{{docroot|}}}|{{{docroot}}}|/var/www}}>
         <Directory {{#if:{{{docroot|}}}|{{{docroot}}}|/var/www}}>
                 Options Indexes FollowSymLinks MultiViews
                 Options -Indexes +FollowSymLinks +MultiViews
                 AllowOverride None
                 AllowOverride None
                 Order allow,deny
                 Order allow,deny
Line 100: Line 114:
                 AllowOverride Indexes FileInfo
                 AllowOverride Indexes FileInfo
         </Directory>
         </Directory>
  </VirtualHost>
  </VirtualHost>


If you want to secure your Apache setup via HTTPS (which is highly recommended) or if you have proxies in front of your Apache please follow the instructions at:
If you want to secure your Apache setup via HTTPS (which is highly recommended) or if you have proxies in front of your Apache please follow the instructions at:


  * [[AppSuite:Grizzly#X-FORWARDED-PROTO_Header|X-FORWARDED-PROTO Header]]
* [[AppSuite:Grizzly#.2Fopt.2Fopen-xchange.2Fetc.2Fserver.conf|Grizzly configuration]] in general, and specifically:
  * [[AppSuite:Grizzly#.2Fopt.2Fopen-xchange.2Fetc.2Fserver.conf|Grizzly configuration]]
* [[AppSuite:Grizzly#X-FORWARDED-PROTO_Header|X-FORWARDED-PROTO Header]]
* [[AppSuite:Grizzly#X-FORWARDED-FOR_Header|X-FORWARDED-FOR Header]]
 


to properly instruct the backend about the security status of the connection and the remote IP used to contact the backend.<noinclude>
to properly instruct the backend about the security status of the connection and the remote IP used to contact the backend.<noinclude>
{{Template:ApacheAppSuiteConf/doc}}
{{Template:ApacheAppSuiteConf/doc}}
</noinclude>
</noinclude>
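Review bot: The `<Location /webservices>`, `<Location /servlet/axis2/services>` and `<Location /balancer-manager>` blocks inside the `<IfModule mod_proxy_...>` container authorise by peer address alone (`Allow from 127.0.0.1`), yet the page's closing paragraph itself anticipates proxies in front of this Apache. If such a proxy or TLS terminator runs on the same host, every forwarded request presumably arrives from 127.0.0.1, so the rule would no longer restrict the SOAP provisioning API or the balancer manager. I would add `# matches the connecting peer, not the original client; a proxy on this host makes every request look local` above each `Allow from 127.0.0.1`. These are also the Apache 2.2 directives; on 2.4 they depend on mod_access_compat, and `Require ip 127.0.0.1` is the native equivalent. The commented example `# Allow from 192.168 10 172.16` would admit whole private networks, so it deserves a hint to list only the provisioning hosts.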

Latest revision as of 10:53, 25 January 2021

Configure the mod_proxy_{{#if:|{{{connector}}}|ajp}} module by creating a new Apache configuration file.

$ vim {{#if:|{{{connectorConf}}}|{{{ajpconf}}}}}


{{{loadmodule}}}

<IfModule mod_proxy_{{#if:|{{{connector}}}|ajp}}.c>
   # Reverse-proxy configuration for the Open-Xchange backend. Everything in this
   # container is skipped when the selected mod_proxy connector module is not loaded.
   # ProxyRequests Off disables forward proxying; only the ProxyPass mappings below are served.
   ProxyRequests Off
   # ProxyStatus On shows the load balancer state on the mod_status page.
   # NOTE(review): no access rule for the server-status page is visible here - confirm it is restricted elsewhere.
   ProxyStatus On
   {{#ifeq: {{{connector}}} | http |     # When enabled, this option will pass the Host: line from the incoming request to the proxied host.
   ProxyPreserveHost On | }}
   # Please note that the servlet path to the soap API has changed:
   <Location /webservices>
       # restrict access to the soap provisioning API
       # NOTE(review): Allow from matches the address of the connecting peer. If a TLS
       # terminator or another proxy on this host forwards requests to Apache, they arrive
       # from 127.0.0.1 and pass this check - confirm for your topology.
       # NOTE(review): Order/Deny/Allow is the Apache 2.2 access syntax; Apache 2.4 provides it
       # through mod_access_compat, the native form is "Require ip 127.0.0.1".
       Order Deny,Allow
       Deny from all
       Allow from 127.0.0.1
       # you might add more ip addresses / networks here
       # NOTE(review): the partial addresses in the example match by prefix and would admit
       # whole private networks; list only the hosts that really need the provisioning API.
       # Allow from 192.168 10 172.16
   </Location>
 
   # The old path is kept for compatibility reasons
   # "ProxyPass /servlet" further down forwards the whole /servlet tree, so this Location is
   # the only rule here that keeps the legacy SOAP path from being reachable remotely.
   <Location /servlet/axis2/services>
       Order Deny,Allow
       Deny from all
       Allow from 127.0.0.1
   </Location>
   
   # Enable the balancer manager mentioned in
   # https://oxpedia.org/wiki/index.php?title=AppSuite:Running_a_cluster#Updating_a_Cluster
   # The balancer manager can change the state of balancer members at runtime, so it is
   # limited to requests from the local host (same peer-address caveat as for /webservices).
   <IfModule mod_status.c>
     <Location /balancer-manager>
       SetHandler balancer-manager
       Order Deny,Allow
       Deny from all
       Allow from 127.0.0.1
     </Location>
   </IfModule>
   
   <Proxy balancer://oxcluster>
       # No address restriction on the balancer itself; the restricted paths rely on the
       # <Location> blocks above.
       Order deny,allow
       Allow from all
       # multiple server setups need to have the hostname inserted instead of localhost
       # NOTE(review): no authentication or encryption is configured for the link to port 8009
       # here - in multi-server setups confirm that this port is reachable from the Apache hosts only.
       BalancerMember {{#if:|{{{connector}}}|ajp}}://localhost:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=APP1
       # Enable and maybe add additional hosts running OX here
       # BalancerMember {{#if:|{{{connector}}}|ajp}}://oxhost2:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=APP2
      # Sticky sessions: the session is taken from the JSESSIONID cookie or the jsessionid
      # path parameter; scolonpathdelim=On also accepts ';' as delimiter for the path form.
      ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
      {{#ifeq: {{{connector}}} | http |
      SetEnv proxy-initial-not-pooled
      SetEnv proxy-sendchunked
      | }}
   </Proxy>
   
   # The standalone documentconverter(s) within your setup (if installed)
   # Make sure to restrict access to backends only
   # See: http://httpd.apache.org/docs/$YOUR_VERSION/mod/mod_authz_host.html#allow for more infos
   #<Proxy balancer://oxcluster_docs>
   #    Order Deny,Allow
   #    Deny from all
   #    Allow from backend1IP
   #    BalancerMember {{#if:|{{{connector}}}|ajp}}://converter_host:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 keepalive=On route=APP3
   #    ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
   #	   SetEnv proxy-initial-not-pooled
   #    SetEnv proxy-sendchunked
   #</Proxy>
   {{#ifeq: {{{connector}}} | http |     # Define another Proxy Container with different timeout for the sync clients. Microsoft recommends a minimum value of 15 minutes.
   # Setting the value lower than the one defined as com.openexchange.usm.eas.ping.max_heartbeat in eas.properties will lead to connection
   # timeouts for clients.  See http://support.microsoft.com/?kbid=905013 for additional information.
   #
   # NOTE for Apache versions < 2.4:
   # When using a single node system or using BalancerMembers that are assigned to other balancers please add a second hostname for that
   # BalancerMember's IP so Apache can treat it as additional BalancerMember with a different timeout.
   #
   # Example from /etc/hosts: 127.0.0.1	localhost localhost_sync
   #
   # Alternatively select one or more hosts of your cluster to be restricted to handle only eas/usm requests
   <Proxy balancer://{{{syncProxyName}}}>
      Order deny,allow
      Allow from all
      # multiple server setups need to have the hostname inserted instead localhost
      BalancerMember http://localhost_sync:8009 timeout=1900 smax=0 ttl=60 retry=60 loadfactor=50 route=APP1
      # Enable and maybe add additional hosts running OX here
      # BalancerMember http://oxhost2:8009 timeout=1900  smax=0 ttl=60 retry=60 loadfactor=50 route=APP2
      ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
      SetEnv proxy-initial-not-pooled
      SetEnv proxy-sendchunked
   </Proxy> | }}
   
   # When specifying additional mappings via the ProxyPass directive be aware that the first matching rule wins. Overlapping urls of
   # mappings have to be ordered from longest URL to shortest URL.
   # 
   # Example:
   #   ProxyPass /ajax      balancer://oxcluster_with_100s_timeout/ajax
   #   ProxyPass /ajax/test balancer://oxcluster_with_200s_timeout/ajax/test
   #
   # Requests to /ajax/test would have a timeout of 100s instead of 200s 
   #   
   # See:
   # - http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass Ordering ProxyPass Directives
   # - http://httpd.apache.org/docs/current/mod/mod_proxy.html#workers Worker Sharing
   ProxyPass /ajax balancer://oxcluster/ajax
   ProxyPass /appsuite/api balancer://oxcluster/ajax
   ProxyPass /drive balancer://oxcluster/drive
   ProxyPass /infostore balancer://oxcluster/infostore
   {{#ifeq: {{{connector}}} | http | ProxyPass /realtime balancer://oxcluster/realtime | }}
   # /servlet and /webservices carry the SOAP provisioning paths; the only access limit on
   # them is the pair of <Location> blocks at the top of this container.
   ProxyPass /servlet balancer://oxcluster/servlet
   ProxyPass /webservices balancer://oxcluster/webservices

   #ProxyPass /documentconverterws balancer://oxcluster_docs/documentconverterws
 
   ProxyPass /usm-json balancer://{{#if:|{{{syncProxyName}}}|oxcluster}}/usm-json
   ProxyPass /Microsoft-Server-ActiveSync balancer://{{#if:|{{{syncProxyName}}}|oxcluster}}/Microsoft-Server-ActiveSync

</IfModule>


Modify the default website settings to display the Open-Xchange GUI

$ vim {{{apacheconf}}}
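<VirtualHost *:80>
       # Default vhost that serves the Open-Xchange App Suite UI from the docroot.
       # NOTE(review): this vhost listens on port 80 without TLS; the text following this
       # listing recommends HTTPS, which has to be configured separately.
       ServerAdmin webmaster@localhost

       DocumentRoot {{#if:|{{{docroot}}}|/var/www}}
       <Directory {{#if:|{{{docroot}}}|/var/www}}>
               # -Indexes: no auto-generated directory listings below the docroot
               Options -Indexes +FollowSymLinks +MultiViews
               # .htaccess files are ignored at this level
               AllowOverride None
               # Apache 2.2 access syntax (mod_access_compat on 2.4): the static UI is open to all clients
               Order allow,deny
               allow from all
               # send requests for the site root to the App Suite UI
               RedirectMatch ^/$ /appsuite/
       </Directory>

       <Directory {{#if:|{{{docroot}}}/appsuite|/var/www/appsuite}}>
               # Absolute option list: everything is switched off except SymLinksIfOwnerMatch.
               # The earlier form "None +SymLinksIfOwnerMatch" mixed signed and unsigned keywords,
               # which the Apache 2.4 syntax check rejects at startup.
               Options SymLinksIfOwnerMatch
               # .htaccess files below the UI directory may use Indexes and FileInfo directives.
               # NOTE(review): keep this directory writable by the package owner only, since
               # FileInfo overrides change how files are served.
               AllowOverride Indexes FileInfo
       </Directory>
</VirtualHost>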

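If you want to secure your Apache setup via HTTPS (which is highly recommended), or if you have proxies in front of your Apache, please follow the instructions at:

* Grizzly configuration (AppSuite:Grizzly, /opt/open-xchange/etc/server.conf) in general, and specifically:
* X-FORWARDED-PROTO Header
* X-FORWARDED-FOR Header

to properly instruct the backend about the security status of the connection and the remote IP used to contact the backend.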

Usage

Parameters used by this template

connector
ajp or http, fallback to ajp if empty
connectorConf
path to the configuration file of the chosen connector, fallback to ajpConf (deprecated)
loadmodule
Loadmodule directive needed for apache on RedHat based distros e.g.: LoadModule proxy_http_module modules/mod_proxy_http.so
apacheconf
path to the config file of the default apache vhost(http)
docroot
path to the apache docroot, fallback to /var/www
easProxyName
the proxyName to use for the eas specific proxy container, only when using http for the connector parameter

See also

Template:ApacheAppSuiteConf/testcases