Apache HTTP Server Installation and Configuration

The Apache HTTP server and the mod_ssl Apache module should have already been installed as dependencies for the td-webportal RPM package. You can verify this with the following command:

[root@webportal ~]# yum install httpd mod_ssl
Setting up Install Process
Package httpd-2.2.15-30.0.1.el6_5.x86_64 already installed and latest version
Package 1:mod_ssl-2.2.15-30.0.1.el6_5.x86_64 already installed and latest version
Nothing to do

Update httpd.conf

Open the web server configuration file /etc/httpd/conf/httpd.conf in a text editor to change the following parameters:

KeepAlive On
KeepAliveTimeout 2
ServerName <Your ServerName>

For security reasons, we also advise disabling the so-called “Server Signature”, a feature that adds a line containing the server version and virtual host name to server-generated pages (e.g. internal error documents, FTP directory listings, etc.):

ServerSignature Off

By default, the server version and operating system are also displayed in the Server response header field, e.g. Server: Apache/2.2.15 (CentOS). To suppress this output, we suggest updating the ServerTokens option as follows:

ServerTokens Prod

Disable Unneeded Apache Modules

The TeamDrive Web Portal only requires a few Apache modules to be enabled. To reduce the memory footprint, please deactivate unnecessary modules in the Apache configuration. Only the following modules should be left enabled in /etc/httpd/conf/httpd.conf:

LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

You also need to comment out the following directives in /etc/httpd/conf/httpd.conf, to avoid syntax errors caused by the disabled modules:

# LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
# ForceLanguagePriority Prefer Fallback
# BrowserMatch "Mozilla/2" nokeepalive
# BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
# BrowserMatch "RealPlayer 4\.0" force-response-1.0
# BrowserMatch "Java/1\.0" force-response-1.0
# BrowserMatch "JDK/1\.0" force-response-1.0
# BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
# BrowserMatch "MS FrontPage" redirect-carefully
# BrowserMatch "^WebDrive" redirect-carefully
# BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
# BrowserMatch "^gnome-vfs/1.0" redirect-carefully
# BrowserMatch "^XML Spy" redirect-carefully
# BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
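
The following Python script is an added example, not part of the original documentation. It audits the text of an httpd.conf against the ServerSignature, ServerTokens, module and commented-out directive settings given above; the function name and the sample configuration are constructed for illustration.

```python
# Modules the page says to leave enabled in /etc/httpd/conf/httpd.conf.
ALLOWED_MODULES = {
    "authz_host_module", "log_config_module", "headers_module",
    "setenvif_module", "mime_module", "autoindex_module", "dir_module",
    "actions_module", "alias_module", "rewrite_module", "proxy_module",
    "proxy_http_module",
}
# Accepted values for the two information-disclosure directives.
EXPECTED = {"serversignature": {"off"}, "servertokens": {"prod", "productonly"}}
# Directives the page says to comment out once their modules are disabled.
MUST_BE_COMMENTED = {"languagepriority", "forcelanguagepriority", "browsermatch"}

def audit_httpd_conf(text):
    """Return a list of findings for httpd.conf contents passed as a string."""
    findings, loaded, seen = [], set(), {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name = parts[0].lower()  # directive names are case-insensitive
        if name == "loadmodule" and len(parts) >= 3:
            loaded.add(parts[1])
            if parts[1] not in ALLOWED_MODULES:
                findings.append(f"line {lineno}: unexpected module {parts[1]}")
        elif name in MUST_BE_COMMENTED:
            findings.append(f"line {lineno}: {parts[0]} should be commented out")
        elif name in EXPECTED and len(parts) >= 2:
            seen[name] = (lineno, parts[1].lower())  # last occurrence wins
    for mod in sorted(ALLOWED_MODULES - loaded):
        findings.append(f"required module not loaded: {mod}")
    for name, ok in sorted(EXPECTED.items()):
        if name not in seen:
            findings.append(f"{name} is not set")
        elif seen[name][1] not in ok:
            findings.append(f"line {seen[name][0]}: {name} is {seen[name][1]}")
    return findings

# Constructed sample, not a real server's configuration.
SAMPLE = """\
ServerTokens OS
ServerSignature Off
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule status_module modules/mod_status.so
# LoadModule info_module modules/mod_info.so
BrowserMatch "Mozilla/2" nokeepalive
"""

if __name__ == "__main__":
    print("\n".join(audit_httpd_conf(SAMPLE)))
```
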

Configure mod_ssl

The web-based TeamDrive Web Portal Administration Console should be accessed via an encrypted SSL connection. To facilitate this, add the following to the end of the default <VirtualHost> section in /etc/httpd/conf.d/ssl.conf:

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

RewriteEngine on
RewriteLogLevel 0
RewriteLog "/var/log/httpd/rewrite.log"

RewriteRule ^/admin(.*)$ /yvva/admin$1 [PT]
RewriteRule ^/images/(.*)$ /yvva/images/$1 [PT]
RewriteRule ^/js/(.*)$ /yvva/js/$1 [PT]
RewriteRule ^/css/(.*)$ /yvva/css/$1 [PT]
RewriteRule ^/login /yvva/login [PT]
RewriteRule ^/getLoginInformation /yvva/getLoginInformation [PT]
RewriteRule ^/performExternalAuthentication /yvva/performExternalAuthentication [PT]
RewriteRule ^/requestResetPassword /yvva/requestResetPassword [PT]
RewriteRule ^/tempPasswordLogin /yvva/tempPasswordLogin [PT]

#
# Replace "127.0.0.1" below with the IP address of the Docker container host
#
RewriteRule "^/agent-([0-9]*)/(.*)" "http://127.0.0.1:$1/$2" [P]
ProxyPassReverse "/" "http://127.0.0.1/"

# httpd configuration for the client webinterface
Include conf.d/webportal-clientui.httpd.conf

<Location ~ "^/agent-([0-9]*)/(.*)">
ErrorDocument 503 /handle-503-error
</Location>

RewriteCond %{HTTP_ACCEPT} application/json [NC]
RewriteRule ^/handle-503-error /agent-503.json [PT]

RewriteCond %{HTTP_ACCEPT} !(application/json) [NC]
RewriteRule ^/handle-503-error /agent-503.html [PT]

</VirtualHost>

Note

The Apache HTTP Server package includes a self-signed SSL certificate for testing purposes. If you connect to the server using a web browser, it will likely raise an error about an untrusted/insecure connection. You should consider replacing this certificate with an appropriate one.

Follow the instructions provided by your certificate authority on how to obtain and install an SSL certificate for the Apache HTTP Server.

Verify your SSL configuration using the SSL Labs service at https://www.ssllabs.com/ssltest/analyze.html and make sure that the “Handshake Simulation” succeeds for current platforms and browsers. The following SSL parameters for the Apache web server will create an A-rating and make sure that the handshake works for current platforms and browsers:

SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
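
To see which protocols and ciphers clients actually negotiate under these settings, the ssl_request_log written by the CustomLog directive above can be reviewed. The following Python script is an added example, not part of the original documentation; the function name and the sample log lines are constructed. It flags RC4 ciphers, which the SSLCipherSuite string above still permits, and any SSLv2/SSLv3 entries.

```python
import re
from collections import Counter

# Matches the CustomLog format above: %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>.*)" (?P<bytes>\S+)$'
)
DISABLED_PROTOCOLS = {"SSLv2", "SSLv3"}  # removed by the SSLProtocol line above

def review_ssl_log(lines):
    """Count negotiated protocol/cipher pairs and collect lines worth a look."""
    pairs, flagged, unparsed = Counter(), [], 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            unparsed += 1  # does not follow the expected format
            continue
        proto, cipher = m["proto"], m["cipher"]
        pairs[(proto, cipher)] += 1
        if proto in DISABLED_PROTOCOLS:
            flagged.append((m["host"], f"{proto} negotiated; SSLProtocol not in effect"))
        elif "RC4" in cipher:
            flagged.append((m["host"], f"legacy cipher {cipher}"))
    return pairs, flagged, unparsed

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '[12/Mar/2015:10:15:32 +0100] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /admin HTTP/1.1" 1532',
    '[12/Mar/2015:10:15:40 +0100] 198.51.100.7 TLSv1 RC4-SHA "GET /login HTTP/1.1" 842',
    '[12/Mar/2015:10:16:02 +0100] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /css/site.css HTTP/1.1" -',
    '[12/Mar/2015:10:16:30 +0100] 203.0.113.5 SSLv3 AES256-SHA "GET / HTTP/1.1" 120',
    'not an ssl_request_log line',
]

if __name__ == "__main__":
    pairs, flagged, unparsed = review_ssl_log(SAMPLE_LOG)
    for (proto, cipher), count in pairs.most_common():
        print(count, proto, cipher)
    for host, reason in flagged:
        print("FLAG", host, reason)
```
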

As the comment in the configuration above indicates, the IP address “127.0.0.1” must be replaced with the IP address or host name of the Docker host. This is the same value as the domain name in the DockerHost setting.

If the Docker host machine is the same as the Web Portal, then the rewrite rules containing “127.0.0.1” need not be changed.