Simple SSL proxy for Alfresco share

Introduction

After installing Alfresco, you will typically be accessing it using a URL like http://mydomain.com:8080/share.  The problem with that, particularly if your server is internet-facing, is that each time you log in, your username and password are sent as plain text across the network. This is a security risk. If you log in via an SSL proxy server, though, your credentials and data are encrypted.  This article outlines a simple method that has worked for me on both Alfresco 4.2 and Alfresco 5.0.d – both running on Ubuntu 14.04.  Many thanks to Bob Johnson for his reply to an Alfresco forums article in 2013 – this post reflects my adaptation of Bob’s instructions.

Install Apache with SSL

  • Install Apache on the server that is running Alfresco.
    sudo apt-get install apache2
  • Enable the SSL module and the default SSL site.
    sudo a2enmod ssl
    sudo a2ensite default-ssl
  • This creates sites-enabled/default-ssl.conf, which is a link to sites-available/default-ssl.conf.
  • Rename sites-enabled/000-default.conf – this is now superseded.
    cd /etc/apache2/sites-enabled
    sudo mv 000-default.conf 000-default.old
  • Edit /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:80>
  ServerName www.yourdomain.com
  # change http to https; keep the trailing slash so that /share becomes https://www.yourdomain.com/share
  Redirect permanent / https://www.yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
  SSLEngine On
  SSLCertificateFile /etc/apache2/server.cert
  # if the private key is not bundled inside server.cert, add it here as well:
  # SSLCertificateKeyFile /etc/apache2/server.key
  SSLCACertificateFile /etc/apache2/intermediate.cert
  ServerName www.yourdomain.com
  DocumentRoot /var/www/html
</VirtualHost>

</IfModule>

Set up Apache as a proxy

  • We will be using the mod_jk module in Apache to talk to Alfresco (i.e. Tomcat) using the AJP protocol.  First ensure that Tomcat is set up to use the AJP protocol by checking server.xml – e.g. /opt/alfresco-5.0.d/tomcat/conf/server.xml
  • Ensure that the ‘AJP/1.3’ connector line below is not commented out.
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" URIEncoding="UTF-8" protocol="AJP/1.3" redirectPort="8443" />
  • If you needed to modify server.xml above, restart Apache.
    sudo service apache2 restart
  • Install mod_jk for apache2.
    sudo apt-get install libapache2-mod-jk
  • Modify /etc/apache2/sites-available/default-ssl.conf further.
    Notice the new ‘Location’ section and the ‘JkMount’ line.
<IfModule mod_ssl.c>

<VirtualHost *:80>
  ServerName www.yourdomain.com
  Redirect permanent / https://www.yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
  SSLEngine On
  SSLCertificateFile /etc/apache2/server.cert
  SSLCACertificateFile /etc/apache2/intermediate.cert

  ServerName www.yourdomain.com
  DocumentRoot /var/www/html

  <Location />
    # SSLRequireSSL takes no argument; "SSLRequireSSL On" is rejected as a configuration error
    SSLRequireSSL
    SSLVerifyClient optional
    # renegotiation buffer for the per-location client certificate check (about 100 MB per request)
    SSLRenegBufferSize 104860000
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars +StrictRequire
  </Location>

  # Send everything under / to the mod_jk worker named ajp13_worker
  # (the default worker shipped by the libapache2-mod-jk package, AJP port 8009)
  JkMount /* ajp13_worker
</VirtualHost>

</IfModule>

Test by browsing to http://www.yourdomain.com/share. You should be redirected to https://www.yourdomain.com/share and this should present the Alfresco share login screen.
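A way to verify the result from a client machine, as an added example (not from the original post): it checks that port 80 redirects to the same path over HTTPS, that the served certificate chain verifies, and whether Tomcat's own ports 8080 and 8009 still answer from outside, which would leave the plain-text login path open. HOST is a placeholder for your ServerName, and the script assumes those Tomcat ports are meant to be internal.

```python
"""Post-setup check for the Apache-in-front-of-Alfresco layout above (added
example, not part of the original post): port 80 must redirect to the same
path on https://HOST, 443 must present a certificate that verifies for HOST,
and Tomcat's 8080/8009 should not answer from outside. HOST is a placeholder."""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

HOST = "www.yourdomain.com"  # placeholder: your Apache ServerName


def redirect_ok(status, location, host, path):
    """True for a permanent redirect to the same path on https://host. A target
    without its trailing slash yields https://hostshare (netloc mismatch) -> False."""
    if status not in (301, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.netloc == host and target.path == path

def probe_redirect(host, path="/share"):
    """GET http://host/path without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def port_reachable(host, port):
    """TCP connect test; Tomcat's 8080 (HTTP) and 8009 (AJP) should fail from outside."""
    try:
        with socket.create_connection((host, port), timeout=3):
            return True
    except OSError:
        return False

def tls_dns_names(host):
    """Full TLS handshake with chain and hostname verification; returns the DNS names
    in the server certificate. A broken chain raises ssl.SSLError rather than passing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            san = tls.getpeercert().get("subjectAltName", ())
            return [value for kind, value in san if kind == "DNS"]

if __name__ == "__main__":  # live probes; not run when imported
    status, loc = probe_redirect(HOST)
    print("80 -> https:", "OK" if redirect_ok(status, loc, HOST, "/share") else f"FAIL {status} {loc}")
    print("443 cert names:", tls_dns_names(HOST))
    for port in (8080, 8009):
        print(f"{port} reachable:", port_reachable(HOST, port))
```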

Alfresco login screen

Your credentials, and subsequent data transfers between your browser and Alfresco share, will now be encrypted.

Further Reading

Configuring SSL for a production environment in the official Alfresco documentation.

Apache JServ Protocol (AJP) http://www.ehow.com/facts_7181755_ajp-protocol_.html

Order of the Bee – an independent organisation of the Alfresco community. The website includes good technical and non-technical posts and other information, focussed on Alfresco Community Edition (CE).
