Enonic XP with HTTPS


#1

Not sure if this is something you could answer - but I’ll give it a shot.

How do I enable HTTPS for my Enonic XP installation? I see the web server is based on Jetty, so should be possible without too much hassle?


#2

Hi!
In our hosting environment, we always use Apache or equivalent as a reverse proxy in front, and we then terminate SSL there.

Here's an Apache vhost example with SSL and a rewrite rule to force it too. You also have to make sure that the modules proxy_wstunnel, proxy_http and rewrite are loaded.

<VirtualHost *:80>

	ServerName enonic.com
	ServerAlias www.enonic.com
	CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.log combined
	DocumentRoot /var/www/html/enonic.com

	RewriteEngine on
	RewriteRule ^/(.*) https://enonic.com/$1 [L,R=301,NE]

</VirtualHost>

<VirtualHost *:443>

	ServerName enonic.com
	ServerAlias www.enonic.com
	DocumentRoot /var/www/html/enonic.com
	CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.ssl.log combined

	SSLEngine on
	SSLProtocol all -SSLv2 -SSLv3
	SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
	SSLCertificateFile /etc/apache2/ssl/enonic.com.crt
	SSLCertificateKeyFile /etc/apache2/ssl/enonic.com.key
	SSLCACertificateFile /etc/apache2/ssl/enonic.com.intermediate.crt
	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

	ProxyRequests Off
	ProxyPreserveHost On

	ProxyPass /admin/event ws://80.65.59.104:8080/admin/event
	ProxyPassReverse /admin/event ws://80.65.59.104:8080/admin/event


	ProxyPass / http://80.65.59.104:8080/ timeout=5
	ProxyPassReverse / http://80.65.59.104:8080/ timeout=5

	RewriteEngine on
	RewriteCond %{HTTP_HOST} !^enonic\.com$
	RewriteCond %{HTTP_HOST} !^$
	RewriteRule ^/(.*) https://enonic.com/$1 [L,R,NE]

</VirtualHost>

#3

Hi there, I have a problem… I have started my Enonic instance on port 8080 and made the following configuration, but I am still getting an HTTP ERROR 404.

This is my configuration:


<VirtualHost *:443>

    ServerName myDomain.com
    DocumentRoot /var/www/html/
    CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.ssl.log combined

    SSLEngine on

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /etc/apache2/SSL/SSL/company.com.crt
    SSLCertificateKeyFile /etc/apache2/SSL/SSL/company.com.key
    SSLCertificateChainFile /etc/apache2/SSL/SSL/company.pem

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass /admin/event ws://mypublicIP:8080/admin/event
    ProxyPassReverse /admin/event ws://mypublicIP:8080/admin/event

    ProxyPass / http://mypublicIP:8080/ timeout=5
    ProxyPassReverse / http://mypublicIP:8080/ timeout=5

    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^myDomain\.com$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/(.*) https://myDomain.com/$1 [L,R,NE]

</VirtualHost>

Can you help me?

Regards,


#4

What happens if you go to the server without HTTPS?

I would like to know a bit about your server setup.
Is it a container setup?
Is it two servers, or one server for each function (Apache and Enonic), or something else?

I'll add a sample config of how I would set up the XP vhost and the Apache vhost, with mydomain.com as the domain. Note that this would be run in a container setup, so exp is a hostname in this config that my container system knows the IP address for.

  ProxyPass / http://exp:8080/ timeout=5
  ProxyPassReverse / http://exp:8080/ timeout=5

One thing that is easy to do wrong is to forget mapping the vhost settings correctly, like replacing /portal/master/mysite with /mysite.
That said, I can't find anything particularly wrong with your setup, and I think if Apache had no connection with XP it should return 503 instead of 404.

com.enonic.xp.web.vhost.cfg

enabled = true

mapping.site.host = mydomain.com
mapping.site.source = /
mapping.site.target = /portal/master/mysite

mapping.admin.host = mydomain.com
mapping.admin.source = /admin
mapping.admin.target = /admin
mapping.admin.userStore = system

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api

/etc/apache/sites-enabled/mydomain.com.conf

<VirtualHost *:80>
  ServerName mydomain.com

  RewriteEngine on
  RewriteRule ^/(.*) https://mydomain.com/$1 [L,R=301,NE]
</VirtualHost>

<VirtualHost *:443>
  ServerName mydomain.com

  RequestHeader set X-Forwarded-Proto "https"

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/certs/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem

  Header always set Strict-Transport-Security "max-age=15768000"

  ProxyRequests Off
  ProxyPreserveHost On

  ProxyPass / http://exp:8080/ timeout=5
  ProxyPassReverse / http://exp:8080/ timeout=5

  RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]

  RewriteCond %{HTTP_HOST} !^mydomain\.com$
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/(.*) https://mydomain.com/$1 [L,R]
</VirtualHost>

SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
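A small configuration check in the spirit of the replies above, added here as an example and not part of the original thread or of Enonic's own tooling: it parses a constructed vhost modelled on the weaker config posted earlier and flags the points this thread raises (SSLv3 left enabled, RC4/LOW ciphers, no X-Forwarded-Proto, no HSTS, no websocket proxy for /admin/event). The directive names are real Apache directives; the finding codes and the WEAK_VHOST sample are assumptions of this example.

```python
# Constructed sample, modelled on the weaker vhost posted earlier in this thread (not a real host).
WEAK_VHOST = """
<VirtualHost *:443>
    ServerName mydomain.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://exp:8080/ timeout=5
    ProxyPassReverse / http://exp:8080/ timeout=5
</VirtualHost>
"""

# Cipher-list tokens that should never appear un-negated in a modern SSLCipherSuite.
WEAK_CIPHER_TOKENS = ("RC4", "LOW", "EXPORT", "ADH", "DES-CBC3", "NULL", "MD5")

def parse_directives(text):
    """Yield (name, value) for each directive line; comments and <...> tags are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.replace("\t", " ").partition(" ")
            yield name, value.strip()

def lint_vhost(text):
    """Return the set of findings for a TLS-terminating reverse-proxy vhost in front of XP."""
    directives = list(parse_directives(text))
    findings = set()
    # Apache's default SSLProtocol is 'all', which leaves SSLv3 enabled on older builds.
    protocol = next((v for n, v in directives if n == "SSLProtocol"), "all")
    if protocol.lower().startswith("all") and "-SSLv3" not in protocol:
        findings.add("sslv3-allowed")
    for name, value in directives:
        if name != "SSLCipherSuite":
            continue
        # Literal tokens only: '+' re-orders but keeps a cipher, '!' removes it. Expand the
        # whole string with `openssl ciphers -v` to see everything 'ALL' really enables.
        for token in value.split(":"):
            token = token.lstrip("+")
            if not token.startswith("!"):
                findings.update("weak-cipher:" + w for w in WEAK_CIPHER_TOKENS if w in token)
    if not any(n == "RequestHeader" and "X-Forwarded-Proto" in v for n, v in directives):
        findings.add("no-x-forwarded-proto")   # XP cannot tell the client used https
    if not any(n == "Header" and "Strict-Transport-Security" in v for n, v in directives):
        findings.add("no-hsts")
    if not any(n == "ProxyPreserveHost" and v.lower() == "on" for n, v in directives):
        findings.add("no-proxy-preserve-host")  # XP vhost mapping keys on the Host header
    if not any(n in ("ProxyPass", "RewriteRule") and "ws://" in v for n, v in directives):
        findings.add("no-websocket-proxy")      # /admin/event is a websocket endpoint
    return findings
```

Run it on the text of a real vhost file to get the list of findings; an empty set means none of the thread's pitfalls were detected, not that the config is fully audited.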