Enonic XP with HTTPS

Not sure if this is something you could answer - but I’ll give it a shot.

How do I enable HTTPS for my Enonic XP installation? I see the web server is based on Jetty, so should be possible without too much hassle?

Hi!
In our hosting environment, we always use apache or equivalent as a reverse proxy in front and we then terminate SSL there.

Here's an apache vhost example with SSL and a rewrite rule to force it too. You also have to make sure that the modules proxy_wstunnel, proxy_http and rewrite are loaded.

<VirtualHost *:80>

	ServerName enonic.com
	ServerAlias www.enonic.com
	CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.log combined
	DocumentRoot /var/www/html/enonic.com

	RewriteEngine on
	RewriteRule ^/(.*) https://enonic.com/$1 [L,R=301,NE]

</VirtualHost>

<VirtualHost *:443>

	ServerName enonic.com
	ServerAlias www.enonic.com
	DocumentRoot /var/www/html/enonic.com
	CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.ssl.log combined

	SSLEngine on
	SSLProtocol all -SSLv2 -SSLv3
	SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
	SSLCertificateFile /etc/apache2/ssl/enonic.com.crt
	SSLCertificateKeyFile /etc/apache2/ssl/enonic.com.key
	SSLCACertificateFile /etc/apache2/ssl/enonic.com.intermediate.crt
	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

	ProxyRequests Off
	ProxyPreserveHost On

	ProxyPass /admin/event ws://80.65.59.104:8080/admin/event
	ProxyPassReverse /admin/event ws://80.65.59.104:8080/admin/event


	ProxyPass / http://80.65.59.104:8080/ timeout=5
	ProxyPassReverse / http://80.65.59.104:8080/ timeout=5

	RewriteEngine on
	RewriteCond %{HTTP_HOST} !^enonic\.com$
	RewriteCond %{HTTP_HOST} !^$
	RewriteRule ^/(.*) https://enonic.com/$1 [L,R,NE]

</VirtualHost>

Hi there, I have a problem… I have started my Enonic instance on port 8080 and made the following configuration, but I am still getting an HTTP ERROR 404.

This is my configuration:


<VirtualHost *:443>

    ServerName myDomain.com
    DocumentRoot /var/www/html/
    CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.ssl.log combined

    SSLEngine on

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /etc/apache2/SSL/SSL/company.com.crt
    SSLCertificateKeyFile /etc/apache2/SSL/SSL/company.com.key
    SSLCertificateChainFile /etc/apache2/SSL/SSL/company.pem


    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass /admin/event ws://mypublicIP:8080/admin/event
    ProxyPassReverse /admin/event ws://mypublicIP:8080/admin/event


    ProxyPass / http://mypublicIP:8080/ timeout=5
    ProxyPassReverse / http://myPublicIP:8080/ timeout=5

    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^myDomain\.com$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/(.*) https://myDomain.com/$1 [L,R,NE]

</VirtualHost>

Can you help me?

Regards,

What happens if you go to the server without https?

I would like to know a bit about your server set up.
Is it a container set?
Is it two servers, or one server for each function (apache and enonic), or something else?

I’ll add a sample config of how I would set up the XP vhost and the apache vhost, with mydomain.com as domain. Note that this would be run in a container setup, so exp is a hostname in this config that my container system knows the IP address for.

  ProxyPass / http://exp:8080/ timeout=5
  ProxyPassReverse / http://exp:8080/ timeout=5

One thing that is easy to do wrong is to forget mapping the vhost settings correctly, like replacing /portal/master/mysite with /mysite.
That said, I can’t find anything particularly wrong with your setup, and I think if apache had no connection with XP it should return 503 instead of 404.

com.enonic.xp.web.vhost.cfg

enabled = true

mapping.site.host = mydomain.com
mapping.site.source = /
mapping.site.target = /portal/master/mysite

mapping.admin.host = mydomain.com
mapping.admin.source = /admin
mapping.admin.target = /admin
mapping.admin.userStore = system

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api

/etc/apache/sites-enabled/mydomain.com.conf

<VirtualHost *:80>
  ServerName mydomain.com

  RewriteEngine on
  RewriteRule ^/(.*) https://mydomain.com/$1 [L,R=301,NE]
</VirtualHost>

<VirtualHost *:443>
  ServerName mydomain.com

  RequestHeader set X-Forwarded-Proto "https"

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/certs/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem

  Header always set Strict-Transport-Security "max-age=15768000"

  ProxyRequests Off
  ProxyPreserveHost On

  ProxyPass / http://exp:8080/ timeout=5
  ProxyPassReverse / http://exp:8080/ timeout=5

  RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]

  RewriteCond %{HTTP_HOST} !^mydomain\.com$
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/(.*) https://mydomain.com/$1 [L,R]
</VirtualHost>

SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
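The vhost file above decides which internal XP path a public request lands on, and the reply notes how easy it is to get the `/portal/master/mysite` target wrong. The following script is an added example, not Enonic's code: it parses a `com.enonic.xp.web.vhost.cfg` (the sample from the reply, embedded as a constructed string) and resolves a `(Host, path)` pair the way the reply describes. The matching rule it models (exact host match, the longest matching `source` prefix wins, port in the Host header ignored) is an assumption about XP's behaviour, not taken from the page. One thing it makes visible: the `api` mapping is selected purely by the Host header, so it is a routing rule, not an access control; that is why the apache configs in this thread redirect any Host other than the site's own domain before proxying.

```python
"""Model of how an XP vhost config maps (Host, path) to an internal path.

Added example, not Enonic's code. Assumption: exact host match and
longest-source-prefix wins; the real engine may differ in details.
"""

# Constructed copy of the sample com.enonic.xp.web.vhost.cfg from the reply above.
VHOST_CFG = """\
enabled = true

mapping.site.host = mydomain.com
mapping.site.source = /
mapping.site.target = /portal/master/mysite

mapping.admin.host = mydomain.com
mapping.admin.source = /admin
mapping.admin.target = /admin
mapping.admin.userStore = system

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api
"""


def parse_vhost_cfg(text):
    """Return (enabled, {name: {host, source, target, ...}}) from a Java-properties style file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    mappings = {}
    for key, value in props.items():
        if key.startswith("mapping."):
            _, name, field = key.split(".", 2)   # mapping.<name>.<field>
            mappings.setdefault(name, {})[field] = value
    return props.get("enabled", "false").lower() == "true", mappings


def _matches(path, source):
    """True when `path` equals `source` or lies below it as a path segment."""
    return path == source or path.startswith(source.rstrip("/") + "/")


def resolve(host, path, enabled, mappings):
    """Return (mapping name, internal path); (None, path) when nothing applies."""
    if not enabled:
        return None, path
    host = host.split(":")[0].lower()   # assumption: the port is not part of the match
    best = None
    for name, m in mappings.items():
        if m.get("host", "").lower() != host:
            continue                        # host-gated: a different Host never sees it
        source = m.get("source", "/")
        if _matches(path, source) and (best is None or len(source) > len(mappings[best]["source"])):
            best = name                     # longest source prefix wins
    if best is None:
        return None, path
    source, target = mappings[best]["source"], mappings[best]["target"]
    rest = path[len(source.rstrip("/")):]   # the part of the path below the source prefix
    return best, target.rstrip("/") + rest


if __name__ == "__main__":
    enabled, mappings = parse_vhost_cfg(VHOST_CFG)
    for host, path in [("mydomain.com", "/about"), ("mydomain.com", "/admin/tool"),
                       ("mydomain.com", "/api/x"), ("localhost", "/api/x")]:
        print(host, path, "->", resolve(host, path, enabled, mappings))
```

Running it shows that `/api/x` sent with `Host: mydomain.com` does not reach the `api` mapping at all; it falls through to the site mapping and becomes `/portal/master/mysite/api/x`. With `ProxyPreserveHost On` the Host header the client sent is what XP sees, so the public hostname in the mapping must match the one in `ServerName` exactly.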

Still unable to set up Enonic XP with HTTPS

cat /home/xp/enonic/xp/config/com.enonic.xp.web.vhost.cfg

enabled = true

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api

mapping.a.host = ofornecedor.com.br
mapping.a.source = /admin
mapping.a.target = /admin
mapping.a.userStore = system

mapping.b.host = ofornecedor.com.br
mapping.b.source = /
mapping.b.target = /portal/master/ofornecedor

000-default.conf

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

<VirtualHost *:80>
  ServerName ofornecedor.com.br

  RewriteEngine on
  RewriteRule ^/(.*) https://ofornecedor.com.br/$1 [L,R=301,NE]
</VirtualHost>

<VirtualHost *:443>
  ServerName ofornecedor.com.br

  RequestHeader set X-Forwarded-Proto "https"

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/ofornecedor.com.br/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/ofornecedor.com.br/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/ofornecedor.com.br/chain.pem

  Header always set Strict-Transport-Security "max-age=15768000"

  ProxyRequests Off
  ProxyPreserveHost On

  ProxyPass / http://publicIp:8080/ timeout=5
  ProxyPass
Reverse / http://publicIp:8080/ timeout=5

  RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://publicIp:8080/admin/$1 [P,L]

  RewriteCond %{HTTP_HOST} !^ofornecedor\.com\.br$
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/(.*) https://ofornecedor.com.br/$1 [L,R]
</VirtualHost>

SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

sudo service xp restart
sudo service apache2 restart

sudo service xp status

● xp.service - SYSV: Enonic XP server daemon
Loaded: loaded (/etc/init.d/xp; bad; vendor preset: enabled)
Active: active (exited) since Sat 2019-05-11 12:51:13 UTC; 1min 24s ago
Docs: man:systemd-sysv-generator(8)
Process: 2378 ExecStop=/etc/init.d/xp stop (code=exited, status=0/SUCCESS)
Process: 2392 ExecStart=/etc/init.d/xp start (code=exited, status=0/SUCCESS)
Tasks: 0
Memory: 0B
CPU: 0

May 11 12:51:13 ip-172-31-13-126 systemd[1]: Starting SYSV: Enonic XP server daemon…
May 11 12:51:13 ip-172-31-13-126 xp[2392]: Starting Enonic XP: xp…
May 11 12:51:13 ip-172-31-13-126 su[2397]: Successful su for xp by root
May 11 12:51:13 ip-172-31-13-126 su[2397]: + ??? root:xp
May 11 12:51:13 ip-172-31-13-126 su[2397]: pam_unix(su:session): session opened for user xp by (uid=0)
May 11 12:51:13 ip-172-31-13-126 xp[2392]: Enonic XP: xp started
May 11 12:51:13 ip-172-31-13-126 xp[2392]: ( with pid 2418 and exit code 0 )
May 11 12:51:13 ip-172-31-13-126 systemd[1]: Started SYSV: Enonic XP server daemon.

I am getting the default apache page instead of the app. :sweat:

What am I missing here?

Hi!

Is this still a problem? Your site looks good except it's not rewriting automatically.

It may be a copy error but ProxyPassReverse should all be on one line.
OK:

  ProxyPassReverse / http://publicIp:8080/ timeout=5

NOT OK:

    ProxyPass
Reverse / http://publicIp:8080/ timeout=5

Also, if XP is running on the same server as apache it makes sense to do it like this (use localhost):

  ProxyPass / http://localhost:8080/ timeout=5
  ProxyPassReverse / http://localhost:8080/ timeout=5
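The mistakes raised across this thread (a `ProxyPassReverse` broken across two lines, an `SSLCipherSuite` that still admits RC4/LOW, no `SSLProtocol`, no `X-Forwarded-Proto`, no HSTS, and a backend addressed by its public IP when it sits on the same host) are all visible in the config text before apache is ever restarted. The script below is an added example, not code from the forum or from Enonic: a small linter that parses apache vhost blocks and reports those conditions. The two embedded configs are constructed placeholders modelled on the ones quoted above (`example.test`, the documentation address `203.0.113.10`), not the posters' real sites, and the checks it performs are a reviewer's checklist, not anything the page presents as official.

```python
"""Lint an apache reverse-proxy vhost config for the mistakes discussed in this thread.

Added example, not the forum's or Enonic's code. Standard library only, runs offline.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample modelled on the problem configs quoted in the thread (placeholders).
BROKEN_CONF = """\
<VirtualHost *:80>
  ServerName example.test
  RewriteEngine on
  RewriteRule ^/(.*) https://example.test/$1 [L,R=301,NE]
</VirtualHost>
<VirtualHost *:443>
  ServerName example.test
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/apache2/ssl/example.test.crt
  SSLCertificateKeyFile /etc/apache2/ssl/example.test.key
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://203.0.113.10:8080/ timeout=5
  ProxyPass
Reverse / http://203.0.113.10:8080/ timeout=5
</VirtualHost>
"""

# Constructed sample with the thread's fixes applied: modern TLS, forwarded proto, HSTS, loopback backend.
GOOD_CONF = """\
<VirtualHost *:80>
  ServerName example.test
  RewriteEngine on
  RewriteRule ^/(.*) https://example.test/$1 [L,R=301,NE]
</VirtualHost>
<VirtualHost *:443>
  ServerName example.test
  RequestHeader set X-Forwarded-Proto "https"
  SSLEngine on
  SSLProtocol all -SSLv3
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
  SSLHonorCipherOrder on
  SSLCertificateFile /etc/letsencrypt/live/example.test/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
  Header always set Strict-Transport-Security "max-age=15768000"
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://localhost:8080/ timeout=5
  ProxyPassReverse / http://localhost:8080/ timeout=5
</VirtualHost>
"""

WEAK_CIPHER_WORDS = ("RC4", "LOW", "MEDIUM", "EXPORT", "DES-CBC3", "3DES", "NULL", "ADH")
_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
_CLOSE = re.compile(r"^</VirtualHost>$", re.I)


@dataclass
class Finding:
    vhost: str      # e.g. "*:443"
    code: str       # short machine-readable id
    message: str


def parse(text):
    """Split config text into [(vhost name, [(directive, args)])], global directives, findings."""
    vhosts, global_dirs, findings, cur = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _OPEN.match(line):
            cur = (m.group(1).strip(), [])
            continue
        if _CLOSE.match(line):
            if cur is not None:
                vhosts.append(cur)
            cur = None
            continue
        parts = line.split(None, 1)
        (cur[1] if cur else global_dirs).append((parts[0], parts[1] if len(parts) > 1 else ""))
    if cur is not None:   # EOF inside a block: the closing tag was lost, as in a truncated paste
        findings.append(Finding(cur[0], "unclosed-vhost", "missing </VirtualHost>"))
        vhosts.append(cur)
    return vhosts, global_dirs, findings


def _index(directives):
    idx = {}
    for d, a in directives:
        idx.setdefault(d.lower(), []).append(a)
    return idx


def _weak_ciphers(spec):
    """Tokens of an SSLCipherSuite string that admit weak ciphers; '!...' exclusions are skipped."""
    weak = []
    for tok in spec.split(":"):
        name = tok.lstrip("+").upper()
        if not tok.startswith("!") and (name == "ALL" or any(w in name for w in WEAK_CIPHER_WORDS)):
            weak.append(tok)
    return weak


def _protocol_ok(spec):
    toks = spec.lower().split()
    if "+sslv3" in toks or "sslv3" in toks or "+sslv2" in toks:
        return False
    return not ("all" in toks and "-sslv3" not in toks)   # "all" must at least drop SSLv3


def lint(text):
    vhosts, global_dirs, findings = parse(text)
    g = _index(global_dirs)
    for name, directives in vhosts:
        d = _index(directives)
        report = lambda code, msg: findings.append(Finding(name, code, msg))
        eff = lambda key: d.get(key) or g.get(key) or []   # vhost value, else global fallback
        for directive, args in directives:
            if directive.lower() in ("proxypass", "proxypassreverse") and not args:
                report("split-directive", f"{directive} has no arguments: directive broken across two lines")
            elif directive.lower() == "reverse":
                report("split-directive", "'Reverse' is not a directive; apache refuses to load this config")
        if any(v.lower() == "on" for v in d.get("proxyrequests", [])):
            report("open-proxy", "ProxyRequests On makes this vhost a forward proxy for anyone")
        pp = {a.split()[0] for a in d.get("proxypass", []) if a}
        ppr = {a.split()[0] for a in d.get("proxypassreverse", []) if a}
        for path in sorted(pp - ppr):
            report("no-proxypassreverse", f"ProxyPass {path} has no matching ProxyPassReverse")
        for a in d.get("proxypass", []):
            parts = a.split()
            try:   # only IP literals are judged; a container hostname such as 'exp' is fine
                if len(parts) > 1 and not ipaddress.ip_address(urlsplit(parts[1]).hostname).is_loopback:
                    report("non-loopback-backend", f"backend {parts[1]} is not loopback; use localhost if XP is co-located")
            except ValueError:
                pass
        if name.endswith(":80") and not any("https://" in a for k in ("rewriterule", "redirect") for a in d.get(k, [])):
            report("no-https-redirect", "port-80 vhost does not redirect to https")
        if not any(v.lower() == "on" for v in d.get("sslengine", [])):
            continue   # the remaining checks only apply to TLS vhosts
        if not eff("sslprotocol"):
            report("no-sslprotocol", "no SSLProtocol; relying on the distribution default")
        elif not all(_protocol_ok(s) for s in eff("sslprotocol")):
            report("weak-protocol", "SSLProtocol still allows SSLv3")
        for s in eff("sslciphersuite"):
            if weak := _weak_ciphers(s):
                report("weak-ciphers", "SSLCipherSuite admits " + ", ".join(weak))
        if not any("x-forwarded-proto" in a.lower() for a in d.get("requestheader", [])):
            report("no-forwarded-proto", "no X-Forwarded-Proto header; XP cannot tell the request was HTTPS")
        if not any("strict-transport-security" in a.lower() for a in d.get("header", [])):
            report("no-hsts", "no Strict-Transport-Security header")
    return findings


def lint_codes(text):
    return sorted({f.code for f in lint(text)})


if __name__ == "__main__":
    for f in lint(BROKEN_CONF):
        print(f"{f.vhost:8} {f.code:22} {f.message}")
    print("good config findings:", lint(GOOD_CONF))
```

The linter reads the whole file, so the `SSLProtocol`/`SSLCipherSuite` lines placed after the closing `</VirtualHost>` in the configs above count as global settings and satisfy the TLS checks for every `SSLEngine on` vhost, which is how apache treats them too. It is deliberately opinionated about `ALL:...:+LOW`-style cipher strings and about 3DES suites, so the long list from the earlier reply would be reported as `weak-ciphers` for its `DES-CBC3` entries.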

Hey @_Jokerbusta. I hope you are well. Did you manage to get it working? Thanks.