Not sure if this is something you could answer - but I’ll give it a shot.
How do I enable HTTPS for my Enonic XP installation? I see the web server is based on Jetty, so should be possible without too much hassle?
Hi!
In our hosting environment, we always use Apache or equivalent as a reverse proxy in front, and we terminate SSL there.
Here's an Apache vhost example with SSL and a rewrite rule to force it, too. You also have to make sure that the modules proxy_wstunnel, proxy_http and rewrite are loaded.
# Port 80 exists only to send everything to HTTPS (needs mod_rewrite).
<VirtualHost *:80>
    ServerName enonic.com
    ServerAlias www.enonic.com
    CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.log combined
    DocumentRoot /var/www/html/enonic.com
    RewriteEngine on
    RewriteRule ^/(.*) https://enonic.com/$1 [L,R=301,NE]
</VirtualHost>

# Port 443 terminates TLS and proxies plain HTTP to XP on 8080.
<VirtualHost *:443>
    ServerName enonic.com
    ServerAlias www.enonic.com
    DocumentRoot /var/www/html/enonic.com
    CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.ssl.log combined
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    # Legacy cipher string: still admits RC4 and LOW/MEDIUM-strength suites.
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/apache2/ssl/enonic.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/enonic.com.key
    # Intermediate certificate (SSLCertificateChainFile is the directive intended for the chain).
    SSLCACertificateFile /etc/apache2/ssl/enonic.com.intermediate.crt
    # Old Internet Explorer workaround for TLS connection shutdown.
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    # Reverse proxy only (never a forward proxy); keep the client's Host header
    # so XP's vhost mapping can match it.
    ProxyRequests Off
    ProxyPreserveHost On
    # Admin console WebSocket endpoint (needs mod_proxy_wstunnel).
    ProxyPass /admin/event ws://80.65.59.104:8080/admin/event
    ProxyPassReverse /admin/event ws://80.65.59.104:8080/admin/event
    # Everything else to XP over plain HTTP (needs mod_proxy_http).
    ProxyPass / http://80.65.59.104:8080/ timeout=5
    ProxyPassReverse / http://80.65.59.104:8080/ timeout=5
    # Canonicalise any other Host (e.g. www.) onto enonic.com.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^enonic\.com$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/(.*) https://enonic.com/$1 [L,R,NE]
</VirtualHost>
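The parts of this setup that go wrong quietly are the redirect (pointing at the wrong host, or not a 301), the HSTS header the later configs in this thread add, and XP's own port 8080 still answering from the outside even though the proxy is the only thing that should talk to it. The script below is an added example for this thread, not Enonic's or Apache's own tooling: it checks the Apache syntax and the modules the post lists, then verifies those three things. The check_* functions take raw response headers as arguments, so the constructed samples at the bottom exercise them offline; `live HOST` runs the same checks with curl against a real host. The 8080 backend and the 15768000-second HSTS value are taken from the thread; the script and function names are mine.

```shell
#!/bin/sh
# check_xp_https.sh - smoke-test Apache-in-front-of-Enonic-XP (added example,
# not Enonic's or Apache's own tooling).
# The check_* functions take raw HTTP response headers as arguments, so they
# run offline on the constructed samples below; "live HOST" feeds them curl output.

# Status code from the first line of a header block ("HTTP/1.1 301 ..." -> 301).
status_of() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Value of header $1 (name matched case-insensitively) in header block $2.
header_of() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { split($0, kv, ":") }
        tolower(kv[1]) == want { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Plain HTTP must get a permanent redirect to https:// on the canonical host,
# which is what the port-80 vhost's RewriteRule is for.
check_redirect() {  # $1=host  $2=headers of "curl -sI http://$1/"
    st=$(status_of "$2")
    [ "$st" = 301 ] || { echo "FAIL: expected 301 from http://$1/, got '$st'"; return 1; }
    loc=$(header_of Location "$2")
    case "$loc" in
        "https://$1/"*) echo "ok: http://$1/ -> $loc" ;;
        *) echo "FAIL: Location '$loc' does not point at https://$1/"; return 1 ;;
    esac
}

# HTTPS responses must carry HSTS; 15768000 s (six months) is the value the
# configs in this thread use, so anything lower is treated as a regression.
check_hsts() {  # $1=headers of "curl -sI https://host/"
    hsts=$(header_of Strict-Transport-Security "$1")
    age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$age" ] && [ "$age" -ge 15768000 ]; then
        echo "ok: HSTS max-age=$age"; return 0
    fi
    echo "FAIL: HSTS missing or max-age too low: '$hsts'"; return 1
}

# XP speaks plain HTTP on 8080; only the proxy should be able to reach it.
check_backend_hidden() {  # $1=host  $2=exit status of "curl http://$1:8080/"
    if [ "$2" -eq 0 ]; then
        echo "FAIL: $1:8080 answers directly; bind XP to localhost or firewall the port"; return 1
    fi
    echo "ok: $1:8080 is not reachable from here"
}

# Run everything against a real deployment: live mydomain.com
live() {
    host="$1"; rc=0
    apachectl -t || return 1                         # config syntax
    for m in ssl_module rewrite_module headers_module proxy_module proxy_http_module proxy_wstunnel_module; do
        apachectl -M 2>/dev/null | grep -q "$m" || echo "WARN: $m not loaded"
    done
    check_redirect "$host" "$(curl -sI --max-time 5 "http://$host/")" || rc=1
    check_hsts "$(curl -sI --max-time 5 "https://$host/")" || rc=1
    curl -sI --max-time 5 "http://$host:8080/" >/dev/null 2>&1
    check_backend_hidden "$host" $? || rc=1
    return $rc
}

# Constructed sample responses (not captured from a real server).
GOOD_HTTP="$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://mydomain.com/\r\n\r\n')"
BAD_HTTP="$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n')"
GOOD_HTTPS="$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000\r\n\r\n')"
BAD_HTTPS="$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n')"

if [ "${1:-}" = live ]; then
    live "$2"
fi
```

Run it as `sh check_xp_https.sh live enonic.com` from a machine outside the hosting network; the 8080 check only means something from there, since from the proxy host itself the backend is supposed to answer.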
Hi there, I have a problem… I have started my Enonic instance on port 8080 and made the following configuration, but I am still getting HTTP ERROR 404.
This is my configuration:
<VirtualHost *:443>
    ServerName myDomain.com
    DocumentRoot /var/www/html/
    CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.ssl.log combined
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/apache2/SSL/SSL/company.com.crt
    SSLCertificateKeyFile /etc/apache2/SSL/SSL/company.com.key
    SSLCertificateChainFile /etc/apache2/SSL/SSL/company.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /admin/event ws://mypublicIP:8080/admin/event
    ProxyPassReverse /admin/event ws://mypublicIP:8080/admin/event
    ProxyPass / http://mypublicIP:8080/ timeout=5
    ProxyPassReverse / http://mypublicIP:8080/ timeout=5
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^myDomain\.com$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/(.*) https://myDomain.com/$1 [L,R,NE]
</VirtualHost>
Can you help me?
Regards,
What happens if you go to the server without https?
I would like to know a bit about your server setup.
Is it a container setup?
Is it two servers, or one server for each function (Apache and Enonic), or something else?
I'll add a sample config of how I would set up the XP vhost and the Apache vhost, with mydomain.com as the domain. Note that this would be run in a container setup, so exp is a hostname in this config that my container system knows the IP address for.
ProxyPass / http://exp:8080/ timeout=5
ProxyPassReverse / http://exp:8080/ timeout=5
One thing that is easy to do wrong is to forget to map the vhost settings correctly, like replacing /portal/master/mysite with /mysite.
That said, I can't find anything particularly wrong with your setup, and I think if Apache had no connection with XP it should return 503 instead of 404.
com.enonic.xp.web.vhost.cfg
enabled = true
mapping.site.host = mydomain.com
mapping.site.source = /
mapping.site.target = /portal/master/mysite
mapping.admin.host = mydomain.com
mapping.admin.source = /admin
mapping.admin.target = /admin
mapping.admin.userStore = system
mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api
/etc/apache/sites-enabled/mydomain.com.conf
# Port 80 only redirects to HTTPS (mod_rewrite).
<VirtualHost *:80>
    ServerName mydomain.com
    RewriteEngine on
    RewriteRule ^/(.*) https://mydomain.com/$1 [L,R=301,NE]
</VirtualHost>

<VirtualHost *:443>
    ServerName mydomain.com
    # Tell the backend the client connection was HTTPS (mod_headers).
    RequestHeader set X-Forwarded-Proto "https"
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/certs/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem
    # HSTS: a browser that has seen this refuses plain HTTP to the host for six months.
    Header always set Strict-Transport-Security "max-age=15768000"
    # Reverse proxy only; keep the Host header so XP's vhost mapping matches.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://exp:8080/ timeout=5
    ProxyPassReverse / http://exp:8080/ timeout=5
    RewriteEngine on
    # WebSocket upgrades under /admin are proxied as ws:// (mod_proxy_wstunnel).
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteCond %{REQUEST_URI} /admin [NC]
    RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]
    # Canonicalise any other Host onto mydomain.com.
    RewriteCond %{HTTP_HOST} !^mydomain\.com$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/(.*) https://mydomain.com/$1 [L,R]
</VirtualHost>

# TLS settings, kept outside the vhost (server-wide) in this setup.
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
# OCSP stapling
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
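To see what the vhost mapping actually does with a request, and why the "/mysite instead of /portal/master/mysite" slip ends in XP being asked for a path it has nothing to serve, here is an added example (not Enonic's code) that reads a com.enonic.xp.web.vhost.cfg on stdin and prints the internal path XP will serve for a given Host and request path. The semantics are assumptions to check against your XP version: the host must match exactly, source is a plain path prefix, the longest matching source wins when several apply, and the rest of the request path is appended to the target. The two sample configs are constructed to mirror the one above; the script and function names are mine.

```shell
#!/bin/sh
# xp_vhost_resolve.sh - show where XP's vhost mapping sends a request.
# Added example for this thread, not Enonic's code. Reads a
# com.enonic.xp.web.vhost.cfg on stdin and prints the internal path XP will
# serve for HOST and PATH. Assumed semantics (check against your XP version):
# exact host match, source is a plain path prefix, the longest matching source
# wins, and the remainder of the path is appended to the target.

resolve() {  # usage: resolve HOST PATH < com.enonic.xp.web.vhost.cfg
    awk -v host="$1" -v path="$2" '
        # Collect every "mapping.<name>.<key> = <value>" line into m[name, key].
        /^[ \t]*mapping\./ {
            line = $0
            sub(/^[ \t]*mapping\./, "", line)        # "site.host = mydomain.com"
            dot = index(line, ".")
            name = substr(line, 1, dot - 1)          # "site"
            rest = substr(line, dot + 1)             # "host = mydomain.com"
            key = rest; sub(/[ \t]*=.*/, "", key)    # "host"
            val = substr(rest, index(rest, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)         # "mydomain.com"
            m[name, key] = val
            names[name] = 1
        }
        END {
            best = ""; bestlen = -1
            for (name in names) {
                src = m[name, "source"]
                if (src == "" || m[name, "host"] != host) continue
                if (substr(path, 1, length(src)) != src) continue
                # "/" and "/admin" both match /admin/tool; keep the longer one.
                if (length(src) > bestlen) { best = name; bestlen = length(src) }
            }
            if (best == "") { print "NO MAPPING"; exit 1 }
            src = m[best, "source"]; sub(/\/$/, "", src)   # "/" -> "" so the whole path is kept
            tail = substr(path, length(src) + 1)
            if (tail == "/") tail = ""
            print m[best, "target"] tail
        }'
}

# Constructed configs mirroring the one above: a correct one, and the
# "/mysite instead of /portal/master/mysite" mistake.
GOOD_CFG='enabled = true
mapping.site.host = mydomain.com
mapping.site.source = /
mapping.site.target = /portal/master/mysite
mapping.admin.host = mydomain.com
mapping.admin.source = /admin
mapping.admin.target = /admin
mapping.admin.userStore = system'

BAD_CFG='enabled = true
mapping.site.host = mydomain.com
mapping.site.source = /
mapping.site.target = /mysite'

# Command-line use: xp_vhost_resolve.sh /path/to/com.enonic.xp.web.vhost.cfg HOST PATH
if [ "$#" -eq 3 ] && [ -f "$1" ]; then
    resolve "$2" "$3" < "$1"
fi
```

With the correct config, a request for https://mydomain.com/about arrives at XP (via ProxyPreserveHost, so the Host header survives) and is served from /portal/master/mysite/about, while /admin/tool stays /admin/tool; with the broken config the same request becomes /mysite/about, and a Host the config does not list matches nothing at all. Point the script at your real cfg and the host name Apache forwards to find out which of those you are hitting.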
Still unable to set up Enonic XP with HTTPS
cat /home/xp/enonic/xp/config/com.enonic.xp.web.vhost.cfg
enabled = true
mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api
mapping.a.host = ofornecedor.com.br
mapping.a.source = /admin
mapping.a.target = /admin
mapping.a.userStore = system
mapping.b.host = ofornecedor.com.br
mapping.b.source = /
mapping.b.target = /portal/master/ofornecedor
000-default.conf
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
<VirtualHost *:80>
ServerName ofornecedor.com.br
RewriteEngine on
RewriteRule ^/(.*) https://ofornecedor.com.br/$1 [L,R=301,NE]
</VirtualHost>
<VirtualHost *:443>
ServerName ofornecedor.com.br
RequestHeader set X-Forwarded-Proto "https"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/ofornecedor.com.br/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ofornecedor.com.br/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ofornecedor.com.br/chain.pem
Header always set Strict-Transport-Security "max-age=15768000"
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://publicIp:8080/ timeout=5
ProxyPass
Reverse / http://publicIp:8080/ timeout=5
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteCond %{REQUEST_URI} /admin [NC]
RewriteRule /admin/(.*) ws://publicIp:8080/admin/$1 [P,L]
RewriteCond %{HTTP_HOST} !^ofornecedor\.com\.br$
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/(.*) https://ofornecedor.com.br/$1 [L,R]
</VirtualHost>
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
sudo service xp restart
sudo service apache2 restart
sudo service xp status
● xp.service - SYSV: Enonic XP server daemon
Loaded: loaded (/etc/init.d/xp; bad; vendor preset: enabled)
Active: active (exited) since Sat 2019-05-11 12:51:13 UTC; 1min 24s ago
Docs: man:systemd-sysv-generator(8)
Process: 2378 ExecStop=/etc/init.d/xp stop (code=exited, status=0/SUCCESS)
Process: 2392 ExecStart=/etc/init.d/xp start (code=exited, status=0/SUCCESS)
Tasks: 0
Memory: 0B
CPU: 0
May 11 12:51:13 ip-172-31-13-126 systemd[1]: Starting SYSV: Enonic XP server daemon…
May 11 12:51:13 ip-172-31-13-126 xp[2392]: Starting Enonic XP: xp…
May 11 12:51:13 ip-172-31-13-126 su[2397]: Successful su for xp by root
May 11 12:51:13 ip-172-31-13-126 su[2397]: + ??? root:xp
May 11 12:51:13 ip-172-31-13-126 su[2397]: pam_unix(su:session): session opened for user xp by (uid=0)
May 11 12:51:13 ip-172-31-13-126 xp[2392]: Enonic XP: xp started
May 11 12:51:13 ip-172-31-13-126 xp[2392]: ( with pid 2418 and exit code 0 )
May 11 12:51:13 ip-172-31-13-126 systemd[1]: Started SYSV: Enonic XP server daemon.
I am getting the default Apache page instead of the app.
What am I missing here?
Hi!
Is this still a problem? Your site looks good except it's not rewriting automatically.
It may be a copy error, but ProxyPassReverse should all be on one line.
OK:
ProxyPassReverse / http://publicIp:8080/ timeout=5
NOT OK:
ProxyPass
Reverse / http://publicIp:8080/ timeout=5
Also, if XP is running on the same server as Apache, it makes sense to do it like this (use localhost):
ProxyPass / http://localhost:8080/ timeout=5
ProxyPassReverse / http://localhost:8080/ timeout=5