How can I set up a reverse proxy for the user portal from 7.1 onward?

In this KB article we describe the steps needed to configure the Apache httpd web server as a reverse proxy in front of the user portal that CMDaemon serves.

With this setup it is possible to assign a certificate signed by a public certification authority. Also, port 443 can be exposed instead of the default port 8081.

The first step is to create the configuration files userportal.conf and bright-view.conf for the reverse proxy.

For Apache httpd version 2.4, the following file format can be used:

# cat > /etc/httpd/conf.d/userportal.conf << _EOF_
RewriteEngine  on
RewriteRule ^/(userportal)/(.*)$ https://%{SERVER_NAME}/\$1/\$2 [R,L]
RewriteRule ^/(userportal)$ https://%{SERVER_NAME}/\$1/ [R,L]

ProxyPreserveHost On

ProxyRequests Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /userportal/ https://127.0.0.1:8081/userportal/
ProxyPassReverse /userportal/ https://127.0.0.1:8081/userportal/
ProxyPass /json https://127.0.0.1:8081/json
ProxyPassReverse /json https://127.0.0.1:8081/json
ProxyPass /shell https://127.0.0.1:8081/shell
ProxyPassReverse /shell https://127.0.0.1:8081/shell
_EOF_
# cat > /etc/httpd/conf.d/bright-view.conf << _EOF_
RewriteEngine  on
RewriteRule ^/(bright-view)/(.*)$ https://%{SERVER_NAME}/\$1/\$2 [R,L]
RewriteRule ^/(bright-view)$ https://%{SERVER_NAME}/\$1/ [R,L]

ProxyPreserveHost On
ProxyRequests Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /bright-view/ https://127.0.0.1:8081/bright-view/
ProxyPassReverse /bright-view/ https://127.0.0.1:8081/bright-view/
ProxyPass /json https://127.0.0.1:8081/json
ProxyPassReverse /json https://127.0.0.1:8081/json
ProxyPass /shell https://127.0.0.1:8081/shell
ProxyPassReverse /shell https://127.0.0.1:8081/shell
_EOF_

For Apache httpd 2.2 the following file configurations can be used:


# cat > /etc/httpd/conf.d/userportal.conf << _EOF_
RewriteEngine  on
RewriteRule ^/(userportal)/(.*)$ https://%{SERVER_NAME}/\$1/\$2 [R,L]
RewriteRule ^/(userportal)$ https://%{SERVER_NAME}/\$1/ [R,L]

ProxyPreserveHost On
ProxyRequests Off
SSLProxyEngine on
ProxyPass /userportal/ https://127.0.0.1:8081/userportal/
ProxyPassReverse /userportal/ https://127.0.0.1:8081/userportal/
ProxyPass /bright-view/ https://127.0.0.1:8081/bright-view/
ProxyPassReverse /bright-view/ https://127.0.0.1:8081/bright-view/
ProxyPass /json https://127.0.0.1:8081/json
ProxyPassReverse /json https://127.0.0.1:8081/json
ProxyPass /shell https://127.0.0.1:8081/shell
ProxyPassReverse /shell https://127.0.0.1:8081/shell
_EOF_
# cat > /etc/httpd/conf.d/bright-view.conf << _EOF_
RewriteEngine  on
RewriteRule ^/(bright-view)/(.*)$ https://%{SERVER_NAME}/\$1/\$2 [R,L]
RewriteRule ^/(bright-view)$ https://%{SERVER_NAME}/\$1/ [R,L]

ProxyPreserveHost On
ProxyRequests Off
SSLProxyEngine on
ProxyPass /bright-view/ https://127.0.0.1:8081/bright-view/
ProxyPassReverse /bright-view/ https://127.0.0.1:8081/bright-view/
ProxyPass /json https://127.0.0.1:8081/json
ProxyPassReverse /json https://127.0.0.1:8081/json
ProxyPass /shell https://127.0.0.1:8081/shell
ProxyPassReverse /shell https://127.0.0.1:8081/shell
_EOF_
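
The SSLProxyVerify none and SSLProxyCheckPeer* off lines in the 2.4 files turn off every certificate check on the proxy-to-backend connection, which in this setup stays on 127.0.0.1. The check below is an added example, not part of the original article: it flags a configuration where those settings are combined with an https backend on another host, or where ProxyRequests is switched on. The function names and the 10.0.0.5 address are constructed for illustration.

```shell
# Added example, not part of the original article.
# audit_proxy_conf [FILE]: read an httpd config (stdin if no FILE) and print
# one finding per line, sorted. No output means nothing was flagged.
audit_proxy_conf() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                  # skip blank lines and comments
    { d = tolower($1); v = tolower($2) }
    # Settings that switch off checks on the backend certificate.
    d == "sslproxyverify" && v == "none" { relaxed[++n] = $1 " " $2 }
    d ~ /^sslproxycheckpeer(cn|name|expire)$/ && v == "off" { relaxed[++n] = $1 " " $2 }
    # ProxyRequests On would turn the host into a forward proxy.
    d == "proxyrequests" && v == "on" { print "FORWARD_PROXY_ENABLED line " NR }
    # Remember https:// backends that are not on the loopback interface.
    d == "proxypass" && $3 ~ /^https:\/\// {
        host = $3
        sub(/^https:\/\//, "", host)               # drop the scheme
        sub(/\/.*$/, "", host)                     # drop the path
        if (host ~ /^\[/) {                        # bracketed IPv6 literal
            sub(/^\[/, "", host); sub(/\].*$/, "", host)
        } else {
            sub(/:[0-9]+$/, "", host)              # drop the port
        }
        if (host !~ /^127\./ && host != "localhost" && host != "::1") remote[host] = 1
    }
    END {
        for (h in remote)
            for (i = 1; i <= n; i++)
                print "UNVERIFIED_BACKEND " h ": " relaxed[i]
    }' "${1:--}" | sort
}

# Constructed sample: directives from this page, backend host as a parameter.
sample_conf() {
    cat <<EOF
ProxyRequests Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /userportal/ https://$1:8081/userportal/
ProxyPassReverse /userportal/ https://$1:8081/userportal/
EOF
}

sample_conf 127.0.0.1 | audit_proxy_conf   # loopback backend: no findings
sample_conf 10.0.0.5 | audit_proxy_conf    # constructed remote backend: four findings
```

The function also takes a file name, for example audit_proxy_conf /etc/httpd/conf.d/userportal.conf. ProxyPass lines inside a Location block, which carry no path argument, are not inspected.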

The second step is to apply the change to the Bright Cluster web landing page (index.php). This makes the page construct the correct links for the user portal and bright-view, that is, links without the :8081 port:

# sed -i 's_:8081/userportal_/userportal_g' /var/www/html/index.php
# sed -i 's_:8081/bright-view_/bright-view_g' /var/www/html/index.php

Beginning in 9.1, the above changes need to be made to the constants.php file instead:

# sed -i 's_:8081/userportal_/userportal_g' /var/www/html/constants.php
# sed -i 's_:8081/bright-view_/bright-view_g' /var/www/html/constants.php

Now it is possible to access the user portal using the standard HTTPS port 443.

To figure out where you store your new certificate files on your head node, take a look at /etc/httpd/conf.d/ssl.conf on your head node, specifically the following directives: 

SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile

Then, change those directives to point to the new certificates and key.

With these configurations in place, reload the Apache httpd webserver:

# service httpd reload

Tips:

It’s possible to automate the renewal of signed SSL certificates. The example here uses acme.sh to request a certificate and adds a scheduled job to renew it. Please note that for both certificate issuance and renewal, the public CA accesses the web server over HTTP to verify that the requester controls the domain.

Install the script from GitHub (replace <email_address> with the administrator's email address).

# yum install git -y
# git clone https://github.com/acmesh-official/acme.sh.git
# cd acme.sh/
# ./acme.sh --install -m <email_address>

Request the certificate (please update <domain_name> with the appropriate domain name).

# acme.sh --issue -d <domain_name> --apache --cert-file /etc/pki/tls/certs/<domain_name>.cer --key-file /etc/pki/tls/private/<domain_name>.key --fullchain-file /etc/pki/tls/certs/fullchain.cer

Please update /etc/httpd/conf.d/ssl.conf as mentioned above and reload the httpd service.

Modify the existing acme.sh cronjob to reload the httpd service upon certificate renewal (please update <domain_name> with the appropriate domain name).

3 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null; find /etc/pki/tls/certs -name <domain_name>.cer -mmin -5 -exec systemctl reload httpd \;
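
A pre-reload check for the certificate swap and the renewal cron job described above, as an added example that is not part of the original article: it confirms that the certificate and private key belong together and that the certificate is not about to expire before httpd is reloaded. The function names and the throwaway self-signed pairs are constructed for illustration, and the openssl command-line tool is assumed to be installed.

```shell
# Added example, not part of the original article. Requires the openssl CLI.
# cert_matches_key CERT KEY: succeed only if both hold the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT DAYS: succeed if CERT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# reload_gate CERT KEY [DAYS]: print "ok" and return 0 only if httpd can pick
# up the pair; otherwise print the reason and return 1. DAYS defaults to 7.
reload_gate() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "unreadable"; return 1; }
    cert_matches_key "$1" "$2" || { echo "key-mismatch"; return 1; }
    cert_valid_for "$1" "${3:-7}" || { echo "expiring"; return 1; }
    echo "ok"
}

# make_pair DIR NAME DAYS: constructed throwaway self-signed pair for the demo.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2.example" -days "$3" \
        -keyout "$1/$2.key" -out "$1/$2.cer" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_pair "$demo_dir" a 30 && make_pair "$demo_dir" b 30
reload_gate "$demo_dir/a.cer" "$demo_dir/a.key"            # prints ok
reload_gate "$demo_dir/a.cer" "$demo_dir/b.key" || true    # prints key-mismatch
rm -rf "$demo_dir"
```

On the head node the gate would be called with the certificate and key paths set in ssl.conf, followed by && systemctl reload httpd. The command httpd -t checks the configuration syntax separately.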
Updated on February 15, 2023

Comments

    1. Hi Jon,
      Indeed that’s correct. We’ll update the KB instructions accordingly. Thanks for the contribution.

      –Ken
