PhenixID

PSD1077 – Using Apache HTTP Server and AJP for Reverse Proxy

Overview

Using a reverse proxy infront of PhenixID Identity Manager (IM), PhenixID Password Self Service (PPSS) or PhenixID Certificate Service (CS) make sure there are no direct access to the servers. All client communication goes through the ReverseProxy.

This document is our, PhenixID, best practice to using Reverse Proxy.

For our products based on PhenixID Platform Service we recommend using HTTP instead.
Link to document – PSD1075

Technical Overview

Apache terminates the SSL session and then forwards all traffic to the PhenixID service.

The PhenixID service holds all program logic except for the SSL negotiation.
It is recommended that Apache and PhenixID services are installed on separate hardware but they may also be installed on the same physical server.

Appropriate firewall openings made (for example below):
Internet -> Apache HTTP server, TCP port 443 (HTTPS)
Apache HTTP server -> PhenixID IM/PPS/CS, TCP port 8009 (AJP)

Linux or Windows

This document consist of to main section.

  1. Configure on Linux
  2. Configure on Windows

Prerequisite for using AJP is that the applications run on Apache Tomcat.

1. Configure on Linux

Apache modules

Mod_jk is the module responsible for forwarding traffic using AJP from Apache to the PhenixID service.

First install mod_jk, for example:
sudo apt-get install libapache2-mod-jk

If the module does not get enabled when doing install, enable mod_jk (for example):
a2enmod jk

Apache configuration

Create a new text file (if not created through install) in /etc/apache2/mods-available, named jk.conf.

Add the following contents:
JkWorkersFile /etc/apache2/workers.properties
JkLogFile /var/log/apache2/jk.log
JkLogLevel info
JkExtractSSL On
JkMount /selfservice* selfservice

Create a new text file in /etc/apache2, named workers.properties
Add the following contents, where <back-end-ip> is the IP address to the PhenixID server:
worker.list=selfservice
worker.selfservice.port=8009
worker.selfservice.host=192.168.0.19
worker.selfservice.type=ajp13
Open /etc/apache2/sites-available/default-ssl.conf in a text editor.
Add the following lines within the virtual host directive:
JkMount /selfservice* selfservice
The Apache service needs to be restarted after the changes.

Tomcat configuration

In the Tomcat file structure in the file conf/server.xml verify that the AJP connector is enabled.
Should look something like this:
<!– Define an AJP 1.3 Connector on port 8009 –>
<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ />

The Tomcat service needs to be restarted after the changes.

***************   END of section “Configure on Linux” ***************

2. Configure on Windows

Server version used for this instruction was Windows Server 2016.

Download and install Apache HTTP server on Windows

******************** Important! ********************
There are several sites where you can download an installer for Apache HTTP server, www.apachelounge.com is one of them and well known. After you have downloaded and before you attempt to install, you should make sure that the installer is is intact and has not been tampered with. Use the PGP Signature and/or the SHA Checksums to verify the integrity. PhenixID is not accountable for the content or availability of these websites or sources where you can download Apache software. PhenixID gives no guarantee, nor does it accept any responsibility for the content, data, advices, announcements, software, products or other material on these websites or sources.
*****************************************************

  1. Download the latest stable version of Apache HTTP server for Windows.
    For this document we used version 2.4.25

    1. Go to https://www.apachelounge.com/download/
    2. Download Apache HTTP server for Windows
  2. Download Microsoft prerequisite for above Apache HTTP server version
    1. Download  “Microsoft Visual C++ 2015 Redistributable Update 3”
    2. https://www.microsoft.com/en-us/download/confirmation.aspx?id=53840
  3. Install Apache HTTP server and Microsoft prereq on Windows
    1. Install “Microsoft Visual C++ 2015 Redistributable Update 3”
      1. Run vc_redist.x64.exe
      2. Run through and complete installation wizard
    2. Unzip httpd-2.4.25-win64-VC14.zip
    3. Open the folder and copy the folder /Apache24 to c:/ (or other preferred drive)
    4. C:\Apache24
  4. Install Apache HTTP Server as a service
    1. Open Command Prompt
    2. Type “cd Apache24/bin” and press Enter
    3. Type “httpd.exe -k install” and press Enter
  5. Verify that Apache HTTP Server was installed succesfully
    1. Open Services (services.msc)
    2. Look for service named Apache2.4
    3. Start service

Configure server.xml to disable http on IM/PPSS/CS

Disable http port on IM/PPSS or CS server

  1. Open server.xml (\tomcat8-im\conf)
  2. Find following line and disable defautl port of IM/PPSS or CS. In this case the port was 8090. Use <!– –> to disable port.
    <!– <Connector port=”8090″ protocol=”HTTP/1.1″
    connectionTimeout=”20000″
    redirectPort=”8443″ />
    –>
  3. Save and restart service
  4. Verify that port is not active any more.

Verify that AJP port is enabled

  1. Open server.xml (\tomcat8-im\conf)
  2. Verify following line is not disabled
    <Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ />
  3. Save and restart service if needed

Download and add appropriate Tomcat connector

  1. Download corresponding Tomcat connector from https://www.apachelounge.com/download/
    1. For this configuration we download mod_jk-1.2.42-win64-VC14.zip
  2. Unzip and copy mod_jk.so to drive:\..\Apache2.2\modules

Load appropriate modules in httpd.conf

  1. Open httpd.conf
    • C:\Apache24\conf
  2. Add following module by
    LoadModule jk_module modules/mod_jk.so
  3. Enable following modules by removing the #
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
  4. Save file httpd.conf
  5. Restart Apache HTTP server and verify

Disable port 80 on Apache HTTP server

For security reasons you might like to disable http or port 80 or maybe you disable this access is configured in your firewall.
To disable port 80 on Apache HTTP server:

  1. Open file httpd.conf
  2. Find “Listen 80”
  3. Remove line or add a # in start of line
    # Listen 80
  4. Save file httpd.conf
  5. Restart Apache HTTP server and verify

Add SSL certificate to your installation

Please visit PSD1078

Include httpd-ssl.conf in httpd.conf

  1. Open file httpd.conf
  2. Locate following lines and make sure include line is NOT disable.
    Correct configuration should look like follows:
    # Secure (SSL/TLS) connections
    Include conf/extra/httpd-ssl.conf
  3. Save file httpd.conf
  4. Restart Apache HTTP server and verify

Include jk.conf in httpd-ssl.conf

  1. Open file extra/httpd-ssl.conf
  2. Locate following lines and make sure include line is NOT disable.
    Correct configuration should look like follows:
    Include conf/jk.conf
  3. Save file httpd-ssl.conf
  4. Restart Apache HTTP server and verify

Include parameter to httpd-ssl.conf

  1. Open file extra/httpd-ssl.conf
  2. Locate following lines in file: <VirtualHost _default_:443>
  3. Below that line add following line:
    JkMountCopy On
  4. Save file httpd-ssl.conf
  5. Restart Apache HTTP server and verify

Create files workers.properties and jk.conf

Create and configure workers.properties (this example shows how to enable IM)

  1. Create file “workers.properties” and save it to /Apache24/conf/
  2. Add the following lines:
    # Worker for IdentityManager.
    worker.list=IdentityManager
    worker.IdentityManager.port=8009
    worker.IdentityManager.host=127.0.0.1
    worker.IdentityManager.type=ajp13
  3. Above  example, IM is on same server as Apache HTTP Server
  4. Create file “jk.conf” and save it to /Apache24/conf/
  5. Open jk.conf and add the following lines:
    JkWorkersFile conf/workers.properties
    JkLogFile logs/jk.log
    JkLogLevel info
    JkExtractSSL On
    JkMount /phenixid* IdentityManager
  6. Above example, IM is on same server as Apache HTTP Server
  7. Save both files and restart the Apache HTTP Server

Verify configuration

Open a browser and go to your FQDN and verify your configuration
e.g. https://server_name.phenixid.local/phenixid/

Misc

Ghostcat fix

Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.
By exploiting of the Ghostcat vulnerability, an attacker will be able to read the contents of configuration files and source code files of all webapps deployed on Tomcat.

Configuration of server.xml

Add the secret parameter

  1. Open server.xml (drive:\…\PhenixID\IM\server\conf)
  2. Find the line <!– <Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ secret=”changePasswordreadPSD1097″/> –>
    By default AJP is disabled. To enable AJP, remove <!– in front and –> at the end.
  3. Result should look like:
    <Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ secret=”changePasswordreadPSD1097″/>

Configuration of workers.properties.minimal

Add the worker.ajp13w.secret parameter

  1. Open workers.properties.minimal (drive:\…TomcatConnectorIIS\conf)
  2. Add worker.ajp13w.secret=changePasswordreadPSD1097 to a password of your choice.
  3. Restart the IIS service
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se