Add Apache TLS/SSL landing page for CollectionSpace
Using the Apache HTTP Server in front of CollectionSpace's Tomcat Server instance has many advantages. The two most important for us are port hiding and supporting TLS/SSL connections. Learn more about the Apache HTTP Server here: https://en.wikipedia.org/wiki/Apache_HTTP_Server
Port Hiding
This is useful for creating a landing page for CollectionSpace so one can ignore the :8180 port number, and for having Apache redirect the user to the full site location when they only know the domain (and subdomain). Remembering demo.collectionspace.org is much nicer than remembering demo.collectionspace.org/collectionspace/ui/core/html/index.html.
TLS/SSL
TLS/SSL are cryptographic protocols that provide communications security over the Internet and computer networks in general. Configuring CollectionSpace to communicate this way with its users is critical to protecting data and user information in a production instance. If you have trouble getting this to work, please reach out to the CollectionSpace community for help. A great place to start is by sending an email to the CollectionSpace "Talk" email list at talk@collectionspace.org.
Instructions for installing on Ubuntu 16.04 LTS
First, make sure Apache HTTP Server is installed:
sudo apt-get install apache2
Enable the rewrite, proxy and SSL modules. These are necessary for what we wish to accomplish.
sudo a2enmod rewrite
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl
Then restart Apache.
sudo /etc/init.d/apache2 restart
(or: sudo service apache2 restart)
Next, make sure proxying is turned on, which is usually turned off by default in Ubuntu. Edit /etc/apache2/mods-enabled/proxy.conf
<IfModule mod_proxy.c>
    # If you want to use apache2 as a forward proxy, uncomment the
    # 'ProxyRequests On' line and the <Proxy *> block below.
    # WARNING: Be careful to restrict access inside the <Proxy *> block.
    # Open proxy servers are dangerous both to your network and to the
    # Internet at large.
    #
    # If you only want to use apache2 as a reverse proxy/gateway in
    # front of some web application server, you DON'T need
    # 'ProxyRequests On'.

    #ProxyRequests On
    ProxyRequests Off
    <Proxy *>
        AddDefaultCharset off
        Order deny,allow
        Deny from all
        #Allow from .example.com
    </Proxy>

    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #ProxyVia Off
    ProxyVia On
</IfModule>
Next, create a new virtual host for your CollectionSpace instance.
Here is a sample VH directive for the server at mmidev.collectionspace.org (96.126.108.110) saved as /etc/apache2/sites-enabled/cspace:
<VirtualHost 96.126.108.110:80>
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ServerAdmin webmaster@localhost

    RewriteEngine on
    RewriteRule /collectionspace/(.*) http://mmidev.collectionspace.org:8180/collectionspace/$1 [P]

    # set server name
    ProxyPreserveHost On
    ServerName localhost

    DocumentRoot /var/www/html
    <Directory />
        Options FollowSymLinks
        AllowOverride all
    </Directory>
    <Directory /var/www/html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
The VH here tells Apache what to serve when it gets a request for mmidev.collectionspace.org on port 80 (the default HTTP port). Any requests for mmidev.collectionspace.org/collectionspace/* (port 80) will be sent to the Tomcat server listening on port 8180. Apache acts as a proxy server in this case and rewrites all incoming and outgoing URLs so the URL can be 'prettified' by having the port number (8180) stripped out.
Next, we notify Apache of the VH we want to enable. In this case, cspace:
sudo a2ensite cspace
This will also create a symbolic link in Apache's sites-enabled directory.
Reload the Apache configuration:
sudo /etc/init.d/apache2 reload
Finally, we want to create a landing page that will redirect the user to the full app location.
Save this template to your canonical default Apache web directory: /var/www/index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>MMI CollectionSpace</title>
  <style>
    body {padding:0; font:1.1em/1.5 Verdana, arial, sans-serif; color: #000; margin:2em 0; text-align: center;}
    img {padding: 0; margin: 2em 0;}
    p {margin:1em 0 0 0; padding: 0;}
    a {text-decoration:none; color:#88AFD8;}
  </style>
  <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
  <META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://mmidev.collectionspace.org/collectionspace/ui/core/html/index.html">
</head>
<body>
  <p>If you are not automatically forwarded to the MMI CollectionSpace page please <a href="http://mmidev.collectionspace.org/collectionspace/ui/core/html/index.html">click here</a>.</p>
</body>
</html>
From here, the user can enter mmidev.collectionspace.org and the root index.html page will redirect them to mmidev.collectionspace.org/collectionspace/ui/mmi/html/index.html. Apache will handle all requests on the default port and proxy them to Tomcat listening on port 8180.
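The steps above enable the ssl module but define only a port-80 virtual host. A TLS virtual host for the same site could look like the following; this is an added example, not part of the original instructions. The certificate paths are placeholders, and it assumes the port-80 block here replaces the proxying port-80 virtual host shown earlier.

```apache
# Added example, not from the original instructions.
# Uses only the modules enabled earlier: ssl, proxy, proxy_http.

# Port 80 no longer proxies anything; it only sends clients to HTTPS,
# so credentials and session cookies never travel in clear text.
<VirtualHost *:80>
    ServerName mmidev.collectionspace.org
    Redirect permanent / https://mmidev.collectionspace.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName mmidev.collectionspace.org
    ServerAdmin webmaster@localhost

    # Landing page (index.html) is served from here over HTTPS.
    DocumentRoot /var/www/html

    SSLEngine on
    # Placeholder paths: point these at the certificate and private key
    # issued for this host name. The key file should be readable by root only.
    SSLCertificateFile    /etc/ssl/certs/PLACEHOLDER-cspace.crt
    SSLCertificateKeyFile /etc/ssl/private/PLACEHOLDER-cspace.key
    # Hardening choice made for this example: accept TLS 1.2 only.
    SSLProtocol -all +TLSv1.2

    # Reverse proxy only; never act as a forward (open) proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Same mapping as the RewriteRule ... [P] in the port-80 example:
    # /collectionspace/* goes to Tomcat on port 8180.
    ProxyPass        /collectionspace/ http://mmidev.collectionspace.org:8180/collectionspace/
    # Rewrite Location headers from Tomcat so the backend port is not exposed.
    ProxyPassReverse /collectionspace/ http://mmidev.collectionspace.org:8180/collectionspace/

    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
```

Tomcat still receives plain HTTP from Apache, so any absolute http:// redirect it issues is caught by the port-80 block and sent back to HTTPS. The landing page's refresh URL and link should use https:// as well.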