Add Apache TLS/SSL landing page for CollectionSpace

Using the Apache HTTP Server in front of CollectionSpace's Tomcat Server instance has many advantages. The two most important for us are port hiding and support for TLS/SSL connections. Learn more about the Apache HTTP Server here: https://en.wikipedia.org/wiki/Apache_HTTP_Server

Port Hiding

Port hiding makes it possible to create a landing page for CollectionSpace, so users can ignore the :8180 port number, and to have Apache redirect them to the full site location if they only know the domain (and subdomain). Remembering demo.collectionspace.org is much nicer than remembering demo.collectionspace.org/collectionspace/ui/core/html/index.html.

TLS/SSL

TLS and SSL are cryptographic protocols that provide communications security over the Internet and computer networks in general. Configuring CollectionSpace to communicate this way with its users is critical to protecting data and user information in a production instance. If you have trouble getting this to work, please reach out to the CollectionSpace community for help. A great place to start is by sending an email to the CollectionSpace "Talk" email list at talk@collectionspace.org.

Instructions for installing on Ubuntu 16.04 LTS

First, make sure Apache HTTP Server is installed:

sudo apt-get install apache2

Enable the proxy, rewrite and SSL modules. These are necessary for what we wish to accomplish.

sudo a2enmod rewrite
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl

Then restart Apache.

sudo /etc/init.d/apache2 restart (or: sudo service apache2 restart)

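Next, make sure proxying is turned on; it is usually turned off by default in Ubuntu. Edit /etc/apache2/mods-enabled/proxy.conf so that it reads as follows. ProxyRequests stays Off, because Apache is used here only as a reverse proxy in front of Tomcat: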

<IfModule mod_proxy.c>

# If you want to use apache2 as a forward proxy, uncomment the
# 'ProxyRequests On' line and the <Proxy *> block below.
# WARNING: Be careful to restrict access inside the <Proxy *> block.
# Open proxy servers are dangerous both to your network and to the
# Internet at large.
#
# If you only want to use apache2 as a reverse proxy/gateway in
# front of some web application server, you DON'T need
# 'ProxyRequests On'.

#ProxyRequests On
ProxyRequests Off
<Proxy *>
        AddDefaultCharset off
        Order deny,allow
        Deny from all
        #Allow from .example.com
</Proxy>

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#ProxyVia Off
ProxyVia On
</IfModule>

Next, create a new virtual host for your CollectionSpace instance.
Here is a sample virtual host (VH) directive for the server at mmidev.collectionspace.org (96.126.108.110), saved as /etc/apache2/sites-enabled/cspace:

<VirtualHost 96.126.108.110:80>
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        ServerAdmin webmaster@localhost

        RewriteEngine on
        RewriteRule     /collectionspace/(.*)   http://mmidev.collectionspace.org:8180/collectionspace/$1 [P]

        # set server name
        ProxyPreserveHost On
        ServerName localhost

        DocumentRoot /var/www/html
        <Directory />
                Options FollowSymLinks
                AllowOverride all
        </Directory>
        <Directory /var/www/html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined

</VirtualHost>

The virtual host tells Apache what to serve when it gets a request for mmidev.collectionspace.org on port 80 (the default HTTP port). Any requests for mmidev.collectionspace.org/collectionspace/* (port 80) are sent to the Tomcat server listening on port 8180. Apache acts as a proxy server in this case and rewrites all incoming and outgoing URLs, so the URL can be 'prettified' by having the port number (8180) stripped out.
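
The steps above enable Apache's SSL module, but the sample virtual host listens only on port 80. The following is an added example, not part of the original page or CollectionSpace's own configuration, of a TLS virtual host for the same site together with a port-80 host that redirects to it (this redirect would stand in for the port-80 host above once TLS works). The certificate and key paths are placeholders, and ProxyPass/ProxyPassReverse are used here in place of the RewriteRule with [P].

```apache
# Added example. Assumptions: Apache 2.4 as shipped with Ubuntu 16.04, with the
# ssl, proxy and proxy_http modules enabled; certificate paths are placeholders.

# Plain HTTP: send every request to the HTTPS site.
<VirtualHost *:80>
        ServerName mmidev.collectionspace.org
        Redirect permanent / https://mmidev.collectionspace.org/
</VirtualHost>

<VirtualHost *:443>
        ServerName mmidev.collectionspace.org
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # TLS settings. Replace both paths with your own certificate and key.
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/EXAMPLE-fullchain.pem
        SSLCertificateKeyFile /etc/ssl/private/EXAMPLE-privkey.pem
        # Refuse the legacy protocol versions.
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

        # Reverse proxy only: forward proxying stays off.
        ProxyRequests Off
        ProxyPreserveHost On
        # TLS ends at Apache; the hop to Tomcat on port 8180 is plain HTTP.
        ProxyPass        /collectionspace/ http://mmidev.collectionspace.org:8180/collectionspace/
        ProxyPassReverse /collectionspace/ http://mmidev.collectionspace.org:8180/collectionspace/

        # The landing page is served from here (Apache 2.4 access syntax).
        <Directory /var/www/html>
                Options FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>

        ErrorLog /var/log/apache2/error.log
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
</VirtualHost>
```

Because TLS terminates at Apache, port 8180 should not be reachable from outside the host or trusted network; otherwise users can still reach Tomcat over unencrypted HTTP.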

Next, we notify Apache of the virtual host we want to enable, in this case cspace:

a2ensite cspace

This will also create a symbolic link in Apache's sites-enabled directory.

Reload the Apache configuration:

/etc/init.d/apache2 reload

Finally, we want to create a landing page that will redirect the user to the full app location.
Save this template to your canonical default Apache web directory: /var/www/index.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
        <head>
                <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
                <title>MMI CollectionSpace</title>

                <style>
                        body {padding:0; font:1.1em/1.5 Verdana, arial, sans-serif; color: #000; margin:2em 0; text-align: center;}
                        img {padding: 0; margin: 2em 0;}
                        p {margin:1em 0 0 0; padding: 0;}
                        a {text-decoration:none; color:#88AFD8;}

                </style>
                <meta http-equiv="Cache-Control" content="no-cache" />
                <meta
                        http-equiv="Refresh"
                        content="0; URL=http://mmidev.collectionspace.org/collectionspace/ui/core/html/index.html" />

        </head>

        <body>
                <p>If you are not automatically forwarded to the MMI CollectionSpace page please <a href="http://mmidev.collectionspace.org/collectionspace/ui/core/html/index.html">click here</a>.</p>
        </body>

</html>

From here, the user can enter mmidev.collectionspace.org and the root index.html page will redirect them to mmidev.collectionspace.org/collectionspace/ui/mmi/html/index.html. Apache will handle all requests on the default port and proxy them to Tomcat listening on port 8180.