How to configure Liferay to use a secure channel (HTTPS, i.e. SSL) for login using Apache httpd

This how-to describes one way to configure a Liferay portal so that the credentials supplied (especially during the login process) are always encrypted (using HTTPS), while guest users can still browse the public content over plain HTTP. There is already a built-in property that should provide similar functionality (company.security.auth.requires.https=true), but it does not seem to work with newer versions of Tomcat (a security feature; see the discussion on http://www.liferay.com/web/guest/community/forums/-/message_boards/message/1144949). The goal of this solution is to provide the following functionality:

  • The portal runs on both HTTP and HTTPS URLs.
  • All guest users (not authenticated) can still fully browse the content unencrypted, using the HTTP URL (saving you some bandwidth and giving faster response times, because the browser can cache the HTTP content). This should not be a security issue, as all content such a user can see is configured as public anyway.
  • As soon as someone tries to log in, he/she is immediately redirected to the HTTPS URL.
  • After that the user stays entirely on the HTTPS URL, so all potentially confidential content is encrypted (it would also be a bad idea to change a user password, create a new user or write confidential content over an unencrypted channel).
  • If the logged-in user goes to an HTTP URL, he/she is not logged in anymore (so no potentially confidential content can be viewed or edited).

For this how-to we are using Liferay community version 5.2.3 (with the bundled Tomcat 6.0.18) and Apache httpd version 2.2.3-31 (with mod_proxy_ajp and mod_ssl) on CentOS 5.4.

Configuration

Let’s assume that the Liferay portal is installed in /home/liferay/liferay-portal, the URLs are http://mycompany.com and https://mycompany.com respectively, and the Apache httpd server IP is 10.1.1.1 (please replace these values to match your particular configuration).

Configuration of liferay portal

First edit the file portal-ext.properties (it should be in /home/liferay/liferay-portal/tomcat-6.0.18/webapps/ROOT/WEB-INF/classes/portal-ext.properties or in /home/liferay/liferay-portal/portal-ext.properties; if the file is not there, create it).

The following lines must be inserted (or adjusted) there:

web.server.host=mycompany.com
#
# Set ports for http server
#
web.server.http.port=80
web.server.https.port=443

Then check that Tomcat is configured with the AJP connector (if you use mod_proxy_http instead of mod_proxy_ajp, this is not necessary):

In the file /home/liferay/liferay-portal/tomcat-6.0.18/conf/server.xml you must ensure that the following line is present:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />

Then restart the portal’s Tomcat instance (in /home/liferay/liferay-portal/tomcat-6.0.18/bin run ./shutdown.sh, wait until the Tomcat process is gone, and start it again with ./startup.sh).

Check that the Tomcat process is really listening on this port:

netstat -nap|grep 8009

You must see a line like the following:

tcp        0      0 :::8009                     :::*                        LISTEN      12345/java

where 12345 is the PID of the Tomcat process (ps -efwww|grep 12345).

Configuration of Apache httpd server

First ensure that Apache httpd itself and mod_ssl are installed (as root):

yum install httpd mod_ssl

Let’s configure the HTTP URL first. Go to the configuration directory (/etc/httpd/conf.d) and create a new file mycompany.com.conf with the following content:

<VirtualHost 10.1.1.1:80>
    ServerName mycompany.com
    ServerAlias www.mycompany.com mycompany.net www.mycompany.net
    CustomLog /var/log/httpd/mycompany_access_log combined
    # The login URL (and everything below it) is sent to the HTTPS site
    <LocationMatch "/c/portal/login">
        Redirect permanent / https://mycompany.com/
    </LocationMatch>
    # Everything else is passed unencrypted to Tomcat's AJP connector
    ProxyPass / ajp://localhost:8009/
</VirtualHost>

Now restart the Apache httpd server (service httpd restart) and go to http://mycompany.com.

You should already see that everything works on the portal except the login itself.

So let’s configure the SSL virtual host. The installation of mod_ssl gives you an example virtual host defined in ssl.conf, so let’s make the changes right there:

  • First obtain and configure a real SSL certificate (e.g. on startssl.com you can get one for free with pretty good browser acceptance). This is not a must; you could go on with the self-signed certificate, but then you are potentially vulnerable to man-in-the-middle attacks.
  • Change the server name to:
    ServerName mycompany.com:443
    ServerAlias www.mycompany.com:443
  • Enable mod_proxy_ajp to forward everything to the Tomcat instance:
    ProxyPass / ajp://localhost:8009/
  • Check the configuration:
    service httpd configtest

and if it reports OK, restart the server (service httpd restart or service httpd graceful).

Now you should be able to view the portal on https://mycompany.com and on http://mycompany.com, but if you try to log in on an HTTP URL you will be immediately redirected to https://mycompany.com and stay there for the whole session.
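To confirm that the setup actually behaves as described, here is an added verification script (it is not part of the original how-to). It checks the three properties the configuration is supposed to provide: the HTTP login URL answers with a permanent redirect to the HTTPS login URL, a public page is still served over plain HTTP, and the session cookie set over HTTPS carries the Secure flag, which is what keeps the browser from sending the session to the HTTP site (Tomcat marks JSESSIONID Secure when the request arrives over AJP as an SSL request; that behaviour is assumed here, as are the host name mycompany.com and the constructed sample responses). The checks parse raw response headers in the form curl -sI prints them, so they can be run offline on the constructed samples, or with the --live flag against the real server.

```shell
#!/bin/sh
# Added example: verify the HTTP/HTTPS login split described in the how-to.
# Offline: the functions are run on the constructed samples below.
# Live:    ./check_https_login.sh --live mycompany.com

# Constructed sample: expected answer of http://mycompany.com/c/portal/login
SAMPLE_LOGIN_REDIRECT='HTTP/1.1 301 Moved Permanently
Date: Mon, 01 Jan 2010 00:00:00 GMT
Server: Apache
Location: https://mycompany.com/c/portal/login
Content-Type: text/html; charset=iso-8859-1'

# Constructed sample: a public page served over plain HTTP through the AJP proxy
SAMPLE_PUBLIC_PAGE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2010 00:00:00 GMT
Server: Apache
Set-Cookie: JSESSIONID=ABC123; Path=/
Content-Type: text/html;charset=UTF-8'

# Constructed sample: the same page over HTTPS; the session cookie is Secure
SAMPLE_HTTPS_PAGE='HTTP/1.1 200 OK
Server: Apache
Set-Cookie: JSESSIONID=DEF456; Path=/; Secure
Content-Type: text/html;charset=UTF-8'

# Print the numeric status code from the status line (first header line).
status_code() {
  printf '%s\n' "$1" | head -n 1 | cut -d' ' -f2 | tr -d '\r'
}

# Print the value of the named header (case-insensitive), CR stripped.
header_value() {
  printf '%s\n' "$1" | grep -i "^$2:" | head -n 1 | cut -d' ' -f2- | tr -d '\r'
}

# 0 if the login URL on HTTP is permanently redirected to the HTTPS login URL
# on the expected host (a redirect to some other host would be a misconfiguration).
check_login_redirect() {
  headers="$1"; host="$2"
  [ "$(status_code "$headers")" = "301" ] || return 1
  case "$(header_value "$headers" Location)" in
    "https://$host/c/portal/login"*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if a public page is served (200) rather than redirected or rejected.
check_public_http() {
  [ "$(status_code "$1")" = "200" ]
}

# 0 if every JSESSIONID cookie in the response carries the Secure flag,
# so the browser will not present the session over plain HTTP.
check_session_cookie_secure() {
  cookies=$(printf '%s\n' "$1" | grep -i '^Set-Cookie:.*JSESSIONID=' | tr -d '\r')
  [ -n "$cookies" ] || return 1
  printf '%s\n' "$cookies" | grep -iv 'secure' >/dev/null && return 1
  return 0
}

# Live mode: fetch the real headers with curl and report each check.
if [ "${1:-}" = "--live" ]; then
  host="${2:-mycompany.com}"
  check_login_redirect "$(curl -sI "http://$host/c/portal/login")" "$host" \
    && echo "OK   login over HTTP redirects to HTTPS" || echo "FAIL login redirect"
  check_public_http "$(curl -sI "http://$host/")" \
    && echo "OK   public content reachable over HTTP" || echo "FAIL public HTTP"
  check_session_cookie_secure "$(curl -sI "https://$host/")" \
    && echo "OK   session cookie is Secure on HTTPS" || echo "FAIL session cookie not Secure"
fi
```

If the third check fails on a live server, the "logged out when going back to HTTP" property does not hold: the browser would send the HTTPS session cookie along with plain HTTP requests, which is exactly the exposure the redirect was meant to avoid.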

Optionally you can configure many URL aliases (on HTTP), e.g. mycompany.net, www.mycompany.eu etc. (you must add them as server aliases in the mycompany.com.conf file), and everything will be immediately redirected to the mycompany.com site.
