This how-to describes one way to configure a Liferay portal so that the credentials supplied (especially during the login process) are always encrypted (by using HTTPS) while guest users can still browse the public content over plain HTTP. There is already a built-in property that should provide similar functionality (setting company.security.auth.requires.https=true), but it seems not to work with the newer versions of Tomcat (a security feature; see the discussion at http://www.liferay.com/web/guest/community/forums/-/message_boards/message/1144949). The goal of this solution is to provide the following functionality:
- The portal runs on both HTTP and HTTPS URLs.
- All guest users (not authenticated) can still fully browse the content unencrypted, using the HTTP URL (saving you some bandwidth and giving faster response times because the browser caches the HTTP content). That should be no security issue, as all content such a user could see is configured as public anyway.
- As soon as someone tries to log in, he/she is immediately redirected to the HTTPS URL.
- After that the user stays completely on the HTTPS URL, so all potentially confidential content is encrypted (e.g. it would also not be a good idea to change a user password, create a new user or write confidential content over an unencrypted channel).
- If the logged-in user goes to an HTTP URL, he/she is not logged in anymore (so no potentially confidential content could be viewed or edited).
For this how-to we are using Liferay Community Edition version 5.2.3 (with a bundled Tomcat 6.0.18) and Apache httpd version 2.2.3-31 (with mod_proxy_ajp and mod_ssl) on
Let’s assume that the Liferay portal is installed in /home/liferay/liferay-portal, the URLs are http://mycompany.com and https://mycompany.com respectively, and the Apache httpd server IP is 10.1.1.1 (please replace these values to match your particular configuration).
Configuration of liferay portal
First edit the file portal-ext.properties (it should be in /home/liferay/liferay-portal/tomcat-6.0.18/webapps/ROOT/WEB-INF/classes/portal-ext.properties or in /home/liferay/liferay-portal/portal-ext.properties; if the file is not there, create it).
The following lines must be inserted (or adjusted) there:
Then check whether Tomcat is configured with the AJP connector (if you use mod_proxy_http instead of mod_proxy_ajp, this is not necessary):
In the file /home/liferay/liferay-portal/tomcat-6.0.18/conf/server.xml you must ensure that the following line is present:
Then restart the portal’s Tomcat instance (in /home/liferay/liferay-portal/tomcat-6.0.18/bin run ./shutdown.sh, wait until the Tomcat process is gone and start it again with ./startup.sh).
Check that the Tomcat process is really listening on this port:
You must see the following line there:
Here 12345 is the process ID of the Tomcat Java process (ps -efwww|grep 12345).
Configuration of Apache httpd server
First ensure that Apache httpd itself and mod_ssl are installed (as root):
Let’s configure the HTTP URL first:
Go to the configuration directory (/etc/httpd/conf.d) and create a new file mycompany.com.conf with the following content:
Now restart the Apache httpd server (service httpd restart) and go to http://mycompany.com
You should already see that everything on the portal works except the login itself.
So let’s configure the SSL virtual host. The installation of mod_ssl gives you an example virtual host defined in ssl.conf, so let’s make the changes right there:
- First provide and configure a real SSL certificate (e.g. on startssl.com you can get one for free with pretty good browser acceptance). It is not a must; you could continue with the self-signed certificate, but then you are potentially vulnerable to man-in-the-middle attacks.
- Change the server name to:
- Enable mod_proxy_ajp to forward everything to the Tomcat instance:
ProxyPass / ajp:
- Check the configuration:
service httpd configtest
and if you see OK, then restart the server (service httpd restart or service httpd graceful).
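The how-to relies on three things being in place before the login redirect can work: an AJP connector in Tomcat's server.xml, the Tomcat process actually listening on that port, and the SSL virtual host forwarding everything to Tomcat over AJP. The script below is an added example (not part of the original how-to or of Liferay/Apache httpd) that runs those checks offline over constructed sample inputs. Assumptions are labelled in the code: AJP port 8009 (Tomcat's default; the how-to does not name the port), a Tomcat host called tomcat.internal, a constructed server.xml line, constructed netstat output with the how-to's PID 12345, and placeholder certificate paths. The check that the AJP connector carries an address attribute is a recommendation rather than something the how-to states; an AJP connector reachable from outside the proxy host is an avoidable exposure.

```shell
#!/bin/sh
# Added example, not from the original how-to: offline sanity checks for the
# Tomcat AJP connector, the listening port and the ssl.conf virtual host.
# All inputs are constructed samples; AJP port 8009 and host tomcat.internal
# are assumptions.

AJP_PORT=8009
TOMCAT_PID=12345

# Constructed: the AJP connector line from tomcat's conf/server.xml.
# The address attribute (constructed value 10.1.1.2) is a recommendation: it
# binds the AJP connector to the interface the httpd proxy reaches it on.
SAMPLE_SERVER_XML='<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="10.1.1.2" />'

# Constructed: output of `netstat -tlnp` on the tomcat host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      12345/java
tcp        0      0 10.1.1.2:8009           0.0.0.0:*               LISTEN      12345/java'

# Constructed: how the SSL virtual host in ssl.conf might look after the
# changes above (certificate paths are placeholders).
SAMPLE_SSL_CONF='<VirtualHost _default_:443>
    ServerName mycompany.com:443
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/PLACEHOLDER.crt
    SSLCertificateKeyFile /etc/pki/tls/private/PLACEHOLDER.key
    ProxyPass / ajp://tomcat.internal:8009/
</VirtualHost>'

# 1. Does server.xml define an AJP/1.3 connector on the expected port?
ajp_connector_defined() {        # $1 = server.xml content, $2 = port
    printf '%s\n' "$1" | grep -E '<Connector[^>]*protocol="AJP/1\.3"' \
        | grep -qE "[[:space:]]port=\"$2\""
}

# 2. Is that connector bound to a specific address rather than all interfaces?
ajp_connector_bound() {          # $1 = server.xml content
    printf '%s\n' "$1" | grep -E '<Connector[^>]*protocol="AJP/1\.3"' \
        | grep -qE 'address="[^"]+"'
}

# 3. Is the tomcat PID really listening on the AJP port? (the netstat check)
ajp_port_listening() {           # $1 = netstat output, $2 = pid, $3 = port
    printf '%s\n' "$1" | grep -qE "[:.]$3[[:space:]].*LISTEN[[:space:]]+$2/"
}

# 4. Does the SSL vhost forward the whole site to tomcat over AJP?
vhost_proxies_to_ajp() {         # $1 = vhost config, $2 = port
    printf '%s\n' "$1" \
        | grep -qE "^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]+ajp://[^/[:space:]]+:$2/"
}

# 5. Does the SSL vhost answer for the expected server name with SSL on?
vhost_ssl_for() {                # $1 = vhost config, $2 = server name
    printf '%s\n' "$1" \
        | grep -qE "^[[:space:]]*ServerName[[:space:]]+$2(:443)?[[:space:]]*$" &&
    printf '%s\n' "$1" | grep -qiE '^[[:space:]]*SSLEngine[[:space:]]+on'
}

# Run every check over the samples; the exit status reports the result.
run_checks() {
    ajp_connector_defined "$SAMPLE_SERVER_XML" "$AJP_PORT" \
        || { echo "no AJP connector on port $AJP_PORT"; return 1; }
    ajp_connector_bound "$SAMPLE_SERVER_XML" \
        || { echo "AJP connector is bound to all interfaces"; return 1; }
    ajp_port_listening "$SAMPLE_NETSTAT" "$TOMCAT_PID" "$AJP_PORT" \
        || { echo "pid $TOMCAT_PID is not listening on port $AJP_PORT"; return 1; }
    vhost_proxies_to_ajp "$SAMPLE_SSL_CONF" "$AJP_PORT" \
        || { echo "SSL vhost does not proxy / to AJP"; return 1; }
    vhost_ssl_for "$SAMPLE_SSL_CONF" "mycompany.com" \
        || { echo "SSL vhost is not for mycompany.com"; return 1; }
    echo "all checks passed"
}

run_checks
```

To use it against a real installation, replace the constructed samples with `cat conf/server.xml`, `netstat -tlnp` and `cat /etc/httpd/conf.d/ssl.conf` output; the functions only look at the lines the how-to tells you to verify by eye.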
Now you should be able to view the portal on both https://mycompany.com and http://mycompany.com, but if you try to log in on an HTTP URL you will be immediately redirected to https://mycompany.com and stay there for the whole session.
Optionally you could configure many URL aliases (on HTTP), e.g. mycompany.net, www.mycompany.eu etc. (you must put them as server aliases in the mycompany.com.conf file), and everything will be immediately redirected to the mycompany.com site.