Disabling RMI and firewall issues

georgesm
Champ in-the-making
Hi

My goal is to set up alfresco (3.2r) on my box (Ubuntu 9.10) so that it's only accessible through https.
I don't need nor want FTP, SMB, cifs, RMI etc. connectivity.
I ftped the archive and unzipped it in /opt/alfresco.

My configuration is the following:
apache + mod_jk + tomcat.

Apache config

<VirtualHost *:80>
        ServerName www.mysite.com
        DocumentRoot /home/www
        <Location /phpmyadmin>
                RewriteEngine on
                RewriteCond %{HTTPS} off
                RewriteRule ^(.*)$ https://www.mysite.com/phpmyadmin [R]
        </Location>
        <Location /share>
                RewriteEngine on
                RewriteCond %{HTTPS} off
                RewriteRule ^(.*)$ https://www.mysite.com/share/ [R]
        </Location>
        <Location /alfresco>
                RewriteEngine on
                RewriteCond %{HTTPS} off
                RewriteRule ^(.*)$ https://www.mysite.com/alfresco/ [R]
        </Location>
</VirtualHost>

<VirtualHost *:443>
        ServerName www.mysite.com
        DocumentRoot /home/www
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        SSLCertificateFile    /etc/apache2/ssl/cert
        SSLCertificateKeyFile /etc/apache2/ssl/key
        SSLCACertificateFile  /etc/apache2/ssl/chain
        JkMount /alfresco worker1
        JkMount /alfresco/* worker1
        JkMount /share worker1
        JkMount /share/* worker1
        SetEnvIf User-Agent ".*MSIE.*" \
                         nokeepalive ssl-unclean-shutdown \
                         downgrade-1.0 force-response-1.0
</VirtualHost>

mod_jk workers.properties

workers.tomcat_home=/opt/alfresco/tomcat
workers.java_home=/usr/lib/jvm/java-6-sun
ps=/
worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13
worker.worker1.lbfactor=1

server.xml (hopefully relevant extracts)

<Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Through apache I redirect, on port 80, all requests to alfresco to port 443 where apache uses mod_jk to communicate with tomcat.
So far, so good: https works fine.

Now alfresco is available on port 8080 (which I don't want).
If in the server.xml file I disable the port 8080 connection (and still use mod_jk) alfresco won't start.
So I left it as it is: the site is available on http through port 8080 and on https through the regular port.

I thought I could prevent that by disabling accessibility to port 8080 with iptables (rejecting all incoming traffic on port 8080).
If the iptables rule is set BEFORE I run the "alfresco.sh start" command, alfresco won't start (it can't acquire the port).
If I wait about 80s or so and alfresco is running, I can block port 8080.

I thought I could modify the alfresco.sh script to flush or load iptables, but since alfresco launches the "real" startup scripts (that I do want to break) I am always out of sync.

So here are my (stupid?) questions:
  • How do I have alfresco only available through https, coexisting peacefully with apache ?

  • I have already managed to disable cifs and ftp (setting ftp/cifs.enabled=false in alfresco-global.properties). What should I do to disable the last RMI connectivity?

  • What would be a smart way to protect ports 8009 and 8100 (i.e. ajp and ooffice)?

  • How does one configure a firewall with alfresco (sub-question: am I doing this completely the wrong way??)
Thank you,

Georges
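An added example, not code from the original post or from Alfresco, that addresses the port 8080 question from a different angle than iptables: Tomcat's <Connector> element takes an optional address attribute, and when it is absent the connector listens on every interface, which is why 8080 stays reachable even though Apache only proxies 443 to AJP 8009. Binding the HTTP and AJP connectors to 127.0.0.1 keeps them available for Apache's mod_jk worker and for any localhost calls Alfresco makes during startup (the reason it refuses to start with 8080 removed), while taking the connector off the network and removing the race between alfresco.sh and the firewall rule. The script below embeds the two connectors as posted (constructed sample, wrapped in a minimal <Server>), reports which ones are exposed, and produces a loopback-bound rewrite. Port 8100 is OpenOffice's own listener rather than a Tomcat connector, so this check does not cover it.

```python
"""Audit Tomcat <Connector> bindings and rewrite them to the loopback interface.

Added example for this thread; the sample XML is constructed from the
connectors posted above, not copied from an Alfresco distribution.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the connectors as posted, with no address attribute,
# so each one listens on all interfaces.
POSTED = """<Server><Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"
       connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

# Constructed sample: the same connectors bound to the loopback interface,
# which is the change this example recommends.
HARDENED = """<Server><Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"
       address="127.0.0.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
       redirectPort="8443" />
</Service></Server>"""

# Addresses that keep a connector reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def connectors(server_xml: str):
    """Return (port, protocol, address) for every Connector.

    address is None when the attribute is absent, i.e. bound to all interfaces.
    """
    root = ET.fromstring(server_xml)
    return [
        (int(c.get("port")), c.get("protocol", "HTTP/1.1"), c.get("address"))
        for c in root.iter("Connector")
    ]


def exposed_ports(server_xml: str):
    """Ports whose connector is reachable from outside the host."""
    return sorted(
        port for port, _proto, addr in connectors(server_xml)
        if addr not in LOOPBACK
    )


def report(server_xml: str) -> str:
    """Human-readable verdict per connector."""
    lines = []
    for port, proto, addr in connectors(server_xml):
        where = addr if addr else "0.0.0.0 (all interfaces)"
        verdict = "ok" if addr in LOOPBACK else "EXPOSED"
        lines.append(f"port {port:<5} {proto:<9} bound to {where}: {verdict}")
    return "\n".join(lines)


def bind_to_loopback(server_xml: str) -> str:
    """Return server.xml with every non-loopback connector bound to 127.0.0.1.

    Apache's mod_jk worker (worker.worker1.host=localhost) and any
    localhost:8080 calls Alfresco makes still work after this change.
    """
    root = ET.fromstring(server_xml)
    for c in root.iter("Connector"):
        if c.get("address") not in LOOPBACK:
            c.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("As posted:\n" + report(POSTED))
    print("\nBound to loopback:\n" + report(HARDENED))
    print("\nRewritten:\n" + bind_to_loopback(POSTED))
```

Run it against the real /opt/alfresco/tomcat/conf/server.xml by passing the file contents to report(); anything marked EXPOSED is a connector the host firewall is currently the only thing protecting. After the change, `netstat -tlnp` (or `ss -tlnp`) should show 8080 and 8009 on 127.0.0.1 only, and the 80-second iptables timing problem disappears because nothing external can reach the connector in the first place. A separate point on the posted Apache config: the SSLCipherSuite string enables SSLv2, export and LOW-grade ciphers (+LOW:+SSLv2:+EXP), which current guidance removes; that is independent of the port question but worth fixing while editing the vhost.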
1 REPLY

dangruhn
Champ in-the-making
I am looking for the same thing.

A related thread doesn't discuss this either (http://forums.alfresco.com/en/viewtopic.php?f=9&t=8965). One poster says Explorer and Share are both working, but I think that 8080 is still open for this.

I can disable 8080 access via my external access firewall, but I would like to have internal folks only use 8443 also.