Configure SSL for a Production Environment - Alfresco Content Services - 23.4 - 23.4 - Ready - Alfresco - external

Alfresco Content Services

Platform
Alfresco
Product
Alfresco Content Services
Release
23.4
License

This scenario provides a set of forwarding rules that your proxy needs to meet and the corresponding configuration, with sample configuration files for Apache HTTP Server.

Several proxy application servers are available to configure for SSL communications; for example, Apache HTTP Server, HAProxy or Nginx. Using a proxy server means that you do not have to edit your configuration files directly.

A client machine connects to the proxy server instead of the application server directly. As a result, Content Service and Alfresco Share must be configured to use an externally available URL, rather than an internal machine name. This external URL can then be passed to other parts of the Share application; for example, when Share creates a link to Alfresco Office Services for online editing.

For security reasons, configure your proxy to forward only requests to the resources that you want to expose to the outside world. In this scenario, the applications need to use the internal machine name when talking to each other, but use the external name when creating links for the user.

  1. Set your proxy to forward the following URL extensions:
     /share
     /share/*
     /alfresco/api/*/public/cmis/versions/*
     /alfresco/api/*/public/alfresco/versions/*
     /alfresco/api/cmis/versions/*
     /alfresco/service/api/server
     /alfresco/cmisatom/*
     /alfresco/service/cmis/*
    
  2. If you’re using WebDAV, add these URL extensions to your proxy:
     /alfresco/webdav
     /alfresco/webdav/*
    
  3. For Alfresco Office Services, add these URL extensions to your proxy:
     /_vti_inf.html
     /_vti_bin/*
     /alfresco/aos
     /alfresco/aos/*
    

    and for OPTIONS and PROPFIND requests:

     /
     /alfresco
     /alfresco/
    
  4. Block requests with these URL patterns:
     /share/*/proxy/alfresco/api/solr/*
     /share/-default-/proxy/alfresco/api/*
    

    The communication between Solr and Content Service is, by default, protected by SSL. These patterns need to be explicitly blocked to protect the API endpoints.

  5. Edit the alfresco-global.properties file with these values:
     alfresco.context=alfresco
     alfresco.host=<external-proxy-host-name>
     alfresco.port=443
     alfresco.protocol=https
     share.context=share
     share.host=<external-proxy-host-name>
     share.port=443
     share.protocol=https
     opencmis.context.override=false
     opencmis.context.value=
     opencmis.servletpath.override=false
     opencmis.servletpath.value=
     opencmis.server.override=true
     opencmis.server.value=https://<external-proxy-host-name>
    
    Note:

    Port 443 and the HTTPS protocol settings must be enabled in alfresco-global.properties in Content Services and Share. This is because if a proxy is serving https, and then proxying back to Tomcat using http, Tomcat determines that HTTP traffic is being served. This in turn informs the applications running in Tomcat that they’re serving traffic over HTTP, and when Share or Content Service internally generate URLs for page assets, they are generated with an http link (when the client browser expects https). Setting the following properties ensures that the applications generate URLs as HTTPS links:

     alfresco.port=443
     alfresco.protocol=https
     share.port=443
     share.protocol=https
    
  6. If you’re using a proxy server other than Apache with AJP, follow these steps:
    1. Add this line to your alfresco-global.properties file:
       aos.baseUrlOverwrite=https://<external-proxy-host-name>/alfresco/aos
      
    2. Configure proxy redirect responses sent by the application server.

      The server behind the proxy uses the http schema because it’s not aware of SSL. Here’s an example of an Nginx configuration:

       proxy_redirect http://example.com/alfresco/ https://example.com/alfresco/;
      
      Note: The proxy_redirect configuration shows the change from http to https.
  7. Use the following sample httpd.conf configuration file for Apache HTTP Server:
     # -------
     # General
     # -------
    
     ServerName  **yourserver.example.com**
     PidFile     **/path/to/your/http.pid**
     ErrorLog    **/path/to/your/apache/log/error\_log**
     LogLevel    info
    
     LoadModule  unixd_module       **/path/to/your/apache/modules/mod\_unixd.so**
     LoadModule  authn_core_module  **/path/to/your/apache/modules/mod\_authn\_core.so**
     LoadModule  authz_host_module  **/path/to/your/apache/modules/mod\_authz\_host.so**
     LoadModule  authz_core_module  **/path/to/your/apache/modules/mod\_authz\_core.so**
     LoadModule  rewrite_module     **/path/to/your/apache/modules/mod\_rewrite.so | <IfModule unixd_module>
         User _www
         Group _www
     </IfModule>
    
     # ------------------
     # Block API requests
     # ------------------
    
     LoadModule     rewrite_module      **/path/to/your/apache/modules/mod\_rewrite.so**
     RewriteEngine  on
     RewriteBase    /
     RewriteRule    ^/share/(.*)/proxy/alfresco/api/solr/(.*)$   * [F]
     RewriteRule    ^/share/-default-/proxy/alfresco/api/(.*)$   * [F]
    
     # -------
     # Proxy
     # --------
    
     LoadModule     jk_module **/path/to/your/apache/modules/mod\_jk.so**
     JkWorkersFile  **/path/to/your/workers.properties**
     JkLogFile      **/path/to/your/apache/log/mod\_jk.log**
     JkLogLevel     info
     JkShmFile      **/path/to/your/apache/log/jk-runtime-status**
    
     # -------
     # SSL
     # --------
    
     LoadModule ssl_module **/path/to/your/apache/modules/mod\_ssl.so**
     Listen 443
     <VirtualHost *:443>
         SSLEngine           on
         SSLProtocol         all -SSLv2
         SSLCipherSuite      HIGH:!aNULL:!MD5
         SSLVerifyClient     none
         SSLCertificateFile  **/path/to/your/certificate.pem**
         ErrorLog            **/path/to/your/apache/log/ssl\_error\_log**
         LogLevel            warn
         JkMount /share alfresco-worker
         JkMount /share/* alfresco-worker
         JkMount /alfresco/webdav alfresco-worker
         JkMount /alfresco/webdav/* alfresco-worker
         JkMount / alfresco-worker
         JkMount /_vti_inf.html alfresco-worker
         JkMount /_vti_bin/* alfresco-worker
         JkMount /alfresco alfresco-worker
         JkMount /alfresco/ alfresco-worker
         JkMount /alfresco/aos alfresco-worker
         JkMount /alfresco/aos/* alfresco-worker
         JkMount /alfresco/images/* alfresco-worker
         JkMount /alfresco/css/* alfresco-worker
         # Un-comment these lines for public API access
         # JkMount /alfresco/api/*/cmis/versions/*
         # JkMount /alfresco/api/*/public/cmis/versions/* alfresco-worker
         # JkMount /alfresco/api/*/public/alfresco/versions/* alfresco-worker
         # JkMount /alfresco/service/api/server alfresco-worker
         # JkMount /alfresco/cmisatom/* alfresco-worker
         # JkMount  /alfresco/service/cmis/* alfresco-worker
         # JkMount /alfresco/api/cmis/versions/* alfresco-worker
         # Un-comment these lines for Desktop Sync
         # JkMount /alfresco/api/*/private/alfresco/versions/* alfresco-worker
     </VirtualHost>
    

    This configuration file has been tested with Apache httpd 2.4. Replace the values in bold font with the file names and directories that are relevant to your system.

  8. Use the following sample worker.properties configuration file for Apache HTTP Server:
     worker.list=alfresco-worker
     worker.alfresco-worker.port=8009
     worker.alfresco-worker.host=**your-internal-alfresco-host-name**
     worker.alfresco-worker.type=ajp13
     worker.alfresco-worker.lbfactor=1
    

    In this example, Apache is configured to accept strong encryption only. Adapt SSLCipherSuite if this causes you problems.

  9. (Optional) Only required if configuring Alfresco Share.

    Add and set the following properties in the JAVA_OPTS environmental variable referenced by the Share application, as they’re required at Share start up:

     -Dhttp.secured.session=true
     -Dcookies.sameSite=none
    

    When using Share with Chromium-based browsers (such as Google Chrome or the latest releases of Microsoft Edge) with Alfresco Content Connector for Salesforce, the share web must be secured using an HTTPS (SSL/TLS) certificate.

  10. (Optional) Only required if configuring Alfresco Share.

    Add and set the property in the JAVA_OPTS environmental variable corresponding to the JVM of the Tomcat instance when deploying Share:

    -Dhttp.secured.session=true
    

    This property secures the JESSIONID cookie. It’s not enabled by default because it would break HTTP-only (non-secure) environments. See Control JVM System Properties for more information on how to set JAVA_OPTS for Tomcat deployments.