Forum

Multiple Virtual Hosts, One Site, Federated Identity Manager

Timothy Stone, modified 12 years ago.

Multiple Virtual Hosts, One Site, Federated Identity Manager

New Member Posts: 4 Join Date: 18/02/12 Recent Posts
Here's a virtual host configuration for experts. I need recommendations on configuring Liferay (and ideas on possible workarounds in Apache if not possible).

Because there are security elements of the Apache VirtualHost configurations, I'll be using stubbed out descriptions. I will try to answer any questions about the configuration that will not compromise security.

Consider the following:

1. One (1) Liferay install behind Apache

2. The following Apache VirtualHosts, all using the same Liferay instance.

<virtualhost *:80>
  ServerName ourhost.com
  
  RewriteEngine on
  RewriteCond %{SERVER_PORT} !443
  RewriteRule ^/(.*)$ https://ourhost.com/$1 [R]
</virtualhost>

<virtualhost *:443>
  #This is the "Public SSL" VirtualHost, all 80 traffic is basically sent to 443/SSL
  ServerName ourhost.com
  
  #SSL configuration
  #RewriteConds preventing 444 requests on 443
  #mod_proxy_balancer configuration to Liferay

</virtualhost>

<virtualhost *:444>
  # Authentication Proxy Virtual Host. What's that?
  # Basically, we have a Federated Identity Management provider that reverse proxies
  # over port 444 under a host name we'll call "test.fim.authhost.com"

  # Port 444 is configured for SSL as shown

  ServerName ourhost.com
  ServerAlias test.fim.authhost.com

  SSLEngine on
  SSLProxyEngine on
  SSLProtocol TLSv1
  SSLCipherSuite ...

  # Port 444 requires mutual SSL connections Server/Server SSL (one server is a client, you get the idea).
  SSLVerifyClient require
  SSLVerifyDepth ...

  # Proxy configuration
  ProxyRequests off
  ProxyPreserveHost on

  #mod_proxy_balancer configuration
</virtualhost>


What I left out of the VirtualHost configuration I don't think impacts this discussion. So you have our basic configuration, now let me explain what is going on.

If an unauthenticated user comes to Port 80, we redirect to Port 443. Standard stuff. Where it gets complicated is in the Federated Identity Management reverse proxy and configuring Liferay properties to construct proper URLs based on the virtual host being answered.

When a user logs in, the link basically takes the user to the FIM and the FIM then reverse proxies over 444 to Apache and Liferay. However, Liferay does not appear to want to use the reverse proxied hostname in constructing portlet URLs, and in fact, guesses the port (444) correctly, but assembles an http scheme on the server name, e.g., http://ourhost.com:444/path/, when we need https://test.fim.authhost.com/path/ (where the FIM is reverse proxying over 444 to us).

The reason for this FIM reverse proxy on a different port is mainly to support the mutual SSL configuration. The "anonymous" SSL on 443 does not need this.

How do we support this in the Liferay configuration? It seems that it might be possible, but we may be taking the configuration properties at face value.

Any tips, thoughts, corrections, or eye rolls?

Much thanks!
Tim
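
An added illustration of the URL mismatch described in the post above (not part of the original thread and not Liferay code): a naive builder reproduces http://ourhost.com:444/path/, while a builder that pins the externally visible origin per Apache listener and validates the Host header yields https://test.fim.authhost.com/path/. The table, function names and the plain-HTTP backend hop are assumptions; host names are the post's placeholders.

```python
from urllib.parse import urlunsplit

DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed table: Apache listener port -> Host names accepted on it and the
# origin browsers actually see. Host names are the post's placeholders.
LISTENERS = {
    443: {"accept": {"ourhost.com"}, "origin": ("https", "ourhost.com", 443)},
    444: {"accept": {"ourhost.com", "test.fim.authhost.com"},
          "origin": ("https", "test.fim.authhost.com", 443)},
}


def build(scheme, host, port, path):
    """Assemble an absolute URL, omitting the port when it is the scheme default."""
    netloc = host if DEFAULT_PORT.get(scheme) == port else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))


def naive_url(host_header, listener_port, path, backend_tls=False):
    """Behaviour described in the post: scheme taken from the backend hop
    (assumed plain HTTP behind Apache), name and port from the local vhost."""
    scheme = "https" if backend_tls else "http"
    return build(scheme, host_header.split(":")[0], listener_port, path)


def external_url(host_header, listener_port, path):
    """Pinned origin per listener; request headers are validated, never echoed."""
    listener = LISTENERS.get(listener_port)
    if listener is None:
        raise ValueError(f"no origin configured for port {listener_port}")
    if host_header.split(":")[0].lower() not in listener["accept"]:
        raise ValueError(f"unexpected Host {host_header!r} on port {listener_port}")
    return build(*listener["origin"], path)
```

Pinning the origin in configuration, rather than deriving it from request headers, also keeps a forged Host value from ending up in generated links.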
Aldo De Vleeschauwer, modified 11 years ago.

RE: Multiple Virtual Hosts, One Site, Federated Identity Manager

Junior Member Posts: 35 Join Date: 09/03/11 Recent Posts
Hi Tim,

Did you find a solution to set this up in Liferay?

Thanks,
- Aldo -