Showing posts with label Tomcat. Show all posts

Tuesday, 15 July 2014

Preserving client ip with apache reverse proxy

The first thing I thought of was the “X-Forwarded-For” header, an HTTP header inserted into the original HTTP GET request whose value is equal to the client’s public IP. It turns out the Apache reverse proxy inserts this header by default, so we somehow need to instruct the backend server itself to provide the application with the correct client IP.

If your backend server is a Tomcat server, the solution can be to use the RemoteIP Tomcat valve.

It’s quite simple to configure: all that needs to be done is to modify Tomcat's server.xml so that it recognises the original client IP rather than the proxy IP, by adding the following to server.xml:
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="127\.0\.0\.1" />
Make sure to change 127.0.0.1 to the address of the Apache reverse proxy.

The application could now recognise the original client IP.

The Apache equivalent of the above method is using mod_rpaf for Apache 1.3 & 2.2.x, and mod_remoteip for Apache 2.4 and 2.5.

These Apache modules can be used to preserve both the remote IP and the remote host. Internally they use the X-Forwarded-For header to detect a proxy in its list of known proxies and reset the headers accordingly. This works with any proxy server in the front end, provided that the proxy server sets the X-Forwarded-For header.

To use mod_rpaf, install and enable it on the backend server and add the following directives to the module’s configuration:
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1
The remote IP is automatically preserved when the RPAFenable On directive is used. The RPAFsethostname On directive should be used to preserve the host, and RPAFproxy_ips is the list of known proxy IPs.

Restart the backend Apache server and you are good to go.

For mod_remoteip it’s a bit similar; the configuration should look something like this:
RemoteIPHeader X-Real-IP
RemoteIPInternalProxy 1.2.3.4
RemoteIPInternalProxy 5.6.7.8
mod_remoteip, however, has a lot more configuration options.
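To make the trust boundary behind internalProxies / RemoteIPInternalProxy concrete, here is an added Python model (not from this post, and not Tomcat's or Apache's own code) of how RemoteIpValve and mod_remoteip walk the forwarded header: the header is only honoured when the connecting peer matches the internal-proxy list, and hops are consumed right to left until the first address that is not one of your proxies. The regex and the sample addresses are constructed for the example.

```python
import re

# Constructed stand-in for the valve's internalProxies attribute. The page's
# value is a regex ("127\.0\.0\.1"); Python's re reads this pattern the same way.
INTERNAL_PROXIES = re.compile(r"127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}")


def resolve_client_ip(remote_addr, forwarded_for, internal_proxies=INTERNAL_PROXIES):
    """Model of RemoteIpValve / mod_remoteip header processing.

    remote_addr:   the TCP peer address the backend actually sees.
    forwarded_for: the X-Forwarded-For header value, or None if absent.
    Returns (effective_client_ip, remaining_header_value).
    """
    # The header is honoured only when the immediate peer is a listed proxy.
    # A client that reaches the backend directly cannot spoof its address by
    # sending its own X-Forwarded-For; the header is left untouched and ignored.
    if forwarded_for is None or not internal_proxies.fullmatch(remote_addr):
        return remote_addr, forwarded_for

    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    client_ip = remote_addr
    idx = len(hops) - 1
    # Walk right to left: each trusted proxy appended the address it saw, so
    # the first hop that is NOT an internal proxy is the real client.
    while idx >= 0:
        client_ip = hops[idx]
        idx -= 1
        if not internal_proxies.fullmatch(client_ip):
            break
    # Anything left of the client was supplied by the client itself; it is
    # kept in the header for logging but never used as the remote address.
    remaining = ", ".join(hops[: idx + 1]) or None
    return client_ip, remaining


if __name__ == "__main__":
    # Request arriving via the local reverse proxy: client is taken from XFF.
    print(resolve_client_ip("127.0.0.1", "203.0.113.5"))
    # Direct hit on the backend with a forged header: peer address wins.
    print(resolve_client_ip("198.51.100.7", "10.0.0.1"))
    # Client forged a leading hop; only the proxy-appended address is trusted.
    print(resolve_client_ip("127.0.0.1", "198.51.100.9, 203.0.113.5"))
```

Listing a range you do not control (or the whole internet) in internalProxies turns the spoofing guard off, which is why the post says to replace 127.0.0.1 with exactly the proxy's address.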

When the proxy server is an Apache, the ProxyPreserveHost directive in mod_proxy can be used to preserve the remote host (not the remote IP). This is useful where name-based virtual hosting is used and the backend server needs to know the virtual host name.
Open the mod_proxy configuration file of your proxy server, enter the directive ProxyPreserveHost On, and restart your Apache instance.


Saturday, 8 February 2014

Create keystore from certificates

I had a wildcard certificate that had already been used on a few Apache servers, so I had already generated a CSR.

To generate a new keystore from the existing certificates I used the following commands:

Create a PKCS12 keystore from the certificate using openssl:
openssl pkcs12 -export -in star_domain_com.crt -inkey star_domain_com.key -certfile DigiCertCA.crt -out keystore.p12
Convert the PKCS12 keystore into a JKS keystore:
keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore -srcstoretype pkcs12
You can use the following command to check your keystore contents:
keytool -list -keystore keystore
Usually your certificate will be stored under the alias 1; if you want to change that to tomcat, use the command:
keytool -changealias -alias 1 -destalias tomcat -keystore keystore


Monday, 13 August 2012

Deploying Alfresco To Apache Server

This guide details a setup to deploy Alfresco Share to a live server using Tomcat and Apache with mod_jk and mod_ssl; it also covers the deployment of Alfresco's SharePoint interface using Apache with mod_proxy.

Setting up Tomcat

First let's set up a default context so there's no prefix path visible in the URL for Alfresco share. The proper way to do this is by creating the file $CATALINA_BASE/conf/[enginename]/[hostname]/ROOT.xml. When Tomcat is located at /opt/alfresco/tomcat/ the full path will be /opt/alfresco/tomcat/conf/Catalina/localhost/ROOT.xml. Create the following XML document inside the file:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="" docBase="share.war">
</Context>
The path attribute sets the context used in the URL. Using "" as the path thus means 'use as default'. The docBase attribute sets where the real webapp is. When using Alfresco Share this is share.war by default, it's not necessary to use the absolute path.
Now if you restart Tomcat you should be able to reach Alfresco Share at [host]:[port], without specifying the share prefix.
Next we need to set up a connector for Apache. It's possible this is already done in your Tomcat install by default; if not, add the following in the Catalina Service section of $CATALINA_BASE/conf/server.xml:
...
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
...
Restart Tomcat again for the connector to be available.

Setting up Apache

If you haven't already, install mod_jk (libapache2-mod-jk on Ubuntu).
First we define the workers; I used $CATALINA_BASE/conf/workers.properties as the configuration file:
worker.list=tomcat
worker.tomcat.port=8009
worker.tomcat.host=localhost
worker.tomcat.type=ajp13
worker.tomcat.lbfactor=1
The name tomcat is arbitrary, so you can replace all occurrences with whatever you like.
Next, point Apache to this configuration file. You can either edit your httpd.conf or, if you're using a distribution with a config dir setup (for example /etc/apache2/conf.d/ on Ubuntu), create a file with the following content:
JkWorkersFile /opt/alfresco/tomcat/conf/workers.properties
Remember to use your own $CATALINA_BASE if it's not /opt/alfresco/tomcat/.
Finally, set up a virtualhost that will connect to Tomcat:
<VirtualHost *:80>
ServerName share.host.name
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://share.host.name/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerName share.host.name
JkMount /* tomcat
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/certificate.pem
SSLCertificateFile /etc/ssl/private/certificate.crt
SSLCACertificateFile /etc/ssl/private/authority.crt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
This will create a virtualhost at share.host.name (replace this with your own (sub)domain), force port 80/http to be redirected to port 443/https (forcing the secure connection; the 301 tells the browser it's a permanent redirect) and serve all content (/*) using the worker tomcat as specified in our workers file (if you changed the name there, also change it here). Be sure to enter your own certificate information instead of what I entered.
You can extend this configuration file in the same way you'd normally do with Apache, so you can add rewrite rules etc.
Restart Apache for the configuration to have effect.

You now have Alfresco Share on a user friendly location, with a user friendly and secure setup. If Alfresco explorer is deployed on the same Tomcat instance, you can reach it at https://[host]/alfresco. Your other webapps should also still be reachable at their context path.

If you want to do the same for Alfresco with the SharePoint Protocol you'll have to set up another vhost in Apache; in this case we will use mod_proxy, like this:
<VirtualHost *:80>
ServerName sharepoint.host.name
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://sharepoint.host.name/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerName sharepoint.host.name
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/sharepoint.key
SSLCertificateFile /etc/apache2/ssl/sharepoint.crt
SSLCACertificateFile /etc/apache2/ssl/sharepoint.crt
SSLProxyEngine On
ProxyPass / http://localhost:7070/
ProxyPassReverse / http://localhost:7070/
ProxyPass /alfresco/ http://localhost:7070/alfresco/
ProxyPassReverse /alfresco/ http://localhost:7070/alfresco/
ProxyPass /share/ http://localhost:7070/share/
ProxyPassReverse /share/ http://localhost:7070/share/
ProxyPass /_vti_bin/ http://localhost:7070/_vti_bin/
ProxyPassReverse /_vti_bin/ http://localhost:7070/_vti_bin/
ProxyPass /_vti_inf.html http://localhost:7070/_vti_inf.html
ProxyPassReverse /_vti_inf.html http://localhost:7070/_vti_inf.html
ProxyPass /_vti_history/ http://localhost:7070/_vti_history/
ProxyPassReverse /_vti_history/ http://localhost:7070/_vti_history/
#RewriteCond %{SERVER_PORT} !443
#RewriteRule ^(.*)$ https://sharepoint.host.name/$1 [R,L]
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
Finally, on your Alfresco's global.properties file you'll have to set the following variables:
vti.server.external.host=sharepoint.host.name
vti.server.external.port=443
vti.server.external.protocol=https
so that your Edit Online links are generated correctly.
