Introduction

This section describes how to secure ConnectALL and how to deploy it safely behind an Apache HTTP server acting as a TLS-terminating reverse proxy.

High-Level Flow Diagram

The diagram below illustrates how traffic flows from the user's browser, over the public network, to the Apache reverse proxy and from there to the ConnectALL server.

The following steps explain how to harden the web server so that ConnectALL can be reached over a public network without exposing the application ports themselves.

Before You Start 

Before you start, generate the server certificate and private key (or obtain them from your CA) together with the intermediate chain; the configuration below references these three files. Then follow the procedure below.

Configuration

  1. Install the apache (httpd) package together with the SSL and reverse proxy modules (mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite and mod_headers). The examples use demo.connectall.com as the server name; substitute the name of your own server. The DNS name that users connect to, the ServerName configured in the reverse proxy and the subject/SAN of the certificate must all match, otherwise browsers will reject the certificate.
  2. Open httpd.conf (under /etc/httpd, typically /etc/httpd/conf/httpd.conf) in a text editor and check whether a <VirtualHost> block is already defined there. If not, look in /etc/httpd/vhosts.d/, /etc/httpd/sites/ or /etc/httpd/conf.d/ssl.conf; the location varies by distribution.
  3. Configure the virtual host for port 80. Its only job is to redirect plain-HTTP requests to port 443; it must not proxy traffic to ConnectALL in clear text.

    <VirtualHost *:80>
      ServerAdmin root@connectall.com
      ServerName demo.connectall.com

      # Redirect every plain-HTTP request to the HTTPS virtual host. The redirect
      # fires before any proxying, so ConnectALL is never served over clear-text HTTP.
      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R=301,L]

      # No ProxyPass here: everything is redirected to port 443 first.
      # ProxyRequests Off keeps Apache from acting as an open forward proxy.
      ProxyRequests Off
    </VirtualHost>


  4. Configure port 443. This is where TLS is configured and where requests are actually handed to ConnectALL. Keep the private key readable by root only (mode 0600); Apache reads it at startup before dropping privileges.

    <VirtualHost *:443>
      ServerName demo.connectall.com
      DocumentRoot /var/www/website

      SSLEngine on
      SSLCertificateFile /etc/ssl/crt/primary.crt
      SSLCertificateKeyFile /etc/ssl/crt/private.key
      # On Apache 2.4.8 and later the intermediate chain may instead be appended
      # to the file named in SSLCertificateFile.
      SSLCertificateChainFile /etc/ssl/crt/intermediate.crt

      # Hand requests to ConnectALL over the loopback interface only.
      # Without these lines the HTTPS host would serve DocumentRoot, not ConnectALL.
      ProxyRequests Off
      ProxyPreserveHost On
      ProxyPass / http://localhost:8080/
      ProxyPassReverse / http://localhost:8080/
    </VirtualHost>

  5. Save the changes, run "apachectl configtest" (or "httpd -t") to catch syntax errors, then restart the httpd service.

Port Blocking

All ports other than 80 and 443 must be blocked from outside access. ConnectALL listens on several default ports; the reverse proxy reaches them over localhost, so they must be blocked for external addresses while remaining open on the loopback interface. The ports to block are listed below.

Service Name                                    Port Number
Mule Service                                    8081
Activity Monitor Port                           9080
Scheduler Service                               9090
Push Service (Reverse Proxy Port)               7070
GenericRest Service Port (Reverse Proxy Port)   8090
UI Startup Port                                 8080
UI Shutdown Port                                8005
Tomcat AJP Port                                 8009
Runtime Monitor Port                            9081

See the ConnectALL port reference for the other ports accessed by ConnectALL.

Blocking ports in Windows Environment

  1. Click Start | Control Panel | System and Security | Windows Firewall.
  2. Select Advanced Settings, then Inbound Rules, to block an inbound port.
  3. Select New Rule, choose Port from the options and click Next.
  4. Choose TCP, then Specific Local Ports.
  5. Enter the port numbers from the table above, separated by commas (for example "8080, 8005, 8009, 8081"), and click Next. Do not include 80 or 443; those are the only ports that must stay reachable. Windows Firewall does not filter loopback traffic, so Apache on the same host can still reach the blocked ports via localhost.
  6. Click Block the connection, then Next. Choose the network locations the rule applies to (public, private and domain); select all three unless you have a specific reason not to, then click Next.
  7. Name the rule, optionally add a description, and click Finish to block the ports on the computer.

Blocking Ports in Linux Environment

The syntax to block an incoming TCP port with iptables is shown below. The rule matches on every interface, including loopback, so before adding DROP rules make sure an earlier rule accepts loopback traffic ("iptables -I INPUT -i lo -j ACCEPT") or add "! -i lo" to each DROP rule; otherwise Apache's own connections to localhost:8080 are dropped as well. Note also that -A appends to the end of the chain: if an existing rule already accepts all traffic, the appended DROP never matches. Check the chain with "iptables -L INPUT -n --line-numbers".

iptables -A INPUT -p tcp --destination-port [port number] -j DROP

For example, to block port 21 (FTP):

iptables -A INPUT -p tcp --destination-port 21 -j DROP

Once you are done, persist the rules so they survive a reboot. On RHEL/CentOS with the iptables-services package:

service iptables save

On Debian/Ubuntu use "iptables-save > /etc/iptables/rules.v4" with the iptables-persistent package. On hosts that run firewalld or nftables, express the same rules in that tool's syntax instead; the principle (drop on every interface except loopback) is unchanged.
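The rule above applied to ConnectALL's whole port list, as an added example rather than a script from the ConnectALL documentation. It assumes the port list from the table above and a root shell on the Linux host; the function names and the DRY_RUN switch are this example's own conventions. Each DROP rule excludes the loopback interface so that Apache, on the same host, can still proxy to localhost, and rules are inserted at the top of INPUT so that an existing catch-all ACCEPT cannot shadow them.

```shell
#!/bin/sh
# Added example, not part of ConnectALL: block the internal ConnectALL ports
# from every interface except loopback. Port list taken from the table above.
# Function names and the DRY_RUN switch are this example's own conventions.

CONNECTALL_PORTS="8081 9080 9090 7070 8090 8080 8005 8009 9081"

# Run "$1" (default: echo, which only prints) once per port, passing the full
# iptables command as its arguments.
#   -I INPUT   insert at the top, ahead of any existing catch-all ACCEPT
#   ! -i lo    leave loopback alone so the reverse proxy still reaches
#              localhost:8080, :7070 and :8090
connectall_block_rules() {
    run="${1:-echo}"
    for port in $CONNECTALL_PORTS; do
        "$run" iptables -I INPUT -p tcp ! -i lo --dport "$port" -j DROP || return 1
    done
}

# 0 if the port is one of the internal ports that must be blocked, 1 otherwise.
# 80 and 443 are deliberately absent: they are the only externally reachable ports.
is_blocked_port() {
    for port in $CONNECTALL_PORTS; do
        [ "$port" = "$1" ] && return 0
    done
    return 1
}

# Executes its arguments; used as the runner when actually applying the rules.
run_cmd() {
    "$@"
}

# Apply the rules (requires root), or only print them when DRY_RUN=1.
apply_connectall_block_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        connectall_block_rules
    else
        connectall_block_rules run_cmd || return 1
        # Persist so the rules survive a reboot (RHEL/CentOS with iptables-services;
        # on Debian/Ubuntu use "iptables-save > /etc/iptables/rules.v4" instead).
        service iptables save
    fi
}
```

Run "DRY_RUN=1 sh block-connectall-ports.sh" first (the file name is arbitrary) and compare the printed commands with "iptables -L INPUT -n --line-numbers" before applying them for real.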

Reverse Proxy Configuration

To run a reverse proxy, Apache needs modules that are not always loaded by default. The configuration on this page uses mod_proxy, mod_proxy_http, mod_ssl, mod_rewrite and mod_headers. The proxy-related modules are listed below; load only the ones you actually use, because every loaded module adds attack surface:

  • mod_proxy: the core proxy module; manages connections to the back ends. Required.
  • mod_proxy_http: implements proxying to HTTP and HTTPS back ends. Required.
  • mod_proxy_ftp: proxying to FTP back ends. Not needed for ConnectALL.
  • mod_proxy_connect: CONNECT tunnelling; combined with ProxyRequests On it turns Apache into an open forward proxy. Not needed here; leave it disabled.
  • mod_proxy_ajp: the AJP protocol (Tomcat's port 8009). Not needed, since this page proxies to ConnectALL over HTTP.
  • mod_proxy_wstunnel: WebSockets (WS and WSS). Needed only if you proxy WebSocket connections.
  • mod_proxy_balancer: clustering and load balancing across several back ends.
  • mod_cache: response caching. Do not cache authenticated responses.
  • mod_headers: managing HTTP headers. Required for the security and CORS headers below.
  • mod_deflate: compression.
  • mod_ssl and mod_rewrite: TLS termination and the HTTP-to-HTTPS redirect. Required.

Once the required modules are loaded ("apachectl -M" lists the active ones), change the default configuration.

Next, modify the default site file to set up proxying. On Debian/Ubuntu this is /etc/apache2/sites-enabled/000-default.conf; on RHEL/CentOS use the httpd.conf or conf.d file identified earlier. The file defines the proxy virtual host using the core <VirtualHost> container together with mod_proxy directives.

# HTTP: redirect only, never proxy in clear text
<VirtualHost *:80>
  ServerAdmin root@connectall.com
  ServerName demo.connectall.com

  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R=301,L]

  # No ProxyPass here: every request is redirected before it could be proxied.
  ProxyRequests Off
</VirtualHost>

# HTTPS
<VirtualHost *:443>
  ServerAdmin root@connectall.com
  ServerName demo.connectall.com

  # SSL configuration: strong cipher list, TLS 1.2 and later only.
  # Relax these only if you must support older browsers or devices.
  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLHonorCipherOrder On
  SSLCertificateFile /path/to/your/certificate.crt
  SSLCertificateKeyFile /path/to/your/certificate.private_key
  SSLCertificateChainFile /path/to/your/certificate/chainfile.crt

  # Remove this if you need to use frames or iframes
  Header always set X-Frame-Options DENY
  # Prevent MIME-sniffing attacks
  Header always set X-Content-Type-Options "nosniff"

  # CORS headers: needed only if a different origin calls the ConnectALL API.
  # "*" lets any website make cross-origin requests; replace it with the one
  # origin that needs access, or remove these three lines entirely.
  Header always set "Access-Control-Allow-Origin" "*"
  Header always set "Access-Control-Allow-Methods" "POST, GET, OPTIONS, DELETE, PUT"
  Header always set "Access-Control-Allow-Headers" "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

  # Reverse proxy configuration: ConnectALL is reached over loopback only.
  # ProxyRequests Off prevents Apache from acting as an open forward proxy.
  ProxyRequests Off
  ProxyPreserveHost On
  <Proxy *>
    # Apache 2.4 syntax; on 2.2 use "Order deny,allow" and "Allow from all"
    Require all granted
  </Proxy>

  <Location />
    ProxyPass http://localhost:8080/
    ProxyPassReverse http://localhost:8080/
  </Location>

  # Expose the other ConnectALL services through the same reverse proxy
  <Location /SyncService/push>
    ProxyPass http://localhost:7070/
    ProxyPassReverse http://localhost:7070/
  </Location>

  <Location /connectall/api/2/search>
    ProxyPass http://localhost:8090/
    ProxyPassReverse http://localhost:8090/
  </Location>
</VirtualHost>

Testing the Configuration

After configuring, run the checks below from another machine to confirm the setup.

  1. Try http://<IP_ADDRESS>:8080/ConnectAll from another machine on the same network. It must not be accessible (connection refused or timed out). Repeat for the other ports in the table above.

  2. Verify that https://<DOMAIN>/ConnectAll is accessible, and that http://<DOMAIN>/ConnectAll redirects to it rather than serving the application in clear text.

  3. Verify that the reverse proxy locations (/SyncService/push and /connectall/api/2/search) reach the server: post a few records and confirm them in the ConnectALL and Apache access logs.
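The checks above as a script run from an external machine, added here as an example; it is not part of the ConnectALL documentation. It assumes curl is available, that DOMAIN and SERVER_IP are set to your reverse proxy's name and address (the defaults below are placeholders), and that the HTTPS virtual host sets the X-Frame-Options and X-Content-Type-Options headers from the configuration above. The header-parsing functions take raw response headers as text, so they can also be run against captured output.

```shell
#!/bin/sh
# Added example, not part of ConnectALL: verify firewall and reverse proxy
# from another machine. DOMAIN/SERVER_IP defaults are placeholders (assumption).

DOMAIN="${DOMAIN:-demo.connectall.com}"
SERVER_IP="${SERVER_IP:-192.0.2.10}"

# Fetch the response headers of a URL with a GET (not HEAD, which some
# back ends reject); prints nothing if the connection fails.
fetch_headers() {
    curl -s -D - -o /dev/null --max-time 10 "$1"
}

# Print the HTTP status code from a block of response headers.
status_of() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}'
}

# 0 when the status is 2xx or 3xx, i.e. the front end answered at all.
is_reachable() {
    case "$(status_of "$1")" in
        2??|3??) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the headers describe a redirect to https://<domain>/...
# $1 = header text, $2 = expected domain.
is_https_redirect() {
    case "$(status_of "$1")" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | tr -d '\r' | grep -iq "^location: https://$2/"
}

# 0 when the hardening headers from the HTTPS virtual host are present.
has_security_headers() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    printf '%s\n' "$hdrs" | grep -iq '^x-frame-options: *deny' &&
        printf '%s\n' "$hdrs" | grep -iq '^x-content-type-options: *nosniff'
}

# 0 when a direct connection to host:port fails (refused, or dropped by the
# firewall). Any HTTP answer at all, even a 403, means the port is reachable.
port_is_blocked() {
    ! curl -s -o /dev/null --connect-timeout 3 "http://$1:$2/ConnectAll"
}

# Runs every check; the return value is the number of failures.
run_checks() {
    fails=0
    for port in 8081 9080 9090 7070 8090 8080 8005 8009 9081; do
        if port_is_blocked "$SERVER_IP" "$port"; then
            echo "ok:   $SERVER_IP:$port is not reachable from outside"
        else
            echo "FAIL: $SERVER_IP:$port answers directly"; fails=$((fails + 1))
        fi
    done

    http_hdrs=$(fetch_headers "http://$DOMAIN/ConnectAll")
    if is_https_redirect "$http_hdrs" "$DOMAIN"; then
        echo "ok:   http://$DOMAIN redirects to https"
    else
        echo "FAIL: http://$DOMAIN does not redirect to https"; fails=$((fails + 1))
    fi

    https_hdrs=$(fetch_headers "https://$DOMAIN/ConnectAll")
    if is_reachable "$https_hdrs" && has_security_headers "$https_hdrs"; then
        echo "ok:   https://$DOMAIN/ConnectAll answers with the security headers"
    else
        echo "FAIL: https://$DOMAIN/ConnectAll status '$(status_of "$https_hdrs")' or headers missing"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

Invoke it as "DOMAIN=demo.connectall.com SERVER_IP=<IP_ADDRESS> sh check-proxy.sh" with a final line "run_checks" appended; a non-zero exit status means at least one check failed. Step 3 of the list (posting records and reading the logs) still has to be done by hand.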