This section describes how to secure ConnectALL and how to deploy it securely behind an Apache web server.
High-Level Flow Diagram
The diagram below illustrates how communication flows from the user interface to the ConnectALL server over a public network when a reverse proxy is configured.
The following steps explain how to make your web server more secure for ConnectALL to access over a public network.
Before You Start
Before you start, ensure that you have generated the SSL certificates. Then follow the procedure below to configure the web server.
- Install the apache package along with the SSL and reverse proxy modules. Note that we use the name demo.connectall.com as an example; use the name of your own server instead. The DNS name and the server name configured in the reverse proxy must be the same.
- Open the httpd.conf file located under /etc/httpd in a text editor and verify that a <VirtualHost> block is present in that file. If not, check /etc/httpd/vhosts.d/, /etc/httpd/sites/ or ssl.conf.
- Configure the virtual host for port 80 so that requests on port 80 are automatically redirected to port 443.
- Configure port 443. This is where the SSL configuration goes.
- Save the changes and restart the httpd service.
For security reasons, all ports other than 80 and 443 must be blocked from outside access. ConnectALL uses several default ports, so those ports also need to be blocked. The ports you need to block are listed below.
| Service Name | Port Number |
| --- | --- |
| Activity Monitor Port | 9080 |
| Push Service (Reverse Proxy Port) | 7070 |
| GenericRest Service Port (Reverse Proxy Port) | 8090 |
| UI Startup Port | 8080 |
| UI Shutdown Port | 8005 |
| Tomcat AJP Port | 8009 |
| Runtime Monitor Port | 9081 |
Refer to the ConnectALL documentation for more information about other ports accessed by ConnectALL.
Blocking ports in Windows Environment
- Click "Start | Control Panel | System and Security | Windows Firewall."
- Select "Advanced Settings." Click "Inbound Rules" to block an inbound port.
- Select "New Rule." Choose "Port" from the options and then click "Next."
- Choose "TCP." Click "Specific Local Ports."
- Enter the port number or numbers into the available field; separate multiple numbers with a comma (e.g., "80, 20, 443"). Click "Next."
- Click "Block the Connection," then "Next." Choose which network location or locations (public, private, and domain) the rule applies to, and then click "Next."
- Create a name for the rule and enter an optional description. Click "Finish" to block the ports on the computer.
Blocking Ports in Linux Environment
The syntax for blocking an incoming port with iptables is provided below. The rule applies globally, to all interfaces.
Reverse Proxy Configuration
To create a reverse proxy configuration, you have to install several modules in the Apache server; some of them are not available by default. The dependent modules are as follows:
- mod_proxy: The main proxy module for Apache that manages connections and redirects them.
- mod_proxy_http: This module implements the proxy features for HTTP and HTTPS protocols.
- mod_proxy_ftp: Does the same for the FTP protocol.
- mod_proxy_connect: Used for SSL tunnelling (the CONNECT method).
- mod_proxy_ajp: Used for working with the AJP protocol.
- mod_proxy_wstunnel: Used for working with WebSockets (WS and WSS).
- mod_proxy_balancer: Used for clustering and load-balancing.
- mod_cache: Used for caching.
- mod_headers: Used for managing HTTP headers.
- mod_deflate: Used for compression.
Once you have installed all the dependent modules, change the default configuration.
Next, we modify the default configuration file, 000-default.conf, located in /etc/apache2/sites-enabled, to set up the proxying functionality.
Edit the file /etc/apache2/sites-enabled/000-default.conf. In it we define a proxy virtual host using mod_virtualhost and mod_proxy together.
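The port 80 redirect, the port 443 SSL virtual host and the mod_proxy rules described above, brought together in one added example (this is not ConnectALL's or Apache's shipped configuration). The loopback backend address 127.0.0.1:8080, the TLS settings, and the certificate, key and log paths are assumptions to adapt to your installation.

```apache
# Added example, not ConnectALL's shipped configuration.
# Assumptions: the ConnectALL UI listens on 127.0.0.1:8080, the server name
# is demo.connectall.com, and the certificate, key and log paths are placeholders.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be loaded.

# Port 80: accept plain HTTP only long enough to redirect it to HTTPS.
<VirtualHost *:80>
    ServerName demo.connectall.com
    # Redirect keeps the requested path and query string.
    Redirect permanent / https://demo.connectall.com/
</VirtualHost>

# Port 443: terminate TLS here and forward to the Tomcat UI port on loopback.
<VirtualHost *:443>
    ServerName demo.connectall.com

    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/pki/tls/certs/demo.connectall.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/demo.connectall.com.key
    # Offer only TLS 1.2 and later.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Never act as an open forward proxy; only the explicit rules below apply.
    ProxyRequests Off
    ProxyPreserveHost On

    # The UI. Port 8080 itself stays firewalled from the outside, so the
    # only external path to it is through this TLS virtual host.
    ProxyPass        /ConnectAll http://127.0.0.1:8080/ConnectAll
    ProxyPassReverse /ConnectAll http://127.0.0.1:8080/ConnectAll

    # Tell the backend the client used HTTPS so generated links use https://.
    RequestHeader set X-Forwarded-Proto "https"
    # HSTS: browsers refuse to fall back to plain HTTP for this host.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Placeholder log paths.
    ErrorLog  /var/log/httpd/demo.connectall.com-error.log
    CustomLog /var/log/httpd/demo.connectall.com-access.log combined
</VirtualHost>
```

Run `apachectl configtest` before restarting httpd so a typo in the virtual host does not take the service down.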
Testing the Configuration
After you have finished configuring, perform the following checks:
- Connect to http://<IP_ADDRESS>:8080/ConnectAll from another machine on the same network. It should not be accessible, since port 8080 is blocked from outside access.
- Verify that http(s)://<DOMAIN>/ConnectAll is accessible. It should be.
- Verify that the configured reverse proxy URLs reach the server (post some records and check the logs).