Tuesday, January 24, 2012

How to make http and https version of site in CQ / WEM

Use case: You want your site to be reachable over both the http and the https protocol, and at the same time you want every mapping under /etc/map to respect the protocol as well. For example, if the requested page uses http then /etc/map/http should take precedence, and for https /etc/map/https should take precedence.

Why: External users may only be allowed to use https while internal users can use http as well, or some other crazy reason :D

Prerequisite: CQ 5.5, or 5.4 with some hotfix (HF).

Assumptions:
Publish http running on 4503
Publish https running on 8443
Web server http running on 80
Web server https running on 443
The goal is to establish communication from the web server's http port to the publish http port, and from the web server's https port to the publish https port.

Refer to http://www.wemblog.com/2011/09/how-to-set-up-ssl-for-local-in-cq.html for how to set all of this up.

Approach: Direct https communication between the dispatcher and publish is not possible (I mean the https port of the dispatcher talking to the https port of publish), so you have to create an SSL tunnel (stunnel) and communicate through that. At the same time you need two caches, so that the https site and the http site are cached separately. Why? Because links in the https site are rewritten to https and links in the http site to http, and you want to cache them accordingly. If you don't care about this, there is no need for that step.

Solution:
Step 1: Create two separate caches for the http and the https site.
In httpd.conf (or your embedded conf file) have two separate vhost entries, one for http and one for https, and give them different document roots.
Your httpd.conf will then look like this:

<VirtualHost *:80>
ServerName localhost
DocumentRoot <Path for http cache>
... All of your configuration
<Directory "<path for http cache>">
... All configuration
</Directory>
</VirtualHost>

Listen 443
<VirtualHost *:443>
ServerName localhost
DocumentRoot <Path for https cache>
... All of your configuration
#this is responsible for forwarding SSL request to another farm
<Location />
RequestHeader set Host "ssl.localhost.com"
</Location>

<Directory "<path for https cache>">
... All configuration
</Directory>
</VirtualHost>


Then in your dispatcher.any file create two separate farms, one per vhost, like this:

/farms
{
  # Farm 1: the https site, reached through the stunnel port
  /website
  {
    /clientheaders
    {
      ... All your configuration
    }
    /virtualhosts
    {
      "ssl.localhost.com"
    }
    # the load will be balanced among these render instances
    /renders
    {
      /rend01
      {
        /hostname "localhost"
        # port of the render (this is the stunnel port which we set up in step 2)
        /port "8081"
      }
    }
    ... configurations
    /docroot "<Https cache docroot>"
    ... All your farm 1 configuration
  }

  #----------- Farm 2

  # second farm entry: the http site, reached directly from the publish http port
  # (the label is not important, just for your convenience)
  /nonssl
  {
    /clientheaders
    {
      ... All your configuration
    }
    /virtualhosts
    {
      "localhost"
    }
    # the load will be balanced among these render instances
    /renders
    {
      /rend01
      {
        /hostname "localhost"
        # port of the render (this is the publish http port, no stunnel needed here)
        /port "4503"
      }
    }
    ... All your farm 2 configuration
    /docroot "<Http cache docroot>"
    ... All your farm 2 configuration
  }
}



Step 2: Enable stunnel on the dispatcher server (assuming the dispatcher server is Sun Solaris; for a different server the approach will differ)

(On the dispatcher server) Run the following commands to install stunnel:
1) sudo yum install stunnel
2) sudo /sbin/chkconfig --add stunnel
3) Open /etc/stunnel/stunnel.conf for editing using this command: sudo vi /etc/stunnel/stunnel.conf
4) In stunnel.conf set client = yes
5) Add this to stunnel.conf (replace <cq5-instance-hostname> with the hostname of the CQ5 instance)
[https]
accept = 8081
connect = <cq5-instance-hostname>:8443
6) start stunnel
7) sudo service stunnel start
8) Configure the CQ dispatcher to point to the stunnel port instead of the publish instance (which is already done, see above)
9) restart apache and verify that the dispatcher still works when going through stunnel

(If you are using a Mac you can do the following to install and start it)
1) download the build from http://www.stunnel.org/?page=downloads
2) untar it
3) On the command line run the following { make sure that Xcode is installed for this to work }
./configure
make
sudo make install
stunnel will be installed under /usr/local/etc/stunnel/
4) go to /usr/local/etc/stunnel
5) sudo cp stunnel.conf-sample stunnel.conf
6) sudo vi stunnel.conf
7) Add the following properties (or change them)
setuid = root
setgid = wheel
debug = 7
output =
debug = local6.err
;this is required to see any errors on the console. Comment it out to run stunnel as a background daemon instead
foreground = yes
cert = <path for valid cert> {give a valid cert and key, and make sure the file permissions are correct}
key = <path for valid key>
;Comment everything else out and add the following entry
; Example CQ instance connection
[https]
client = yes
;Accept on this port {this is what you configure in dispatcher.any}
accept = 8081
;Redirect to this port {this is the CQ port running on https}
connect = 8443
8) Start stunnel using the command
sudo stunnel stunnel.conf
9) Configure the CQ dispatcher to point to the stunnel port instead of the publish instance (which is already done, see above)
10) restart apache and verify that the dispatcher still works when going through stunnel

Now you should be all set to communicate from https port of dispatcher to https port of publish.
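As an added consistency check (not part of the original post), the script below parses a constructed dispatcher.any laid out like the two farms of Step 1 together with a constructed stunnel.conf from Step 2, and verifies that the SSL farm's render port is the stunnel accept port, that stunnel connects to the publish https port (8443, as assumed above), and that the two farms use separate docroots. The hostname and docroot paths in the samples are placeholders.

```python
# Added example (not from the original post): parse this setup's two-farm
# dispatcher.any and stunnel.conf and check the invariants the post relies on.
# Sample configs are constructed; publish https port 8443 is assumed.
import configparser, re
DISPATCHER_ANY = '''
/farms {
  /website { /virtualhosts { "ssl.localhost.com" }
    /renders { /rend01 { /hostname "localhost" /port "8081" } }  # stunnel port
    /docroot "/var/www/cache-https" }
  /nonssl { /virtualhosts { "localhost" }
    /renders { /rend01 { /hostname "localhost" /port "4503" } }  # publish http
    /docroot "/var/www/cache-http" }
}'''
STUNNEL_CONF = '''client = yes
[https]
accept = 8081
connect = publish.example.internal:8443'''  # placeholder hostname
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|/[\w.-]+|[{}]')
def parse_any(text):
    """Turn dispatcher.any brace syntax into nested dicts (bare values -> list)."""
    toks = [t for t in TOKEN.findall(text) if t[0] != '#']
    pos = 0
    def block():
        nonlocal pos
        node, bare = {}, []
        while pos < len(toks) and toks[pos] != '}':
            tok = toks[pos]; pos += 1
            if tok[0] == '"':
                bare.append(tok.strip('"'))
            elif toks[pos] == '{':          # "/name {" opens a nested block
                pos += 1; node[tok[1:]] = block(); pos += 1
            else:                           # /name "value" is a scalar entry
                node[tok[1:]] = toks[pos].strip('"'); pos += 1
        return bare if bare and not node else node
    return block()

def check_setup(any_text=DISPATCHER_ANY, stunnel_text=STUNNEL_CONF):
    """Return the list of violated invariants; empty means the configs agree."""
    farms = parse_any(any_text)['farms']
    ini = configparser.ConfigParser(inline_comment_prefixes=(';', '#'))
    ini.read_string('[global]\n' + stunnel_text)  # stunnel globals precede sections
    host, _, port = ini['https']['connect'].rpartition(':')
    checks = [
        (bool(host), 'stunnel connect= is missing the publish hostname'),
        (port == '8443', 'stunnel must connect to the publish https port 8443'),
        (farms['website']['renders']['rend01']['port'] == ini['https']['accept'],
         'ssl farm render port must equal the stunnel accept port'),
        (len({f['docroot'] for f in farms.values()}) == len(farms),
         'http and https farms must use separate docroots'),
    ]
    return [msg for ok, msg in checks if not ok]
```

Pointing the SSL farm straight at 8443 instead of the stunnel port, or reusing one docroot for both farms, shows up as a returned message.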

Special thanks to the Adobe team member who provided guidance.

Important note: I have not tested this completely. Please test it before using it in production. And as always please read disclaimer :)

5 comments:

  1. Hi, in the above example you have given for the dispatcher configuration settings, could you please give a working copy example.

    Listen 443
    <VirtualHost *:443>
    ServerName localhost
    DocumentRoot <Path for https cache>
    ... All of your configuration
    #this is responsible for forwarding SSL request to another farm
    <Location />
    RequestHeader set Host "ssl.localhost.com"
    </Location>

    <Directory "<path for https cache>">
    ... All configuration

    In the above example you have provided, what does it mean by "all your configurations"?

    1. All configuration would be your Apache-specific config. It could change from one use case to another. Do you want to know how to set up the SSL cert in that config?

  2. Hi, I want to host a publish instance for a CQ5 application. When I do this using the generic procedure I am able to publish content from the author instance to the publish instance and it works fine. Now I want to host it on a server along with the Dispatcher, so I have configured the Dispatcher with IIS. Now I'm a bit confused about which instance, Author or Publish, we should host on IIS as a site, and how to host that on IIS. Can you suggest how I can complete my job?

    1. Hello Amit,

      Do you still have this issue? You can configure your dispatcher on IIS (using the dispatcher IIS module), though I would suggest using Apache if you can. And run author and publish as standalone Java apps. Please go through http://www.cqtutorial.com/courses/cq-admin/cq-admin-lessons to learn how to set up a CQ instance.

      Yogesh

  3. Hi Yogesh,
    I have a situation here. Our Author, Publisher and Dispatcher are not SSL enabled.

    The traffic is SSL terminated at the web server level (Apache). After that, it's in clear text. We now want to encrypt the traffic reaching the Dispatcher as well.

    To allow this, we made the dispatcher SSL enabled and installed certificates as well. Now the traffic is SSL terminated at the dispatcher and the sites also look good. The Author and Publisher continue to be non-SSL.

    Though everything looks good, we noticed that the flush from Publisher to Dispatcher isn't working.

    The directives that we used to enable SSL in the dispatcher Apache config are:
    SSLEngine on
    SSLHonorCipherOrder on
    SSLCipherSuite "RSA+AES256+SHA256 RSA+AES128+SHA256 RSA+AES256+SHA1 RSA+AES128+SHA1 RSA+3DES+SHA1"
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile ***************
    SSLCertificateKeyFile ******************

    We tried playing with the SSLProtocol directive and changed it to different settings, with these results:
    SSLProtocol all -SSLv3 : Flush doesn't work
    SSLProtocol all -SSLv2 -SSLv3 : Flush doesn't work
    SSLProtocol +TLSv1 : Flush doesn't work
    SSLProtocol +TLSv1.1 : Apache spits out error Illegal protocol 'TLSv1.1'
    SSLProtocol +TLSv2 : Apache spits out error Illegal protocol 'TLSv2'
    SSLProtocol all -TLSv1 : Flush works
    SSLProtocol +SSLv3 : Flush works
    SSLProtocol all : Flush works

    Apache version 2.2.23.81

    Not sure what inference to draw from this, other than that it only works if SSLv3 is allowed.
    I would truly appreciate it if you could take a moment to look at this post and provide your thoughts.
