Timothy Stone
Multiple Virtual Hosts, One Site, Federated Identity Manager
April 19, 2012 9:39 AM

Here's a virtual host configuration for experts. I need recommendations on configuring Liferay (and ideas on possible workarounds in Apache if not possible).

Because there are security elements of the Apache VirtualHost configurations, I'll be using stubbed out descriptions. I will try to answer any questions about the configuration that will not compromise security.

Consider the following:

1. One (1) Liferay install behind Apache

2. The following Apache VirtualHosts, all using the same Liferay instance.

```apache
<VirtualHost *:80>
  ServerName ourhost.com

  RewriteEngine on
  RewriteCond %{SERVER_PORT} !443
  RewriteRule ^/(.*)$ https://ourhost.com/$1 [R]
</VirtualHost>

<VirtualHost *:443>
  # This is the "Public SSL" VirtualHost, all 80 traffic is basically sent to 443/SSL
  ServerName ourhost.com

  # SSL configuration
  # RewriteConds preventing 444 requests on 443
  # mod_proxy_balancer configuration to Liferay

</VirtualHost>

<VirtualHost *:444>
  # Authentication Proxy Virtual Host. What's that?
  # Basically, we have a Federated Identity Management provider that reverse proxies
  # over port 444 under a host name we'll call "test.fim.authhost.com"

  # Port 444 is configured for SSL as shown

  ServerName ourhost.com
  ServerAlias test.fim.authhost.com

  SSLEngine on
  SSLProxyEngine on
  SSLProtocol TLSv1
  SSLCipherSuite ...

  # Port 444 requires mutual SSL connections Server/Server SSL (one server is a client, you get the idea).
  SSLVerifyClient require
  SSLVerifyDepth ...

  # Proxy configuration
  ProxyRequests off
  ProxyPreserveHost on

  # mod_proxy_balancer configuration
</VirtualHost>
```


What I left out of the VirtualHost configuration, I don't think impacts this discussion. So you have our basic configuration, now let me explain what is going on.

If an unauthenticated user comes to Port 80, we redirect to Port 443. Standard stuff. Where it gets complicated is in the Federated Identity Management reverse proxy and configuring Liferay properties to construct proper URLs based on the virtual host being answered.

When a user logs in, the link basically takes the user to the FIM and the FIM then reverse proxies over 444 to Apache and Liferay. However, Liferay does not appear to want to use the reverse proxied hostname in constructing portlet URLs, and in fact, guesses the port (444) correctly, but assembles an http scheme on the server name, e.g., http://ourhost.com:444/path/, when we need https://test.fim.authhost.com/path/ (where the FIM is reverse proxying over 444 to us).

The reason for this FIM reverse proxy on a different port is mainly to support the mutual SSL configuration. The "anonymous" SSL on 443 does not need this.

How do we support this in the Liferay configuration? It seems that it might be possible, but we may be taking the configuration properties at face value.

Any tips, thoughts, corrections, or eye rolls?

Much thanks!
Tim
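
The URL construction problem described in the post above, modelled as an added example that is not part of the thread and is not Liferay or Apache code: a backend derives its external base URL from forwarded headers only when the request arrives from a trusted proxy, and only for expected host names. The proxy address `10.0.0.5`, the host allowlist, and the use of the `X-Forwarded-Proto` / `X-Forwarded-Host` headers are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed values: host names are the post's placeholders; the proxy
# address and the reliance on X-Forwarded-* headers are assumptions.
TRUSTED_PROXIES = {"10.0.0.5"}  # hypothetical address of the front-end proxy
ALLOWED_HOSTS = {"ourhost.com", "test.fim.authhost.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def external_base_url(peer_ip, local_port, tls_on_connector, headers):
    """Return the scheme://host[:port] a backend should use when building links."""
    # Naive view: only what the backend sees on its own connector.
    scheme = "https" if tls_on_connector else "http"
    host = headers.get("Host", "").split(":")[0].lower()
    port = local_port

    # Forwarded headers are honoured only from a known proxy; otherwise any
    # client could steer generated links to a host of its choosing.
    if peer_ip in TRUSTED_PROXIES:
        fwd_proto = headers.get("X-Forwarded-Proto", "").lower()
        fwd_host = headers.get("X-Forwarded-Host", "").lower()
        if fwd_proto in DEFAULT_PORTS:
            scheme = fwd_proto
            port = DEFAULT_PORTS[scheme]
        if fwd_host:
            parts = urlsplit("//" + fwd_host)
            host = parts.hostname or host
            port = parts.port or DEFAULT_PORTS[scheme]

    # Even a trusted proxy may only name hosts this site actually serves.
    if host not in ALLOWED_HOSTS:
        raise ValueError("unexpected host: %r" % host)

    suffix = "" if port == DEFAULT_PORTS[scheme] else ":%d" % port
    return "%s://%s%s" % (scheme, host, suffix)
```

With only `Host: ourhost.com` on a plain-HTTP connector and port 444, the function reproduces the `http://ourhost.com:444` form from the post; with the two forwarded headers supplied by the trusted proxy it yields `https://test.fim.authhost.com`.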
Aldo De Vleeschauwer
RE: Multiple Virtual Hosts, One Site, Federated Identity Manager
November 15, 2012 1:00 AM

Hi Tim,

Did you find a solution to set this up in Liferay?

Thanks,
- Aldo -