Using Apache 2.4 to proxy Cascade CMS

Overview

This article is provided as an example of using Apache 2.4 to proxy Cascade CMS. It is for informational purposes only, and Hannon Hill Product Support cannot provide Apache configuration support or assistance.

Apache 2.4 modules used

  • mod_authz_core
  • mod_deflate
  • mod_filter
  • mod_rewrite
  • mod_proxy
  • mod_proxy_ajp
  • mod_proxy_wstunnel
  • mod_ssl

Base Configuration

Apache 2.4

Apache 2.4 can be used to proxy requests to the Cascade CMS Tomcat container. The benefits are additional control over request handling and simplified SSL handling. Here is a sample configuration that forces connections over SSL using mod_rewrite, handles SSL using mod_ssl, proxies requests to the Tomcat container using mod_proxy and mod_proxy_ajp, and adds compression using mod_deflate:

Listen 0.0.0.0:443
SSLStrictSNIVHostCheck off

<VirtualHost *:80>
ServerName cascade.example.edu
RewriteEngine on
RewriteRule ^(.*)$ https://cascade.example.edu$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
ServerName cascade.example.edu
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCertificateFile /path/to/cert.crt
SSLCertificateKeyFile /path/to/key.key
SSLCertificateChainFile /path/to/intermediate.crt

ProxyIOBufferSize 65536

# Websocket configuration
ProxyPass /websocket ws://localhost:8080/websocket
ProxyPassReverse /websocket ws://localhost:8080/websocket

ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/

AddOutputFilterByType DEFLATE "application/javascript" \
"application/json" \
"application/rss+xml" \
"application/vnd.ms-fontobject" \
"application/font-sfnt" \
"application/font-woff" \
"font/opentype" \
"font/woff2" \
"application/x-javascript" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/xml"
</VirtualHost>

Tomcat

Given the above Apache 2.4 configuration, the following Connectors are assumed within the Tomcat container's server.xml configuration:

<Connector port="8080"
maxThreads="256"
maxPostSize="6000000"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxSwallowSize="-1"
compression="on"
compressionMinSize="1024"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="application/javascript,application/json,application/rss+xml,application/vnd.ms-fontobject,application/font-sfnt,application/font-woff,font/opentype,font/woff2,application/x-javascript,application/xhtml+xml,application/xml,font/eot,font/opentype,image/svg+xml,image/vnd.microsoft.icon,image/x-icon,text/css,text/html,text/javascript,text/plain,text/xml" />

<Connector port="8009"
protocol="AJP/1.3"
redirectPort="8443"
tomcatAuthentication="true"
packetSize="65536"
maxPostSize="6000000" />

Note: The server.xml configuration file is located within the Cascade CMS installation directory at tomcat/conf.

Websocket Support

Cascade CMS utilizes Websockets for almost-real-time notifications and partial UI refreshing, as opposed to repeatedly polling with AJAX requests. As such, the mod_proxy_wstunnel module and additional configuration are required in order to allow Apache to handle these websocket requests. Note the following section within the above configuration:

# Websocket configuration
ProxyPass /websocket ws://localhost:8080/websocket
ProxyPassReverse /websocket ws://localhost:8080/websocket

The key point is that the port in these directives must match the non-SSL port defined within the Tomcat container. The ws:// scheme here is not a concern: normal web requests are forced over SSL, and Cascade CMS will automatically switch the websocket request over to wss://, which is the secure protocol for websockets.
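The port match described above can be checked before reloading either service. The following is an added example, not part of the original article or Hannon Hill's tooling: the function names are hypothetical, the server.xml wrapper elements are constructed, and it assumes Tomcat runs on the same host as Apache.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples: the page's ProxyPass lines and a trimmed server.xml.
APACHE_CONF = """\
ProxyPass /websocket ws://localhost:8080/websocket
ProxyPassReverse /websocket ws://localhost:8080/websocket
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
"""
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>
"""
# Backend URL scheme -> kind of Tomcat Connector it has to reach.
WANTED = {"ws": "HTTP", "http": "HTTP", "ajp": "AJP"}

def proxy_targets(conf):
    """Return (path, scheme, port) per ProxyPass line (not ProxyPassReverse)."""
    targets = []
    for line in conf.splitlines():
        m = re.match(r"\s*ProxyPass\s+(\S+)\s+(\S+)", line, re.I)
        if m and m.group(2) != "!":  # "!" marks a path excluded from proxying
            url = urlsplit(m.group(2))
            targets.append((m.group(1), url.scheme, url.port))
    return targets

def connector_kinds(server_xml):
    """Map each Connector port in server.xml to "AJP" or "HTTP"."""
    kinds = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        kinds[int(conn.get("port"))] = "AJP" if "ajp" in proto.lower() else "HTTP"
    return kinds

def check(conf, server_xml):
    """Return mismatch messages; an empty list means the ports line up."""
    kinds, problems = connector_kinds(server_xml), []
    for path, scheme, port in proxy_targets(conf):
        want, have = WANTED.get(scheme), kinds.get(port)
        if want is not None and have != want:
            found = f"the {have} Connector" if have else "no Connector"
            problems.append(f"{path}: {scheme}:// reaches {found} on port {port}")
    return problems
```

Calling check() with the contents of the real Apache virtual host file and tomcat/conf/server.xml returns one message per ProxyPass line whose backend port is missing or belongs to the wrong connector type.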