IManager Virtual Host

From CoolSolutionsWiki

Open Enterprise Server runs a lot of web-based applications, most of them based on Tomcat. Sometimes it is advantageous to segment these applications into separate virtual hosts based on IP Address, port number, DNS name, or a combination.

This article details the process of setting up an application inside its own Apache Virtual Host on OES Linux, using iManager as an example.

Definitions

Scope

For this article, the term scope refers to the level of visibility of an application in Apache:

  • globally scoped - The application is visible on all interfaces, ports, and names.
  • interface scoped - The application is only visible on a particular interface.
  • port scoped - The application is only visible on a particular port.
  • name scoped - The application is only visible when accessed via a particular hostname (e.g. imanager.ewidgets.example)

These are just terms used for clarification as to how visible an application will be on the server.

eWidgets

For this example, we will use the fictitious company Example Widgets LTD. This company has a domain name, ewidgets.example, and an OES SP2 server named oes-1.ewidgets.example that we will set up the iManager virtual host on.

Apache Global Configuration

Some people hate the modular layout of Apache in SuSE Linux, and wish everything was in a monolithic httpd.conf file. Fortunately, this example is where SuSE's modular layout of Apache shines. Since each Novell application is configured in its own separate config file, it is trivial to move these applications around to different IP addresses, ports, and named virtual hosts.

Warning: Do not restart or reload Apache while performing these steps, or iManager may become unavailable temporarily until you complete all the steps required.

Remove the system-wide nps-Apache.conf link

Removing this symlink will stop iManager from being scoped globally on Apache, so we can assign it a smaller scope. Note that these are just symbolic links to the iManager Apache config file located at /etc/opt/novell/iManager/nps-Apache.conf, not the config file itself, so you are not deleting the config file, only removing the symbolic links to it:

Command: rm /etc/opt/novell/httpd/conf.d/nps-Apache.conf

Command: rm /etc/opt/novell/httpd/sslconf.d/nps-Apache.conf


Keep in mind that any subsequent upgrades of iManager may replace this link, causing iManager to be scoped globally once again. You may want to place a dummy file in its place to prevent this from happening:

Command: touch /etc/opt/novell/httpd/conf.d/nps-Apache.conf

Command: touch /etc/opt/novell/httpd/sslconf.d/nps-Apache.conf

Creating an iManager SSL VirtualHost on port 12345

This example will show how to set up iManager on port 12345 (on all IP addresses) using SSL. In this example, iManager will be port-scoped to only port 12345, and will not be accessible, for example, via port 80 or port 443.

Add the 12345 port to listen.conf

/etc/apache2/listen.conf is where all interfaces and listen ports are defined for the Apache server. You don't have to define them here, but it is recommended so that your system is consistent with the SuSE best practices.

File: /etc/apache2/listen.conf (comments removed; the new line is Listen 12345)
Listen 80
Listen 12345
<IfDefine SSL>
    <IfDefine !NOSSL>
        <IfModule mod_ssl.c>
            Listen 443
        </IfModule>
    </IfDefine>
</IfDefine>

Note: You can restrict the scope even further by using an IP address here. For instance, Listen 192.168.1.1:12345 will cause Apache to listen for iManager only on this particular IP address.

Create an SSL VirtualHost config file for port 12345

Fortunately, the default SSL VirtualHost file works pretty well, with some minor adjustments. We will now copy that file to a new file, vhost-imanager-ssl.conf, and make some adjustments to it.

Command: cp /etc/apache2/vhosts.d/vhost-ssl.conf /etc/apache2/vhosts.d/vhost-imanager-ssl.conf

Command: mkdir /srv/www/imanager

Command: touch /srv/www/imanager/index.html

File: /etc/apache2/vhosts.d/vhost-imanager-ssl.conf (comments removed; the new or changed lines are the VirtualHost line, the DocumentRoot line and the final Include line; the deleted line is replaced with a comment)
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost *:12345>
    DocumentRoot "/srv/www/imanager"
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/ssl/servercerts/servercert.pem
    SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
    # LINE DELETED: Include /etc/opt/novell/httpd/sslconf.d/*.conf
    Include /etc/opt/novell/iManager/nps-Apache.conf
</VirtualHost>
</IfDefine>
</IfDefine>

Restart Apache

At this point, you should restart Apache to apply your changes.

Restarting Apache
Linux:> rcapache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) done
Starting httpd2 (worker) done

Testing

You should now be able to go to https://yourserver:12345/nps/iManager.html and have iManager come up, yet be able to go to https://yourserver/nps/iManager.html and get nothing.
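A configuration-side check to complement the browser test, as an added example that is not part of the original article: it verifies that the global nps-Apache.conf hooks are still inert (an upgrade may restore the symlinks), that the port is declared, and that the vhost includes iManager directly. The function name check_imanager_scope and its ROOT/PORT arguments are hypothetical; the file paths are the ones used in this article.

```shell
#!/bin/sh
# Added example: audit the iManager port scoping described in this article.
# check_imanager_scope and its ROOT/PORT arguments are hypothetical names.
# ROOT is a path prefix ("" on a live server) so a copied tree can be checked.
check_imanager_scope() {
    root="${1:-}"
    port="${2:-12345}"
    vhost="$root/etc/apache2/vhosts.d/vhost-imanager-ssl.conf"
    rc=0

    # 1. The global hooks must be gone or inert: an upgrade may restore the
    #    symlink, and only an empty dummy file keeps the include harmless.
    for d in conf.d sslconf.d; do
        f="$root/etc/opt/novell/httpd/$d/nps-Apache.conf"
        if [ -L "$f" ]; then
            echo "GLOBAL: $f is a symlink again"; rc=1
        elif [ -s "$f" ]; then
            echo "GLOBAL: $f is a non-empty file"; rc=1
        fi
    done

    # 2. listen.conf must declare the port ("Listen 12345" or "Listen IP:12345").
    if ! grep -Eq "^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?$port([[:space:]]|\$)" \
            "$root/etc/apache2/listen.conf" 2>/dev/null; then
        echo "MISSING: no Listen directive for port $port"; rc=1
    fi

    # 3. The vhost must bind that port and pull in the iManager config directly.
    if ! grep -Eq "^[[:space:]]*<VirtualHost[[:space:]]+[^>]*:$port>" "$vhost" 2>/dev/null; then
        echo "MISSING: no <VirtualHost ...:$port> in $vhost"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*Include[[:space:]]+/etc/opt/novell/iManager/nps-Apache\.conf' \
            "$vhost" 2>/dev/null; then
        echo "MISSING: vhost does not include nps-Apache.conf"; rc=1
    fi

    # 4. The wildcard include deleted in the article must not have crept back.
    if grep -Eq '^[[:space:]]*Include[[:space:]]+/etc/opt/novell/httpd/sslconf\.d/' \
            "$vhost" 2>/dev/null; then
        echo "WIDE: vhost still includes sslconf.d/*.conf"; rc=1
    fi
    return $rc
}
```

Run it as check_imanager_scope "" after each iManager upgrade; a non-zero return with a GLOBAL line means iManager has been re-scoped to every virtual host.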

Caveats

  • Keep in mind that all remaining globally-scoped applications will still be accessible in this virtual host unless you limit their scopes as well.

Going Further

More Complicated Scopes

This is just one example of how to limit the scope of a web-based application. For instance, you could assign each application an individual IP address and DNS name, and give each application a redirect to its Tomcat instance, so you can have URLs like the following:

  • https://iprint.ewidgets.example/
  • https://imanager.ewidgets.example/
  • https://ifolder.ewidgets.example/

instead of server1.ewidgets.example/nps/iManager.html, et al.

Redirect

In the /srv/www/imanager/index.html file we created, you could put a simple HTML redirect to /nps/iManager.html, so that anyone who goes to https://yourserver:12345 is automatically redirected to iManager.

Questions

Get stuck, need clarification, or just curious about something? Please post in the Discussion Page.

Primary Author

--Justin Grote - Network Architect - JWG Networks
