Grizzly with SSL (deprecated)

Configure Grizzly with SSL

Use secure connections with grizzly on a single-node setup.

Configure hostnames

To work around a bug in Apache 2.2, add the alias localhost_tls for localhost to /etc/hosts. The alias is the name that will be used as the certificate's common name and as the backend hostname the proxy connects to, so that the peer CN check below succeeds.

127.0.0.1       localhost localhost_tls

Create private key and certificate for grizzly

# 1024-bit RSA keys are below today's minimum; 2048 bits or more is recommended
openssl genrsa -aes256 -out server.key 1024
# use localhost_tls as the common name (CN)! Apache checks the backend CN against this hostname.
openssl req -new -sha256 -key server.key -out server.csr
openssl x509 -req -sha256 -days 3652 -in server.csr -signkey server.key -out selfsigned.crt

Export to PKCS#12 keystore and convert into jks keystore

openssl pkcs12 -export -name localhost_tls -in selfsigned.crt -inkey server.key -out store.p12
# the destination keystore password chosen here must match keystorePassword in grizzly.properties
keytool -importkeystore -destkeystore store.jks -srckeystore store.p12 -srcstoretype pkcs12 -alias localhost_tls

# Run this inside the directory given as SSLProxyCACertificatePath below (/etc/apache2/ssl/):
# mod_ssl looks trusted certificates up by subject hash, so the self-signed
# certificate needs a <hash>.0 symlink there for SSLProxyVerify to succeed
ln -s selfsigned.crt $(openssl x509 -hash -noout -in selfsigned.crt).0

Apache proxy_http configuration

Paste into /etc/apache/conf-available/proxy_http.conf when using Apache 2.4, or into /etc/apache/conf.d/proxy_http.conf when using Apache 2.2

<IfModule mod_proxy_http.c>
  ProxyRequests Off
  ProxyStatus On
  # When enabled, this option will pass the Host: line from the incoming request to the proxied host.
  ProxyPreserveHost On
  # Please note that the servlet path to the soap API has changed:
  <Location /webservices>
    # restrict access to the soap provisioning API
    # (Apache 2.2 access syntax; on 2.4 it needs mod_access_compat, or use "Require ip 127.0.0.1")
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    # you might add more ip addresses / networks here
    # Allow from 192.168 10 172.16
  </Location>
  # The old path is kept for compatibility reasons
  <Location /servlet/axis2/services>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
  </Location>
  # Enable the balancer manager mentioned in
  # http://oxpedia.org/wiki/index.php?title=AppSuite:Running_a_cluster#Updating_a_Cluster
  <IfModule mod_status.c>
    <Location /balancer-manager>
      SetHandler balancer-manager
      Order Deny,Allow
      Deny from all
      Allow from 127.0.0.1
    </Location>
  </IfModule>
  <Proxy balancer://oxcluster>
    Order deny,allow
    Allow from all
    # multiple server setups need to have the hostname inserted instead of localhost
    BalancerMember http://localhost:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=OX0
    #BalancerMember http://10.242.2.6:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=OX0
    # Enable and maybe add additional hosts running OX here
    # BalancerMember http://oxhost2:8009 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=OX2
    ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-sendchunked
  </Proxy>
</IfModule>

Paste into /etc/apache/conf-available/proxy_https.conf when using Apache 2.4, or into /etc/apache/conf.d/proxy_https.conf when using Apache 2.2

<IfModule mod_proxy_http.c>
  ProxyRequests Off
  ProxyStatus On
  # When enabled, this option will pass the Host: line from the incoming request to the proxied host.
  ProxyPreserveHost On
  # Please note that the servlet path to the soap API has changed:
  <Location /webservices>
    # restrict access to the soap provisioning API
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    # you might add more ip addresses / networks here
    # Allow from 192.168 10 172.16
  </Location>
  # The old path is kept for compatibility reasons
  <Location /servlet/axis2/services>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
  </Location>
  # Enable the balancer manager mentioned in
  # http://oxpedia.org/wiki/index.php?title=AppSuite:Running_a_cluster#Updating_a_Cluster
  <IfModule mod_status.c>
    <Location /balancer-manager>
      SetHandler balancer-manager
      Order Deny,Allow
      Deny from all
      Allow from 127.0.0.1
    </Location>
  </IfModule>
  <Proxy balancer://oxcluster_tls>
    Order deny,allow
    Allow from all
    # multiple server setups need to have the hostname inserted instead of localhost_tls
    # The member is reached over https on the grizzly SSL port 8010; the hostname must match
    # the certificate CN (localhost_tls), otherwise SSLProxyCheckPeerCN rejects the backend
    BalancerMember https://localhost_tls:8010 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=OX0
    #BalancerMember https://10.242.2.6:8010 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=OX0
    # Enable and maybe add additional hosts running OX here
    # BalancerMember https://oxhost2:8010 timeout=100 smax=0 ttl=60 retry=60 loadfactor=50 route=OX2
    ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-sendchunked
  </Proxy>
</IfModule>

Enable configuration (Apache 2.4 only)

a2enconf proxy_http proxy_https

Apache virtual hosts configuration

Configure virtual host for non-secure connections, paste into /etc/apache/sites-available/ox.conf

<VirtualHost *:80>
  ServerAdmin webmaster@localhost

  <Directory /var/www/html/appsuite>
    Options None +SymLinksIfOwnerMatch
    AllowOverride Indexes FileInfo
  </Directory>

  ProxyPass /ajax balancer://oxcluster/ajax
  ProxyPass /appsuite/api balancer://oxcluster/ajax
  ProxyPass /drive balancer://oxcluster/drive
  ProxyPass /infostore balancer://oxcluster/infostore
  ProxyPass /publications balancer://oxcluster/publications
  ProxyPass /realtime balancer://oxcluster/realtime
  ProxyPass /servlet balancer://oxcluster/servlet
  ProxyPass /webservices balancer://oxcluster/webservices
  ProxyPass /socket.io balancer://oxcluster/socket.io

  RewriteEngine On
  RewriteCond %{HTTP_USER_AGENT}      Calendar           [OR]
  RewriteCond %{HTTP_USER_AGENT}      Reminders          [OR]
  RewriteCond %{HTTP_USER_AGENT}      DataAccess         [OR]
  RewriteCond %{HTTP_USER_AGENT}      DAVKit             [OR]
  RewriteCond %{HTTP_USER_AGENT}      Lightning          [OR]
  RewriteCond %{HTTP_USER_AGENT}      Adresboek          [OR]
  RewriteCond %{HTTP_USER_AGENT}      dataaccessd        [OR]
  RewriteCond %{HTTP_USER_AGENT}      Preferences        [OR]
  RewriteCond %{HTTP_USER_AGENT}      Adressbuch         [OR]
  RewriteCond %{HTTP_USER_AGENT}      AddressBook        [OR]
  RewriteCond %{HTTP_USER_AGENT}      Address\ Book      [OR]
  RewriteCond %{HTTP_USER_AGENT}      CalendarStore      [OR]
  RewriteCond %{HTTP_USER_AGENT}      CalendarAgent      [OR]
  RewriteCond %{HTTP_USER_AGENT}      accountsd          [OR]
  RewriteCond %{HTTP_USER_AGENT}      eM\ Client         [OR]
  RewriteCond %{HTTP_USER_AGENT}      CoreDAV
  RewriteRule (.*)                  http://localhost:8009/servlet/dav$1  [P]
</VirtualHost>

Configure virtual host for secure connections, paste into /etc/apache/sites-available/ox-ssl.conf

<VirtualHost *:443>
  ServerAdmin webmaster@localhost
  SSLEngine On
  SSLCertificateFile /path/to/certificate.crt
  SSLCertificateKeyFile /path/to/private.key
  RequestHeader set X-Forwarded-Proto "https"
  # Verify the grizzly backend certificate: the trust store is the hash-linked directory
  # created above, and the backend hostname must match the certificate CN (localhost_tls)
  SSLProxyEngine On
  SSLProxyCheckPeerCN on
  SSLProxyCheckPeerExpire on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  SSLHonorCipherOrder  on
  SSLProxyVerifyDepth 2
  SSLProxyCACertificatePath /etc/apache2/ssl/
  SSLProxyVerify require

  ProxyPass /ajax balancer://oxcluster_tls/ajax
  ProxyPass /appsuite/api balancer://oxcluster_tls/ajax
  ProxyPass /drive balancer://oxcluster_tls/drive
  ProxyPass /infostore balancer://oxcluster_tls/infostore
  ProxyPass /publications balancer://oxcluster_tls/publications
  ProxyPass /realtime balancer://oxcluster_tls/realtime
  ProxyPass /servlet balancer://oxcluster_tls/servlet
  ProxyPass /webservices balancer://oxcluster_tls/webservices
  ProxyPass /socket.io balancer://oxcluster_tls/socket.io

  <Directory /var/www/html/appsuite>
    Options None +SymLinksIfOwnerMatch
    AllowOverride Indexes FileInfo
  </Directory>

  RewriteEngine On
  RewriteCond %{HTTP_USER_AGENT}      Calendar           [OR]
  RewriteCond %{HTTP_USER_AGENT}      Reminders          [OR]
  RewriteCond %{HTTP_USER_AGENT}      DataAccess         [OR]
  RewriteCond %{HTTP_USER_AGENT}      DAVKit             [OR]
  RewriteCond %{HTTP_USER_AGENT}      Lightning          [OR]
  RewriteCond %{HTTP_USER_AGENT}      Adresboek          [OR]
  RewriteCond %{HTTP_USER_AGENT}      dataaccessd        [OR]
  RewriteCond %{HTTP_USER_AGENT}      Preferences        [OR]
  RewriteCond %{HTTP_USER_AGENT}      Adressbuch         [OR]
  RewriteCond %{HTTP_USER_AGENT}      AddressBook        [OR]
  RewriteCond %{HTTP_USER_AGENT}      Address\ Book      [OR]
  RewriteCond %{HTTP_USER_AGENT}      CalendarStore      [OR]
  RewriteCond %{HTTP_USER_AGENT}      CalendarAgent      [OR]
  RewriteCond %{HTTP_USER_AGENT}      accountsd          [OR]
  RewriteCond %{HTTP_USER_AGENT}      eM\ Client         [OR]
  RewriteCond %{HTTP_USER_AGENT}      CoreDAV
  RewriteRule (.*)                  https://localhost_tls:8010/servlet/dav$1        [P]
</VirtualHost>
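The configuration above distributes the security-relevant settings over three places: the balancer (members of oxcluster_tls must be reached over https with a hostname equal to the backend certificate CN), the <Location> blocks (the SOAP provisioning API must deny everything except loopback), and the SSL virtual host (SSLProxyVerify require, SSLProxyCheckPeerCN on, SSLv2/SSLv3 excluded). The following Python script is an added example, not part of this page or of Open-Xchange, that audits a configuration excerpt for exactly these points before Apache is restarted. The excerpt it embeds is constructed to resemble the page's files with two deliberate mistakes; the expected CN localhost_tls comes from the page, and the block parser is a minimal regex, not a full Apache configuration parser.

```python
import re

# Constructed excerpt in the shape of proxy_https.conf plus ox-ssl.conf.
# Two deliberate defects: the legacy SOAP path allows everyone, and one
# balancer member is plaintext http inside the TLS balancer.
SAMPLE_CONF = """
<IfModule mod_proxy_http.c>
  ProxyRequests Off
  <Location /webservices>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
  </Location>
  <Location /servlet/axis2/services>
    Order Deny,Allow
    Allow from all
  </Location>
  <Proxy balancer://oxcluster_tls>
    Order deny,allow
    Allow from all
    BalancerMember https://localhost_tls:8010 timeout=100 route=OX0
    BalancerMember http://oxhost2:8010 timeout=100 route=OX2
  </Proxy>
</IfModule>
<VirtualHost *:443>
  SSLEngine On
  SSLProxyEngine On
  SSLProxyCheckPeerCN on
  SSLProxyVerify require
  SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

# Matches <Location ...>...</Location> and <Proxy ...>...</Proxy> blocks (no nesting)
BLOCK_RE = re.compile(r"<(Location|Proxy)\s+([^>]+)>(.*?)</\1>", re.S | re.I)

# Paths of the SOAP provisioning API that must stay restricted (from the page)
RESTRICTED_PATHS = ("/webservices", "/servlet/axis2/services")


def _directives(text):
    """Yield (directive_lowercase, arguments) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def parse_blocks(conf):
    """Return {(kind, name): [(directive, args), ...]} for Location/Proxy blocks."""
    return {(m.group(1).lower(), m.group(2).strip()): list(_directives(m.group(3)))
            for m in BLOCK_RE.finditer(conf)}


def audit(conf, expected_backend_cn="localhost_tls"):
    """Return a list of findings; an empty list means the three checks passed."""
    findings = []
    blocks = parse_blocks(conf)

    # 1. Provisioning API paths must deny by default and never allow everyone
    for path in RESTRICTED_PATHS:
        directives = blocks.get(("location", path))
        if directives is None:
            findings.append(f"{path}: no <Location> block restricts the provisioning API")
            continue
        allows = [a.lower() for d, a in directives if d == "allow"]
        denies = [a.lower() for d, a in directives if d == "deny"]
        if "from all" not in denies:
            findings.append(f"{path}: missing 'Deny from all'")
        if "from all" in allows:
            findings.append(f"{path}: 'Allow from all' exposes the provisioning API")

    # 2. Members of a *_tls balancer must be https and carry the CN the proxy verifies
    for (kind, name), directives in blocks.items():
        if kind != "proxy" or not name.endswith("_tls"):
            continue
        for directive, args in directives:
            if directive != "balancermember":
                continue
            url = args.split()[0]
            m = re.match(r"(https?)://([^:/]+)", url)
            if not m:
                continue
            scheme, host = m.groups()
            if scheme != "https":
                findings.append(f"{name}: member {url} is plaintext inside a TLS balancer")
            elif host != expected_backend_cn:
                findings.append(f"{name}: member host {host} will fail SSLProxyCheckPeerCN "
                                f"against CN {expected_backend_cn}")

    # 3. Virtual-host level backend verification and protocol floor (last value wins)
    flat = dict(_directives(conf))
    if flat.get("sslproxyverify", "").lower() != "require":
        findings.append("SSLProxyVerify is not 'require': backend certificate is not validated")
    if flat.get("sslproxycheckpeercn", "").lower() != "on":
        findings.append("SSLProxyCheckPeerCN is off: backend hostname is not checked")
    protocols = flat.get("sslprotocol", "").lower().split()
    for legacy in ("sslv2", "sslv3"):
        if "all" in protocols and f"-{legacy}" not in protocols:
            findings.append(f"SSLProtocol does not exclude {legacy}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Running the script against the embedded excerpt reports three findings (the missing Deny and the Allow from all on /servlet/axis2/services, and the plaintext member in oxcluster_tls); pointing audit() at the concatenated contents of the real proxy_https.conf and ox-ssl.conf gives the same check for a live setup.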

Enable virtual hosts and ssl module

a2ensite ox.conf ox-ssl.conf
# the configuration above also relies on mod_proxy, mod_proxy_http, mod_proxy_balancer, mod_rewrite and mod_headers
a2enmod ssl

Then restart apache

service apache2 restart

Configure grizzly

Copy the keystore into the open-xchange configuration folder

cp store.jks /opt/open-xchange/etc/store.jks

Add to /opt/open-xchange/etc/grizzly.properties

com.openexchange.http.grizzly.hasSSLEnabled=true
com.openexchange.http.grizzly.keystorePath=/opt/open-xchange/etc/store.jks
# must be the password chosen for store.jks during keytool -importkeystore above
com.openexchange.http.grizzly.keystorePassword=secret

Then restart OX

service open-xchange restart