Written by The Jahia Team
 
Sysadmins
   Estimated reading time:
7.2.3.1 7.2.3.2 7.3.0.0 7.2.2.0 7.2.2.1

Here are the steps followed to install an Jahia cluster for a production environment. We will also detail the installation of two Apache2 front-ends.

General

Jahia will be installed on a cluster of three nodes:

  1. The first node, the processing, will be used for the contribution (addition of content, etc)
  2. The two other servers will be used for the consultation

Each node has :

  • CentOS
  • 40 GB of hard drive
  • 4 CPUs
  • 8 GB of memory

We will also need two servers for Apache2 and one server for the PostgreSQL database (version 9.X).

A F5 or a failover configuration (like Haproxy) above are recommended but won't be described in this document.

Matrix

The following parameters will be used between "<" an ">" in the next parts of the documentation.

Variable Value Description
DB_NAME jahia Name of the PostgreSQL database
DB_PORT 5432 Port used by PostgreSQL
DB_PASSWORD Change_it_it_s_important Password to access the database
DB_SRV_FQDN psql01.int.jahia.com Fully qualified domain name of the DB server
DB_USER_NAME jahia User to access the DV
DX_DATASTORE /srv/datastore/jahia Path of the Jahia datastore
DX_HOME /src/jahia Home of Jahia
DX_INSTALLER DigitalExperienceManager-EnterpriseDistribution-7.2.2.0-r57545.4233.jar Name of the Jahia installer
DX_TOOLS_PASSWORD Needs_to_be_complexed! Password to access the Jahia tools
DX_TOOLS_USER jahia User to access the Jahia tools
DX_ROOT_PASSWORD Needs_to_be_very_very_omplexed! Password for the user root
JAHIA_LINUX_USER jahia Linux user used to install and to run Jahia
JAHIA_SRV_01 jahia01 Hostname for the first Jahia server
JAHIA_SRV_02 jahia02 Hostname for the second Jahia server
JAHIA_SRV_03 jahia03 Hostname for the third Jahia server
JAHIA_SRV_FQDN_01 jahia01.int.jahia.com Fully qualified domain name for the first Jahia server
JAHIA_SRV_FQDN_02 jahia02.int.jahia.com Fully qualified domain name for the second Jahia server
JAHIA_SRV_FQDN_03 jahia03.int.jahia.com Fully qualified domain name for the third Jahia server
MAIL_ADDRESS it@jahia.com E-Mail address used to send/receive communications from Jahia
ORACLE_JDK_FILE_NAME jdk-8u191-linux-i586.rpm Package for the Oracke JDK 8
TOMCAT_HOME <DX_HOME>/tomcat Home of Tomcat
WEB_SRV_FQDN_01 web1.int.jahia.com Fully qualified domain name for the first web server
WEB_SRV_FQDN_02 web2.int.jahia.com Fully qualified domain name for the second web server
PUBLIC_CONTRIBUTE_DOMAIN exemple-contribute.jahia.com Public domain to access the contribution/edition
PUBLIC_DOMAIN example.jahia.com Public domain used to access Jahia

Prerequisites

Install

Oracle JDK 8

Jahia runs on a Java platform so it needs the Oracle JDK to be installed on the system.

  • Go to the Oracle download page
  • Look for the last JDK 8, download the Linux appropriate .rpm package then install it:
    sudo yum localinstall <ORACLE_JDK_FILE_NAME>
  • Once it's installed, check that the following command returns the correct version:
    java -version
  • If you expect the JVM to communicate with SSL endpoints/certicates that are not recognized by default, do not forget to add them to the JVM repository and to disable the automatic update of the JDK.

 

LibreOffice

LibreOffice is being using by Jahia for document conversion.

  • Install it:
    sudo yum install libreoffice

ImageMagick

ImageMagick is being used by Jahia for all operations related to the images (resizing, thumbnails, etc.)

  • Install it:
    sudo yum install ImageMagick

Development tools

Even if you should not need these tools, they might be useful in case of an outage.

  • Install maven/subversion/git:
    sudo yum install maven subversion git

LogRotate

By default, the logs are being rotated but there isn't any mechanism to remove logs older than a specific date. Linux offers a very useful tool to handle the logs.

  • LogRotate should already be installed by default but if it's not the case:
    sudo yum install logrotate

Swappiness

Swappiness is a value between 1 and 100 that controls the priority of the use of the RAM vs the SWAP. In Java applications, the garbage collector might end up using the swap which can slow a lot an application.

  • Check the swappiness
    sudo cat /proc/sys/vm/swappiness
  • If it's below or equal to 10, you don't have to do anything. Otherwise, apply the modifications at runtime:
    sudo sysctl vm.swappiness=10
    sudo swapoff -a
    sudo swapon -a
    
  • Make the modifications persistent by modifying the file /etc/sysctl.conf:
    vm.swappiness = 10

Entropy

Jahia is generating some UUIDs and for that, it needs some randomness and that needs a good entropy. In some virtualized environments, this entropy is not good at all and needs to be improved in order to have good performances.

Please follow this documentation: Jahia and entropy

Jahia Linux user

  • For security reasons, Jahia will need to be installed under a specific user:
    sudo adduser --quiet --disabled-password --disabled-login --home <DX_HOME> --gecos "" <JAHIA_LINUX_USER>

Database connection

  • The nodes of a Jahia cluster are communicating between each other thanks to two TCP ports (By default 7860 and 7870). Please check with your IT team that these flows are authorized.

Database connection

  • The latency against the database needs to be very small, < 0 ms, in order to get good performances:
    ping <DB_SRV_FQDN>
  • Check also that you are able to connect with the DB client and the credentials that will be used for Jahia. This user needs to be able to create the necessary tables and to insert/update/delete their content.
  • In case you're using a dedicated schema, please be sure that it's the default schema or you will have to customiez the JDBC url.

SMTP connection

  • Check that you're able to send mail with the SMTP server you want to use (SMTP relay, SMTP service, etc) from each Jahia server

Shared folder

The Jahia cluster will need a shared folder in order to store the datastore. In order to prevent a SPOF, we advise to check that you the related hardware and software have some redundancy. The easiest way is to give full rights for this user on this table.

  • Check that the user jahia has the right to create a file in the datastore
    sudo -u <JAHIA_LINUX_USER> touch <DX_DATASTORE>
  • Do not forget to remove this file

Internet connection

Check that you have access to Internet

Jahia cluster

Install

  • First we are going to install the processing node
  • Become the user jahia:
    sudo -i -u <JAHIA_LINUX_USER>
  • Retrieve the last minor version of Jahia you're using from the page Jahia . Why this version? Because it might contains a lot of bug fixes.
  • To install it:
    java -jar <DX_INSTALLER> -console
  • Then follow these actions:
    1. Accept the license
    2. Enter the path of Jahia: <DX_HOME>
    3. Choose the Custom install (advanced)
    4. By default, keep the installation of Tomcat
    5. By default, use a standalone DBMS (DataBase Management System)
    6. Choose PostgreSQL 9.X (item n°3)
    7. By default, keep the Database driver: org.postgresql.Driver
    8. Enter the Database URL related to your environment: jdbc:postgresql://<DB_SRV_FQDN>:<DB_PORT>/<DB_NAME>
    9. Enter the Database username: <DB_USER_NAME>
    10. Enter the Database password: <DB_PASSWORD>
    11. The datastore will be a shared folder so do not store binary data in the database
    12. By default, create the required database tables
    13. By default, keep the context name empty
    14. Specify the Jahia tool manager username: <DX_TOOLS_USER>
    15. Specify the Jahia tool manager password (it has to be complex for security reasons): <DX_TOOLS_PASSWORD>
    16. By default, keep the SSH console port set to 8101
    17. By default, keep the HTTP connector port set to 8080
    18. By default, keep the HTTPS redirect port set to 8443
    19. By default, keep the AJP connector port set to 8009
    20. By defaut, keep the Server shutdown port set to 8005
    21. Set the jvmRoute to the hostname, it will ease the maintenance/debugging later: <JAHIA_SRV_01>
    22. Set the Maximum heap size in MB to 6144
    23. By default, keep the Maximum PermGen size in MB to 384
    24. There is no need at this level to add any additional option to the JVM
    25. Set the operating mode to Production
    26. If not needed, do not configure an LDAP provider
    27. Activate the cluster mode by selecting the option Provide cluster configuration for this server
    28. As this is the first server of the cluster, it has to be a background job processing server. A cluster can only have one processing server otherwise it can lead to a full corruption of the data.
    29. If your server has multiple network interfaces, enter the IP that will be used to communicate with the other servers
    30. By default, keep the Port number set to 7870
    31. By default, keep the Hazelcast Port set to 7860
    32. For the Current node server ID, set it to the hostname, it will the maintenance/debugging later
    33. CSet the path to the datastore: <DX_DATASTORE>
    34. Enter the password for the root user (it needs to be complex): <DX_ROOT_PASSWORD>
    35. Confirm it
    36. The First name, Last name and E-mail are optional, put what you want
    37. Choose the Preferred language: 1 for English, 3 for French
    38. Set the Mail server to 127.0.0.1
    39. Set the Mail administrator to the team that will handle the servers: <MAIL_ADDRESS>
    40. Set the Mail from - sender to the team that will handle Jahia: <MAIL_ADDRESS>
    41. Validate the settings to be sure that Jahia will be correctly installed
    42. If LibreOffice is installed, its path should be automatically set. If it's not the case, it's should be /usr/lib64/libreoffice in CentOS
    43. The binaries of ImageMagik should be installed by default in /usr/bin
    44. Choose the default language: 41 for English, 60 for French
    45. Keep the development license provided by default
    46. No need to add a path to a folder with additional modules to be deployed
    47. By default, keep the Runtime data path: <DX_HOME>/digital-factory-data
    48. By default, keep the Configuration path: <DX_HOME>/digital-factory-config
    49. Installation should be done and here is what you should have in the console:
      [ Starting to unpack ]
      [ Processing package: Jahia + Jahia Core Content Platform (1/2) ]
      [ Processing package: Add Apache Tomcat - generate a complete installation folder (2/2) ]
      [ Unpacking finished ]
      Install was successful
      application installed on /srv/jahia
      [ Console installation done ]

Logs rotation

  • Modify the file <TOMCAT_HOME>/conf/server.xml in order to have the following content for the ValveAccessLog:
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="access-log" suffix=".txt" rotatable="false"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  • Below the following modification, add also this content for the RemoteIpValve:
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="x-forwarded-for"
               proxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" 
               protocolHeaderHttpsValue="https"/>
  • Modify the file <TOMCAT_HOME>/conf/logging.properties in order to have the following content:
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

handlers = java.util.logging.ConsoleHandler

.handlers = java.util.logging.ConsoleHandler

############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################

1catalina.org.apache.juli.AsyncFileHandler.level = FINE
1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
1catalina.org.apache.juli.AsyncFileHandler.maxDays = 90

2localhost.org.apache.juli.AsyncFileHandler.level = FINE
2localhost.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost.
2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90

3manager.org.apache.juli.AsyncFileHandler.level = FINE
3manager.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
3manager.org.apache.juli.AsyncFileHandler.prefix = manager.
3manager.org.apache.juli.AsyncFileHandler.maxDays = 90

4host-manager.org.apache.juli.AsyncFileHandler.level = FINE
4host-manager.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
4host-manager.org.apache.juli.AsyncFileHandler.prefix = host-manager.
4host-manager.org.apache.juli.AsyncFileHandler.maxDays = 90

java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter


############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.AsyncFileHandler

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.AsyncFileHandler

# For example, set the org.apache.catalina.util.LifecycleBase logger to log
# each component that extends LifecycleBase changing state:
#org.apache.catalina.util.LifecycleBase.level = FINE

# To see debug messages in TldLocationsCache, uncomment the following line:
#org.apache.jasper.compiler.TldLocationsCache.level = FINE

# To see debug messages for HTTP/2 handling, uncomment the following line:
#org.apache.coyote.http2.level = FINE

# To see debug messages for WebSocket handling, uncomment the following line:
#org.apache.tomcat.websocket.level = FINE
  • Create the file /etc/logrotate.d/jahia_logrotate with the following content:
<TOMCAT_HOME>/logs/access-log.txt {
        missingok
        su jahia jahia
        compress
        copytruncate
        rotate 14
        daily
        maxsize 500M
        dateext
        dateformat _%Y-%m-%d
}

<TOMCAT_HOME>/logs/catalina.out {
        missingok
        su jahia jahia
        compress
        copytruncate
        rotate 14
        daily
        maxsize 500M
        dateext
        dateformat _%Y-%m-%d
}

<TOMCAT_HOME>/logs/jahia_access.log {
        missingok
        su jahia jahia
        compress
        copytruncate
        rotate 14
        daily
        maxsize 500M
        dateext
        dateformat _%Y-%m-%d
}

<TOMCAT_HOME>/logs/jahia.log {
        missingok
        su jahia jahia
        compress
        copytruncate
        rotate 14
        daily
        maxsize 500M
        dateext
        dateformat _%Y-%m-%d
}

<TOMCAT_HOME>/tomcat/logs/jahia_profiler.log {
        missingok
        su jahia jahia
        compress
        copytruncate
        rotate 14
        daily
        maxsize 500M
        dateext
        dateformat _%Y-%m-%d
}
  • Check that the previous file has the correct permission 644

Jahia as a service

  • Create the file /etc/systemd/system/jahia.service with the following content:
[Unit]
Description=Jahia
After=network.target

[Service]
Type=simple

Environment=CATALINA_PID=<TOMCAT_HOME>/temp/tomcat.pid
Environment=CATALINA_HOME=<TOMCAT_HOME>
Environment=CATALINA_BASE=<TOMCAT_HOME>
Environment="CATALINA_OPTS=-server"
Environment="JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/urandom"

ExecStart=<TOMCAT_HOME>/bin/catalina.sh run
ExecStop=/bin/kill -15 $MAINPID
WorkingDirectory=<DX_HOME>

User=jahia
Group=jahia
RestartSec=10
Restart=on-failure
SuccessExitStatus=143
TimeoutSec=300

[Install]
WantedBy=multi-user.target
  • Enable the service with the following command:
systemctl enable jahia

Securing

  • Retrieve the last version of the module security-filter on our store.
    • Be aware that if you have done your developments and test without it, it is strongly advised to read and follow this documentation.
    wget https://store.jahia.com/cms/mavenproxy/private-app-store/org/jahia/modules/security-filter/1.0.2/security-filter-1.0.2.jar
  • Transfer the module to <DX_HOME>/digital-factory-data/modules:
    mv security-filter-1.0.2.jar <DX_HOME>/digital-factory-data/modules/

Bugs workaround

QA-10559

On each node, add the following line to the file <DX_HOME>/digital-factory-config/jahia/jahia.properties:

modules.purgeAtStartup = false

QA-10727

On each node, add the following line to the file <DX_HOME>/digital-factory-config/jahia/jahia.properties:

repositoryDirectoryListingDisabled = true

QA-10454

On each node, add the following line to the file <TOMCAT_HOME>/bin/setenv.sh:

CATALINA_OPTS="$CATALINA_OPTS -Dkaraf.handle.sigterm=false"

Start and check Jahia

  • Start Jahia thanks to its service:
    systemctl start jahia
  • Display the stdout logs:
    journalctl -f -u jahia
  • Wait for Jahia to be completely started, you should see that in the logs:
--------------------------------------------------------------------------------------------------
  P R O D U C T I O N   M O D E   A C T I V E
--------------------------------------------------------------------------------------------------
  Modules:
      Started: 38
--------------------------------------------------------------------------------------------------
  • If you don't have all the default modules started, it might be the consequence of a problem. If that's the case, please contact our support at https://support.jahia.com if you have a subscription.
  • Now it's time to check that we have access to the administration and to the tools:
    • Go to http://<JAHIA_SRV_01>:8080/administration and login
    • Go to http://<JAHIA_SRV_01>:8080/tools and login
      • Open the cluster view and check that everything seems to be correct: you should see in the tables the processing server with the correct IP and ports. If you have a doubt, please contact our support at https://support.jahia.com if you have a subscription.

Installation of the two other nodes

  • Stop Jahia on the processing node and make a backup thanks to an archive. The archive is used in order to preverse the attributes of the files (permissions and timestamps).
  • Transfer the archive to the two other servers
  • On each server:
    • Check that the prerequisites are fine
    • As the user jahia, extract the archive in the same folder than the processing node
    • Modify the file <DX_HOME>/digital-factory-config/jahia/jahia.node.properties
      • Property cluster.tcp.bindAddress has to be set to the IP of the server if you have multiple network interfaces
      • Property processingServer has to be uncommented and set to false
      • Property cluster.node.serverId has to be set to the hostname of the server
    • Look for the file discovery.config in a subfolder of <DX_HOME>/digital-factory-data/bundles-deployed and removed it
  • Put into place the log rotation as before
  • Put into place the service as before
  • Apply the modifications to work around the know bugs as previously
  • Start Jahia thanks to its service on each node then check the same things than before

Apache2 front-ends

The front-end will proxy the Jahia nodes thanks to the HTTP protocol. Depending at what levels the SSL is being handled (Failover and/or Apache2 and/or Tomcat), the next steps might need some changes.

  • Here is an example of the configuraiton for an Apache2 virtual host, that shoud be in /etc/httpd/sites-available/<PUBLIC_DOMAIN>.conf:
    <VirtualHost *:80>
            ServerName <PUBLIC_DOMAIN>
            DocumentRoot /var/www/vhosts/<PUBLIC_DOMAIN>/html/
    
            <Directory /var/www/vhosts/<PUBLIC_DOMAIN>/html>
                    Options -Indexes
            </Directory>
    
            CustomLog /var/log/apache2/access-<PUBLIC_DOMAIN>.log combined
            ErrorLog /var/log/apache2/error-<PUBLIC_DOMAIN>.log
    
            RewriteEngine On
            RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
            RewriteRule .* - [F]
    
            RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    </VirtualHost>
    
    <VirtualHost *:80>
            ServerName <PUBLIC_CONTRIBUTE_DOMAIN>
            DocumentRoot /var/www/vhosts/<PUBLIC_CONTRIBUTE_DOMAIN>/html/
    
            <Directory /var/www/vhosts/<PUBLIC_CONTRIBUTE_DOMAIN>/html>
                    Options -Indexes
            </Directory>
    
            CustomLog /var/log/apache2/access-<PUBLIC_CONTRIBUTE_DOMAIN>.log combined
            ErrorLog /var/log/apache2/error-<PUBLIC_CONTRIBUTE_DOMAIN>.log
    
            RewriteEngine On
            RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
            RewriteRule .* - [F]
    
            RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    </VirtualHost>
    
    <VirtualHost *:443>
            ServerName <PUBLIC_DOMAIN>
            DocumentRoot /var/www/vhosts/<PUBLIC_DOMAIN>/html/
    
            <Directory /var/www/vhosts/<PUBLIC_DOMAIN>/html>
                    Options -Indexes
            </Directory>
    
            CustomLog /var/log/apache2/access-<PUBLIC_DOMAIN>.log combined
            ErrorLog /var/log/apache2/error-<PUBLIC_DOMAIN>.log
    
            ProxyPreserveHost On
            ProxyRequests Off
            ProxyPass /robots.txt !
    
            ProxyPass /errors/ !
            ProxyErrorOverride On
            ErrorDocument 503 /errors/503.html
            ErrorDocument 404 /errors/404.html
            ErrorDocument 401 /cms/login
    
            ProxyPass / balancer://jahia_cluster/
            ProxyPassReverse / balancer://jahia_cluster/
            <Proxy balancer://jahia_cluster>
                    BalancerMember http://<JAHIA_SRV_FQDN_02>:8080 route=<JAHIA_SRV_02> connectiontimeout=20 timeout=300 ttl=120
                    BalancerMember http://<JAHIA_SRV_FQDN_03>:8080 route=<JAHIA_SRV_03> connectiontimeout=20 timeout=300 ttl=120                
                    ProxySet lbmethod=bytraffic stickysession=JSESSIONID|jsessionid
            </Proxy>
    
            RemoteIPHeader X-Forwarded-For
            Include ssl-common.conf
    
            # BACKLOG-5641
            Header set X-XSS-Protection "1; mode=block"
            Header set X-Content-Type-Options nosniff
            # BACKLOG-5641
            Header set X-Frame-Options: "sameorigin"
            # BACKLOG-7050
            SessionMaxAge 63072000
    
            Include protection.conf
            Include dx-security.conf
    
            # Redirect to edit mode when /cms/edit is present in the URI
            RewriteEngine On
            RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
            RewriteRule .* - [F]
            RewriteRule ^(/cms/edit/.*)$ https://<PUBLIC_CONTRIBUTE_DOMAIN>%{REQUEST_URI} [R=301,L]
    </VirtualHost>
    
    <VirtualHost *:443>
            ServerName <PUBLIC_CONTRIBUTE_DOMAIN>
            DocumentRoot /var/www/vhosts/<PUBLIC_CONTRIBUTE_DOMAIN>/html/
    
            <Directory /var/www/vhosts/<PUBLIC_CONTRIBUTE_DOMAIN>/html>
                    Options -Indexes
            </Directory>
    
            CustomLog /var/log/apache2/access-<PUBLIC_CONTRIBUTE_DOMAIN>.log combined
            ErrorLog /var/log/apache2/error-<PUBLIC_CONTRIBUTE_DOMAIN>.log
    
            ProxyPreserveHost On
            ProxyRequests Off
            ProxyPass /robots.txt !
    
            ProxyPass /errors/ !
            ProxyErrorOverride On
            ErrorDocument 503 /errors/503.html
            ErrorDocument 404 /errors/404.html
            ErrorDocument 401 /cms/login
    
            ProxyPass / balancer://jahia_cluster/
            ProxyPassReverse / balancer://jahia_cluster/
            <Proxy balancer://jahia_cluster>
                    BalancerMember http://<JAHIA_SRV_FQDN_01>:8080 route=<JAHIA_SRV_01> connectiontimeout=20 timeout=300 ttl=120
                    ProxySet lbmethod=bytraffic stickysession=JSESSIONID|jsessionid
            </Proxy>
    
            RemoteIPHeader X-Forwarded-For
            RequestHeader set X-Forwarded-Proto "https"
    
            Include ssl-common.conf
            Header set X-Robots-Tag "noindex, nofollow"
    
            # BACKLOG-5641
            Header set X-XSS-Protection "1; mode=block"
            Header set X-Content-Type-Options nosniff
            # BACKLOG-5641
            Header set X-Frame-Options: "sameorigin"
            # BACKLOG-7050
            SessionMaxAge 63072000
    
            Include protection.conf
            Include dx-security.conf
    </VirtualHost>
    
    
    

And here are some files included in this virtual host:

  • dx-security.conf: restrict the access to sensitive URLs (administration, contributing, edition, tools, etc) to some trusted IPs
    # secure admin/contrib URLs from outside our network
    Define allowed_ip "LIST_OF_SECURED_IPS"
    <LocationMatch "^/(start|cms\/admin|welcome\/adminmode|cms\/edit|cms\/contribute|cms\/studio|tools|modules\/tools|repository|server)">
        Require ip ${allowed_ip}
    </LocationMatch>
    
  • protection.conf: some standards URLs that hackers are trying to use and consequently the logs can be polluted
    <IfModule mod_rewrite.c>
    	RewriteEngine On
            RewriteCond %{REQUEST_URI} ^/adminer_nq.php$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/adminer.php$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/adm.php$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/.*\.asp$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/.*\.aspx$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/[^/]+\.bak$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/cgi-bin/.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/clientaccesspolicy.xml$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/crossdomain.xml$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/[^/]+\.dat$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/\.env$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/\.ftpconfig$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/\.git/.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/\.git$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/Joomla/.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/MySQLDumper/.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/php.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/ping-fstrz$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/plus/.*\.php$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/pma/.*\.php$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/[^/]+\.rar$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/readme.html$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/SQLiteManager/.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/SQLiteManager/.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/SQLite/.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/[^/]+\.sql$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/sql.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/sugarcrm/.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/SugarCRM/.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/[^/]+\.tar\.gz$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/[^/]+\.tar$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/wordpress/.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/wp-login.php$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/wp-.*$ [NC,OR]
            RewriteCond %{REQUEST_URI} ^/[^/]+\.zip$ [NC]
    	RewriteRule ^.*$ - [F,L]
    </IfModule>
    
    
  • ssl-common.conf: only few directives in order to activate the SSL.
    SSLEngine on
    SSLCertificateKeyFile /etc/apache2/ssl/privkey.pem
    SSLCertificateFile /etc/apache2/ssl/fullchain.pem
    RequestHeader set X-Forwarded-Proto "https"
    
  • Once your configuration is ready, you have to activate the site with this command:
    a2ensite <PUBLIC_DOMAIN>
  • Depending on your configuration, you will need to activate the Apache2 modules.
    • Here is a list according to our example:
      • headers_module
      • lbmethod_bytraffic_module
      • mpm_prefork_module
      • proxy_module
      • proxy_balancer_module
      • proxy_http_module
      • remoteip_module
      • reqtimeout_module
      • rewrite_module
      • ssl_module
      • status_module
    • Activate the related module thanks to this command:
      a2enmod <MODULE_NAME>
  • Do not forget to run this command before reloading/restarting the Apache2 service in order to test it:
    apachectl configtest
    • If you're getting an error like Invalid command ‘XXXXX’, perhaps misspelled or defined by a module, it means that an HTTP module needs to be activated.  To correct that, you have to:
      • Go to the Apache2 documentation and look for module who handles this command/directive, we will call it <MODULE_NAME>
      • Activate the related module thanks to this command:
        a2enmod <MODULE_NAME>
      • Test again your configuration
  • If it's ok, reload the service:
    systemctl reload httpd
  • Once your Apache2 is setup, you can check a few things:
    • Connect to Jahia and check in the logs that the client IP is correct. It should be the one of the client and not the one from the web server or any network element at an upper level. To get the expected IP of the client, you can to the website What is my public IP
    • In the administration mode of Jahia, create a sample website with the server name set to the same public domain used in the virtual host and publish the website. Try to connect to it and you should have an URL like https://<PUBLIC_DOMAIN>.home.html and not something like https://<PUBLIC_DOMAIN>/cms/render/live/en/sites/<SITE_KEY>/home.html
    • Check the quality of your SSL thanks to this website: https://www.ssllabs.com/ssltest/
    • If it's not A+, please check this website in order to improve the score: https://cipherli.st/