Setting up a Jahia cluster
October 8, 2024
Here are the steps followed to install an Jahia cluster for a production environment. We will also detail the installation of two Apache2 front-ends.
General
Jahia will be installed on a cluster of three nodes:
- The first node, the processing, will be used for the contribution (addition of content, etc)
- The two other servers will be used for the consultation
Each node has :
- CentOS
- 40 GB of hard drive
- 4 CPUs
- 8 GB of memory
We will also need two servers for Apache2 and one server for the PostgreSQL database (version 9.X).
A F5 or a failover configuration (like Haproxy) above are recommended but won't be described in this document.
Matrix
The following parameters will be used between "<" an ">" in the next parts of the documentation.
| Variable | Value | Description |
|---|---|---|
| DB_NAME | jahia | Name of the PostgreSQL database |
| DB_PORT | 5432 | Port used by PostgreSQL |
| DB_PASSWORD | Change_it_it_s_important | Password to access the database |
| DB_SRV_FQDN | psql01.int.jahia.com | Fully qualified domain name of the DB server |
| DB_USER_NAME | jahia | User to access the DV |
| DX_DATASTORE | /srv/datastore/jahia | Path of the Jahia datastore |
| DX_HOME | /src/jahia | Home of Jahia |
| DX_INSTALLER | DigitalExperienceManager-EnterpriseDistribution-7.2.2.0-r57545.4233.jar | Name of the Jahia installer |
| DX_TOOLS_PASSWORD | Needs_to_be_complexed! | Password to access the Jahia tools |
| DX_TOOLS_USER | jahia | User to access the Jahia tools |
| DX_ROOT_PASSWORD | Needs_to_be_very_very_omplexed! | Password for the user root |
| JAHIA_LINUX_USER | jahia | Linux user used to install and to run Jahia |
| JAHIA_SRV_01 | jahia01 | Hostname for the first Jahia server |
| JAHIA_SRV_02 | jahia02 | Hostname for the second Jahia server |
| JAHIA_SRV_03 | jahia03 | Hostname for the third Jahia server |
| JAHIA_SRV_FQDN_01 | jahia01.int.jahia.com | Fully qualified domain name for the first Jahia server |
| JAHIA_SRV_FQDN_02 | jahia02.int.jahia.com | Fully qualified domain name for the second Jahia server |
| JAHIA_SRV_FQDN_03 | jahia03.int.jahia.com | Fully qualified domain name for the third Jahia server |
| MAIL_ADDRESS | it@jahia.com | E-Mail address used to send/receive communications from Jahia |
| ORACLE_JDK_FILE_NAME | jdk-8u191-linux-i586.rpm | Package for the Oracke JDK 8 |
| TOMCAT_HOME | <DX_HOME>/tomcat | Home of Tomcat |
| WEB_SRV_FQDN_01 | web1.int.jahia.com | Fully qualified domain name for the first web server |
| WEB_SRV_FQDN_02 | web2.int.jahia.com | Fully qualified domain name for the second web server |
| PUBLIC_CONTRIBUTE_DOMAIN | exemple-contribute.jahia.com | Public domain to access the contribution/edition |
| PUBLIC_DOMAIN | example.jahia.com | Public domain used to access Jahia |
Prerequisites
Install
Oracle JDK 8
Jahia runs on a Java platform so it needs the Oracle JDK to be installed on the system.
- Go to the Oracle download page
- Look for the last JDK 8, download the Linux appropriate .rpm package then install it:
sudo yum localinstall <ORACLE_JDK_FILE_NAME> - Once it's installed, check that the following command returns the correct version:
java -version - If you expect the JVM to communicate with SSL endpoints/certicates that are not recognized by default, do not forget to add them to the JVM repository and to disable the automatic update of the JDK.
LibreOffice
LibreOffice is being using by Jahia for document conversion.
- Install it:
sudo yum install libreoffice
ImageMagick
ImageMagick is being used by Jahia for all operations related to the images (resizing, thumbnails, etc.)
- Install it:
sudo yum install ImageMagick
Development tools
Even if you should not need these tools, they might be useful in case of an outage.
- Install maven/subversion/git:
sudo yum install maven subversion git
LogRotate
By default, the logs are being rotated but there isn't any mechanism to remove logs older than a specific date. Linux offers a very useful tool to handle the logs.
- LogRotate should already be installed by default but if it's not the case:
sudo yum install logrotate
Swappiness
Swappiness is a value between 1 and 100 that controls the priority of the use of the RAM vs the SWAP. In Java applications, the garbage collector might end up using the swap which can slow a lot an application.
- Check the swappiness
sudo cat /proc/sys/vm/swappiness
- If it's below or equal to 10, you don't have to do anything. Otherwise, apply the modifications at runtime:
sudo sysctl vm.swappiness=10 sudo swapoff -a sudo swapon -a
- Make the modifications persistent by modifying the file
/etc/sysctl.conf:vm.swappiness = 10
Entropy
Jahia is generating some UUIDs and for that, it needs some randomness and that needs a good entropy. In some virtualized environments, this entropy is not good at all and needs to be improved in order to have good performances.
Please follow this documentation: Jahia and entropy
Jahia Linux user
- For security reasons, Jahia will need to be installed under a specific user:
sudo adduser --quiet --disabled-password --disabled-login --home <DX_HOME> --gecos "" <JAHIA_LINUX_USER>
Database connection
- The nodes of a Jahia cluster are communicating between each other thanks to two TCP ports (By default 7860 and 7870). Please check with your IT team that these flows are authorized.
Database connection
- The latency against the database needs to be very small, < 0 ms, in order to get good performances:
ping <DB_SRV_FQDN> - Check also that you are able to connect with the DB client and the credentials that will be used for Jahia. This user needs to be able to create the necessary tables and to insert/update/delete their content.
- In case you're using a dedicated schema, please be sure that it's the default schema or you will have to customiez the JDBC url.
SMTP connection
- Check that you're able to send mail with the SMTP server you want to use (SMTP relay, SMTP service, etc) from each Jahia server
Shared folder
The Jahia cluster will need a shared folder in order to store the datastore. In order to prevent a SPOF, we advise to check that you the related hardware and software have some redundancy. The easiest way is to give full rights for this user on this table.
- Check that the user jahia has the right to create a file in the datastore
sudo -u <JAHIA_LINUX_USER> touch <DX_DATASTORE> - Do not forget to remove this file
Internet connection
Check that you have access to Internet
Jahia cluster
Install
- First we are going to install the processing node
- Become the user jahia:
sudo -i -u <JAHIA_LINUX_USER> - Retrieve the last minor version of Jahia you're using from the page Jahia . Why this version? Because it might contains a lot of bug fixes.
- To install it:
java -jar <DX_INSTALLER> -console - Then follow these actions:
- Accept the license
- Enter the path of Jahia: <DX_HOME>
- Choose the Custom install (advanced)
- By default, keep the installation of Tomcat
- By default, use a standalone DBMS (DataBase Management System)
- Choose PostgreSQL 9.X (item n°3)
- By default, keep the Database driver: org.postgresql.Driver
- Enter the Database URL related to your environment: jdbc:postgresql://<DB_SRV_FQDN>:<DB_PORT>/<DB_NAME>
- Enter the Database username: <DB_USER_NAME>
- Enter the Database password: <DB_PASSWORD>
- The datastore will be a shared folder so do not store binary data in the database
- By default, create the required database tables
- By default, keep the context name empty
- Specify the Jahia tool manager username: <DX_TOOLS_USER>
- Specify the Jahia tool manager password (it has to be complex for security reasons): <DX_TOOLS_PASSWORD>
- By default, keep the SSH console port set to 8101
- By default, keep the HTTP connector port set to 8080
- By default, keep the HTTPS redirect port set to 8443
- By default, keep the AJP connector port set to 8009
- By defaut, keep the Server shutdown port set to 8005
- Set the jvmRoute to the hostname, it will ease the maintenance/debugging later: <JAHIA_SRV_01>
- Set the Maximum heap size in MB to 6144
- By default, keep the Maximum PermGen size in MB to 384
- There is no need at this level to add any additional option to the JVM
- Set the operating mode to Production
- If not needed, do not configure an LDAP provider
- Activate the cluster mode by selecting the option Provide cluster configuration for this server
- As this is the first server of the cluster, it has to be a background job processing server. A cluster can only have one processing server otherwise it can lead to a full corruption of the data.
- If your server has multiple network interfaces, enter the IP that will be used to communicate with the other servers
- By default, keep the Port number set to 7870
- By default, keep the Hazelcast Port set to 7860
- For the Current node server ID, set it to the hostname, it will the maintenance/debugging later
- CSet the path to the datastore: <DX_DATASTORE>
- Enter the password for the root user (it needs to be complex): <DX_ROOT_PASSWORD>
- Confirm it
- The First name, Last name and E-mail are optional, put what you want
- Choose the Preferred language: 1 for English, 3 for French
- Set the Mail server to 127.0.0.1
- Set the Mail administrator to the team that will handle the servers: <MAIL_ADDRESS>
- Set the Mail from - sender to the team that will handle Jahia: <MAIL_ADDRESS>
- Validate the settings to be sure that Jahia will be correctly installed
- If LibreOffice is installed, its path should be automatically set. If it's not the case, it's should be /usr/lib64/libreoffice in CentOS
- The binaries of ImageMagik should be installed by default in /usr/bin
- Choose the default language: 41 for English, 60 for French
- Keep the development license provided by default
- No need to add a path to a folder with additional modules to be deployed
- By default, keep the Runtime data path: <DX_HOME>/digital-factory-data
- By default, keep the Configuration path: <DX_HOME>/digital-factory-config
- Installation should be done and here is what you should have in the console:
[ Starting to unpack ] [ Processing package: Jahia + Jahia Core Content Platform (1/2) ] [ Processing package: Add Apache Tomcat - generate a complete installation folder (2/2) ] [ Unpacking finished ] Install was successful application installed on /srv/jahia [ Console installation done ]
Logs rotation
- Modify the file <DX_HOME>/digital-factory-config-jahia/jahia.log4j.xml in order to replace the term DaileRollingFileAppender with FileAppender:
sed -i 's/DailyRollingFileAppender/FileAppender/' log4j.xml
- Modify the file <TOMCAT_HOME>/conf/server.xml in order to have the following content for the ValveAccessLog:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="access-log" suffix=".txt" rotatable="false"
pattern="%h %l %u %t "%r" %s %b" />
- Below the following modification, add also this content for the RemoteIpValve:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
protocolHeaderHttpsValue="https"/>
- Modify the file <TOMCAT_HOME>/conf/logging.properties in order to have the following content:
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
handlers = java.util.logging.ConsoleHandler
.handlers = java.util.logging.ConsoleHandler
############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################
1catalina.org.apache.juli.AsyncFileHandler.level = FINE
1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
1catalina.org.apache.juli.AsyncFileHandler.maxDays = 90
2localhost.org.apache.juli.AsyncFileHandler.level = FINE
2localhost.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost.
2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90
3manager.org.apache.juli.AsyncFileHandler.level = FINE
3manager.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
3manager.org.apache.juli.AsyncFileHandler.prefix = manager.
3manager.org.apache.juli.AsyncFileHandler.maxDays = 90
4host-manager.org.apache.juli.AsyncFileHandler.level = FINE
4host-manager.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
4host-manager.org.apache.juli.AsyncFileHandler.prefix = host-manager.
4host-manager.org.apache.juli.AsyncFileHandler.maxDays = 90
java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter
############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.AsyncFileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.AsyncFileHandler
# For example, set the org.apache.catalina.util.LifecycleBase logger to log
# each component that extends LifecycleBase changing state:
#org.apache.catalina.util.LifecycleBase.level = FINE
# To see debug messages in TldLocationsCache, uncomment the following line:
#org.apache.jasper.compiler.TldLocationsCache.level = FINE
# To see debug messages for HTTP/2 handling, uncomment the following line:
#org.apache.coyote.http2.level = FINE
# To see debug messages for WebSocket handling, uncomment the following line:
#org.apache.tomcat.websocket.level = FINE
- Create the file /etc/logrotate.d/jahia_logrotate with the following content:
<TOMCAT_HOME>/logs/access-log.txt {
missingok
su jahia jahia
compress
copytruncate
rotate 14
daily
maxsize 500M
dateext
dateformat _%Y-%m-%d
}
<TOMCAT_HOME>/logs/catalina.out {
missingok
su jahia jahia
compress
copytruncate
rotate 14
daily
maxsize 500M
dateext
dateformat _%Y-%m-%d
}
<TOMCAT_HOME>/logs/jahia_access.log {
missingok
su jahia jahia
compress
copytruncate
rotate 14
daily
maxsize 500M
dateext
dateformat _%Y-%m-%d
}
<TOMCAT_HOME>/logs/jahia.log {
missingok
su jahia jahia
compress
copytruncate
rotate 14
daily
maxsize 500M
dateext
dateformat _%Y-%m-%d
}
<TOMCAT_HOME>/tomcat/logs/jahia_profiler.log {
missingok
su jahia jahia
compress
copytruncate
rotate 14
daily
maxsize 500M
dateext
dateformat _%Y-%m-%d
}
- Check that the previous file has the correct permission 644
Jahia as a service
- Create the file /etc/systemd/system/jahia.service with the following content:
[Unit]
Description=Jahia
After=network.target
[Service]
Type=simple
Environment=CATALINA_PID=<TOMCAT_HOME>/temp/tomcat.pid
Environment=CATALINA_HOME=<TOMCAT_HOME>
Environment=CATALINA_BASE=<TOMCAT_HOME>
Environment="CATALINA_OPTS=-server"
Environment="JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/urandom"
ExecStart=<TOMCAT_HOME>/bin/catalina.sh run
ExecStop=/bin/kill -15 $MAINPID
WorkingDirectory=<DX_HOME>
User=jahia
Group=jahia
RestartSec=10
Restart=on-failure
SuccessExitStatus=143
TimeoutSec=300
[Install]
WantedBy=multi-user.target
- Enable the service with the following command:
systemctl enable jahia
Securing
- Retrieve the last version of the module security-filter on our store.
- Be aware that if you have done your developments and test without it, it is strongly advised to read and follow this documentation.
wget https://store.jahia.com/cms/mavenproxy/private-app-store/org/jahia/modules/security-filter/1.0.2/security-filter-1.0.2.jar - Transfer the module to <DX_HOME>/digital-factory-data/modules:
mv security-filter-1.0.2.jar <DX_HOME>/digital-factory-data/modules/
Bugs workaround
QA-10559
On each node, add the following line to the file <DX_HOME>/digital-factory-config/jahia/jahia.properties:
modules.purgeAtStartup = false
On each node, add the following line to the file <DX_HOME>/digital-factory-config/jahia/jahia.properties:
repositoryDirectoryListingDisabled = true
On each node, add the following line to the file <TOMCAT_HOME>/bin/setenv.sh:
CATALINA_OPTS="$CATALINA_OPTS -Dkaraf.handle.sigterm=false"
Start and check Jahia
- Start Jahia thanks to its service:
systemctl start jahia - Display the stdout logs:
journalctl -f -u jahia - Wait for Jahia to be completely started, you should see that in the logs:
--------------------------------------------------------------------------------------------------
P R O D U C T I O N M O D E A C T I V E
--------------------------------------------------------------------------------------------------
Modules:
Started: 38
--------------------------------------------------------------------------------------------------
- If you don't have all the default modules started, it might be the consequence of a problem. If that's the case, please contact our support at https://support.jahia.com if you have a subscription.
- Now it's time to check that we have access to the administration and to the tools:
- Go to http://<JAHIA_SRV_01>:8080/administration and login
- Go to http://<JAHIA_SRV_01>:8080/tools and login
- Open the cluster view and check that everything seems to be correct: you should see in the tables the processing server with the correct IP and ports. If you have a doubt, please contact our support at https://support.jahia.com if you have a subscription.
Installation of the two other nodes
- Stop Jahia on the processing node and make a backup thanks to an archive. The archive is used in order to preverse the attributes of the files (permissions and timestamps).
- Transfer the archive to the two other servers
- On each server:
- Check that the prerequisites are fine
- As the user jahia, extract the archive in the same folder than the processing node
- Modify the file <DX_HOME>/digital-factory-config/jahia/jahia.node.properties
- Property cluster.tcp.bindAddress has to be set to the IP of the server if you have multiple network interfaces
- Property processingServer has to be uncommented and set to false
- Property cluster.node.serverId has to be set to the hostname of the server
- Look for the file discovery.config in a subfolder of <DX_HOME>/digital-factory-data/bundles-deployed and removed it
- Put into place the log rotation as before
- Put into place the service as before
- Apply the modifications to work around the know bugs as previously
- Start Jahia thanks to its service on each node then check the same things than before
Apache2 front-ends
The front-end will proxy the Jahia nodes thanks to the HTTP protocol. Depending at what levels the SSL is being handled (Failover and/or Apache2 and/or Tomcat), the next steps might need some changes.
- Here is an example of the configuraiton for an Apache2 virtual host, that shoud be in /etc/httpd/sites-available/<PUBLIC_DOMAIN>.conf:
<VirtualHost *:80> ServerName <PUBLIC_DOMAIN> DocumentRoot /var/www/vhosts/<PUBLIC_DOMAIN>/html/ <Directory /var/www/vhosts/<PUBLIC_DOMAIN>/html> Options -Indexes </Directory> CustomLog /var/log/apache2/access-<PUBLIC_DOMAIN>.log combined ErrorLog /var/log/apache2/error-<PUBLIC_DOMAIN>.log RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] </VirtualHost> <VirtualHost *:80> ServerName <PUBLIC_CONTRIBUTE_DOMAIN> DocumentRoot /var/www/vhosts/<PUBLIC_CONTRIBUTE_DOMAIN>/html/ <Directory /var/www/vhosts/<PUBLIC_CONTRIBUTE_DOMAIN>/html> Options -Indexes </Directory> CustomLog /var/log/apache2/access-<PUBLIC_CONTRIBUTE_DOMAIN>.log combined ErrorLog /var/log/apache2/error-<PUBLIC_CONTRIBUTE_DOMAIN>.log RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] </VirtualHost> <VirtualHost *:443> ServerName <PUBLIC_DOMAIN> DocumentRoot /var/www/vhosts/<PUBLIC_DOMAIN>/html/ <Directory /var/www/vhosts/<PUBLIC_DOMAIN>/html> Options -Indexes </Directory> CustomLog /var/log/apache2/access-<PUBLIC_DOMAIN>.log combined ErrorLog /var/log/apache2/error-<PUBLIC_DOMAIN>.log ProxyPreserveHost On ProxyRequests Off ProxyPass /robots.txt ! ProxyPass /errors/ ! ProxyErrorOverride On ErrorDocument 503 /errors/503.html ErrorDocument 404 /errors/404.html ErrorDocument 401 /cms/login ProxyPass / balancer://jahia_cluster/ ProxyPassReverse / balancer://jahia_cluster/ <Proxy balancer://jahia_cluster> BalancerMember http://<JAHIA_SRV_FQDN_02>:8080 route=<JAHIA_SRV_02> connectiontimeout=20 timeout=300 ttl=120 BalancerMember http://<JAHIA_SRV_FQDN_03>:8080 route=<JAHIA_SRV_03> connectiontimeout=20 timeout=300 ttl=120 ProxySet lbmethod=bytraffic stickysession=JSESSIONID|jsessionid </Proxy> RemoteIPHeader X-Forwarded-For Include ssl-common.conf # BACKLOG-5641 Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options nosniff # BACKLOG-5641 Header set X-Frame-Options: "sameorigin" # BACKLOG-7050 SessionMaxAge 63072000 Include protection.conf Include dx-security.conf # Redirect to edit mode when /cms/edit is present in the URI RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] RewriteRule ^(/cms/edit/.*)$ https://<PUBLIC_CONTRIBUTE_DOMAIN>%{REQUEST_URI} [R=301,L] </VirtualHost> <VirtualHost *:443> ServerName <PUBLIC_CONTRIBUTE_DOMAIN> DocumentRoot /var/www/vhosts/<PUBLIC_CONTRIBUTE_DOMAIN>/html/ <Directory /var/www/vhosts/<PUBLIC_CONTRIBUTE_DOMAIN>/html> Options -Indexes </Directory> CustomLog /var/log/apache2/access-<PUBLIC_CONTRIBUTE_DOMAIN>.log combined ErrorLog /var/log/apache2/error-<PUBLIC_CONTRIBUTE_DOMAIN>.log ProxyPreserveHost On ProxyRequests Off ProxyPass /robots.txt ! ProxyPass /errors/ ! ProxyErrorOverride On ErrorDocument 503 /errors/503.html ErrorDocument 404 /errors/404.html ErrorDocument 401 /cms/login ProxyPass / balancer://jahia_cluster/ ProxyPassReverse / balancer://jahia_cluster/ <Proxy balancer://jahia_cluster> BalancerMember http://<JAHIA_SRV_FQDN_01>:8080 route=<JAHIA_SRV_01> connectiontimeout=20 timeout=300 ttl=120 ProxySet lbmethod=bytraffic stickysession=JSESSIONID|jsessionid </Proxy> RemoteIPHeader X-Forwarded-For RequestHeader set X-Forwarded-Proto "https" Include ssl-common.conf Header set X-Robots-Tag "noindex, nofollow" # BACKLOG-5641 Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options nosniff # BACKLOG-5641 Header set X-Frame-Options: "sameorigin" # BACKLOG-7050 SessionMaxAge 63072000 Include protection.conf Include dx-security.conf </VirtualHost>
And here are some files included in this virtual host:
- dx-security.conf: restrict the access to sensitive URLs (administration, contributing, edition, tools, etc) to some trusted IPs
# secure admin/contrib URLs from outside our network Define allowed_ip "LIST_OF_SECURED_IPS" <LocationMatch "^/(start|cms\/admin|welcome\/adminmode|cms\/edit|cms\/contribute|cms\/studio|tools|modules\/tools|repository|server)"> Require ip ${allowed_ip} </LocationMatch> - protection.conf: some standards URLs that hackers are trying to use and consequently the logs can be polluted
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_URI} ^/adminer_nq.php$ [NC,OR] RewriteCond %{REQUEST_URI} ^/adminer.php$ [NC,OR] RewriteCond %{REQUEST_URI} ^/adm.php$ [NC,OR] RewriteCond %{REQUEST_URI} ^/.*\.asp$ [NC,OR] RewriteCond %{REQUEST_URI} ^/.*\.aspx$ [NC,OR] RewriteCond %{REQUEST_URI} ^/[^/]+\.bak$ [NC,OR] RewriteCond %{REQUEST_URI} ^/cgi-bin/.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/clientaccesspolicy.xml$ [NC,OR] RewriteCond %{REQUEST_URI} ^/crossdomain.xml$ [NC,OR] RewriteCond %{REQUEST_URI} ^/[^/]+\.dat$ [NC,OR] RewriteCond %{REQUEST_URI} ^/\.env$ [NC,OR] RewriteCond %{REQUEST_URI} ^/\.ftpconfig$ [NC,OR] RewriteCond %{REQUEST_URI} ^/\.git/.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/\.git$ [NC,OR] RewriteCond %{REQUEST_URI} ^/Joomla/.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/MySQLDumper/.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/php.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/ping-fstrz$ [NC,OR] RewriteCond %{REQUEST_URI} ^/plus/.*\.php$ [NC,OR] RewriteCond %{REQUEST_URI} ^/pma/.*\.php$ [NC,OR] RewriteCond %{REQUEST_URI} ^/[^/]+\.rar$ [NC,OR] RewriteCond %{REQUEST_URI} ^/readme.html$ [NC,OR] RewriteCond %{REQUEST_URI} ^/SQLiteManager/.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/SQLiteManager/.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/SQLite/.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/[^/]+\.sql$ [NC,OR] RewriteCond %{REQUEST_URI} ^/sql.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/sugarcrm/.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/SugarCRM/.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/[^/]+\.tar\.gz$ [NC,OR] RewriteCond %{REQUEST_URI} ^/[^/]+\.tar$ [NC,OR] RewriteCond %{REQUEST_URI} ^/wordpress/.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/wp-login.php$ [NC,OR] RewriteCond %{REQUEST_URI} ^/wp-.*$ [NC,OR] RewriteCond %{REQUEST_URI} ^/[^/]+\.zip$ [NC] RewriteRule ^.*$ - [F,L] </IfModule> - ssl-common.conf: only few directives in order to activate the SSL.
SSLEngine on SSLCertificateKeyFile /etc/apache2/ssl/privkey.pem SSLCertificateFile /etc/apache2/ssl/fullchain.pem RequestHeader set X-Forwarded-Proto "https" - Once your configuration is ready, you have to activate the site with this command:
a2ensite <PUBLIC_DOMAIN> - Depending on your configuration, you will need to activate the Apache2 modules.
- Here is a list according to our example:
- headers_module
- lbmethod_bytraffic_module
- mpm_prefork_module
- proxy_module
- proxy_balancer_module
- proxy_http_module
- remoteip_module
- reqtimeout_module
- rewrite_module
- ssl_module
- status_module
- Activate the related module thanks to this command:
a2enmod <MODULE_NAME>
- Here is a list according to our example:
- Do not forget to run this command before reloading/restarting the Apache2 service in order to test it:
apachectl configtest- If you're getting an error like Invalid command ‘XXXXX’, perhaps misspelled or defined by a module, it means that an HTTP module needs to be activated. To correct that, you have to:
- Go to the Apache2 documentation and look for module who handles this command/directive, we will call it <MODULE_NAME>
- Activate the related module thanks to this command:
a2enmod <MODULE_NAME> - Test again your configuration
- If you're getting an error like Invalid command ‘XXXXX’, perhaps misspelled or defined by a module, it means that an HTTP module needs to be activated. To correct that, you have to:
- If it's ok, reload the service:
systemctl reload httpd - Once your Apache2 is setup, you can check a few things:
- Connect to Jahia and check in the logs that the client IP is correct. It should be the one of the client and not the one from the web server or any network element at an upper level. To get the expected IP of the client, you can to the website What is my public IP
- In the administration mode of Jahia, create a sample website with the server name set to the same public domain used in the virtual host and publish the website. Try to connect to it and you should have an URL like https://<PUBLIC_DOMAIN>.home.html and not something like https://<PUBLIC_DOMAIN>/cms/render/live/en/sites/<SITE_KEY>/home.html
- Check the quality of your SSL thanks to this website: https://www.ssllabs.com/ssltest/
- If it's not A+, please check this website in order to improve the score: https://cipherli.st/