Reverse Proxying Apache Lenya
Introduction
The Lenya LinkRewritingTransformer allows flexible proxy configuration.
You can define a different proxy for each combination of area (authoring and live)
and encryption (not encrypted or SSL). The Lenya part of the
proxy configuration is done in $PUBLICATION/config/publication.xconf.
If you specify your proxy setup in that file, the LinkRewritingTransformer will rewrite links in your
publication to match these settings.
Configuration in publication.xconf
The publication.xconf of the default publication has proxying disabled by default:

    <publication>
      <languages>
        <language default="true">en</language>
        <language>de</language>
      </languages>
      <path-mapper>org.apache.lenya.cms.publication.DefaultDocumentIdToPathMapper</path-mapper>
      <document-builder>org.apache.lenya.cms.publication.DefaultDocumentBuilder</document-builder>
      <breadcrumb-prefix/>
      <!--
      <proxy area="live" ssl="true" url="https://www.host.com/ssl/default"/>
      <proxy area="live" ssl="false" url="http://www.host.com/default"/>
      <proxy area="authoring" ssl="true" url="https://www.host.com/lenya/default/authoring"/>
      <proxy area="authoring" ssl="false" url="http://www.host.com/lenya/default/authoring"/>
      -->
    </publication>

A possible configuration for two servers (an authoring server and a live server) may look like:

    <publication>
      <languages>
        <language default="true">de</language>
        <language>en</language>
      </languages>
      <path-mapper>org.apache.lenya.cms.publication.DefaultDocumentIdToPathMapper</path-mapper>
      <document-builder>org.apache.lenya.cms.publication.DefaultDocumentBuilder</document-builder>
      <breadcrumb-prefix>University of Zurich</breadcrumb-prefix>
      <proxy url="https://cms.live.ch/lenya/sandbox" ssl="true" area="live"/>
      <proxy url="http://cms.sandbox.live.ch/lenya" ssl="false" area="live"/>
      <proxy url="https://cms.authoring.ch/lenya/sandbox/authoring" ssl="true" area="authoring"/>
      <proxy url="http://cms.authoring.ch/lenya/sandbox/authoring" ssl="false" area="authoring"/>
    </publication>

- There is an SSL-enabled authoring server (cms.authoring.ch), and the URL you get is e.g. http://cms.authoring.com/lenya/sandbox/authoring/index.html.
- There is an SSL-enabled live server (cms.live.ch and cms.sandbox.live.ch), and the URL you get on the live side is e.g. http://cms.sandbox.live.ch/lenya/index.html.
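
A mismatch between the ssl attribute and the URL scheme of a proxy entry is easy to overlook in this file. The following check is an added example, not part of Lenya or of the original page; the function name check_proxies and the sample input are constructed for illustration, and it assumes only the two areas named on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample based on the two-server configuration above, with one
# deliberate mistake: the ssl="true" authoring proxy points at an http:// URL.
SAMPLE_XCONF = """
<publication>
  <proxy url="https://cms.live.ch/lenya/sandbox" ssl="true" area="live"/>
  <proxy url="http://cms.sandbox.live.ch/lenya" ssl="false" area="live"/>
  <proxy url="http://cms.authoring.ch/lenya/sandbox/authoring" ssl="true" area="authoring"/>
</publication>
"""

AREAS = ("authoring", "live")  # assumption: only the areas named on this page


def check_proxies(xconf_text):
    """Return a list of findings for the <proxy> elements of a publication.xconf."""
    findings, seen = [], set()
    for proxy in ET.fromstring(xconf_text).iter("proxy"):
        key = (proxy.get("area"), proxy.get("ssl"))
        url = urlsplit(proxy.get("url", ""))
        if key[1] not in ("true", "false"):
            findings.append(f"{key}: ssl must be 'true' or 'false'")
            continue
        if key in seen:
            findings.append(f"duplicate proxy for {key}")
        seen.add(key)
        expected = "https" if key[1] == "true" else "http"
        if url.scheme != expected:
            # Rewritten links would carry the wrong scheme for this pair.
            findings.append(f"{key}: url scheme is {url.scheme!r}, expected {expected!r}")
        if not url.netloc:
            findings.append(f"{key}: url has no host")
    for area in AREAS:
        for ssl in ("true", "false"):
            if (area, ssl) not in seen:
                findings.append(f"no proxy defined for {(area, ssl)}")
    return findings


if __name__ == "__main__":
    for finding in check_proxies(SAMPLE_XCONF):
        print(finding)
```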
Note: So far, sessions only work if you add /lenya after your domain, because the cookie sent to the client stores the web application context. The browser therefore does not send the cookie back if you request a page like http://cms.sandbox.live.ch/index.html.
This is also mentioned on the Cocoon Wiki page on proxying. Apache 2.1 will provide a recently introduced proxy directive for translating the cookie path, ProxyPassReverseCookiePath. With ProxyPassReverseCookiePath /lenya / Apache translates the cookie path so that the cookie is always sent back to the server. As of today even the trunk version of Apache httpd does not have this feature. If you still want to use it with Apache 2.0, you will have to apply a patch (http://issues.apache.org/bugzilla/show_bug.cgi?id=10722) and rebuild the Apache modules mod_proxy and mod_http_proxy. The patch should work with Apache 2.0.49+ (I use it with 2.0.52 without any problems).
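
The cookie path problem described above, as an added example that is not part of the original page: it applies the RFC 6265 path-match rule to a constructed session cookie and then to the same cookie after a /lenya to / translation. translate_cookie_path is a simplified model of the directive written for this illustration, not Apache's code, and all function names are hypothetical.

```python
# Constructed session cookie, scoped to the /lenya web application context.
SET_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/lenya; HttpOnly"


def cookie_path(set_cookie):
    """Return the Path attribute of a Set-Cookie value."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "path":
            return value
    raise ValueError("no Path attribute; the browser would derive a default")


def path_matches(request_path, cpath):
    """RFC 6265 section 5.1.4: is a cookie with path cpath sent for request_path?"""
    if request_path == cpath:
        return True
    if request_path.startswith(cpath):
        # A prefix only counts when it ends on a path-segment boundary.
        return cpath.endswith("/") or request_path[len(cpath)] == "/"
    return False


def browser_sends(set_cookie, request_path):
    return path_matches(request_path, cookie_path(set_cookie))


def translate_cookie_path(set_cookie, internal, public):
    """Simplified model of `ProxyPassReverseCookiePath internal public`."""
    pair, *attrs = [a.strip() for a in set_cookie.split(";")]
    out = [pair]
    for attr in attrs:
        name, _, value = attr.partition("=")
        if name.lower() == "path" and path_matches(value, internal):
            rest = value[len(internal):].lstrip("/")
            attr = name + "=" + (public.rstrip("/") + "/" + rest if rest else public)
        out.append(attr)
    return "; ".join(out)


if __name__ == "__main__":
    fixed = translate_cookie_path(SET_COOKIE, "/lenya", "/")
    for header in (SET_COOKIE, fixed):
        for path in ("/index.html", "/lenya/index.html"):
            print(f"{header!r} sent for {path}: {browser_sends(header, path)}")
```

After the translation the cookie carries Path=/, so the browser sends the session cookie with every request to that host, including paths that are not proxied to Lenya.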
As an alternative to patching Apache, you could install Lenya within the ROOT context, because then the CookiePath will contain "/" instead of "/lenya" and it will work with the common mod_proxy settings. Note that you'll have to adjust the proxy rules to get rid of "/lenya" in this case. If you run Jetty, which runs Lenya in the ROOT context, you'll have to remove the "/lenya" parts as well. Another solution might be to use Squid. The configuration of the Apache web server that goes with this configuration is described next.
Apache Webserver setup / Rewrite Rules
Before you start, make sure you have mod_proxy and mod_rewrite set up correctly.
Rules for the authoring server
This sample configuration uses cms.authoring.ch as the host name.
- redirects logins to SSL
- assumes Tomcat, with Lenya running under /lenya (for Jetty, remove /lenya from the configuration)
- runs the authoring server over port 80
- publications are all mounted under cms.client.com/yourpub
- you can use this setup for your live server if you do not want to mount your publication in a virtualhost. Just replace authoring with live, and put the proxy / rewrite directives in a <Location> rule

    <VirtualHost cms.authoring.ch:80>
        ....
        # All content should be served by Tomcat (i.e. Lenya)
        ProxyRequests Off
        RewriteEngine On
        RewriteLog /var/log/apache2/cms.authoring.rewrite.log
        RewriteLogLevel 0
        # Add a trailing slash to /yourpub
        RewriteRule ^/([^/\.]+)$ $1/ [R]
        # Redirect /yourpub/ to the authoring start page of the publication
        RewriteRule ^/([^/\.]+)/$ http://cms.authoring.ch/lenya/$1/authoring/index.html [R,L]
        # Redirect login requests to SSL
        RewriteCond %{QUERY_STRING} lenya\.usecase=login(.*)
        RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
        # Proxy everything else to Tomcat on port 8080
        RewriteRule ^/(.*) http://cms.authoring.ch:8080/$1 [P,L]
        ProxyPassReverse / http://cms.authoring.ch:8080/
    </VirtualHost>
    <VirtualHost cms.authoring.ch:443>
        ....
        RewriteEngine On
        RewriteRule ^/([^/\.]+)$ $1/ [R]
        # Note: this redirect targets http://, so the browser leaves SSL here
        RewriteRule ^/([^/\.]+)/$ http://cms.authoring.ch/lenya/$1/authoring/index.html [R,L]
        # Proxy everything else to Tomcat on port 8080
        RewriteRule ^/(.*) http://%{SERVER_NAME}:8080/$1 [P,L]
        ProxyPassReverse / http://cms.authoring.ch:8080/
    </VirtualHost>

Rules for the live server
This sample configuration uses cms.sandbox.live.ch as the host name.
- each publication is mounted as a separate virtualhost
- assumes Tomcat, with Lenya running under /lenya (for Jetty, remove /lenya from the configuration)
- The publication in this sample is named sandbox
- Files within the directory static and files with the extension php are not redirected to Lenya.
- Certificate is issued for www.client.com

    <VirtualHost cms.sandbox.live.ch:80>
        ....
        ProxyRequests Off
        RewriteEngine On
        RewriteLog "/var/log/apache2/cms.sandbox.rewrite.log"
        RewriteLogLevel 1
        RewriteRule ^/$ /lenya/index.html [R]
        # Note: [^(lenya)] is a character class. It matches one character other
        # than "(", "l", "e", "n", "y", "a" or ")", not "anything but lenya",
        # so a path such as /about is not prefixed by this rule.
        RewriteRule ^/[^(lenya)](.*) /lenya$0 [R]
        RewriteRule ^/static/?(.*) $0 [L]
        RewriteRule ^/(.*)\.php $0 [L]
        # Not carefully tested yet -> login should use https
        #RewriteCond %{QUERY_STRING} lenya\.usecase=login(.*)
        #RewriteRule ^/lenya/(.*)/live/(.*)$ https://cms.live.ch/$1/$2 [R,L]
        RewriteRule ^/lenya/[^/]+/live/(.*)$ /lenya/$1 [R,L]
        RewriteRule ^/(.*\.css$) http://cms.live.ch:8080/$1 [L]
        RewriteRule ^/(.*/authoring/.*) http://cms.live.ch:8080/$1 [L]
        RewriteRule ^/lenya/(.*) http://cms.live.ch:8080/lenya/sandbox/live/$1 [P]
        ProxyPassReverse / http://cms.live.ch:8080/
    </VirtualHost>
    <VirtualHost cms.live.ch:443>
        ......
        ProxyRequests Off
        RewriteEngine On
        # RewriteRules for css and images
        RewriteRule ^/lenya/sandbox/(.*)/images/(.*)$ http://cms.live.ch:8080/lenya/sandbox/$1/images/$2 [L]
        RewriteRule ^/(.*\.css$) http://cms.live.ch:8080/$1 [L]
        RewriteRule ^/(lenya/[^/]+)/(.*)$ http://cms.live.ch:8080/$1/live/$2 [P,L]
        ProxyPassReverse / http://cms.live.ch:8080/
    </VirtualHost>