
...

<VirtualHost *:80>
   ServerName www.mywebsite.com
   DocumentRoot "/vol/www/mywebsite/web-docs/"
   ErrorLog logs/www.mywebsite.com_error.log
   CustomLog logs/www.mywebsite.com_custom.log common
   <Directory "/vol/www/mywebsite/web-docs/">
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>
   ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REQUEST_URI} !^/web/
      RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L] //xperiencentral versions r35 and lower
	  RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L] //xperiencentral versions r36 and higher 
    </IfModule>
</VirtualHost>
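Review bot: The trailing `//xperiencentral versions r35 and lower` / `r36 and higher` text on the two RewriteRule lines is not a comment to httpd — Apache has no end-of-line comments, so the extra words become additional RewriteRule arguments and the configuration fails to load; both rules are also active at once although they are meant as alternatives. Keep only the rule for the deployed version and put the note on a line of its own above it, e.g. `# XperienCentral r36 and higher` followed by `RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]`. The same pattern recurs in every mod_rewrite block on this page. Separately, `AllowOverride All` on the document root lets any `.htaccess` placed in the web tree change Options and handlers; since the page later uses `.htaccess` only for a CSP `Header`, limiting it to the groups actually needed (e.g. `AllowOverride FileInfo`) is the safer default.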

...

<VirtualHost *:80>
   ServerName edit.mywebsite.com
   DocumentRoot "/vol/www/mywebsite/web-docs/"
   ErrorLog logs/edit.mywebsite.com_error.log
   CustomLog logs/edit.mywebsite.com_custom.log common
   <Directory "/vol/www/mywebsite/web-docs/">
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>
   <Directory "/vol/www/mywebsite/web-docs/wm/b/">
      ExpiresActive ON
      ExpiresDefault "now plus 10 minutes"
      Header set Cache-Control "max-age=600"
   </Directory>
   ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REQUEST_URI} !^/web/  RewriteRule ^/(.*)\.htm$ /web/
    $1.htm [PT,L] //xperiencentral versions r35 and lower
	  RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PPT,L]
 //xperiencentral versions r36 and higher  
  < </IfModule>
</VirtualHost>
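Review bot: The `edit.mywebsite.com` vhost, which is the authoring/backend environment, is defined on `*:80` only with no redirect to HTTPS, so editor credentials and session cookies would travel in clear text unless a :443 vhost elsewhere on this page fronts it; give it the same `RewriteCond %{HTTPS} off` redirect the www vhost receives later, or serve the edit host only on 443. The flag list `[PPT,L]` on the second RewriteRule is not a valid flag set (PPT is not a mod_rewrite flag) and is presumably a typo for `[PT,L]`; httpd refuses to start on it. The comparison rendering has also merged the `RewriteCond` and first `RewriteRule` onto one line and left a stray `<` before `</IfModule>`; the intended lines are the ones shown in the first code block.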

...

<VirtualHost *:80>
   ServerName www.mywebsite.com
   DocumentRoot "/vol/www/mywebsite/web-docs/"
   ErrorLog logs/www.mywebsite.com_error.log
   CustomLog logs/www.mywebsite.com_custom.log common
   <Directory "/vol/www/mywebsite/web-docs/">
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>
   ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REQUEST_URI} !^RewriteRule ^/(.*)\.htm$ /web/
      $1.htm [PT,L] //xperiencentral versions r35 and lower
	  RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
 //xperiencentral versions r36 and higher  
  < </IfModule>
# Rewrite external requests to https
   <IfModule mod_rewrite.c>
      RewriteEngine On
      LogLevel emerg
      RewriteCond %{HTTPS} off
      RewriteCond %{REMOTE_HOST} !###\###\###\###$ (substitute the #s with the IP address of the backend server)
      RewriteCond %{REMOTE_HOST} !127\.0\.0\.1$
      RewriteCond %{REMOTE_HOST} !localhost$
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
      RewriteRule ^/wm.* - [L]
      RewriteCond %{REQUEST_URI} !^/web/
    RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L] //xperiencentral versions r35 and lower
	  RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
 //xperiencentral versions r36 and higher  
  < </IfModule>
</VirtualHost>
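Review bot: `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]` builds the redirect target from the client-supplied Host header, so a request carrying a forged Host header is answered with a redirect to that host; use the vhost's own name instead, `RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]` together with `UseCanonicalName On` (or a literal hostname). The exclusion lines test `%{REMOTE_HOST}`, which is the reverse-resolved client name when `HostnameLookups` is on, so whether the IP-address pattern matches depends on DNS configuration; `%{REMOTE_ADDR}` is the unambiguous variable for an IP exemption, and the `(substitute the #s ...)` instruction on that line is parsed as directive arguments and must move to a `#` line of its own. `LogLevel emerg` inside the rewrite block silences nearly all error logging for the whole vhost, which hides exactly the failed and blocked requests an operator would want to see; drop it or keep it at `warn`. The same redirect and exclusion lines appear in the next code block (frontend) and need the same fixes there.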

...

<VirtualHost *:80>
   ServerName www.mywebsite.com
   DocumentRoot "/vol/www/mywebsite/web-docs/"
   ErrorLog logs/www.mywebsite.com_error.log
   CustomLog logs/www.mywebsite.com_custom.log common
   <Directory "/vol/www/mywebsite/web-docs/">
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>
   ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REQUEST_URI} !^/web/
      RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
 //xperiencentral versions </IfModule>
# Rewrite external r35 and lower
	  RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L] //xperiencentral versions r36 and higher  
   </IfModule>
# Rewrite external requests to https
   <IfModule mod_rewrite.c>
      RewriteEngine On
      LogLevel emerg
      RewriteCond %{HTTPS} off
      RewriteCond %{REMOTE_HOST} !###\###\###\###$ (substitute the #s with the IP address of the frontend server)
      RewriteCond %{REMOTE_HOST} !127\.0\.0\.1$
      RewriteCond %{REMOTE_HOST} !localhost$
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
      RewriteCond %{REQUEST_URI} !^/web/
    RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L] //xperiencentral versions r35 and lower
	  RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
 //xperiencentral versions r36 and higher  
  < </IfModule>
</VirtualHost>

...

<VirtualHost *:443>
   ServerName   <server name>
   ServerAdmin  <admin e-mail address>
   DocumentRoot  /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x
   ErrorLog      /vol/httpd/logs/errors-edit-ssl
   CustomLog     /vol//httpd/logs/access-edit-ssl combined

   #############
   # SSL
   SSLEngine On
   SSLProxyEngine On
   SSLProtocol +TLSv1
   ## See https://mozilla.github.io/server-side-tls/ssl-config-generator
   ## for information on other rules you should add here for the version
   ## of Apache you are using.


   SSLCertificateFile /vol/httpd/ssl/nolaa.crt
   SSLCertificateKeyFile /vol/httpd/ssl/nolaa.key

   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
   # CustomLog /vol/www/server/logs/ssl/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

   <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x>
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>

   <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x/wm/b/toolbar/>
      ExpiresActive ON
      ExpiresDefault "now plus 10 minutes"
      Header set Cache-Control "max-age=600"
   </Directory>
   <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x/wm/b/domapi/>
      ExpiresActive ON
      ExpiresDefault "now plus 10 minutes"
      Header set Cache-Control "max-age=600"
   </Directory>

   ProxyPass         /web/ ajp://localhost:19200/web/ttl=600
   ProxyPassReverse  /web/ ajp://localhost:19200/web/
 
   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteLogLevel 0
        RewriteCond %{REQUEST_URI} !^/web/
    RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L] //xperiencentral versions r35 and lower
	  RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PPT,L]
   < //xperiencentral versions r36 and higher  
   </IfModule>
   
   Alias /systemlogs /vol/webmanager/apache-tomcat-8.5.31/logs
      <Location /systemlogs>
         <IfModule mod_deflate.c>
            SetOutputFilter DEFLATE
         </IfModule>
         AuthUserFile /vol/httpd/htpasswd
         AuthName ""
         AuthType Basic

         Options +Indexes
         IndexOptions FancyIndexing

         Order Deny,Allow
         Allow from all
         Allow from localhost
         Allow from <IP address>
   </Location>

   ScriptAlias /cgi-bin "/vol/www/server/cgi-bin"
</VirtualHost>

</IfDefine>
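Review bot: The `<Location /systemlogs>` block publishes the Tomcat log directory with `Options +Indexes` and `Allow from all`, and although `AuthType Basic`/`AuthUserFile` are set there is no `Require valid-user`, so no authentication is enforced and logs (which can carry session identifiers, internal paths and stack traces) are readable by anyone who reaches the vhost. Replace the 2.2-style `Order`/`Allow` lines (the rest of this page already uses 2.4 `Require`) with `AuthName "System logs"` and `Require valid-user`, wrapped with `Require ip <IP address>` in a `<RequireAll>` if the IP restriction is also wanted. `SSLProtocol +TLSv1` enables only TLS 1.0, which is deprecated and rejected by current browsers; the Mozilla generator linked two lines above yields an `SSLProtocol`/`SSLCipherSuite` pair for supported versions, e.g. `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`. `RewriteLogLevel` was removed in httpd 2.4 (use `LogLevel rewrite:trace1`-style settings), and `ProxyPass /web/ ajp://localhost:19200/web/ttl=600` is missing the space before `ttl=600`, which makes it part of the backend path. The trailing `</IfDefine>` after `</VirtualHost>` has no opening `<IfDefine>` in this excerpt.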

...

<VirtualHost *:443>
   ServerName        <server name>
   ServerAdmin       <admin e-mail address>
   DocumentRoot      /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x
   ErrorLog          /vol/httpd/logs/errors-frontend-ssl
   CustomLog         /vol/httpd/logs/access-frontend-ssl combined

   #################
   # SSL

   SSLEngine On
   SSLProxyEngine On
   SSLProtocol +TLSv1
   ## See https://mozilla.github.io/server-side-tls/ssl-config-generator
   ## for information on other rules you should add here for the version
   ## of Apache you are using.

   SSLCipherSuite HIGH:MEDIUM

   SSLCertificateFile /vol/httpd/ssl/<certificate>.crt
   SSLCertificateKeyFile /vol/httpd/ssl/<certificate>.key

   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

   ### CustomLog /vol/www/server/logs/ssl/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

#  Test: Recognize this VirtualHost
   Alias /systemlogs2 /vol/webmanager/apache-tomcat-8.5.31/logs
   <Location /systemlogs2>
      <IfModule mod_deflate.c>
         SetOutputFilter DEFLATE
      </IfModule>
      AuthUserFile /vol/httpd/htpasswd
      AuthName ""
      AuthType Basic

      Options +Indexes
      IndexOptions FancyIndexing
      Order Deny,Allow
      Allow from all
      Allow from localhost
      Allow from <IP address>
   </Location>

   <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x>
      Options +FollowSymLinks +includesnoexec
        AllowOverride All
      Require all granted
   </Directory>

ProxyPass         /web/ajp://localhost:19200/web/ ttl=600
ProxyPassReverse  /web/ajp://localhost:19200/web/

   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteLogLevel 0

      # Give not found on /web/admin/* on frontend url.
      RewriteCond %{REQUEST_URI}^/web/admin
      RewriteRule ^/web/admin - [R=404]
      RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L] //xperiencentral versions r35 and lower
	  RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L] //xperiencentral versions r36  RewriteCond %{REQUEST_URI} !^/web/
      RewriteRule ^/(.*)\.htm$ /web/$1.htm [P,L]
   </IfModule>
</VirtualHost>
and higher  

   </IfModule>
</VirtualHost>
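Review bot: The public frontend vhost repeats the `/systemlogs2` Location with `Options +Indexes`, `Allow from all` and no `Require valid-user`, which exposes the Tomcat logs to the internet; the `Require` fix noted on the edit vhost applies here with higher priority, and a public frontend arguably should not alias the log directory at all. `SSLCipherSuite HIGH:MEDIUM` admits the MEDIUM-strength OpenSSL group (legacy 3DES/RC4-class suites) and `SSLProtocol +TLSv1` limits the host to TLS 1.0; take both directives from the Mozilla generator already referenced. The `/web/admin` blocking rule tests `REQUEST_URI` before the `.htm` rewrite, so a request for `/admin/x.htm` is rewritten to `/web/admin/x.htm` and handed to the proxy without meeting the 404 — if the backend exposes admin pages under that path, add `ProxyPass /web/admin !` ahead of the `/web/` mapping so the proxy itself refuses it; `RewriteCond %{REQUEST_URI}^/web/admin` also lacks the space between test string and pattern. The rendering has duplicated the closing `</IfModule>`/`</VirtualHost>` and split "and higher" onto its own line; read the RewriteRule pair as in the earlier blocks.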

The .htaccess File

The .htaccess file is also needed to set a CSP policy on static assets, which are typically served from disk by Apache httpd. Configure the .htaccess file (if your deployment requires it). See https://httpd.apache.org/docs/2.4/howto/htaccess.html for complete information.

Remove Server Header Configuration

...

Note

If you want to include an additional rule to set the HttpOnly flag on cookies, make sure to exclude the X-CSRF-Token cookie from that rule, because the anti-CSRF protection in XperienCentral relies on the fact that a browser does not allow JavaScript code to read cookies from another domain, and setting the HttpOnly flag disables access to the cookie from all JavaScript code. For example:

# Set HttpOnly and Secure flag on all cookies except for X-CSRF-Token cookie (required for submitting any sort of form in R33 and higher).
Header edit Set-Cookie ^((?!X-CSRF-Token=).*)$ $1;HttpOnly;Secure env=object_is_secure


Backend Environment


Add the headers to the backend environment (internal edit environment of XperienCentral) (add in your .conf file):

...

Note

If you want to include an additional rule to set the HttpOnly flag on cookies, make sure to exclude the X-CSRF-Token cookie from that rule, because the anti-CSRF protection in XperienCentral relies on the fact that a browser does not allow JavaScript code to read cookies from another domain, and setting the HttpOnly flag disables access to the cookie from all JavaScript code. For example:

# Set HttpOnly and Secure flag on all cookies except for X-CSRF-Token cookie (required for submitting any sort of form in R33 and higher).
Header edit Set-Cookie ^((?!X-CSRF-Token=).*)$ $1;HttpOnly;Secure env=object_is_secure


Content-Security-Policy

In order to add extra security to the XperienCentral environment, it is necessary to add the Content-Security-Policy header to the response headers. In the two virtual host (backend and frontend) listings previously mentioned, the header is already added. The value of the header is not a general value, but rather site specific. The value of the Content-Security-Policy header shown can be used, but it might block content from the client website, so be careful when implementing it. There will be an add-on for XperienCentral in the future where the header's value can be generated and altered within XperienCentral itself.

...

Oracle: jdbc:oracle:thin:@mydomain:1521:xe


Disable the Default Welcome Root Web (Undertow) Application

In standalone.xml, delete the following two lines in the jboss:domain:undertow subsystem to disable the default welcome content:

...

Enable the AJP Connector


<server name="default-server">
	<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
	<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
	<ajp-listener name="ajp" socket-binding="ajp" scheme="http"/> 
</server>
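Review bot: The added `<ajp-listener>` carries no documentation of where it may be reached, and AJP is an unauthenticated protocol that trusts whatever the proxy sends; the `ajp` socket-binding referenced here should be bound to a loopback or internal interface that only the httpd `ProxyPass ... ajp://localhost:...` shown earlier on this page can reach, never to a public interface. Recent WildFly releases also restrict which AJP request attributes the listener accepts (the `allowed-request-attributes-pattern` attribute) — confirm what the version in use requires before relying on the bare element. A one-line comment above the element, `<!-- AJP listener for the httpd reverse proxy; keep the ajp socket-binding on loopback -->`, would record the intent.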


Enable the wmadmin Login

In standalone.xml, add the XperienCentral security domain. This is necessary because the XperienCentral file jboss-web.xml references the XperienCentral security domain.

...