SSL and 80/443 ports

HTTP (80) and HTTPS (443) ports

Overview

In the TCP/IP protocol suite, ports in the range 1 to 1024 are classified as “privileged ports” because of a strict security rule enforced by UNIX/Linux operating systems: only processes running with “root” privileges can bind to these ports.

EnginFrame, following security best practice, is designed not to run the EnginFrame Server with “root” privileges, which improves the overall security posture of the system.

Despite this restriction, there are several ways to expose EnginFrame services on ports 80 and 443, the ports commonly associated with web services. These methods let EnginFrame be reached on the standard HTTP and HTTPS ports without compromising system security by running the server with elevated privileges.

For good security and performance, we recommend using Nginx or Apache as a reverse proxy that forwards the traffic to EnginFrame.

The general steps

  • You can set up Nginx or Apache on any distro; both are common packages included in most relevant distros (server or desktop editions). The usual package name is “nginx” for Nginx, and “apache2” (Debian based Linux distros) or “httpd” (RedHat based Linux distros) for Apache.
  • After that, enable the AJP (Apache JServ Protocol) connector in EnginFrame; it will receive the traffic from Nginx or Apache.
  • Then create a virtual host that receives the user requests and forwards the traffic to EnginFrame. You can read more about what a virtual host is in these references:

Note: You can use other HTTP servers to do the same thing, but this tutorial gives examples for the two most used HTTP servers.

Setup Apache or Nginx

For Debian based Linux distros: sudo apt install apache2 or sudo apt install nginx

For RedHat based Linux distros: sudo yum install httpd or sudo yum install nginx

Enable AJP under EnginFrame backend

  • Edit the file /path/to/your/installation/tomcat/conf/server.xml
  • Uncomment the code below by removing the surrounding “<!--” and “-->” comment markers. If the connector defined there differs, replace it with the code below.
    <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
  • Edit the file $EF_ROOT/conf/agent.conf and set this parameter:
    ef.download.server.url=http://127.0.0.1:8080/enginframe/download
    The port (8080 in this example) must match the Tomcat HTTP port configured in tomcat/conf/server.xml. The IP address 127.0.0.1 works if both the EF Server and the Agent run on the same node; use the EF Server IP address otherwise.
  • Restart the EnginFrame service:
    sudo systemctl stop enginframe
    sudo systemctl start enginframe
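An added check for the steps above (it is not EnginFrame's own tooling): it reads server.xml and agent.conf, verifies that the AJP connector is really uncommented, and verifies that the port in ef.download.server.url matches Tomcat's HTTP connector. It assumes Tomcat's HTTP connector declares protocol="HTTP/1.1" and takes the two file paths as arguments.

```shell
#!/bin/sh
# Added example (not EnginFrame's own tooling): check the AJP step above.
# It strips XML comments from server.xml, confirms an uncommented AJP/1.3
# connector exists, and checks that the port in agent.conf's
# ef.download.server.url matches the port of Tomcat's HTTP/1.1 connector.

# Print the file on one line with every <!-- ... --> span removed.
strip_xml_comments() {
    tr '\n' ' ' < "$1" | awk '{
        while ((s = index($0, "<!--")) > 0) {
            e = index($0, "-->"); if (e == 0) break
            $0 = substr($0, 1, s - 1) substr($0, e + 3)
        }
        print
    }'
}

# First uncommented <Connector ...> whose protocol attribute equals $2.
connector_elem() {
    strip_xml_comments "$1" | grep -o "<Connector[^>]*protocol=\"$2\"[^>]*>" | head -n 1
}

# Its port="..." value; empty when no such connector is active.
connector_port() {
    connector_elem "$1" "$2" | sed -n 's/.*[ ]port="\([0-9]*\)".*/\1/p'
}

# Port embedded in ef.download.server.url of agent.conf.
agent_download_port() {
    sed -n 's#^ef\.download\.server\.url=http://[^:/]*:\([0-9]*\)/.*#\1#p' "$1" | head -n 1
}

# Returns 0 when AJP is active and the agent URL port matches Tomcat's HTTP port.
check_ef_backend() {
    ajp=$(connector_elem "$1" "AJP/1.3")
    http=$(connector_port "$1" "HTTP/1.1")
    agent=$(agent_download_port "$2")
    [ -n "$ajp" ] || { echo "no active AJP/1.3 connector in $1" >&2; return 1; }
    [ -n "$http" ] && [ "$http" = "$agent" ] ||
        { echo "agent.conf port '$agent' does not match Tomcat HTTP port '$http'" >&2; return 1; }
    # Tomcat 8.5.51 / 9.0.31 and later will not start the AJP connector
    # unless secret="..." is set or secretRequired="false" is declared.
    case $ajp in
        *secret=*|*secretRequired=\"false\"*) ;;
        *) echo "warning: AJP connector has no secret and no secretRequired=\"false\"" >&2 ;;
    esac
    echo "AJP on port $(connector_port "$1" "AJP/1.3"); agent URL matches Tomcat HTTP port $http"
}
```

Run it as `check_ef_backend /path/to/tomcat/conf/server.xml $EF_ROOT/conf/agent.conf` after editing both files; a non-zero exit means one of the two steps was not applied.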

Nginx virtual host

Here is an Nginx virtual host configuration example that sets up HTTP and HTTPS listeners for your EnginFrame service. You need an Nginx build that includes the “nginx_ajp_module-master” module.

server {
    listen 80;
    server_name domainexample.com www.domainexample.com;

    # Redirect all HTTP requests to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name domainexample.com www.domainexample.com;

    # SSL configuration
    ssl_certificate /path/to/ssl/certificate.crt;
    ssl_certificate_key /path/to/ssl/private.key;

    # Proxy configuration (AJP connector enabled in tomcat/conf/server.xml)
    location / {
        ajp_pass 127.0.0.1:8009;
    }

    # Error log and access log
    error_log /var/log/nginx/domainexample.com_error.log;
    access_log /var/log/nginx/domainexample.com_access.log;
}

Notes:

  • Use localhost or 127.0.0.1 if Nginx runs on the same server as EnginFrame, or the correct IP address if it does not.
  • Save the config file under the Nginx config folder (/etc/nginx/conf.d/ or /etc/nginx/sites-enabled/).
  • Configure the correct path to your SSL certificate and key.
  • Test that the Nginx config is valid with “sudo nginx -t” and then restart the Nginx service: sudo systemctl restart nginx
  • If your configuration contains the line “proxy_http_version 1.1;”, remove it when your Apache Tomcat is configured with HTTP/2.

Apache virtual host

Here is an Apache virtual host configuration example that sets up HTTP and HTTPS listeners for your EnginFrame service. You need the “mod_proxy_ajp” module enabled in Apache (and mod_ssl for the HTTPS listener).

<VirtualHost *:80>
    ServerName domainexample.com
    ServerAlias www.domainexample.com

    # Redirect all HTTP requests to HTTPS
    Redirect permanent / https://domainexample.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName domainexample.com
    ServerAlias www.domainexample.com

    # SSL configuration
    SSLEngine on
    SSLCertificateFile /path/to/ssl/certificate.crt
    SSLCertificateKeyFile /path/to/ssl/private.key

    # Proxy configuration (AJP connector enabled in tomcat/conf/server.xml)
    <Location "/enginframe">
        ProxyPass ajp://127.0.0.1:8009/enginframe flushpackets=on
        ProxyPassReverse ajp://127.0.0.1:8009/enginframe
    </Location>

    # Error log and access log
    ErrorLog ${APACHE_LOG_DIR}/domainexample.com_error.log
    CustomLog ${APACHE_LOG_DIR}/domainexample.com_access.log combined
</VirtualHost>

Notes:

  • Use localhost or 127.0.0.1 if Apache runs on the same server as EnginFrame, or the correct IP address if it does not.
  • Save the config file under the Apache config folder (/etc/apache2/conf.d/ or /etc/apache2/sites-enabled/ or /etc/httpd/conf.d or /etc/httpd/sites-enabled/).
  • Test the Apache config by executing “sudo apachectl -t” and then restart the Apache service: sudo systemctl restart apache2 or sudo systemctl restart httpd

Issuing a Let’s Encrypt free SSL cert for EnginFrame

Overview

Let’s Encrypt is a nonprofit certificate authority providing free, automated, and open TLS/SSL certificates to help secure websites. It is run by the Internet Security Research Group (ISRG) and aims to make HTTPS encryption accessible to everyone. By simplifying the process of obtaining and renewing certificates, Let’s Encrypt enhances internet security and privacy. The organization is supported by donations and sponsorships.

How to issue

We can issue SSL certs using ACME clients such as Certbot, acme.sh and Caddy. Port 80 must be free to issue (and later renew) the certificates: these tools listen on port 80 to answer a Let’s Encrypt challenge, which confirms that you own the domain, and then create or renew the certificates.

To make the creation and renewal process easy and automatic, we will use the Certbot tool as an example (ref: https://certbot.eff.org/instructions ). Certbot is free and can be installed via snap, so most Linux distros can run Certbot without any complexity. Certbot also has Apache and Nginx plugins, so it can complete the Let’s Encrypt challenge without having to stop Nginx or Apache to listen on port 80.

So the general steps are:

  • Install snapd
  • Install certbot through snap
  • Execute certbot with desired plugin

Installing snapd

For Debian based Linux distros, just execute:

sudo apt update && sudo apt -y install snapd

For RedHat based Linux distros:

sudo yum -y install snapd

Installing certbot

For any Linux distro:

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Executing certbot

For any Linux distro:

sudo certbot --apache or sudo certbot --nginx

Certbot automatically installs a scheduled job (a cron job or systemd timer) to renew your certificates. As a good practice, check that the renewal process works with the command:

sudo certbot renew --dry-run

If you do not have Apache or Nginx and want to issue the SSL cert manually, or from a script, you can run Certbot as a standalone server to get the certificates (remember that port 80 must be free and open). Use the command below for that:

sudo certbot certonly --standalone

If you already have an HTTP server that is not Apache or Nginx, and you cannot free port 80, you have the --webroot option:

sudo certbot certonly --webroot

Then follow the Certbot --webroot guide to issue the SSL cert (ref: https://eff-certbot.readthedocs.io/en/stable/using.html#webroot ).

HTTP2 support for EnginFrame

Overview

You need to enable HTTP/2 in the EnginFrame Apache Tomcat. You can also enable it in the proxy (Nginx or Apache) if you provide EnginFrame through ports 80 and 443. But remember: for full HTTP/2 support, you need to enable HTTP/2 both in the Apache Tomcat and in your Apache or Nginx proxy.

Enabling in EnginFrame Apache Tomcat

Edit the file $EF_ROOT/conf/tomcat/conf/server.xml and uncomment the code below by removing the surrounding “<!--” and “-->” comment markers.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true"
               maxParameterCount="1000"
               >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Important: Provide the correct paths to the certificates in this code. Make sure the key file has permission 640 and is owned by user efadmin and group efnobody.
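The Let’s Encrypt section above issues the certificate and this connector consumes it. The following Certbot deploy hook, an added example that is not part of EnginFrame or Certbot, copies a renewed certificate into tomcat/conf under the file names above with the 640 / efadmin:efnobody settings and restarts the service. It relies on the RENEWED_LINEAGE variable that Certbot sets for deploy hooks and on an EF_TOMCAT_CONF variable you define yourself.

```shell
#!/bin/sh
# Added example (not EnginFrame's or Certbot's own code): a Certbot deploy hook
# that copies a renewed Let's Encrypt certificate into Tomcat's conf/ under the
# file names used by the connector above, with the owner/group/mode the page
# requires, then restarts EnginFrame. Certbot exports RENEWED_LINEAGE (the
# live directory of the renewed certificate) to deploy hooks; EF_TOMCAT_CONF
# is an assumed variable naming the tomcat/conf directory.
set -eu

# install_tomcat_cert <certbot live dir> <tomcat conf dir> <owner> <group>
install_tomcat_cert() {
    live=$1 conf=$2 owner=$3 group=$4
    for f in privkey.pem cert.pem chain.pem; do
        [ -f "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    # Create the copies with a restrictive umask so the private key is never
    # world-readable, even for an instant, then set the final owner and modes.
    ( umask 077
      cp "$live/privkey.pem" "$conf/localhost-rsa-key.pem"
      cp "$live/cert.pem"    "$conf/localhost-rsa-cert.pem"
      cp "$live/chain.pem"   "$conf/localhost-rsa-chain.pem" )
    chown "$owner:$group" "$conf/localhost-rsa-key.pem" \
        "$conf/localhost-rsa-cert.pem" "$conf/localhost-rsa-chain.pem"
    chmod 640 "$conf/localhost-rsa-key.pem"
    chmod 644 "$conf/localhost-rsa-cert.pem" "$conf/localhost-rsa-chain.pem"
}

# When invoked by Certbot (e.g. from /etc/letsencrypt/renewal-hooks/deploy/),
# install the renewed lineage and restart EnginFrame so Tomcat reloads it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_tomcat_cert "$RENEWED_LINEAGE" "${EF_TOMCAT_CONF:?path to tomcat/conf}" efadmin efnobody
    systemctl restart enginframe
fi
```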

Enabling in Nginx proxy

You can use the virtual hosts available on this same page (about ports 80/443) as a base for your HTTP/2 support.

Basically you need to append http2 to the listen directive, like this:

listen 443 ssl http2;

Enabling in Apache proxy

You can use the virtual hosts available on this same page (about ports 80/443) as a base for your HTTP/2 support.

First, make sure that your Apache has the http2 module enabled with the command:

sudo a2enmod http2

Then add this line (inside <VirtualHost>, but outside any other block):

Protocols h2 h2c http/1.1

Keep http/1.1 available for users whose browsers cannot use HTTP/2.

HTTP3/QUIC support for EnginFrame

HTTP/3 offers several advantages over its predecessors, including:

  1. Faster Connection Establishment: Uses QUIC, reducing latency with quicker handshakes.
  2. Improved Performance: Multiplexing without head-of-line blocking enhances data transmission efficiency.
  3. Enhanced Security: Built-in encryption from the start ensures better security.
  4. Better Reliability: Connection migration supports smoother transitions across networks.
  5. Reduced Latency: Improved congestion control mechanisms decrease loading times.

These features collectively lead to a faster, more reliable, and secure web experience.

The EnginFrame Apache Tomcat does not support HTTP/3, but you can still offer most of its benefits by installing a proxy server very close to the EnginFrame environment: this proxy talks HTTP/2 with Apache Tomcat and HTTP/3 with the users. If you set up the proxy very close to the Apache Tomcat (which means low latency and high throughput), and the proxy supports HTTP/3, you offer a much better experience to EnginFrame users over HTTP/3/QUIC.

Some HTTP servers, such as LiteSpeed, OpenLiteSpeed, HAProxy and Nginx, support HTTP/3. Apache does not support HTTP/3. Here we provide an HTTP/3 example using Nginx, a free, very powerful and popular HTTP server.

Enabling in Nginx proxy

Ensure you have the necessary prerequisites:

  • Nginx built with the --with-http_v3_module and --with-quic configuration options
  • OpenSSL 1.1.1 or later.
  • Nginx 1.25 or later.

Important: As HTTP/3 is very recent, we recommend using the latest stable Nginx version available.

Nginx and HTTP3/QUIC reference: https://nginx.org/en/docs/quic.html

You can reuse the Nginx virtual host example about ports 80/443 on this same page. Replace its “listen 443 ssl;” line with these directives and add the header:

listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 quic reuseport;
listen [::]:443 quic reuseport;
add_header Alt-Svc 'h3=":443"'; # HTTP/3 advertisement

With this config you keep HTTP/2 compatibility and tell the client (through the new header) that HTTP/3 is available.

Important: QUIC runs over UDP, so you need to allow inbound UDP traffic on port 443 in your firewall to make HTTP/3 available.