How do I configure Apache HTTPD and Liferay Portal to use SSL

Overview

This article outlines the steps for configuring Apache HTTPD and Liferay Portal with SSL.

This article should be used in conjunction with the following articles:

Configuration

Liferay Portal Properties

Add/update file "LIFERAY_HOME/portal-ext.properties" with the following properties :

  • company.security.auth.requires.https=true
  • web.server.protocol=https
  • session.enable.phishing.protection=false


Sample Configuration

Add/update the following properties in "portal-ext.properties" file :

##
## Company
##

    #company.default.name=Liferay
    company.default.name=My Site Name

    #
    # This sets the default web id. Omniadmin users must belong to the company
    # with this web id.
    #
    #company.default.web.id=liferay.com
    company.default.web.id=mysite.mydomain.com.au

    #
    # Set this to true to ensure users login with https. If this is set to true
    # and you want your HTTP session to contain your credentials after logging
    # in, then the property "session.enable.phishing.protection" must be set to
    # false or your credentials will only be available in the HTTPS session.
    #
    #company.security.auth.requires.https=false
    company.security.auth.requires.https=true


##
## Web Server
##

    #
    # Set the HTTP and HTTPs ports when running the portal in a J2EE server that
    # is sitting behind another web server like Apache. Set the values to -1 if
    # the portal is not running behind another web server like Apache.
    #
    #web.server.http.port=-1
    #web.server.https.port=-1

    #
    # Set the hostname that will be used when the portlet generates URLs.
    # Leaving this blank will mean the host is derived from the servlet
    # container.
    #
    #web.server.host=
    web.server.host=mysite.mydomain.com.au

    #
    # Set the preferred protocol.
    #
    #web.server.protocol=http
    web.server.protocol=https


##
## Session
##

    #
    # Set this to true to invalidate the session when a user logs into the
    # portal. This helps prevents phishing. Set this to false if you need the
    # guest user and the authenticated user to have the same session.
    #
    # Set this to false if the property "company.security.auth.requires.https"
    # is set to true and you want to maintain the same credentials across HTTP
    # and HTTPS sessions.
    #
    #session.enable.phishing.protection=true
    session.enable.phishing.protection=false


Apache HTTPD Configuration

Add/update file "/etc/httpd/conf/httpd.conf" :

RewriteEngine On
# This will enable the Rewrite capabilities

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context

 

References

0