Limit service availability

Zoltán Farkas

About

This page gives some guidelines for gUSE administrators on how to limit their deployment's services' availability. The goal is to make as few services available as possible.

Tomcat admin password

Both the default Tomcat administrator username and password are admin. You can change this by editing the apache-tomcat-*/conf/tomcat-users.xml file under your deployment. The change takes effect once you restart Apache Tomcat.

MySQL access

Restrict access to the MySQL databases used by gUSE (called guse and liferay when installed using the Install Wizard) as much as possible: grant access only from hosts where gUSE services are running.

Applying firewalls

Set the default policy for incoming packets to DROP, enable connection tracking, and open only the ports that are really necessary (HTTP, 8080, the Globus TCP port range, etc.).

Putting Tomcat behind a web server

Putting Apache Tomcat behind an HTTP server (e.g. Apache) not only lets you easily configure SSL/TLS-based access to your services, but also lets you limit the set of publicly accessible gUSE services and run gUSE on the standard HTTP and HTTPS ports.

To do this, perform the following steps:

  • enable the proxy_ajp Apache module (a2enmod proxy_ajp),
  • disable the Apache Tomcat connector listening on port 8080. To do so, edit Apache Tomcat's server.xml file and remove (or comment out) the Connector tag bound to port 8080,
  • create a new site in Apache that will proxy requests to Apache Tomcat's AJP connector. An example site setup (for HTTPS) is as follows:

    <virtualhost *:443="">
    ServerName myportal.org
    ServerAlias myportal.org
    ServerAdmin admin@myportal.org
    ServerSignature on</virtualhost>

    ErrorLog /var/log/apache2/myportal.org/error.log
    CustomLog /var/log/apache2/myportal.org/access.log combined
    
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    
    DocumentRoot /var/www/
    <Directory />
            Options FollowSymLinks
            AllowOverride None
    </Directory>
    <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
    </Directory>
    
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/myportal.org.pem
    SSLCertificateKeyFile /etc/ssl/private/myportal.org.key
    SSLCertificateChainFile /etc/ssl/certs/myportal.org.chain.pem
    
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    </Directory>
    
    BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    
    RedirectMatch   permanent       ^/$     /liferay-portal-6.1.0
    
    ProxyPass       /liferay-portal-6.1.0   ajp://myportal.org:8009/liferay-portal-6.1.0
    ProxyPass       /wspgrade               ajp://myportal.org:8009/wspgrade
    ProxyPass       /wfs                    ajp://myportal.org:8009/wfs
    ProxyPass       /submitter              ajp://myportal.org:8009/submitter
    
    <Proxy *>
            Order allow,deny
            Allow from all
    </Proxy>
    

  • Finally, enable the new site in Apache using a2ensite.

As you can see, the following webapps must be proxied:

  • liferay-portal-6.1.0: for Liferay
  • wspgrade: for the portlets
  • wfs: for the Graph Editor (Note: if you are operating a portal where users are not intended to use the Graph Editor, you can skip the wfs webapp)
  • submitter: for some plugins of the DCI Bridge

The other webapps (information, storage, wfi, ...) are used only internally, so it is not necessary to make them publicly available.
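The MySQL, firewall and proxying guidelines above can be combined into one host firewall. The script below is an added example, not part of the gUSE documentation or distribution: it generates the iptables rules for a gUSE host that sits behind the Apache front end described above (so 80/443 are public, 8080 is closed, and AJP 8009 and MySQL 3306 are only reachable from the gUSE hosts themselves). The host addresses and the Globus port range are constructed placeholders; adjust them, and add any administrative access you need (e.g. SSH), before applying.

```shell
#!/bin/sh
# Generate (not apply) iptables INPUT rules for a gUSE host behind Apache.
# Review the output, then apply it with:  sh guse-firewall.sh | sh

# Constructed placeholder values: hosts running gUSE services (Tomcat,
# MySQL, Apache front end) and the Globus TCP port range of this deployment.
GUSE_HOSTS="${GUSE_HOSTS:-192.0.2.10 192.0.2.11}"
GLOBUS_TCP_PORT_RANGE="${GLOBUS_TCP_PORT_RANGE:-40000:40100}"

guse_firewall_rules() {
    echo "iptables -F INPUT"
    # Loopback traffic and already tracked connections are always allowed
    # (connection tracking, so replies to outbound connections get through).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Publicly necessary ports: HTTP/HTTPS served by Apache, plus the
    # Globus TCP port range. Port 8080 is intentionally absent because the
    # Tomcat connector on it has been disabled.
    for p in 80 443; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $GLOBUS_TCP_PORT_RANGE -m conntrack --ctstate NEW -j ACCEPT"

    # Internal services: the AJP connector (8009) used by Apache's ProxyPass
    # and the MySQL databases (3306) are opened only to the gUSE hosts.
    for h in $GUSE_HOSTS; do
        for p in 8009 3306; do
            echo "iptables -A INPUT -p tcp -s $h --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    done

    # Default policy last, so existing sessions are covered by the rules above.
    echo "iptables -P INPUT DROP"
}

guse_firewall_rules
```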
