Version: Axidian CertiFlow 7.1

Apache HTTP Server

To run the Axidian CertiFlow server components on Linux, configure the Apache web server as a TLS-terminating reverse proxy in front of the CertiFlow services, which the proxy reaches on localhost ports.

  1. Install Apache.
  2. Install a TLS/SSL certificate.
  3. Configure the modules.
  4. Configure the Apache website.

The commands below are written for RHEL-family distributions (yum and the httpd package). If you install Apache on a different distribution, adjust the package names, configuration paths and service name accordingly.

Install Apache

Install the Apache web server using the following commands.

sudo yum install httpd
sudo systemctl enable httpd
sudo systemctl start httpd

Alternatively, install the Apache web server from source. For more information, see the Apache website.

Install a TLS/SSL certificate

How to issue a TLS/SSL certificate

Install a TLS/SSL certificate on the web server.

  1. Copy the certificate and private key files to the directories referenced by the Apache configuration below (/etc/httpd/ssl/certs and /etc/httpd/ssl/private), and restrict the private key to root. httpd reads the key as root before dropping privileges, so no other user needs access to it.
    sudo mkdir -p /etc/httpd/ssl/certs /etc/httpd/ssl/private
    sudo cp ./SSL.crt /etc/httpd/ssl/certs/
    sudo cp ./SSL.key /etc/httpd/ssl/private/
    sudo chown root:root /etc/httpd/ssl/private/SSL.key
    sudo chmod 600 /etc/httpd/ssl/private/SSL.key
  2. Add the root CA certificate to the trusted certificate store of the server running Apache. On RHEL-family systems:
    sudo cp root-ca.crt /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust
    On Debian-based systems the equivalent commands are:
    sudo cp root-ca.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates -f
  3. Make the root CA certificate trusted on the client machines as well, for example by distributing it through Group Policy.

Install modules and edit configuration

  1. Install the mod_ssl module.

    sudo yum install -y mod_ssl
  2. Add the following directives to the httpd.conf configuration file (default location: /etc/httpd/conf/httpd.conf).

    Listen 3003
    LimitRequestLine 16384
    LimitRequestFieldSize 16384
    ServerName SERVER_FQDN
    Header append X-FRAME-OPTIONS "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"

    In this and the following sections, replace SERVER_FQDN with the hostname (FQDN) of your server.

    Do not add Listen 443: the mod_ssl package already provides it in /etc/httpd/conf.d/ssl.conf, together with a default _default_:443 virtual host that uses a self-signed certificate. Apache answers with the first virtual host defined for a port when no ServerName matches the requested name, so add ServerName SERVER_FQDN inside each virtual host created in the next section to make sure they, and not the default host, serve requests for your name. The Header directives require mod_headers, the HTTPS redirect in the next section requires mod_rewrite, and the ProxyPass directives require mod_proxy and mod_proxy_http; all of these are loaded by the stock files in /etc/httpd/conf.modules.d/.

Configure the Apache website

Configure Apache to accept web requests and proxy them to the Axidian CertiFlow service.

  1. Create the website configuration file /etc/httpd/conf.d/SERVER_FQDN.conf.

    sudo touch /etc/httpd/conf.d/SERVER_FQDN.conf
  2. Populate the file with the recommended content.

    caution

    The SSLCertificateFile and SSLCertificateKeyFile parameters contain the paths to the certificate and private key files created or imported in the previous steps. Verify the specified paths and filenames.

    Two settings in the recommended content trade security for compatibility and should be reviewed before going live. @SECLEVEL=1 at the start of SSLCipherSuite lowers OpenSSL's minimum security level to 80 bits, so 1024-bit RSA and DH keys are accepted again; remove it if your certificate chain and clients do not need it. SSLSessionTickets on protects resumed sessions with a ticket key that httpd generates at startup and only replaces on restart, so either restart httpd regularly or set it to off if forward secrecy of resumed sessions matters to you.

Recommended content for the SERVER_FQDN.conf file
<VirtualHost *:80>
# Redirect every plain-HTTP request to the same path over HTTPS.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
Protocols h2 http/1.1
SSLCertificateFile /etc/httpd/ssl/certs/SSL.crt
SSLCertificateKeyFile /etc/httpd/ssl/private/SSL.key
SSLCipherSuite @SECLEVEL=1:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

ErrorLog logs/error.log
CustomLog logs/access.log combined

SSLEngine on
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets on
SSLUseStapling off
SSLProxyEngine on
# As written this disables HTTP keep-alive for every client of this host; the
# second word is only the variable's value, so ssl-unclean-shutdown has no effect.
# The stock mod_ssl form that limits the workaround to old Internet Explorer is:
#   BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown
SetEnv nokeepalive ssl-unclean-shutdown
RequestHeader set X-Forwarded-Proto https
Header always set Strict-Transport-Security "max-age=63072000"

ProxyPreserveHost On

ProxyPass /certiflow/mc http://localhost:5001/certiflow/mc
ProxyPassReverse /certiflow/mc http://localhost:5001/certiflow/mc

ProxyPass /certiflow/ss http://localhost:5002/certiflow/ss
ProxyPassReverse /certiflow/ss http://localhost:5002/certiflow/ss

ProxyPass /certiflow/rss http://localhost:5003/certiflow/rss
ProxyPassReverse /certiflow/rss http://localhost:5003/certiflow/rss

ProxyPass /certiflow/api http://localhost:5004/certiflow/api
ProxyPassReverse /certiflow/api http://localhost:5004/certiflow/api

ProxyPass /certiflow/credprovapi http://localhost:5005/certiflow/credprovapi
ProxyPassReverse /certiflow/credprovapi http://localhost:5005/certiflow/credprovapi

ProxyPass /certiflow/oidc http://localhost:5008/certiflow/oidc
ProxyPassReverse /certiflow/oidc http://localhost:5008/certiflow/oidc

ProxyPass /certiflow/wizard http://localhost:5009/certiflow/wizard
ProxyPassReverse /certiflow/wizard http://localhost:5009/certiflow/wizard

#ProxyPass /api http://localhost:5010/api
#ProxyPassReverse /api http://localhost:5010/api

</VirtualHost>

<VirtualHost *:3003>
Protocols h2 http/1.1

SSLCertificateFile /etc/httpd/ssl/certs/SSL.crt
SSLCertificateKeyFile /etc/httpd/ssl/private/SSL.key
SSLCipherSuite @SECLEVEL=1:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

ErrorLog logs/error.log
CustomLog logs/access.log combined

SSLEngine on
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets on
SSLUseStapling off
SSLProxyEngine on
RequestHeader set X-Forwarded-Proto https
Header always set Strict-Transport-Security "max-age=63072000"

ProxyPass /agentregistrationapi http://localhost:5006/agentregistrationapi
ProxyPassReverse /agentregistrationapi http://localhost:5006/agentregistrationapi

<Location "/agentserviceapi">
SSLVerifyClient optional_no_ca
SSLOptions +ExportCertData
RequestHeader unset x-ssl-client-cert
RequestHeader set x-ssl-client-cert "expr=%{escape:%{SSL_CLIENT_CERT}}"
#RequestHeader set x-ssl-client-cert "expr=%{escape:%{SSL_CLIENT_S_DN}}"

ProxyPass http://localhost:5007/agentserviceapi
ProxyPassReverse http://localhost:5007/agentserviceapi
</Location>
</VirtualHost>
  3. Check the configuration syntax, then restart httpd.

    sudo httpd -t
    sudo systemctl restart httpd

    On hosts with SELinux in enforcing mode, httpd is not allowed to open outbound TCP connections to the CertiFlow backend ports (5001 to 5009) until you enable the corresponding boolean; otherwise proxied requests fail with 503 and a "Permission denied" error from mod_proxy in logs/error.log.

    sudo setsebool -P httpd_can_network_connect 1

    If a host firewall is active, also open ports 80, 443 and 3003.
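The <Location "/agentserviceapi"> block in the SERVER_FQDN.conf file makes Apache ask the agent for a client certificate, but because of SSLVerifyClient optional_no_ca it accepts whatever certificate is presented without checking its chain; it then forwards the PEM body, URL-escaped by %{escape:...}, in the x-ssl-client-cert header (the preceding RequestHeader unset is what stops a client from smuggling in its own value). Two things therefore have to hold on the backend: the service on port 5007 must trust that header only when the request arrives from the local proxy, and it must validate the certificate against the agent CA itself. Note also that HTTP/2 does not allow TLS renegotiation, so Apache cannot request a certificate for a single Location on a connection that negotiated h2 on port 3003 and rejects such requests instead; if the agents speak HTTP/2, restrict that virtual host to Protocols http/1.1 or move SSLVerifyClient to virtual-host scope. The Go program below is an added example of the backend-side check and is not CertiFlow code: it builds a constructed CA, one certificate that CA issued and one self-signed impostor, then shows which forwarded headers are accepted. The header name, the backend URL, the peer addresses, the "Example Agent CA" subject and the "agent-01" common name are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/url"
	"time"
)

// Header name from the Apache snippet (Go canonicalises it to X-Ssl-Client-Cert).
const clientCertHeader = "X-Ssl-Client-Cert"

// ClientCertFromRequest recovers the forwarded client certificate and validates it
// against the agent CA; Apache (optional_no_ca) only checked that one was presented.
func ClientCertFromRequest(r *http.Request, roots *x509.CertPool) (*x509.Certificate, error) {
	// Trust the header only when the peer is the proxy on loopback; anyone who can
	// reach the backend directly could otherwise forge it.
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if ip := net.ParseIP(host); err != nil || ip == nil || !ip.IsLoopback() {
		return nil, fmt.Errorf("peer %q is not the local reverse proxy", r.RemoteAddr)
	}
	// %{escape:...} form-encodes the PEM (%XX for newlines, '+' for spaces); undo it.
	pemText, err := url.QueryUnescape(r.Header.Get(clientCertHeader))
	if err != nil || pemText == "" {
		return nil, fmt.Errorf("missing or malformed %s header", clientCertHeader)
	}
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("header does not carry a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse client certificate: %w", err)
	}
	// Chain to the trusted CA, require the clientAuth EKU and check the validity dates.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return nil, fmt.Errorf("client certificate not trusted: %w", err)
	}
	return cert, nil
}

// Constructed fixtures for the demonstration; this is not CertiFlow's agent PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a fresh P-256 key and a certificate for it; a nil signer means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, string) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		signer = key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// BuildTestPKI returns a pool with a throwaway CA, the PEM of a leaf it issued and the
// PEM of a self-signed impostor with the same profile that the CA never signed.
func BuildTestPKI() (roots *x509.CertPool, good, rogue string) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agent CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey, _ := issue(caTmpl, caTmpl, nil)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "agent-01"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	_, _, good = issue(leafTmpl, ca, caKey)
	rogueTmpl := *leafTmpl
	rogueTmpl.SerialNumber = big.NewInt(3)
	_, _, rogue = issue(&rogueTmpl, &rogueTmpl, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, good, rogue
}

// ProxiedRequest builds what the backend sees: the given peer address and the certificate
// escaped the way Apache's %{escape:...} does (an empty PEM means no header at all).
func ProxiedRequest(certPEM, remoteAddr string) *http.Request {
	r := must(http.NewRequest("GET", "http://localhost:5007/agentserviceapi/ping", nil))
	r.RemoteAddr = remoteAddr
	if certPEM != "" {
		r.Header.Set(clientCertHeader, url.QueryEscape(certPEM))
	}
	return r
}
```

ClientCertFromRequest accepts the CA-issued certificate when it arrives from 127.0.0.1 and rejects the self-signed one, a forged header from a non-loopback peer, and a request with no header. In a real service the loopback test is the minimum; binding the backend to 127.0.0.1 only, as the ProxyPass targets imply, is what makes that check sufficient. If you switch the commented-out alternative that forwards SSL_CLIENT_S_DN instead of the certificate, the backend can no longer verify anything and must rely on Apache doing so, which with optional_no_ca it does not.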