| 181 | ==== Virtual Hosting of the Discovery Service over http and https ==== |
| 182 | Paste, the Discovery application server, runs over http, but the pages for Single Sign On require https so that user credentials are transferred securely. One way to achieve this is to run `paste` on a port hidden inside the firewall and expose it to the outside using Virtual Hosting, e.g. with Apache. The service running on that port is then exposed outside on ports 80 (http) and 443 (https): |
| 183 | |
| 184 | {{{ |
| 185 | http://localhost:8080 -> http://your-site-discovery-url |
| 186 | http://localhost:8080 -> https://your-site-discovery-url |
| 187 | }}} |
| 188 | Note that the same `your-site-discovery-url` is used in both cases. |
| 189 | |
| 190 | Example `.conf` file configurations for Apache2 are shown below for http and https proxies: |
| 191 | {{{ |
| 192 | ServerName localhost |
| 193 | NameVirtualHost *:80 |
| 194 | |
| 195 | <VirtualHost *:80> |
| 196 | DocumentRoot /var/www/html |
| 197 | ServerName localhost |
| 198 | |
| 199 | # NDG Discovery |
| 200 | ProxyPass / http://localhost:8080/ |
| 201 | ProxyPassReverse / http://localhost:8080/ |
| 202 | ProxyPreserveHost On |
| 203 | <Proxy *> |
| 204 | Order deny,allow |
| 205 | Allow from all |
| 206 | </Proxy> |
| 207 | </VirtualHost> |
| 208 | }}} |
| 209 | |
| 210 | https Virtual Host ... |
| 211 | |
| 212 | {{{ |
| 213 | ServerName localhost |
| 214 | NameVirtualHost *:443 |
| 215 | |
| 216 | <VirtualHost *:443> |
| 217 | DocumentRoot /var/www/secure |
| 218 | ServerName localhost |
| 219 | SSLEngine On |
| 220 | SSLCertificateFile /etc/apache2/ssl/crt/server.crt |
| 221 | SSLCertificateKeyFile /etc/apache2/ssl/key/server.key |
| 222 | SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire |
| 223 | |
| 224 | # NDG LoginService |
| 225 | ProxyPass / http://localhost:8080/ |
| 226 | ProxyPassReverse / http://localhost:8080/ |
| 227 | ProxyPreserveHost On |
| 228 | <Proxy *> |
| 229 | Order deny,allow |
| 230 | Allow from all |
| 231 | </Proxy> |
| 232 | </VirtualHost> |
| 233 | }}} |
| 234 | |
| 235 | Details may vary according to the version of Apache you use. Please check the relevant Apache documentation for the correct settings. The example uses a redirect to `localhost`. To expose the service outside, use `your-site-discovery-url`. |
| 236 | |
| 237 | In the discovery config file, `/etc/ndg/ows_server/conf/ndgDiscovery.config`, the `server` field should be set to `http://your-site-discovery-url` and the `sslServer` field to `https://your-site-discovery-url`: |
| 238 | {{{ |
| 239 | [DEFAULT] |
| 240 | # |
| 241 | # the following is the server on which this browse/discovery instance runs! |
| 242 | server: http://<your-site-discovery-url> |
| 243 | . |
| 244 | . |
| 245 | . |
| 246 | [NDG_SECURITY] |
| 247 | sslServer: https://<your-site-discovery-url> |
| 248 | }}} |
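
A consistency check for these two settings, as an added example that is not part of the NDG code base: it parses text in the layout of `ndgDiscovery.config` and reports when `sslServer` is not https, when the two host names differ, or when either value still points at localhost. The function name `check_discovery_urls` and the sample host names are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample in the layout of ndgDiscovery.config (host name is made up).
SAMPLE_OK = """\
[DEFAULT]
# the following is the server on which this browse/discovery instance runs!
server: http://discovery.example.org
[NDG_SECURITY]
sslServer: https://discovery.example.org
"""


def check_discovery_urls(config_text):
    """Return a list of problems with the server / sslServer pair (empty = OK)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    # [DEFAULT] is configparser's defaults section; option names are lower-cased.
    server = urlsplit(cfg.defaults().get("server", ""))
    ssl_server = urlsplit(cfg.get("NDG_SECURITY", "sslServer", fallback=""))

    problems = []
    if server.scheme != "http" or not server.hostname:
        problems.append("server must be an http:// URL with a host name")
    if ssl_server.scheme != "https" or not ssl_server.hostname:
        # Single Sign On pages are built on this URL, so it has to be https.
        problems.append("sslServer must be an https:// URL with a host name")
    if (server.hostname and ssl_server.hostname
            and server.hostname != ssl_server.hostname):
        problems.append("server and sslServer must use the same host name")
    for name, url in (("server", server), ("sslServer", ssl_server)):
        if url.hostname in ("localhost", "127.0.0.1"):
            problems.append(name + " points at localhost, not the exposed URL")
    return problems


if __name__ == "__main__":
    for line in check_discovery_urls(SAMPLE_OK) or ["configuration is consistent"]:
        print(line)
```
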
| 249 | |
| 250 | ==== WS-Security Settings ==== |