Morphon Technologies

Apache Notes

Introduction

You may want to add HTTPS and/or authentication to your Morphon T-o-M without having to configure this in your (Java) application server. It is possible to shield off the T-o-M by putting an Apache server in between the client trying to use T-o-M and the application server running T-o-M. This is called an Apache front-proxy. In this case Apache will accept connections from the client, optionally authenticating them, and will then pass the HTTP traffic on to the T-o-M running inside the application server.

In this configuration guide we assume that you are running Apache version 2. Note that you will need to have the following modules available and enabled in your Apache installation:

Setting up the Front-Proxy

In order to be able to run the front-proxy you will have to make sure that Apache is not trying to listen on the same IP-address/Port combination as your application server. Typically, you bind your application server to localhost:8080 and will then have your Apache front-proxy run on an external IP address, listening on port 80 or port 443 (in the case of HTTPS). Any combination is fine however, as long as the front-proxy and application server don't overlap.

A front-proxy configuration is as simple as setting up a VirtualHost in Apache. The base of the VirtualHost should look like this:

Listen example-tom.morphon.com:80

<VirtualHost example-tom.morphon.com:80>
    ServerName example-tom.morphon.com

    <Proxy http://localhost:8080/*>
        Order Allow,Deny
        Allow From All
    </Proxy>

    ProxyPassReverse /morphon-tom/ http://localhost:8080/morphon-tom/
    ProxyPass /morphon-tom/ http://localhost:8080/morphon-tom/
</VirtualHost>

The above assumes that the application server has deployed the Morphon T-o-M on http://localhost:8080/morphon-tom/. The client however will contact http://example-tom.morphon.com/morphon-tom/. Note that you can also do URL rewriting, and make T-o-M available on http://example-tom.morphon.com/ by changing the ProxyPassReverse and ProxyPass directives.

Adding Authentication and Authorization

Using the standard Apache access controls it is possible to shield off your T-o-M installation from unwanted clients. For example:

Listen example-tom.morphon.com:80

<VirtualHost example-tom.morphon.com:80>
    ServerName example-tom.morphon.com

    <Proxy http://localhost:8080/*>
        Order Allow,Deny
        Allow From All

        AuthName "Example Morphon T-o-M"
        AuthType Basic
        AuthUserFile  /etc/apache2/passwords/example-tom.morphon.com-htpasswd
        require valid-user
    </Proxy>

    ProxyPassReverse /morphon-tom/ http://localhost:8080/morphon-tom/
    ProxyPass /morphon-tom/ http://localhost:8080/morphon-tom/
</VirtualHost>

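The above will first request a username and password using standard HTTP basic authentication, before allowing connections to the T-o-M on the application server. Basic authentication sends the password base64-encoded, not encrypted, so on the port 80 VirtualHost shown here it crosses the network in clear text; use it together with the HTTPS configuration described under Adding HTTPS Support.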

For more information on the possibilities of the various available options (such as restricting access based on client IP address), look at the documentation for the Apache authentication modules here.

Adding HTTPS Support

Enabling HTTPS support is as easy as making the VirtualHost SSL aware. For example:

Listen example-tom.morphon.com:443

<VirtualHost example-tom.morphon.com:443>
    ServerName example-tom.morphon.com

    SSLEngine on

    SSLCertificateFile /etc/apache/ssl.crt/example-tom.morphon.com.pem
    SSLCertificateKeyFile /etc/apache/ssl.key/example-tom.morphon.com.pem

    <Proxy http://localhost:8080/*>
        Order Allow,Deny
        Allow From All
    </Proxy>

    ProxyPassReverse /morphon-tom/ http://localhost:8080/morphon-tom/
    ProxyPass /morphon-tom/ http://localhost:8080/morphon-tom/
</VirtualHost>

Note that the VirtualHost now listens on port 443 and that the SSLEngine, SSLCertificateFile and SSLCertificateKeyFile directives were added. For more information on these, see the mod_ssl documentation.

Note that adding support for client certificate checks is also possible using mod_ssl. This combines the use of HTTPS with the Apache access control modules. Look at the documentation for the SSLOptions directive for more information on its FakeBasicAuth option.
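The authentication and HTTPS sections above combined into one front-proxy, as an added example that is not part of the original Morphon guide. It assumes mod_alias is enabled for the Redirect directive, keeps the Apache 2.2-style access control syntax used on this page, and uses 192.0.2.0/24 as a placeholder client range.

```apache
# Added example, not from the original guide.
Listen example-tom.morphon.com:80
Listen example-tom.morphon.com:443

# Port 80 only redirects to HTTPS, so the Basic credentials are never
# requested or sent over an unencrypted connection.
<VirtualHost example-tom.morphon.com:80>
    ServerName example-tom.morphon.com
    Redirect permanent / https://example-tom.morphon.com/
</VirtualHost>

<VirtualHost example-tom.morphon.com:443>
    ServerName example-tom.morphon.com

    SSLEngine on
    SSLCertificateFile /etc/apache/ssl.crt/example-tom.morphon.com.pem
    SSLCertificateKeyFile /etc/apache/ssl.key/example-tom.morphon.com.pem

    # Reverse proxy only; make sure Apache is not an open forward proxy.
    ProxyRequests Off

    <Proxy http://localhost:8080/*>
        # Restrict by client address (placeholder range, replace with your own).
        Order Deny,Allow
        Deny from all
        Allow from 192.0.2.0/24

        AuthName "Example Morphon T-o-M"
        AuthType Basic
        AuthUserFile /etc/apache2/passwords/example-tom.morphon.com-htpasswd
        Require valid-user

        # Require both an allowed address and a valid login.
        Satisfy All
    </Proxy>

    ProxyPass /morphon-tom/ http://localhost:8080/morphon-tom/
    ProxyPassReverse /morphon-tom/ http://localhost:8080/morphon-tom/
</VirtualHost>
```

The application server should stay bound to localhost:8080 as described under Setting up the Front-Proxy, otherwise clients can bypass these checks by connecting to it directly.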

Copyright © 2008 Morphon Technologies