AWS EC2 | Open Route to Install Middleware Services Behind Apache
This page describes the procedure for opening and locking ports during a middleware services installation.
Middleware Service Installation
The procedure described does not pose a security threat, primarily because it is only used during the installation phase of the middleware.
Opening Up to HTTP Traffic
If you enforce HTTPS from Apache onwards but run the middleware services themselves over plain HTTP, then you need to be quick about it and keep the window during which HTTP is open as short as possible.
Opening Up Route to Install Middleware Services Behind Apache
First install the middleware service with maximum lock-down. Once you believe it is installed and you have started the middleware (be it Jira Issues Manager, Jenkins Continuous Integration Server, MediaWiki, Nexus Repository Manager, WordPress, Tomcat, BugTracker or dotProject), execute the steps below.
- Test the installation on the command line
- Go into the Amazon AWS Console, find the Security Groups and the Launch Wizard, then Add a Rule
- Allow TCP to flow through port 8081
- Go to /etc/apache2/apache2.conf and allow plain HTTP to flow, then restart Apache
- Now you can visit your middleware using your hostname
- Complete the web UI setup (email, administrator and application URL)
Once the middleware service knows the application URL and you have told Apache, through the default-ssl.conf file, about the required proxy request, reverse all the steps above to enforce HTTPS again and then delete the firewall rule that opened up the port.
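The last step above (deleting the temporary firewall rule) is the one most easily forgotten. As an added check that is not part of the original page, the script below audits a security group in the JSON shape returned by `aws ec2 describe-security-groups` for install-phase ports still reachable from outside a trusted range, and prints the CLI command that revokes each leftover rule. The port set, the trusted CIDR, the group id and the sample group are all constructed assumptions.

```python
"""Audit an EC2 security group for install-phase ingress rules that were never revoked.

Input is one SecurityGroups element in the shape returned by
`aws ec2 describe-security-groups`. The sample below is constructed, not captured.
"""
from ipaddress import ip_network

# Ports middleware services listen on while being installed behind Apache (assumed set; adjust).
INSTALL_PORTS = {8080, 8081, 8443}
# Source ranges allowed to reach those ports after install (assumed internal range).
TRUSTED_CIDRS = [ip_network("10.0.0.0/8")]

SAMPLE_GROUP = {  # constructed example of a describe-security-groups entry
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8081, "ToPort": 8081,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp jira install"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.5.0/24"}]},
    ],
}

def _ports_in(perm):
    """Install ports covered by one IpPermission (protocol -1 means every port)."""
    if perm["IpProtocol"] == "-1":
        return sorted(INSTALL_PORTS)
    if perm["IpProtocol"] != "tcp":
        return []
    return sorted(p for p in INSTALL_PORTS if perm["FromPort"] <= p <= perm["ToPort"])

def leftover_install_rules(group):
    """Return (port, cidr) pairs where an install port is reachable from outside TRUSTED_CIDRS."""
    findings = []
    for perm in group.get("IpPermissions", []):
        ports = _ports_in(perm)
        for rng in perm.get("IpRanges", []):  # IPv4 ranges only
            src = ip_network(rng["CidrIp"])
            if any(src.subnet_of(t) for t in TRUSTED_CIDRS):
                continue  # internal source, not a leftover install opening
            findings.extend((p, rng["CidrIp"]) for p in ports)
    return sorted(findings)

def revoke_command(group_id, port, cidr):
    """AWS CLI command that removes one leftover rule (the 'delete the firewall rule' step)."""
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--protocol tcp --port {port} --cidr {cidr}")

if __name__ == "__main__":
    for port, cidr in leftover_install_rules(SAMPLE_GROUP):
        print(f"port {port} still open to {cidr}:")
        print("  " + revoke_command(SAMPLE_GROUP["GroupId"], port, cidr))
```

Run it against the real output of `aws ec2 describe-security-groups --group-ids <id>` after the HTTPS re-lock, and expect an empty result.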
Middleware Services – The Usual Suspects
The middleware services pattern proxies the web requests for the middleware through an Apache Web Server. Usually HTTPS traffic flows to Apache, and from there it switches to HTTP to and from the middleware service.
The usual middleware services suspects are:
- Jira Issues Manager
- Jenkins Continuous Integration Server
- Nexus Repository Manager
- Bugzilla or BugTracker
- dotProject or @Task
The pattern balances good security with timely installation, simple maintenance and a configuration complexity that sits between simple and manageable.
To get excellent security, especially when other machine users cannot be trusted, you need to run HTTPS right down to the middleware service itself.
This HTTPS-all-the-way approach makes for a significantly longer install and for maintenance headaches, because certificates must be managed for each service. All this invites unprecedented levels of complexity that are only justified when a business case explicitly requires it.