Solving the SSL V3 / SHA-2 / TLS / MD5 / Poodle problem on Linux – Part 2 – Deploying Apache with Domino

Part 1 – What is the problem
Part 2 – ( This Post ) Installing a simple Linux Reverse Proxy on the same box ( 20 mins )
Part 3 – Converting your Domino SSL Certificate to work with Apache (30 mins )

The Fix

This fix is to add an Apache Server in front of Domino where Domino is running on a Linux box. All of the web serving functionality will be handled by Apache.

It should take about 20 minutes.

Note at the end of this step you will be using a self signed SSL certificate. Part 3 shows you how to convert your Domino SSL certificate for use with Apache but note that you will need a Windows XP machine ( no kidding ).

How it works

The Domino web server will be changed to serve only on port 8080 (or similar). Apache will listen for traffic on ports 80 and 443. When requests are received they are passed through to Domino transparently.

The port 80 traffic is configured in the /etc/httpd/conf/httpd.conf file
The port 443 traffic is configured in the /etc/httpd/conf.d/ssl.conf file

In the example below all traffic is redirected to SSL, but you can change this if you want to use both port 80 and port 443.

Step 1 – Change some Domino Settings

a) In the server document change the HTTP Port to 8080 or similar.


b) In the Notes.ini settings section of the configuration document make the following changes. Adding them here means that they are less likely to get forgotten at the next upgrade etc.

HTTPAllowDecodedUrlPercent = 1
HTTPEnableConnectorHeaders = 1     IMPORTANT – please see http://nevermind.dk/nevermind/blog.nsf/subject/security-hole-leaves-ibm-domino-server-wide-open—part-two 

If you need to use the above notes ini variable then you must also add

RequestHeader unset "$WSRU"

to the httpd.conf and ssl.conf files in Apache
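To make the effect of that directive concrete, here is a small Python model, added to this post (it is not code from the original post, from Apache or from Domino), of what the RequestHeader directives do to a request before Apache proxies it to Domino: a client-supplied $WSRU is dropped, and $WSRA is overwritten with the TCP peer address Apache actually saw. The client headers and peer address are constructed sample values.

```python
"""Model of the $WSRU / $WSRA handling performed by the Apache directives
    RequestHeader unset "$WSRU"
    SetEnvIf REMOTE_ADDR (.*) temp_remote_addr=$1
    RequestHeader set "$WSRA" "%{temp_remote_addr}e"
before a request is proxied to Domino.  Added example, not from the post."""

# Connector headers Domino acts on when HTTPEnableConnectorHeaders=1.
# Header names are compared case-insensitively, as Apache does.
CONNECTOR_HEADERS = ("$wsru", "$wsra")


def headers_forwarded_to_domino(client_headers, peer_ip, unset_wsru=True):
    """Return the header list Apache hands to Domino.

    client_headers: list of (name, value) exactly as the client sent them
    peer_ip:        the TCP peer address Apache saw (REMOTE_ADDR)
    unset_wsru:     whether `RequestHeader unset "$WSRU"` is configured
    """
    forwarded = []
    for name, value in client_headers:
        lname = name.lower()
        if lname == "$wsru" and unset_wsru:
            continue            # RequestHeader unset "$WSRU": dropped
        if lname == "$wsra":
            continue            # RequestHeader set replaces any client copy
        forwarded.append((name, value))
    # RequestHeader set "$WSRA" "%{temp_remote_addr}e": always the real peer
    forwarded.append(("$WSRA", peer_ip))
    return forwarded


def connector_headers_seen_by_domino(forwarded):
    """Pick out the connector headers Domino would act on."""
    return {n.lower(): v for n, v in forwarded if n.lower() in CONNECTOR_HEADERS}


# Constructed sample request: a client that supplies its own connector
# headers alongside an ordinary Host header.  These values are made up.
SAMPLE_CLIENT_HEADERS = [
    ("Host", "yourserver.com"),
    ("$WSRU", "CN=Administrator/O=Example"),   # must never reach Domino
    ("$WSRA", "10.0.0.1"),                     # not the real peer address
]
SAMPLE_PEER_IP = "203.0.113.7"                 # documentation address range

if __name__ == "__main__":
    hardened = headers_forwarded_to_domino(SAMPLE_CLIENT_HEADERS, SAMPLE_PEER_IP)
    print("with unset:   ", connector_headers_seen_by_domino(hardened))
    plain = headers_forwarded_to_domino(SAMPLE_CLIENT_HEADERS, SAMPLE_PEER_IP,
                                        unset_wsru=False)
    print("without unset:", connector_headers_seen_by_domino(plain))
```

With the unset line in place Domino only ever sees the $WSRA value Apache wrote; without it, whatever the client put in $WSRU is forwarded unchanged, which is why the post marks the notes.ini setting as IMPORTANT.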



c) Check if any internet documents are set to force HTTP traffic to SSL and add a note to the Key file name field to remind you what you have done when you later have a senior moment.


d) restart the HTTP task

in the Domino console issue > tell http restart

this will free up port 80 for Apache to use.

e) Check that Domino is running on port 8080

note there may be firewall rules that need to be adjusted

http://yourserver.com:8080

Step 2 – Install Apache

Using the server console ( I use putty as it makes it easy to paste )

a) Update your Linux

>yum update

b) install Apache

>yum install httpd

c) install the SSL functionality

>yum install mod_ssl openssl

d) make Apache run on startup

>chkconfig --levels 235 httpd on

e) start Apache

>service httpd start

f) test Apache

http://yourserver.com should show the Apache page below

https://yourserver.com should throw an SSL certificate error but then open


Step 3 – Configure Apache as a reverse proxy for Domino

Apache has a lot of functionality for Aliases so that you can manage multiple web domains on a single server. I have ignored this functionality for the most part to go for a very simple but effective scheme.

The easiest way to copy and edit files on Linux is to use WinSCP

a) backup the default /etc/httpd/conf/httpd.conf file


b) in the /etc/httpd/conf/httpd.conf file add the following 12 lines


################
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes On
# these 2 lines preserve the IP address in domlog.nsf
# see http://www.leyon.at/blog/dx/getting-the-client-ip-in-an-ibm-domino-app-behind-a-reverse-proxy
SetEnvIf REMOTE_ADDR (.*) temp_remote_addr=$1
RequestHeader set "$WSRA" "%{temp_remote_addr}e"
# Include the 3 lines below if you want to always redirect to SSL
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NE,NC,R=301,L]
# Include the 2 lines below if you have disabled the 3 lines above
#RewriteEngine On
#RewriteRule ^/(.*) http://localhost:8080/$1 [NE,P]
################

The AllowEncodedSlashes On line is needed for some XPages and Quickr functionality.

The RewriteCond %{SERVER_PORT} !^443$ and RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NE,NC,R=301,L] lines redirect all non-HTTPS traffic to HTTPS. If you do not want this to happen, comment out these lines and uncomment the next 2 lines.

The RewriteRule ^/(.*) http://localhost:8080/$1 [NE,P] line proxies all traffic to Domino on port 8080. It is not required here if all traffic will be SSL, as the same rule is specified in the /etc/httpd/conf.d/ssl.conf file.

Update : The NE attribute is explained in this post

c) backup the default /etc/httpd/conf.d/ssl.conf file

d) add the following 5 lines to the /etc/httpd/conf.d/ssl.conf file


###################################
AllowEncodedSlashes On
RewriteEngine On
# redirect www.example.com to example.com, keeping the request path
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^/(.*)$ https://%1/$1 [R=301,L]
# proxy everything else to Domino on port 8080
RewriteRule ^/(.*) http://localhost:8080/$1 [NE,P]
######################################

I was surprised that the AllowEncodedSlashes On needed to be stated again but it does as I found out when our Font Awesome functionality stopped working in XPages.

e) in /etc/httpd/conf.d/ssl.conf file disable the use of SSL V3
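Because these directives have to survive the next upgrade (the same concern raised for the notes.ini settings in Step 1), here is an added Python checker, not part of the original post, that reads httpd.conf and ssl.conf text and reports which of the directives from steps 3b, 3d and 3e are missing. The sample configuration strings are constructed from the lines above; the SSLProtocol all -SSLv2 -SSLv3 line standing in for step e is an assumption, since the post shows that step only as a screenshot, as is the SSLProtocol all -SSLv2 line used to represent an unedited ssl.conf.

```python
"""Static check of the Apache directives this post adds for the Domino reverse
proxy.  Added example, not from the post.  Run it against the real files with
    audit(open("/etc/httpd/conf/httpd.conf").read(),
          open("/etc/httpd/conf.d/ssl.conf").read())
"""
import shlex


def directives(config_text):
    """Yield (name, args) for every active directive line.

    Comment lines and <section> tags are skipped; names are lower-cased
    because Apache matches directive names case-insensitively.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        try:
            parts = shlex.split(line)      # removes the quotes around "$WSRU"
        except ValueError:                 # unbalanced quote: plain split instead
            parts = line.split()
        if parts:
            yield parts[0].lower(), parts[1:]


def _has(seen, name, pred=lambda args: True):
    return any(n == name and pred(a) for n, a in seen)


def sslv3_disabled(args):
    """True if an SSLProtocol argument list leaves SSLv3 switched off."""
    toks = [t.lower() for t in args]
    if not toks:
        return False
    if "-sslv3" in toks:
        return True
    # An explicit list such as "TLSv1 TLSv1.1 TLSv1.2" enables only what it names.
    return "all" not in toks and "sslv3" not in toks and "+sslv3" not in toks


def audit(httpd_conf, ssl_conf):
    """Return a list of findings; an empty list means every directive is present."""
    findings = []
    for fname, text in (("httpd.conf", httpd_conf), ("ssl.conf", ssl_conf)):
        seen = list(directives(text))
        if not _has(seen, "allowencodedslashes", lambda a: a and a[0].lower() == "on"):
            findings.append(f"{fname}: AllowEncodedSlashes On missing (XPages/Quickr URLs)")
        if not _has(seen, "requestheader",
                    lambda a: [t.lower() for t in a[:2]] == ["unset", "$wsru"]):
            findings.append(f'{fname}: RequestHeader unset "$WSRU" missing '
                            "(required with HTTPEnableConnectorHeaders=1)")
    seen = list(directives(httpd_conf))
    if not _has(seen, "proxyrequests", lambda a: a and a[0].lower() == "off"):
        findings.append("httpd.conf: ProxyRequests Off missing (would allow forward proxying)")
    if not _has(seen, "requestheader",
                lambda a: [t.lower() for t in a[:2]] == ["set", "$wsra"]):
        findings.append('httpd.conf: RequestHeader set "$WSRA" missing (client IP in domlog.nsf)')
    seen = list(directives(ssl_conf))
    if not _has(seen, "sslprotocol", sslv3_disabled):
        findings.append("ssl.conf: SSLProtocol does not disable SSLv3 (POODLE)")
    return findings


# Constructed sample: the httpd.conf additions from step 3b plus the $WSRU line
HARDENED_HTTPD_CONF = """
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes On
SetEnvIf REMOTE_ADDR (.*) temp_remote_addr=$1
RequestHeader set "$WSRA" "%{temp_remote_addr}e"
RequestHeader unset "$WSRU"
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NE,NC,R=301,L]
"""

# Constructed sample: ssl.conf after steps 3d and 3e (SSLProtocol line assumed)
HARDENED_SSL_CONF = """
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
AllowEncodedSlashes On
RequestHeader unset "$WSRU"
RewriteEngine On
RewriteRule ^/(.*) http://localhost:8080/$1 [NE,P]
</VirtualHost>
"""

# Constructed sample: an ssl.conf that was never edited (SSLProtocol line assumed)
STOCK_SSL_CONF = """
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
</VirtualHost>
"""

if __name__ == "__main__":
    for label, ssl_text in (("hardened", HARDENED_SSL_CONF), ("stock", STOCK_SSL_CONF)):
        print(label, audit(HARDENED_HTTPD_CONF, ssl_text) or ["ok"])
```

The checker treats a missing SSLProtocol line as a finding too, because without one mod_ssl falls back to its own default rather than to anything you chose.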


f) restart Apache

>service httpd restart

g) test the server

http://myserver.com should redirect to https://myserver.com

the Domino content should be served up

h) test that the connection is TLS1.2 rather than SSL V3


Step 4 – Block users from accessing Domino via port 8080


Conclusion

Your Domino HTTP content is now being served via a modern web server that can use SHA-2 and TLS. It is still using the self signed SSL certificate, but you can create a new one – all of the SSL providers have instructions for Apache, or you can use Part 3 of the series to convert your existing SSL certificate for Apache.

11 Replies to “Solving the SSL V3 / SHA-2 / TLS / MD5 / Poodle problem on Linux – Part 2 – Deploying Apache with Domino”

  1. Hi Sean, yes SELinux can be a pain in the a**. Because by default it is there and it doesn’t bother me.
    But in some cases it can drive you crazy. But it is safe to turn it off on a dedicated CentOS Domino server environment?

  2. Hi

    I tried this solution but it gives me an error on names.nsf, I think it’s because I use a redirect database.

    How can I achieve this when using a redirect database? In my case I have mail.example.com/redirect.nsf and when users login the url is mail.example.com/mail/user.nsf?OpenDatabase

    Thanks in advance

  3. Sean,
    thank you very much for your clear and structured guidelines.
    I applied your way of Apache reverse proxy on Centos 6.6 and experienced 2 issues:

    1) I forgot to disable “Require SSL connection” in Database properties. The result was only http error 302 and blocked access to the db with no clear message (neither in domlog.nsf nor in ssl error logs)
    2) When I open a db of type Discussion – Notes @ Web, the MainFrameset web is OK for the view of documents, but when I create a new document, the left column of the frameset is deformed, rewritten by the text: Http Status Code: 400
    Reason: Unknown or unsupported protocol version.

    Probably caused by my modifications of the frameset. Anyway, your comments and advice for point 2 would be appreciated.

    Thank you once more,
    Hynek

  4. Hi Sean,

    I installed the proxy and it works great. One question: when I access my databases the main headers display but the content is insecure, so we get a blank screen until we allow insecure content. This doesn’t happen when we run through the Domino SSL?

    1. Hello @Chris & @Hynek
      I have just had this problem too 🙁

      It is “Mixed content” as you suggest – in my case an iFrame was requesting the http protocol rather than the https one.

      The protocol was derived in the code from facesContext.getExternalContext().getRequest(); but from the Domino server’s perspective the request IS HTTP

      It is the browser that is stopping the request so it never gets submitted to the proxy firewall and thus there is never the chance to re-write the rules from http to https – bummer

      I have tried a few things but they all involve changing the application

      Relative URLs sound promising but there is also some negative feedback to this technique – https://yoast.com/relative-urls-issues/

      The other method is to have a configurable “base url” in the application that includes the protocol.

      Not great really

      Sean
