In a production environment, it is a best practice to integrate a web server to handle static content. This reduces load on the application servers, which results in faster response times for users. For application security, many Appian installations also use SSL encryption at the web server layer or on a hardware SSL accelerator in front of the web server.
Due to the potential for negative impact on site performance, applying SSL encryption/decryption at the application server level should be tested thoroughly before use in production.
The web server decides whether to handle a request or not based on the request URL's extension (or some other URL pattern). For instance, it is highly likely that we would want the web server to handle requests for JPG files (images), but not JSP files (dynamic pages). This is known as MIME-type filtering.
When the web server encounters a request that it can't handle itself, it passes the request to the application server, returning the application server response to the user. When a web server is configured in this manner, it is acting as a reverse-proxy. Apache and JBoss communicate using the AJP13 protocol.
Perform the steps below to configure an Apache HTTP 2.4 Server to selectively handle some requests and pass others to the application server. For this example, we use a JBoss application server on a Linux operating system and assume SSL is configured for Apache.
It's impractical to list all of the various configurations between the operating system, web server, and application server. Instead, this guide was created with the following assumptions:
mod_jk module (.so file), which can be found here: tomcat.apache.org has been moved into
mod_jk module is used to configure Apache as a reverse-proxy for an application server.
mod_jk.1.2.x.so. For this example we loaded 1.2.42.
server.key) should be moved to
443 for HTTPS is being used.
Deviations from these assumptions can still yield a valid web server setup, but additional configuration steps may be required. Finally, JBoss' root installation path will hereinafter be referred to as
<connector> element is defined in the
instance-id attribute in the
<subsystem xmlns="urn:jboss:domain:web:2.*"> element should be set to a value that uniquely identifies this JBoss instance. Add an
instance-id attribute and set it to
node1. This id will be used to identify this application server to Apache workers.
standalone.xml file would need to be modified with a unique
instance-id. For example,
<socket-binding> element is defined in the
8009. Apache must send requests to JBoss using the correct port number.
httpd.conf is the primary configuration file for Apache. All of the configuration steps below will be done by updating or adding settings to the
httpd.conf file, update the pre-loaded modules with the
Apache comes with several modules pre-loaded that are either enabled or disabled by default. Ensure that your
httpd.conf file has the following modules enabled by removing the
# symbol before the
Specific worker properties are configured using the
JKWorkerProperty directive. Workers will execute servlets on behalf of the web server.
Even though we're only connecting to a single app server, we're setting load balance properties now for ease of configuration later.
For application security, many installations opt to use encryption at the web server layer or on an SSL accelerator hardware device in front of the web server. Configuration settings for this option will vary, depending on your environment. This information is provided as an example of one possible configuration. The SSL module (
mod_ssl) comes pre-installed with Apache 2.4.
httpd.conf, verify that the LoadModule directive:
LoadModule ssl_module modules/mod_ssl.so is not commented out.
mod_jk to use the SSL information:
nosniff setting for the
X-Content-Type-Options response header is used, omit
SetEnvIf REQUEST_URI "\.gif$" no-jk
This configuration example does not use the
JKMount directive to tell Apache explicitly what to pass on to the application server. Instead, it lists only those extensions which the web server should handle with exceptions noted with
!no-jk. Everything else will be passed on to the application server. This method of configuring
mod_jk for Apache is simpler and will require fewer changes between upgrades.
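Because the rules are evaluated top to bottom, an exception only works if it comes after the extension rule it overrides. The following check is an added example, not Appian's configuration or code: only the .gif rule comes from this page, the other rules and the /suite/dynamic/ path are constructed, and Python's re module stands in for Apache's regex engine, which agrees on patterns this simple.

```python
import re

# Constructed rules in the style described above; only the .gif line is from the page.
# The /suite/dynamic/ exception path is hypothetical.
RULES = r'''
SetEnvIf REQUEST_URI "\.gif$" no-jk
SetEnvIf REQUEST_URI "\.css$" no-jk
SetEnvIf REQUEST_URI "\.js$" no-jk
SetEnvIf REQUEST_URI "^/suite/dynamic/" !no-jk
'''

def parse_rules(conf):
    """Return [(regex, sets_no_jk)] for SetEnvIf REQUEST_URI ... no-jk / !no-jk, in file order."""
    rules = []
    line = r'(?im)^\s*SetEnvIf\s+REQUEST_URI\s+"([^"]+)"\s+(!?)no-jk\s*$'
    for pattern, negate in re.findall(line, conf):
        rules.append((re.compile(pattern), negate == ""))
    return rules

def served_by(uri, rules):
    """Apply the rules in order; the last matching rule decides whether no-jk is set."""
    no_jk = False
    for regex, sets_no_jk in rules:
        if regex.search(uri):
            no_jk = sets_no_jk
    return "web server" if no_jk else "application server"

def audit(conf, must_forward):
    """Return the URIs in must_forward that these rules would keep on the web server."""
    rules = parse_rules(conf)
    return [uri for uri in must_forward if served_by(uri, rules) == "web server"]

if __name__ == "__main__":
    dynamic = ["/suite/dynamic/report.js", "/suite/home.jsp"]
    print("as written:", audit(RULES, dynamic))
    # Same rules with the exception moved to the top: it is now overridden by \.js$.
    reordered = "\n".join(reversed(RULES.strip().splitlines()))
    print("exception first:", audit(reordered, dynamic))
```

Run it against the real rule block and a list of dynamic paths after every edit to httpd.conf; any URI it returns would be answered by Apache instead of reaching the application server.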
Add the following properties to
httpd.conf (updating the Directory tag with your directory path as needed) to aggressively cache unchanging static content and to prevent certain dynamic paths from being cached:
Since the web server will be handling requests for static resources and forwarding all other requests to the application server, you need to copy over the static files that ship with Appian.
<APACHE HOME> create the following folder structure
www/suite. This will be the home for static web content read by the web server.
If the web server is on a different machine from the application server, a common configuration, these files will need to be copied to that location on the other machine.
Once Apache has been enabled, all requests are sent directly to the web server. The
SERVER_AND_PORT property must be configured to the value of the web server hostname and port.
custom.properties configuration file in the following location:
SCHEME property is set to the following:
SERVER_AND_PORT property is set to the following:
Start (or restart) Apache and check that this results in a web server that is listening on port
443, with HTTPS enabled.
In the configurations above, only one application server is being used. If you want to configure two or more application servers for failover and load balancing, add a definition corresponding to each application server, ensuring that the AJP port is different for each server, based on the following example:
balanced_workers property now lists
node2. Ensure that the
ajp13 port number for each running application server matches what is in that application server's
standalone.xml file. This was verified previously in the Configure JBoss section when checking the
If multiple application servers are running on the same machine, the port numbers will have to be adjusted appropriately.
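The port and instance-id matching described above and in the JBoss section can be checked mechanically. The following is an added example, not Appian's code: the worker lines and the minimal standalone.xml template are constructed, and it assumes each worker is named after the JBoss instance-id and that the AJP socket-binding carries a literal port number.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: two JBoss instances on one machine behind one load-balancer worker.
HTTPD_CONF = """\
JkWorkerProperty worker.node1.port=8009
JkWorkerProperty worker.node2.port=8109
JkWorkerProperty worker.LoadBalancer.type=lb
JkWorkerProperty worker.LoadBalancer.balance_workers=node1,node2
"""
# Constructed, minimal standalone.xml template holding only the elements the check reads.
STANDALONE = ('<server xmlns="urn:jboss:domain:1.7"><profile>'
              '<subsystem xmlns="urn:jboss:domain:web:2.2" instance-id="{node}"/></profile>'
              '<socket-binding-group name="standard-sockets">'
              '<socket-binding name="ajp" port="{port}"/></socket-binding-group></server>')

def parse_workers(conf):
    """Collect 'JkWorkerProperty worker.<name>.<prop>=<value>' lines as {name: {prop: value}}."""
    workers = {}
    for name, prop, value in re.findall(r"(?im)^\s*JkWorkerProperty\s+worker\.([^.\s=]+)\.(\w+)\s*=\s*(\S+)", conf):
        workers.setdefault(name, {})[prop] = value
    return workers

def jboss_ajp(xml):
    """Return (instance-id, AJP port) from a standalone.xml, whatever its namespace versions."""
    node = port = None
    for el in ET.fromstring(xml).iter():
        if el.tag.endswith("}subsystem") and ":domain:web:" in el.tag:
            node = el.get("instance-id")
        if el.tag.endswith("}socket-binding") and el.get("name") == "ajp":
            port = int(el.get("port"))
    return node, port

def check(conf, standalone_files):
    """Return findings (empty = consistent) on worker names, AJP ports and balancer membership."""
    workers, findings, balanced = parse_workers(conf), [], set()
    for props in workers.values():
        if props.get("type") == "lb":  # mod_jk also accepts the older name balanced_workers
            members = props.get("balance_workers") or props.get("balanced_workers", "")
            balanced.update(m for m in members.split(",") if m)
    for xml in standalone_files:
        node, port = jboss_ajp(xml)
        if node not in workers:
            findings.append(f"no worker named after instance-id {node!r}")
        elif int(workers[node].get("port", 8009)) != port:  # 8009 is mod_jk's ajp13 default
            findings.append(f"{node}: worker port {workers[node].get('port')} != AJP port {port}")
        elif node not in balanced:
            findings.append(f"{node}: missing from the load balancer's worker list")
    return findings
```

Call check() with the text of httpd.conf and the contents of each application server's standalone.xml; an empty list means every instance has a worker on the right port that the balancer knows about.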
It is generally a good idea to redirect all the non-HTTPS traffic on port
80 through the HTTPS port. To do so, add the following lines to the
For improved performance, add (or change if already present) the following properties to the
deflate module, or
Append the following lines to the
httpd.conf file, which enables the compression for all JS, CSS, HTML and plain text files:
DeflateCompressionLevel specifies the level of compression used. The higher the value, the better the compression.
To learn more about DeflateCompressionLevel, check out the Apache documentation regarding
If you need a certificate and key for HTTPS, follow these steps to generate one. These steps use a locally installed OpenSSL package to generate a certificate. For enterprise installations, a digitally signed certificate should be obtained through different means.
/bin directory in your OpenSSL directory.
<OPENSSL_INSTALL>\bin\conf>openssl req -config openssl.cnf -new -out server.csr.
Common Name to be used on the certificate, be sure to enter your domain name. Otherwise, browsers issue security warnings to your users.
privkey.pem) and a signing request (
<OPENSSL_INSTALL>\bin\conf>openssl rsa -in privkey.pem -out server.key
server.crt by entering the following command:
<OPENSSL_INSTALL>\bin\conf>openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365.
server.crt) and key (
server.key) files can now be used by Apache.