[GeoNode-users] Example GeoNode Proxy Set Up With Virtual Machines

Jones, Peter plj2 at wustl.edu
Fri May 18 15:10:46 PDT 2018


Here is an update with our edited configuration as of May 18, 2018:

* This configuration is just for testing and only includes variables that I edited or conspicuously left unchanged.  I've added Let's Encrypt certificates.  https://letsencrypt.org *

We have 1 Physical Machine with 2 Virtual Machines.
The Physical Machine controls the firewall and sends traffic to virtual machine 1.
Virtual Machine 1 runs Apache and directs relevant requests to Virtual Machine 2.  Let's Encrypt certificates are here, and are renewed here.
Virtual Machine 2 is our new instance of GeoNode with SSL.  We use https in the virtual bridge to avoid interception by other virtual machines.  The certificates on Machine #1 must be copied here... this can be done manually or with an rsync called from  cron.

##############  BEGIN Physical Machine #########################
CentOS
outside ip address 111.112.113.114
qemu libvirt
virtual bridge ip address 192.168.122.1

iptables sends port 80 and 443 to Virtual Machine 1

##BEGIN EXCERPT  Physical Machine /etc/sysconfig/iptables
# nat table. Inbound 80/443 on the public address is DNATed to VM #1; DNAT leaves the source
# address alone, so the Allow-from lists on VM #1 see the real client addresses.
-A PREROUTING -d 111.112.113.114/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.123:80
-A PREROUTING -d 111.112.113.114/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.123:443
# Connections the host makes to itself are NATed in the nat OUTPUT chain, not in PREROUTING,
# so these two rules do not give the host a path to VM #1; the /etc/hosts entry below does.
-A PREROUTING -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.123:80
-A PREROUTING -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.123:443
# The filter table's FORWARD chain must also accept new connections to 192.168.122.123 on 80/443.
# libvirt's own FORWARD rules reject unsolicited traffic into virbr0, so that ACCEPT has to sit
# in front of them.
##END EXCERPT  Physical Machine /etc/sysconfig/iptables

##BEGIN EXCERPT Physical Machine /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# Lets the host itself reach VM #1 by the certificate's name, straight across the bridge.
192.168.122.123 primarynameofvirtualhost1certificate.com
##END EXCERPT Physical Machine /etc/hosts

#######BEGIN Virtual Machine #1 #####
CentOS
ip address 192.168.122.123
Virtual Machine 1 Controls Apache instance to the outside world.
Routes traffic to Virtual Machine #2

##BEGIN EXCERPT  Virtual Machine #1 /etc/hosts
192.168.122.234 testmap.foo.bar.com
##END EXCERPT    Virtual Machine #1 /etc/hosts

##BEGIN EXCERPT /etc/httpd/conf/httpd.conf

## For certbot --webroot: /.well-known/acme-challenge/ is served from the webroot over plain
## HTTP, and every other non-HTTPS request is redirected. One rule set is enough (the posted
## file repeated it twice); using %{REQUEST_URI} as the target avoids guessing how much of
## the path the per-directory pattern sees.
Alias /.well-known "/var/www/letsencrypt/.well-known"
<Location />
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    Order allow,deny
    Allow from all
</Location>

# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

##END EXCERPT /etc/httpd/conf/httpd.conf

##BEGIN EXCERPT    Virtual Machine #1 /etc/httpd/conf.d/z.geonode.foo.bar.com.conf
<VirtualHost *:443>

    ServerName testmap.foo.bar.com

    ErrorLog logs/geonode_error_log
    TransferLog logs/geonode_access_log
    LogLevel warn

    SSLEngine on
    SSLProxyEngine on
    # "all -SSLv2" still allows SSLv3 and TLS 1.0/1.1; this leaves TLS 1.2 (and newer,
    # where the OpenSSL build supports it).
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # As posted, the certificate VM #2 presents is not verified at all: anything that answers
    # on 192.168.122.234 is accepted, so the HTTPS hop across the bridge gives confidentiality
    # but not authenticity. VM #2 serves the same publicly trusted Let's Encrypt certificate,
    # so the checks can be left on instead:
    #   SSLProxyVerify require
    #   SSLProxyCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    #   SSLProxyCheckPeerName on
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off

    SSLCertificateFile /etc/letsencrypt/live/www.primarynameofvirtualhost1certificate.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.primarynameofvirtualhost1certificate.com/privkey.pem
    # chain.pem holds the intermediate(s); fullchain.pem would send the leaf certificate twice.
    SSLCertificateChainFile /etc/letsencrypt/live/www.primarynameofvirtualhost1certificate.com/chain.pem

    # Everything goes to VM #2 over HTTPS. Only the first ProxyPass for a given path is ever
    # used, so the plain-http pair that followed it in the posted file was dead configuration.
    ProxyPass / https://testmap.foo.bar.com/
    ProxyPassReverse / https://testmap.foo.bar.com/

    # Django admin only from the listed addresses. This must not be wrapped in
    # <Limit GET POST PUT>: access control inside <Limit> applies to the listed methods only,
    # so OPTIONS, DELETE, PATCH and any other method would reach /admin/ unrestricted.
    SetEnvIf Request_URI .*admin/.* denyadmin
    <Location />
        Order deny,allow
        Deny from env=denyadmin
        Allow from 127.0.0.1
        Allow from 128.252.18.53
        Allow from 192.168.122.127
    </Location>

    # <Directory proxy:> is 2.2-era syntax; in 2.4 proxied requests are controlled with <Proxy>.
    <Proxy *>
        Order Deny,Allow
        Allow from all
    </Proxy>

</VirtualHost>



<VirtualHost *:80>
    ServerName testmap.foo.bar.com
    # Same rule as the global <Location /> in httpd.conf: serve ACME challenges, redirect the rest.
    <Location />
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteCond %{REQUEST_URI} !^/\.well-known/
        RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        Order allow,deny
        Allow from all
    </Location>

#    Redirect permanent / https://testmap.foo.bar.com/


</VirtualHost>

##END EXCERPT    Virtual Machine #1 /etc/httpd/conf.d/z.geonode.foo.bar.com.conf


##BEGIN EXCERPT Virtual Machine #1 crontab
# As posted. --dry-run only rehearses the renewal against the Let's Encrypt staging environment
# and never writes a certificate, so this line on its own lets the live certificate expire.
#36 2 * * 5  /usr/bin/certbot --dry-run  renew --rsa-key-size 4096 --webroot -w /var/www/letsencrypt --post-hook "/bin/systemctl restart  httpd.service"  >/dev/null 2>&1
# Real renewal. --deploy-hook runs only when a certificate was actually renewed (--post-hook runs
# on every attempt), a reload is enough for httpd to pick up the new files, and the output is kept.
36 2 * * 5  /usr/bin/certbot renew --rsa-key-size 4096 --webroot -w /var/www/letsencrypt --deploy-hook "/bin/systemctl reload httpd.service" >>/var/log/certbot-renew.log 2>&1
##END EXCERPT Virtual Machine #1 crontab

#######END Virtual Machine #1 #####

###### BEGIN Virtual Machine #2 #####
A standard GeoNode installation with Ubuntu LTS
ip address 192.168.122.234

Used GeoNode Quick Installation Instructions here:
http://docs.geonode.org/en/master/tutorials/install_and_admin/quick_install.html
Used GeoNode SSL Instructions Here:
http://docs.geonode.org/en/master/tutorials/advanced/geonode_production/ssl.html

##BEGIN EXCERPT    Virtual Machine #2  /etc/hosts
127.0.0.1  testmap.foo.bar.com localhost
127.0.1.1       anameicallthevirtualmachine2
# The following lines are desirable for IPv6 capable hosts
::1     testmap.foo.bar.com localhost ip6-localhost ip6-loopback
##END EXCERPT    Virtual Machine #2  /etc/hosts

##BEGIN EXCERPT    Virtual Machine #2  /etc/apache2/sites-available/geonode.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName localhost
    ServerAlias 127.0.0.1
    ServerAlias 192.168.122.234
    ServerAlias testmap.foo.bar.com


          #STANDARD GEONODE TAGS HERE#

    <Proxy *>
      Order allow,deny
      Allow from all
    </Proxy>

    ProxyPreserveHost On
    ProxyPass /geoserver http://localhost:8080/geoserver
    ProxyPassReverse /geoserver http://localhost:8080/geoserver

    # The admin address restriction lives on VM #1 only. This vhost also answers on
    # 192.168.122.234, so any other guest on 192.168.122.0/24 can reach /admin/ directly
    # and skip it. Restricting the vhost to the proxy and to local callers closes that:
    #<Location />
    #    Order deny,allow
    #    Deny from all
    #    Allow from 127.0.0.1 192.168.122.123
    #</Location>

    SSLEngine on
    # Same certificate as on VM #1, copied over by the rsync job mentioned above.
    SSLCertificateFile /etc/letsencrypt/live/www.primarynameofvirtualhost1certificate.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.primarynameofvirtualhost1certificate.com/privkey.pem
    # chain.pem, not fullchain.pem: fullchain.pem repeats the leaf certificate.
    SSLCertificateChainFile /etc/letsencrypt/live/www.primarynameofvirtualhost1certificate.com/chain.pem

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

<VirtualHost  *:80>
    Redirect permanent / https://testmap.foo.bar.com/
</VirtualHost>

##END  EXCERPT    Virtual Machine #2  /etc/apache2/sites-available/geonode.conf

##BEGIN  EXCERPT    Virtual Machine #2  /etc/tomcat8/server.xml
<Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    URIEncoding="UTF-8"
    scheme="https"
    proxyName="testmap.foo.bar.com"
    proxyPort="443"
/>

##END  EXCERPT    Virtual Machine #2  /etc/tomcat8/server.xml


##BEGIN  EXCERPT    Virtual Machine #2   /etc/geonode/local_settings.py
import os

SITEURL = 'https://testmap.foo.bar.com/'

# Hosts the GeoNode /proxy/ view may fetch from (an SSRF guard), and the hosts Django accepts
# in the Host header. Both are exact-name allow-lists.
PROXY_ALLOWED_HOSTS = ['127.0.0.1', '192.168.122.234', 'testmap.foo.bar.com', 'localhost', '::1']

#ALLOWED_HOSTS = [urlparse(SITEURL).hostname] if os.getenv('ALLOWED_HOSTS') is None \
#    else re.split(r' *[,|:|;] *', os.getenv('ALLOWED_HOSTS'))
ALLOWED_HOSTS = ['127.0.0.1', '192.168.122.234', 'testmap.foo.bar.com', 'localhost', '::1']

DATABASE_HOST = 'localhost'

# GeoNode talks to GeoServer over plain HTTP on the loopback interface; only the public URL is HTTPS.
GEOSERVER_LOCATION = os.getenv(
    'GEOSERVER_LOCATION', 'http://localhost:8080/geoserver/'
)

OGC_SERVER = {
    'default': {
        'BACKEND': 'geonode.geoserver',
        'LOCATION': GEOSERVER_LOCATION,
        # remaining OGC_SERVER['default'] keys unchanged from the GeoNode sample settings
    },
}

##END  EXCERPT    Virtual Machine #2   /etc/geonode/local_settings.py

##BEGIN  EXCERPT    Virtual Machine #2   /usr/share/geoserver/WEB-INF/web.xml
        <context-param>
                <param-name>GEONODE_BASE_URL</param-name>
                <param-value>https://testmap.foo.bar.com/</param-value>
        </context-param>

##END  EXCERPT    Virtual Machine #2   /usr/share/geoserver/WEB-INF/web.xml

##BEGIN  EXCERPT    Virtual Machine #2   /usr/share/geoserver/data/global.xml
 <proxyBaseUrl>https://testmap.foo.bar.com/geoserver</proxyBaseUrl>

##END  EXCERPT    Virtual Machine #2   /usr/share/geoserver/data/global.xml


###### END Virtual Machine #2 #####

############## END Physical Machine #########################


Peter Jones

Programmer II, Department of Psychiatry
Washington University School of Medicine in St. Louis
660 South Euclid Avenue, Box 8134
St. Louis, MO 63130

e-mail: PLJ2 at WUSTL.EDU | pronouns: he/him/his
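The VM #1 vhost in the message above carries several settings worth flagging: the admin access control sits inside `<Limit GET POST PUT>`, backend certificate checks are switched off, a second ProxyPass for `/` is shadowed by the first, `SSLProtocol all -SSLv2` still permits SSLv3 and TLS 1.0/1.1, and fullchain.pem is used as the chain file. As an added example, not code from the post or from the GeoNode project, here is a small linter that scans an Apache vhost for those patterns. SAMPLE_VHOST is a constructed copy of the posted block (certificate paths shortened) and HARDENED_VHOST the corrected form; /etc/pki/tls/certs/ca-bundle.crt is assumed to be the system CA bundle on CentOS.

```python
"""Lint an Apache reverse-proxy vhost for the weak settings discussed above.

Added example, not code from the post or from GeoNode. SAMPLE_VHOST is a
constructed copy of the posted VM #1 <VirtualHost *:443> block (certificate
paths shortened); HARDENED_VHOST is the corrected form of the same block.
"""
import re

SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName testmap.foo.bar.com
    SSLEngine on
    SSLProxyEngine on
    SSLProtocol all -SSLv2
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLCertificateFile /etc/letsencrypt/live/example/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example/fullchain.pem
    ProxyPass / https://testmap.foo.bar.com/
    ProxyPassReverse / https://testmap.foo.bar.com/
    ProxyPass / http://testmap.foo.bar.com/
    ProxyPassReverse / http://testmap.foo.bar.com/
    SetEnvIf Request_URI .*admin/.* denyadmin
    <Location />
        <Limit GET POST PUT>
            Order deny,allow
            deny from env=denyadmin
            Allow from 127.0.0.1
        </Limit>
    </Location>
</VirtualHost>
"""

HARDENED_VHOST = """\
<VirtualHost *:443>
    ServerName testmap.foo.bar.com
    SSLEngine on
    SSLProxyEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    SSLProxyCheckPeerName on
    SSLCertificateFile /etc/letsencrypt/live/example/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example/chain.pem
    ProxyPass / https://testmap.foo.bar.com/
    ProxyPassReverse / https://testmap.foo.bar.com/
    SetEnvIf Request_URI .*admin/.* denyadmin
    <Location />
        Order deny,allow
        Deny from env=denyadmin
        Allow from 127.0.0.1
    </Location>
</VirtualHost>
"""

OLD_PROTOCOLS = (("-sslv3", "SSLv3"), ("-tlsv1", "TLSv1"), ("-tlsv1.1", "TLSv1.1"))


def directives(text):
    """Yield (name, args) for each plain directive line; section tags and comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def lint(text):
    """Return human-readable findings; an empty list means none of the patterns matched."""
    findings = []
    first_proxypass = {}   # path -> first target; httpd ignores later ProxyPass for the same path
    for name, args in directives(text):
        key = name.lower()
        if key == "sslprotocol" and args.lower().startswith("all"):
            disabled = {t.lower() for t in args.split() if t.startswith("-")}
            left = [label for tok, label in OLD_PROTOCOLS if tok not in disabled]
            if left:
                findings.append("SSLProtocol leaves %s enabled" % ", ".join(left))
        elif key in ("sslproxycheckpeername", "sslproxycheckpeercn", "sslproxyverify"):
            if args.lower() in ("off", "none"):
                findings.append("%s %s: the backend certificate is not verified" % (name, args))
        elif key == "sslcertificatechainfile" and args.endswith("fullchain.pem"):
            findings.append("SSLCertificateChainFile uses fullchain.pem (leaf sent twice); use chain.pem")
        elif key == "proxypass":
            path, _, target = args.partition(" ")
            if path in first_proxypass:
                findings.append("ProxyPass %s %s is shadowed by the earlier ProxyPass %s %s"
                                % (path, target, path, first_proxypass[path]))
            else:
                first_proxypass[path] = target
    # Access control nested in <Limit ...> covers only the listed methods (HEAD counts as GET).
    for m in re.finditer(r"<Limit\s+([^>]+)>(.*?)</Limit>", text, re.S | re.I):
        if re.search(r"^\s*(deny|allow|require)\b", m.group(2), re.M | re.I):
            findings.append("access control inside <Limit %s> applies to those methods only"
                            % m.group(1).strip())
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_VHOST):
        print("posted  :", finding)
    print("hardened:", lint(HARDENED_VHOST) or "no findings")
```

The checks are deliberately literal (directive name plus argument) rather than a full Apache config parser; they are meant to be run over a vhost file before it is deployed, not to replace `apachectl configtest`.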
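The message says the certificates on VM #1 "must be copied" to VM #2, manually or by an rsync run from cron, and the posted crontab restarts httpd from a certbot `--post-hook`. A certbot `--deploy-hook` is the better place for both steps: certbot runs it only after a certificate was actually renewed and hands it the renewed lineage in the `RENEWED_LINEAGE` environment variable (with the names in `RENEWED_DOMAINS`). The hook below is an added example, not the author's script: 192.168.122.234 is VM #2 from the post, while the `certsync` account, the destination directory /etc/ssl/geonode/ and a sudo rule allowing that account to reload apache2 are assumptions.

```python
#!/usr/bin/env python3
"""certbot --deploy-hook that copies a renewed Let's Encrypt lineage from VM #1 to VM #2.

Added example, not the author's script. certbot exports RENEWED_LINEAGE (the
live/<name> directory) and RENEWED_DOMAINS to deploy hooks and runs them only
after a successful renewal. 192.168.122.234 is VM #2 from the post; the sync
account, destination directory and the sudo reload rule are assumptions.
"""
import os
import ssl
import subprocess

VM2_HOST = "192.168.122.234"     # VM #2 on the libvirt bridge (from the post)
VM2_USER = "certsync"            # assumption: dedicated account on VM #2 with an rsync-only key
VM2_DIR = "/etc/ssl/geonode/"    # assumption: VM #2's SSLCertificate* directives point here
FILES = ("cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")


def pair_matches(cert_path, key_path):
    """True only if privkey.pem is the key for cert.pem; shipping a mismatched pair would take VM #2 down."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except OSError:              # ssl.SSLError (mismatch, bad PEM) as well as missing files
        return False
    return True


def rsync_command(lineage_dir, host=VM2_HOST, user=VM2_USER, dest=VM2_DIR):
    """live/<name>/*.pem are symlinks into archive/, so -L copies the targets;
    --chmod=F600 keeps the copies unreadable to other users on VM #2."""
    sources = [os.path.join(lineage_dir, name) for name in FILES]
    return ["rsync", "-L", "--chmod=F600", "-e", "ssh -o BatchMode=yes",
            *sources, "%s@%s:%s" % (user, host, dest)]


def reload_command(host=VM2_HOST, user=VM2_USER):
    """Reload (not restart) Apache on VM #2 so it re-reads the new files."""
    return ["ssh", "-o", "BatchMode=yes", "%s@%s" % (user, host), "sudo systemctl reload apache2"]


def deploy(env=os.environ, run=subprocess.check_call):
    """Hook entry point; returns the renewed domain list on success."""
    lineage = env.get("RENEWED_LINEAGE")
    if not lineage:
        raise SystemExit("not running as a certbot deploy hook (RENEWED_LINEAGE is unset)")
    if not pair_matches(os.path.join(lineage, "cert.pem"), os.path.join(lineage, "privkey.pem")):
        raise SystemExit("%s: certificate and private key do not match, nothing copied" % lineage)
    run(rsync_command(lineage))
    run(reload_command())
    return env.get("RENEWED_DOMAINS", "")


if __name__ == "__main__":
    print("deployed:", deploy())
```

Installed as, say, `/usr/local/sbin/push-cert.py` (a hypothetical path) it is passed to `certbot renew ... --deploy-hook /usr/local/sbin/push-cert.py`; VM #2's `SSLCertificateFile`, `SSLCertificateKeyFile` and `SSLCertificateChainFile` then read from /etc/ssl/geonode/ instead of a /etc/letsencrypt tree that no certbot maintains on that machine.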
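`PROXY_ALLOWED_HOSTS` and `ALLOWED_HOSTS` in the local_settings.py above are allow-lists: Django validates the Host header against `ALLOWED_HOSTS`, and GeoNode checks the hostname of the URL requested through its /proxy/ view against `PROXY_ALLOWED_HOSTS` so that the proxy cannot be pointed at other hosts. The block below is an added example, a simplified re-implementation of Django's documented matching rules (exact name, a leading dot for a domain and its subdomains, `*` for everything), not Django's or GeoNode's own code. It uses the list from the post and shows why the decision has to be made on the parsed hostname rather than on the URL string.

```python
"""Host allow-list checks in the style of Django's ALLOWED_HOSTS and GeoNode's PROXY_ALLOWED_HOSTS.

Added example: a simplified re-implementation of the documented matching rules
(exact name; a leading dot matches the domain and its subdomains; '*' matches all),
not Django's or GeoNode's own code. ALLOWED is the list from the posted local_settings.py.
"""
from urllib.parse import urlsplit

ALLOWED = ['127.0.0.1', '192.168.122.234', 'testmap.foo.bar.com', 'localhost', '::1']


def split_domain_port(host):
    """Split a Host header value into (domain, port); IPv6 literals arrive bracketed."""
    host = host.lower()
    if host.startswith('['):                     # "[::1]:443" -> ("::1", "443")
        end = host.find(']')
        return host[1:end], host[end + 2:]
    if host.count(':') == 1:                     # "name:443" -> ("name", "443")
        domain, port = host.split(':')
        return domain, port
    return host, ''                              # bare name, or a bare IPv6 address


def host_allowed(host_header, allowed=ALLOWED):
    """Django-style check of a Host header against the allow-list."""
    domain, _port = split_domain_port(host_header)
    domain = domain.rstrip('.')                  # a trailing dot names the same host
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == '*' or domain == pattern:
            return True
        if pattern.startswith('.') and (domain == pattern[1:] or domain.endswith(pattern)):
            return True
    return False


def proxy_target_allowed(url, allowed=ALLOWED):
    """What a /proxy/?url=... guard must do: decide on the parsed scheme and hostname."""
    parts = urlsplit(url)
    if parts.scheme not in ('http', 'https') or not parts.hostname:
        return False
    return host_allowed(parts.hostname, allowed)


def naive_prefix_check(url, allowed=ALLOWED):
    """The bypassable version: string matching on the URL. Userinfo ("allowed@evil")
    and a longer domain ("allowed.evil") both pass it, and both requests go to evil."""
    return any(url.startswith(scheme + host)
               for host in allowed for scheme in ('http://', 'https://'))


if __name__ == "__main__":
    for url in ("https://testmap.foo.bar.com/geoserver/wms",
                "https://testmap.foo.bar.com@evil.com/",
                "https://testmap.foo.bar.com.evil.com/"):
        print(url, "parsed:", proxy_target_allowed(url), "naive:", naive_prefix_check(url))
```

The two bypass URLs in the `__main__` block are constructed inputs; `urlsplit` reports `evil.com` as the hostname for both, which is exactly what the hostname-based check sees and the prefix check does not.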

________________________________________
From: geonode-users <geonode-users-bounces at lists.osgeo.org> on behalf of Jones, Peter <plj2 at wustl.edu>
Sent: Wednesday, 18 April 2018 15:51:34
To: geonode-users at lists.osgeo.org
Subject: Re: [GeoNode-users] Example GeoNode Proxy Set Up With Virtual Machines

Correction tomcat should have the domain name:

##BEGIN  EXCERPT    Virtual Machine #2  /etc/tomcat8/server.xml
proxyName="geonode.foo.bar.com"
##END  EXCERPT    Virtual Machine #2  /etc/tomcat8/server.xml

Peter Jones

Programmer II, Department of Psychiatry
Washington University School of Medicine in St. Louis
660 South Euclid Avenue, Box 8134
St. Louis, MO 63130

e-mail: PLJ2 at WUSTL.EDU | pronouns: he/him/his

________________________________________
From: Jones, Peter
Sent: Wednesday, 18 April 2018 11:37
To: geonode-users at lists.osgeo.org
Subject: Example GeoNode Proxy Set Up With Virtual Machines

Hello, Thank you for creating GeoNode. We’ve gotten an instance up and running, and I thought I’d send out a very brief summary of our configuration.  We made use of the GeoNode Quickstart and GeoNode SSL tutorials.
Peter

* This configuration is just for testing.  A production configuration would need verified SSL certificates from some trusted organization. *

We have 1 Physical Machine with 2 Virtual Machines.
The Physical Machine controls the firewall and sends traffic to virtual machine 1.
Virtual Machine 1 runs Apache and directs relevant requests to Virtual Machine 2.
Virtual Machine 2 is our new instance of GeoNode with SSL.  We use https in the virtual bridge to avoid interception by other virtual machines.

##############  BEGIN Physical Machine #########################
CentOS
outside ip address 111.112.113.114
qemu libvirt
virtual bridge ip address 192.168.122.1

iptables sends port 80 and 443 to Virtual Machine 1

##BEGIN EXCERPT  Physical Machine /etc/sysconfig/iptables
-A PREROUTING -d 111.112.113.114/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.123:80
-A PREROUTING -d 111.112.113.114/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.123:443
-A PREROUTING -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.123:80
-A PREROUTING -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.123:443
##END EXCERPT  Physical Machine /etc/sysconfig/iptables


#######BEGIN Virtual Machine #1 #####
CentOS
ip address 192.168.122.123
Virtual Machine 1 Controls Apache instance to the outside world.
Routes traffic to Virtual Machine #2

##BEGIN EXCERPT  Virtual Machine #1 /etc/hosts
192.168.122.234 geonode.foo.bar.com
##END EXCERPT    Virtual Machine #1 /etc/hosts

##BEGIN EXCERPT    Virtual Machine #1 /etc/httpd/conf.d/z.geonode.foo.bar.com.conf
<VirtualHost  *:443>
    ServerName geonode.foo.bar.com
    ErrorLog logs/geonode_error_log
    TransferLog logs/geonode_access_log
    LogLevel debug

        SSLEngine on
    SSLProxyEngine on
    SSLProtocol all -SSLv2

    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off

       SSLCertificateFile /etc/pki/tls/certs/localhost.crt
       SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

        ProxyPass / https://geonode.foo.bar.com/
    ProxyPassReverse / https://geonode.foo.bar.com/

        ProxyPass / http://geonode.foo.bar.com/
    ProxyPassReverse / https://geonode.foo.bar.com/

        SetEnvIf Request_URI .*admin/.* denyadmin
<Location />
          <Limit GET POST PUT>
        Order deny,allow
        deny from env=denyadmin

Allow from 127.0.0.1
Allow from 128.252.246.0/255.255.255.0

</Limit>
</Location>


        <Directory proxy:>
          Order Deny,Allow
          Allow from all
      </Directory>

</VirtualHost>

<VirtualHost  *:80>
            ServerName geonode.foo.bar.com
    Redirect permanent / https://geonode.foo.bar.com/
</VirtualHost>
##END EXCERPT    Virtual Machine #1 /etc/httpd/conf.d/z.geonode.foo.bar.com.conf


#######END Virtual Machine #1 #####

###### BEGIN Virtual Machine #2 #####
A standard GeoNode installation with Ubuntu LTS
ip address 192.168.122.234

Used GeoNode Quick Installation Instructions here:
http://docs.geonode.org/en/master/tutorials/install_and_admin/quick_install.html
Used GeoNode SSL Instructions Here:
http://docs.geonode.org/en/master/tutorials/advanced/geonode_production/ssl.html

##BEGIN EXCERPT    Virtual Machine #2  /etc/hosts
127.0.0.1  geonode.foo.bar.com localhost
##END EXCERPT    Virtual Machine #2  /etc/hosts

##BEGIN EXCERPT    Virtual Machine #2  /etc/apache2/sites-available/geonode.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    Servername localhost
        ServerAlias 127.0.0.1
        ServerAlias 192.168.122.234
        ServerAlias geonode.foo.bar.com

          #STANDARD GEONODE TAGS HERE#

 ProxyPreserveHost On
    ProxyPass /geoserver http://localhost:8080/geoserver
    ProxyPassReverse /geoserver http://localhost:8080/geoserver
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/geonode.crt
    SSLCertificateKeyFile /etc/ssl/private/geonode.key
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
<VirtualHost  *:80>
    Redirect permanent / https://geonode.foo.bar.com/
</VirtualHost>

##END  EXCERPT    Virtual Machine #2  /etc/apache2/sites-available/geonode.conf

##BEGIN  EXCERPT    Virtual Machine #2  /etc/tomcat8/server.xml
proxyName="192.168.122.234"
##END  EXCERPT    Virtual Machine #2  /etc/tomcat8/server.xml

##BEGIN  EXCERPT    Virtual Machine #2   /etc/geonode/local_settings.py
SITEURL = 'https://geonode.foo.bar.com/'
PROXY_ALLOWED_HOSTS = ['127.0.0.1','192.168.122.234','geonode.foo.bar.com','localhost', '::1']
#ALLOWED_HOSTS = [urlparse(SITEURL).hostname] if os.getenv('ALLOWED_HOSTS') is None \
#    else re.split(r' *[,|:|;] *', os.getenv('ALLOWED_HOSTS'))
ALLOWED_HOSTS = ['127.0.0.1','192.168.122.234', 'geonode.foo.bar.com','localhost', '::1']
##END  EXCERPT    Virtual Machine #2   /etc/geonode/local_settings.py

##BEGIN  EXCERPT    Virtual Machine #2   /usr/share/geoserver/WEB-INF/web.xml
   <context-param>
                <param-name>GEONODE_BASE_URL</param-name>
                <param-value>https://localhost/</param-value>
        </context-param>
##END  EXCERPT    Virtual Machine #2   /usr/share/geoserver/WEB-INF/web.xml

##BEGIN  EXCERPT    Virtual Machine #2   /usr/share/geoserver/data/global.xml
<proxyBaseUrl>https://geonode.foo.bar.com/geoserver</proxyBaseUrl>
##END  EXCERPT    Virtual Machine #2   /usr/share/geoserver/data/global.xml


###### END Virtual Machine #2 #####

############## END Physical Machine #########################


Peter Jones

Programmer II, Department of Psychiatry
Washington University School of Medicine in St. Louis
660 South Euclid Avenue, Box 8134
St. Louis, MO 63130

e-mail: PLJ2 at WUSTL.EDU | pronouns: he/him/his


________________________________
The materials in this message are private and may contain Protected Healthcare Information or other information of a sensitive nature. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.
_______________________________________________
geonode-users mailing list
geonode-users at lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/geonode-users
