Reverse Proxying Apache Lenya

Introduction
Configuration in publication.xconf
Apache Webserver setup / Rewrite Rules
- Rules for the authoring server
- Rules for the live server

Introduction

The Lenya LinkRewritingTransformer enables a flexible way of proxy configuration. It is possible to define different proxies for each pair of area (authoring and live), and encryption (not encrypted or SSL). The Lenya part of the proxy configuration is done in $PUBLICATION/config/publication.xconf If you specify your proxy setup in that file, the LinkRewritingTransformer will rewrite links in your publication to match these settings.

Configuration in publication.xconf

The publication.xconf of the default publication has proxying disabled by default:

 
<publication>
  <languages>
    <language default="true">en</language>
    <language>de</language>
  </languages>
  <path-mapper>org.apache.lenya.cms.publication.DefaultDocumentIdToPathMapper</path-mapper>
  <document-builder>org.apache.lenya.cms.publication.DefaultDocumentBuilder</document-builder>
  <breadcrumb-prefix/>

  <!--
  <proxy area="live" ssl="true" url="https://www.host.com/ssl/default"/>
  <proxy area="live" ssl="false" url="http://www.host.com/default"/>
  <proxy area="authoring" ssl="true" url="https://www.host.com/lenya/default/authoring"/>
  <proxy area="authoring" ssl="false" url="http://www.host.com/lenya/default/authoring"/>
  -->
</publication>

A possible configuration for two servers (an authoring server and a live server) may look like:

 
<publication>
  <languages>
    <language default="true">de</language>
    <language>en</language>
  </languages>
  <path-mapper>org.apache.lenya.cms.publication.DefaultDocumentIdToPathMapper</path-mapper>
  <document-builder>org.apache.lenya.cms.publication.DefaultDocumentBuilder</document-builder>
  <breadcrumb-prefix>University of Zurich</breadcrumb-prefix>

  <proxy url="https://cms.live.ch/lenya/sandbox" ssl="true" area="live"/>
  <proxy url="http://cms.sandbox.live.ch/lenya" ssl="false" area="live"/>
  <proxy url="https://cms.authoring.ch/lenya/sandbox/authoring" ssl="true" area="authoring"/>
  <proxy url="http://cms.authoring.ch/lenya/sandbox/authoring" ssl="false" area="authoring"/>
</publication>

There is an ssl enabled authoring server (cms.authoring.ch) and the URL you get is e.g. http://cms.authoring.com/lenya/sandbox/authoring/index.html.
There is an ssl enabled live server with (cms.live.ch and cms.sandbox.live.ch) and the URL you get on the live side is e.g. http://cms.sandbox.live.ch/lenya/index.html

Note: Up to now, session is only working if you add /lenya after your domain because the cookie which is sent to the client stores the web application context. Therefore the browser did not send back the cookie if you request a page like http://cms.sandbox.live.ch/index.html. This is also mentioned on the Cocoon Wiki page on proxying. With Apache 2.1 a recently introduced proxy directive for translating the cookie path ProxyPassReverseCookiePath will be available, which will allow you to get the cookie path translated by Apache with ProxyPassReverseCookiePath /lenya / so that the cookie is always sent back to the server. As of today even the trunk version of Apache httpd does not have this feature. If you still want to use it with Apache 2.0 you will have to apply a patch http://issues.apache.org/bugzilla/show_bug.cgi?id=10722 and rebuild the Apache modules mod_proxy and mod_http_proxy. The patch should work with Apache 2.0.49+ (I use it with 2.0.52 without any problems).

As an alternative to patching Apache, you could install Lenya within the ROOT context, because then the CookiePath will contain "/" instead of "/lenya" and it will work with the common mod_proxy settings. Note that you'll have to adjust the proxy rules to get rid of "/lenya" in this case. If you run Jetty, which runs Lenya in the ROOT context, you'll have to remove the "/lenya" parts as well. Another solution might be to use Squid. The configuration of the Apache web server that goes with this configuration is described next.

Apache Webserver setup / Rewrite Rules

Before you start, make sure you have mod_proxy and mod_rewrite setup correctly.

Rules for the authoring server

This sample configuration uses cms.authoring.ch as the host name.

redirects logins to SSL
assumes Tomcat, with Lenya running under /lenya (for Jetty, remove /lenya from the configuration)
runs the authoring server over port 80
publications are all mounted under cms.client.com/yourpub
you can use this setup for your live server if you do not want to mount your publication in a virtualhost. Just replace authoring with live, and put the proxy / rewrite directives in a <Location> rule


<VirtualHost cms.authoring.ch:80>
    ....

    #All Content should be served by tomcat (i.e. lenya)
    ProxyRequests    Off
    RewriteEngine    On
    RewriteLog       /var/log/apache2/cms.authoring.rewrite.log
    RewriteLogLevel  0
    RewriteRule      ^/([^/\.]+)$  $1/   [R]
    RewriteRule       ^/([^/\.]+)/$ http://cms.authoring.ch/lenya/$1/authoring/index.html [R,L]

    RewriteCond      %{QUERY_STRING} lenya\.usecase=login(.*)
    RewriteRule      ^/(.*)   https://%{SERVER_NAME}/$1 [R,L]

    RewriteRule      ^/(.*)   http://cms.authoring.ch:8080/$1  [P,L]
    ProxyPassReverse / http://cms.authoring.ch:8080/


</VirtualHost>

<VirtualHost cms.authoring.ch:443>
   ....
    RewriteEngine On

    RewriteRule      ^/([^/\.]+)$  $1/   [R]
    RewriteRule       ^/([^/\.]+)/$ http://cms.authoring.ch/lenya/$1/authoring/index.html [R,L]

    RewriteRule      ^/(.*)   http://%{SERVER_NAME}:8080/$1  [P,L]
    ProxyPassReverse / http://cms.authoring.ch:8080/
</VirtualHost>

Rules for the live server

This sample configuration uses cms.sandbox.live.ch as the host name.

each publication is mounted as a separate virtualhost
assumes Tomcat, with Lenya running under /lenya (for Jetty, remove /lenya from the configuration)
The publication in this sample is named sandbox
Files within the directory static and files with the extension php are not redirected to Lenya.
Certificate is issued for www.client.com


<VirtualHost cms.sandbox.live.ch:80>
    .... 
 
    ProxyRequests Off
    RewriteEngine On
    RewriteLog       "/var/log/apache2/cms.sandbox.rewrite.log"
    RewriteLogLevel  1

    RewriteRule       ^/$ /lenya/index.html [R]
    RewriteRule      ^/[^(lenya)](.*) /lenya$0  [R]
    RewriteRule      ^/static/?(.*)  $0 [L]
    RewriteRule      ^/(.*)\.php  $0 [L]

    # Not carefully tested yet -> login should use https
    #RewriteCond      %{QUERY_STRING} lenya\.usecase=login(.*)
    #RewriteRule      ^/lenya/(.*)/live/(.*)$   https://cms.live.ch/$1/$2 [R,L]

    RewriteRule      ^/lenya/[^/]+/live/(.*)$ /lenya/$1 [R,L]

    RewriteRule      ^/(.*\.css$) http://cms.live.ch:8080/$1  [L]
    RewriteRule      ^/(.*/authoring/.*) http://cms.live.ch:8080/$1  [L]
    RewriteRule      ^/lenya/(.*) http://cms.live.ch:8080/lenya/sandbox/live/$1  [P]

    ProxyPassReverse  / http://cms.live.ch:8080/

</VirtualHost>
 
<VirtualHost cms.live.ch:443>
      ......
       
    ProxyRequests Off
    RewriteEngine On

# RewriteRules for css and images
     RewriteRule      ^/lenya/sandbox/(.*)/images/(.*)$ http://cms.live.ch:8080/lenya/sandbox/$1/images/$2 [L]
     RewriteRule      ^/(.*\.css$) http://cms.live.ch:8080/$1  [L]

     RewriteRule      ^/(lenya/[^/]+)/(.*)$   http://cms.live.ch:8080/$1/live/$2  [P,L]

     ProxyPassReverse / http://cms.live.ch:8080/
</VirtualHost>