Document Properties
Kbid: 27F736
Last Modified: 14-Feb-2020
Added to KB: 20-Jul-2016
Public Access: Everyone
Status: Online
Doc Type: Guidelines, Concepts & Cookbooks
Product: ICM 7.7, ICM 7.8, ICM 7.9, ICM 7.10

Guide - Web Server Settings

1 Introduction

This guide outlines configuration and administration options with respect to the Apache HTTP Server as shipped with Intershop Commerce Management. This document is addressed to system administrators or DevOps who configure and maintain Intershop Commerce Management instances.

Info

Prior to Intershop version 7.7, the information provided in this document was part of the Administration and Configuration Guide that can be found in the Knowledge Base.

Intershop Commerce Management is shipped with the Apache HTTP Server. The basic configuration is done automatically with the deployment. It includes:

  • Intershop Commerce Management Web Adapter integration
  • Internal SSL encryption
  • URL mapping support

Other features supported by Intershop Commerce Management (SSL box support and load balancer support) are prepared but not enabled yet.

Note

All relevant setup options are to be configured in advance via dedicated deployment script files, before actually executing the deployment. So be aware that if you modify the Intershop Commerce Management configuration after it is deployed, the next deployment will override all changes with the settings specified for your deployment.

1.1 Glossary

Concept | Description
Web Adapter | The Web Adapter is a plug-in to the Apache HTTP Server, which works as a reverse proxy and is responsible for:
URL mapping | Mechanism to create valid Intershop Commerce Management URLs from readable, search engine-friendly URLs (see Concept - URL Handling).

1.2 References

You should be familiar with the main concepts of the Intershop Commerce Management infrastructure. Refer to Overview - Infrastructure, Scaling and Performance.

2 SSL Support

Intershop Commerce Management requires SSL support. There are two ways to enable it: encrypt and decrypt SSL communication within the Web server itself (internal SSL encryption), or use an external hardware unit (SSL box).

2.1 Internal SSL Encryption

The Apache HTTP Server distributed with Intershop Commerce Management is prepared for internal SSL encryption, which is enabled in the default configuration. To complete the default configuration, you have to install your own certificates. To do so, change the file httpd-ssl.conf (Windows: %IS_HOME%/httpd/conf/extras, Linux: /$IS_HOME/httpd/conf/extras) according to your needs. For additional information, refer to the Apache HTTP Server documentation.

To disable the SSL support for the Web server itself, find the line

LoadModule ssl_module modules/mod_ssl.so

in the httpd.conf file, comment it out using # and restart the web server.

Note

Intershop Commerce Management requires SSL support. If you disable internal SSL encryption in the Web server, you must use an SSL box instead.

2.2 SSL Box Support

You may choose to encrypt and decrypt SSL communication using an external hardware unit. In this case, the SSL box must be configured to send plain HTTP to a different Web server port than original HTTP requests. The Web server and the Intershop Commerce Management Web Adapter must be configured to recognize this port number and to use it internally as an indicator for HTTPS.

The figure below illustrates this mechanism.

Figure: SSL box support

To enable the SSL box support with Intershop Commerce Management, make sure to configure the Web server and the Intershop Commerce Management Web Adapter as follows.

2.2.1 Web Server

Create multiple Listen directives and a virtual host for the new port. Refer to your web server documentation for details.

See your operating system documentation for setting up multiple network interfaces and your web server documentation for configuring virtual hosts.

The Apache HTTP Server is configured to serve multiple ports in a single instance using multiple "Listen" directives. To make the Web Adapter recognize and forward the X-IS-SERVER_PORT variable correctly, a virtual host must be configured for the additional port. Otherwise, the value of the port directive or its fallback 80 is used, regardless of the actual port of the incoming request. For the Apache HTTP Server this may look like

<VirtualHost *:80>
</VirtualHost>

<VirtualHost *:81>
</VirtualHost>

2.2.1.1 Virtual Hosts

The Host header is used by the Intershop application server to construct absolute URLs. That is, all URLs in the storefront pages are based on this Host header.

Trustworthy host headers only

Such a host header could be easily manipulated by someone between the user's browser and the web server ("man in the middle attack").


Therefore you have to:

  1. Make sure only valid / trustworthy Host headers are accepted by the web server.
    If no Host header is present the default Host header will be set by the virtual host configuration below.
    It is also possible to limit access to the Intershop Web Adapter based on the requested host or to reject requests having invalid Host headers.

    httpd-webadapter.conf
    ...
    <VirtualHost *:80>
      ServerName www.example.com:80
      RequestHeader set Host www.example.com:80
      # only send requests matching this virtual host to the Intershop Web Adapter
      <LocationMatch .*>
        Header set Accept-Ranges "bytes"
        SetHandler iswebadapter
      </LocationMatch>
    </VirtualHost>
    <VirtualHost *:80>
      # default / fallback virtual host
      ServerName example.com:80
      ServerAlias *
      RequestHeader set Host example.com:80
      # do not send requests matching this virtual host to the Intershop Web Adapter
      <LocationMatch .*>
        SetHandler none
      </LocationMatch>
    </VirtualHost>
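
The rule above can be checked mechanically before a deployment. The following audit is an added example, not Intershop code: it flags every virtual host that hands requests to the iswebadapter handler without overwriting the Host header, or that does so from a catch-all ServerAlias. The sample configuration (including the *:81 host and the name shop.example.com) is constructed for illustration.

```python
import re

# Constructed sample: the two vhosts from the excerpt above plus an unsafe *:81 vhost.
SAMPLE_CONF = """
<VirtualHost *:80>
  ServerName www.example.com:80
  RequestHeader set Host www.example.com:80
  <LocationMatch .*>
    SetHandler iswebadapter
  </LocationMatch>
</VirtualHost>
<VirtualHost *:80>
  ServerName example.com:80
  ServerAlias *
  RequestHeader set Host example.com:80
  <LocationMatch .*>
    SetHandler none
  </LocationMatch>
</VirtualHost>
<VirtualHost *:81>
  ServerName shop.example.com:81
  ServerAlias *
  SetHandler iswebadapter
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Arguments of every uncommented `name ...` directive inside a vhost body."""
    return re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", body, re.M | re.I)

def audit_vhosts(conf):
    """Return (address, ServerName, problem) for vhosts that pass an untrusted Host on."""
    findings = []
    for addr, body in VHOST_RE.findall(conf):
        name = (directive(body, "ServerName") or ["<none>"])[0]
        to_adapter = any(h.lower() == "iswebadapter" for h in directive(body, "SetHandler"))
        pinned = any(re.match(r"set\s+Host\s+\S+", a, re.I) for a in directive(body, "RequestHeader"))
        catch_all = any("*" in a.split() for a in directive(body, "ServerAlias"))
        if to_adapter and not pinned:
            findings.append((addr, name, "Host not overwritten by RequestHeader set Host"))
        if to_adapter and catch_all:
            findings.append((addr, name, "ServerAlias * forwards any Host to the Web Adapter"))
    return findings

if __name__ == "__main__":
    for finding in audit_vhosts(SAMPLE_CONF):
        print(*finding, sep=" | ")
```

Run against the sample, only the *:81 virtual host is reported, once for each of the two problems.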

2.2.2 Intershop Commerce Management Web Adapter

For each Web Adapter, configure the port for decrypted HTTPS and the original SSL port in the respective webadapter.properties file.

sslbox.webserver.port=81
sslbox.public.port=443

The application server does not need to be configured for this. It can rely on correct X-IS-SERVER_PORT_SECURE and X-IS-HOST headers for its operation.
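
The two halves of the SSL box setup live in different files, so a mismatch is easy to miss: if the port named in webadapter.properties has no Listen directive or no virtual host, the Web Adapter cannot report it as the HTTPS indicator. The following cross-check is an added example, not Intershop code; the httpd configuration text is constructed and the function names are hypothetical.

```python
import re

# Constructed inputs: the webadapter.properties values from this section and an
# httpd configuration that listens on port 81 but lacks a virtual host for it.
WEBADAPTER_PROPERTIES = """
sslbox.webserver.port=81
sslbox.public.port=443
"""
HTTPD_CONF = """
Listen 80
Listen 81
<VirtualHost *:80>
</VirtualHost>
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def listen_ports(conf):
    """Ports named by uncommented Listen directives (with or without an address)."""
    return {int(p) for p in re.findall(r"^[ \t]*Listen[ \t]+(?:\S+:)?(\d+)", conf, re.M | re.I)}

def vhost_ports(conf):
    """Ports named in uncommented <VirtualHost addr:port ...> tags."""
    tags = re.findall(r"^[ \t]*<VirtualHost[ \t]+([^>]+)>", conf, re.M | re.I)
    return {int(p) for tag in tags for p in re.findall(r":(\d+)(?=\s|$)", tag)}

def check_sslbox(properties, conf):
    """Return the problems found in the SSL box port wiring; an empty list means consistent."""
    port = parse_properties(properties).get("sslbox.webserver.port")
    if port is None:
        return ["sslbox.webserver.port is not set"]
    problems = []
    if int(port) not in listen_ports(conf):
        problems.append(f"httpd has no Listen directive for port {port}")
    if int(port) not in vhost_ports(conf):
        problems.append(f"httpd has no <VirtualHost> for port {port}")
    return problems

if __name__ == "__main__":
    print(check_sslbox(WEBADAPTER_PROPERTIES, HTTPD_CONF))
```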

3 SSL and Multiple DNS Domains

Basically, there are two ways to enable SSL support for multiple DNS domains.

  • IP based virtual hosts
    When serving multiple DNS domains from one Web server, you can set up a network interface (virtual or physical) for each domain and configure IP based virtual hosts. Each advertised DNS domain needs a dedicated SSL certificate.
  • Multiple Web servers
    Alternatively, you can set up a Web server for each DNS domain and provide it with the needed SSL certificate.

4 Fail-Over Support for Load Balancing

Intershop Commerce Management fully supports the configuration of more than one web server/Web Adapter instance within a cluster. To distribute requests between multiple Web Adapters, load balancer hardware must be installed.

The Web Adapter provides an easy fail-over mechanism that load balancers can use to check whether the Web Adapters are still in contact with their application servers. For this mechanism to work, the httpd-webadapter.conf file (Windows: <IS.INSTANCE.LOCAL>/local/webadapter/, Linux: /etc/opt/intershop/eserver#/local/webadapter/) includes the following setting:

As a part of the Continuous Integration approach the file paths have been adjusted starting with Intershop 7.4 CI (Windows: %IS_HOME%/local/webadapter/, Linux: $IS_HOME/local/webadapter/).

<LocationMatch /wastatistics>
  Require ip 127.0.0.1/32
</LocationMatch>
<LocationMatch /wastatus>
  Require all denied
</LocationMatch>

This adds the wastatistics handler, enabling the Web Adapter to accept requests like http://<host>:<port>/INTERSHOP/wastatistics.

For testing purposes, you can open the access for everybody to test this LocationMatch:

<LocationMatch /wastatistics>
  Allow from All
</LocationMatch>

For additional information, refer to http://httpd.apache.org/docs/current/sections.html.

The Web server responds to such requests with either an HTTP response code "200 (OK)" displaying a single-line HTML page "Up" if this Web Adapter can contact an application server's configuration servlet, or an HTTP response code "500 (Internal Server Error)" displaying an HTML page "Down" if no configuration servlet could be contacted.

The response statuses can be configured using the Web Adapter configuration file.

Load balancers can be set up to send such requests periodically and thus, exclude unreachable or "Down" state Web Adapters from the normal request distribution. For more detailed information on those scenarios, refer to your load balancer documentation.
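
Because the testing override shown earlier in this section opens the endpoint to everyone, it is worth verifying that it has not stayed in a deployed httpd-webadapter.conf. The following audit is an added example, not Intershop code: it classifies the access rule found for /wastatistics and /wastatus. The sample configuration is constructed, and the function name and result labels are hypothetical.

```python
import re

# Constructed sample: /wastatus as shipped, /wastatistics with the testing
# override from this section still in place.
SAMPLE_CONF = """
<LocationMatch /wastatistics>
  Allow from All
</LocationMatch>
<LocationMatch /wastatus>
  Require all denied
</LocationMatch>
"""

STATUS_PATHS = ("/wastatistics", "/wastatus")
BLOCK_RE = re.compile(r"<LocationMatch\s+([^>]+)>(.*?)</LocationMatch>", re.S | re.I)
# Directives that admit every client (legacy and Apache 2.4 spellings).
OPEN_RE = re.compile(r"^[ \t]*(?:Allow\s+from\s+all|Require\s+all\s+granted)\b", re.M | re.I)
# Directives that deny everyone or limit access to given addresses.
LIMIT_RE = re.compile(r"^[ \t]*Require\s+(?:all\s+denied|ip\s+\S+|local)", re.M | re.I)

def audit_status_endpoints(conf):
    """Classify each status path as 'open', 'restricted' or 'no rule'.

    Conservative: one open block marks the path open even if another block
    restricts it, because the effective result depends on Apache's merge order.
    """
    state = {path: "no rule" for path in STATUS_PATHS}
    for pattern, body in BLOCK_RE.findall(conf):
        path = pattern.strip().strip('"')
        if path not in state or state[path] == "open":
            continue
        if OPEN_RE.search(body):
            state[path] = "open"
        elif LIMIT_RE.search(body):
            state[path] = "restricted"
    return state

if __name__ == "__main__":
    for path, verdict in audit_status_endpoints(SAMPLE_CONF).items():
        print(f"{path}: {verdict}")
```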
