This guide outlines configuration and administration options with respect to the Apache HTTP Server as shipped with Intershop Commerce Management. This document is addressed to system administrators or DevOps who configure and maintain Intershop Commerce Management instances.
Prior to Intershop version 7.7 the information provided in this document were part of the Administration and Configuration Guide that can be found in the Knowledge Base.
Intershop Commerce Management is shipped with the Apache HTTP Server. The basic configuration is done automatically with the deployment. It includes:
Other features supported by Intershop Commerce Management (SSL box support and load balancer support) are prepared but not enabled yet.
All relevant setup options are to be configured in advance via dedicated deployment script files, before actually executing the deployment. So be aware that if you modify the Intershop Commerce Management configuration after it is deployed, the next deployment will override all changes with the settings specified for your deployment.
|The Web Adapter is a plug-in to the Apache HTTP Server, which works as a reverse proxy and is responsible for:
|Mechanism to create valid Intershop Commerce Management URLs from readable, search engine-friendly URLs (see Concept - URL Handling (valid to 7.7)).
You should be familiar with the main concepts of the Intershop Commerce Management infrastructure. Refer to Overview - Infrastructure, Scaling and Performance.
Intershop Commerce Management requires SSL support. Basically, there are two ways to enable SSL support. One option is to encrypt/decrypt SSL communication within the Web server itself (internal SSL encryption), the other option is to use an external hardware unit (SSL box).
The Apache HTTP Server distributed with Intershop Commerce Management is prepared for internal SSL encryption. Internal SSL encryption is enabled in the default configuration. To complete the default configuration, you have to install your own certificates. To provide your own certificates, change the file httpd-ssl.conf (Windows: %IS_HOME%/httpd/conf/extras,Linux: /$IS_HOME/httpd/conf/extras) according to your needs. For additional information, refer to the Apache HTTP Server documentation.
To disable the SSL support for the Web server itself, find the line
LoadModule ssl_module modules/mod_ssl.so
in the httpd.conf file, comment it out using
# and restart the web server.
Intershop Commerce Management requires SSL support. If you disable internal SSL encryption in the Web server, you must use an SSL box instead.
You may chose to encrypt and decrypt SSL communication using an external hardware unit. In this case, the SSL box must be configured to send plain HTTP to a different Web server port than original HTTP requests. The Web server and the Intershop Commerce Management Web Adapter must be configured to recognize this port number and to use it internally as indicator for HTTPS.
The figure below illustrates this mechanism.
To enable the SSL box support with Intershop Commerce Management, make sure to configure the Web server and the Intershop Commerce Management Web Adapter as follows.
Listen directives and a virtual host for the new port. Refer to your web server documentation for details.
The Apache HTTP Server is configured to serve multiple ports in a single instance using multiple "Listen" directives. To make the Web Adapter recognize and forward the
X-IS-SERVER_PORT variable correctly, a virtual host must be configured for the additional port. Otherwise, the value of the port directive or its fallback
80 is used, regardless of the actual port of the incoming request. For the Apache HTTP Server this may look like
<VirtualHost *:80> </VirtualHost> <VirtualHost *:81> </VirtualHost>
Host header is used by the Intershop application server to construct absolute URLs. This is, all URLs in the storefront pages are based on this host header.
Trustworthy host headers only
Such a host header could be easily manipulated by someone between the user's browser and the web server ("man in the middle attack").
Therefore you have to:
Make sure only valid / trustworthy
Host headers are accepted by the web server.
Host header is present the default
Host header will be set by the virtual host configuration below.
It is also possible to limit access to the Intershop Web Adapter based on the requested host or to reject requests having invalid
... <VirtualHost *:80> ServerName www.example.com:80 RequestHeader set Host www.example.com:80 # only send requests matching this virtual host to the Intershop Web Adapter <LocationMatch .*> Header set Accept-Ranges "bytes" SetHandler iswebadapter </LocationMatch> </VirtualHost> <VirtualHost *:80> # default / fallback virtual host ServerName example.com:80 ServerAlias * RequestHeader set Host example.com:80 # do not send requests matching this virtual host to the Intershop Web Adapter <LocationMatch .*> SetHandler none </LocationMatch> </VirtualHost>
For each Web Adapter, configure the port for decrypted HTTPS and the original SSL port in the respective webadapter.properties file.
The application server does not need to be configured for this. It can rely on correct
X-IS-HOST headers for its operation.
Basically, there are two ways to enable SSL support for multiple DNS domains.
Intershop Commerce Management fully supports the configuration of more than one web server/Web Adapter instances within a cluster. To distribute requests between multiple Web Adapters, load balancer hardware must be installed.
The Web Adapter provides an easy fail-over mechanism that load balancers can use to check whether the Web Adapters are still in contact with their application servers. For this mechanism to work, the httpd-webadapter.conf file (Windows: <IS.INSTANCE.LOCAL>/local/webadapter/, Linux: /etc/opt/intershop/eserver#/local/webadapter/) includes the following setting:
As a part of the Continuous Integration approach the file paths have been adjusted starting with Intershop 7.4 CI (Windows: %IS_HOME%/local/webadapter/, Linux: $IS_HOME/local/webadapter/).
<LocationMatch /wastatistics> Require ip 127.0.0.1/32 </LocationMatch> <LocationMatch /wastatus> Require all denied </LocationMatch>
This adds the
wastatistics handler, enabling the Web Adapter to accept requests like http://<host>:<port>/INTERSHOP/wastatistics.
For testing purposes, you can open the access for everybody to test this
<LocationMatch /wastatistics> Allow from All </LocationMatch>
For additional information, refer to http://httpd.apache.org/docs/current/sections.html.
The Web server responds to such requests with either an HTTP response code "200 (OK)" displaying a single-line HTML page "Up" if this Web Adapter can contact an application server's configuration servlet, or an HTTP response code "500 (Internal Server Error)" displaying a HTML page "Down" if no configuration servlet could be contacted.
The response statuses can be configured using the Web Adapter configuration file.
Load balancers can be set up to send such requests periodically and thus, exclude unreachable or "Down" state Web Adapters from the normal request distribution. For more detailed information on those scenarios, refer to your load balancer documentation.