Setting Bizagi for Secure Internet Access


Overview

This section describes how to set up a secure HTTP server for your Bizagi processes, so that they can be accessed securely over the Internet.

Bizagi Engine supports access from both an intranet and an extranet with proper security measures, by using a reverse proxy architecture.

This guide shows how to implement a reverse proxy for your Bizagi project, using an Apache HTTP Server and Secure Sockets Layer (SSL) encryption, so that any device can access the Bizagi Work Portal.

 

The following diagram represents this setup:

[Figure: HA proxy system architecture]

Note that this proxy server is set up so that access from the Internet is redirected securely to your Bizagi server, while users in the intranet continue to access the Bizagi web application from the inside.

 

 

Using Apache HTTP Server

To use Apache HTTP Server, install it in your DMZ and configure it according to the sections below.

 

Installing Apache HTTP Server

In order to install Apache as the server to access Bizagi, follow these steps:

 

1. Download Apache HTTP Server. You can find the latest version available for your chosen server on the official Apache HTTP Server website.

2. Install the server. Note that the configuration parameters you are prompted for can be modified later. The installation path you choose for the Apache HTTP Server is referred to from now on as <APACHE_HOME>.

 

 

Secure and advanced configuration in Apache

To enable the secure and advanced modules in Apache so that the reverse proxy can access your Bizagi project, follow these steps:

1. Locate the Apache configuration file.

To do this, edit the httpd.conf file located at <APACHE_HOME>\conf\ as described below.

On Windows, this file can also be opened for editing through Start -> All Programs -> Apache HTTP Server 2.2 -> Configure Apache Server -> Edit the Apache httpd.conf Configuration File.

 

 

2. Enable the necessary proxy modules.

Do this by removing the leading "#" character from these lines:

 

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so

 

 

If you wish to enable and use SSL, remove the "#" character from the following line too:          

LoadModule ssl_module modules/mod_ssl.so

 

 

For complete information about the Apache proxy module, refer to the official documentation.

Note

If you intend to use SSL, make sure you enable its port by including the following line under the listening options (optional):

Listen 443

 

Notice that the default Listen option uses port 80, but 8080 is also often used.

 


 

 

3. Configure the reverse proxy settings.

Include the definition of the reverse proxy, taking into account whether or not you are using SSL.

 

If your Apache HTTP Server will not use a digital certificate and SSL was not enabled, include the following lines at the end of the file:

 

<VirtualHost [APACHE_IP]:[APACHE_PORT]>
    ServerName [BIZAGI_SERVER]

    # Proxy configuration
    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass /[YOUR_PROJECT]/jquery http://[BIZAGI_SERVER]/[YOUR_PROJECT]/jquery
    ProxyPass /[YOUR_PROJECT]/Charts http://[BIZAGI_SERVER]/[YOUR_PROJECT]/Charts
    ProxyPass /[YOUR_PROJECT]/css http://[BIZAGI_SERVER]/[YOUR_PROJECT]/css
    ProxyPass /[YOUR_PROJECT]/img http://[BIZAGI_SERVER]/[YOUR_PROJECT]/img
    ProxyPass /[YOUR_PROJECT]/js http://[BIZAGI_SERVER]/[YOUR_PROJECT]/js
    ProxyPass /[YOUR_PROJECT]/Localization http://[BIZAGI_SERVER]/[YOUR_PROJECT]/Localization

    ProxyPass /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]
    ProxyPassReverse /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]
</VirtualHost>

 

In these lines, replace the following placeholders with the corresponding values:

[APACHE_IP]: The IP address used to access your Apache service.

[APACHE_PORT]: The HTTP port on which the Apache service listens for requests.

[BIZAGI_SERVER]: The server which hosts your Bizagi project (on which Bizagi Engine runs).

[YOUR_PROJECT]: The virtual directory of your Bizagi project.

 

 

For instance, if your Bizagi project is named MyProject, then the configuration in the file should be as follows (assuming an Apache installation listening on port 80):

[Figure: example httpd.conf configuration for MyProject]

 

 

On the other hand, if your Apache HTTP Server will use a digital certificate and SSL was enabled, it is necessary to configure a virtual host by including the following lines:

 

 

NameVirtualHost *:443

<VirtualHost *:443>
    DocumentRoot "<APACHE_HOME>/htdocs"
    ServerName [BIZAGI_SERVER]

    <Directory "<APACHE_HOME>/htdocs">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        SSLRequireSSL
        Order allow,deny
        Allow from all
    </Directory>

    SSLProxyEngine on

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass /[YOUR_PROJECT]/jquery http://[BIZAGI_SERVER]/[YOUR_PROJECT]/jquery
    ProxyPass /[YOUR_PROJECT]/Charts http://[BIZAGI_SERVER]/[YOUR_PROJECT]/Charts
    ProxyPass /[YOUR_PROJECT]/css http://[BIZAGI_SERVER]/[YOUR_PROJECT]/css
    ProxyPass /[YOUR_PROJECT]/img http://[BIZAGI_SERVER]/[YOUR_PROJECT]/img
    ProxyPass /[YOUR_PROJECT]/js http://[BIZAGI_SERVER]/[YOUR_PROJECT]/js
    ProxyPass /[YOUR_PROJECT]/Localization http://[BIZAGI_SERVER]/[YOUR_PROJECT]/Localization

    ProxyPass /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]
    ProxyPassReverse /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]

    SSLEngine on

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "<LOCAL_PATH>/public.crt"
    SSLCertificateKeyFile "<LOCAL_PATH>/ApachePrivateKey.key"
    SSLCertificateChainFile "<LOCAL_PATH>/intermediate.crt"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "[BIZAGI_SERVER]/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

 

In these lines, replace the following placeholders with the corresponding values:

<APACHE_HOME>: Apache's installation directory. Keep in mind that this configuration file uses "/" (instead of "\") as the folder separator character.

<LOCAL_PATH>: The local path in which the SSL certificate files are found.

[APACHE_IP]: The IP address used to access your Apache service.

[APACHE_PORT]: The HTTP port on which the Apache service listens for requests.

[BIZAGI_SERVER]: The server which hosts your Bizagi project (on which Bizagi Engine runs).

[YOUR_PROJECT]: The virtual directory of your Bizagi project.
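
The SSLCipherSuite value in the SSL listing above starts from ALL, which admits low-strength, export-grade and RC4 suites where the OpenSSL build still has them, and the directory block enables Indexes on the Internet-facing host. The following is an added example, not part of Bizagi's documentation, showing the same virtual host with those settings tightened; it assumes Apache HTTP Server 2.2.23 or later built against OpenSSL 1.0.1 or later, and reuses the page's placeholders.

```apache
# Added example, not Bizagi's published configuration.
# Assumption: Apache HTTP Server 2.2.23+ built against OpenSSL 1.0.1+.
# <APACHE_HOME>, <LOCAL_PATH>, [BIZAGI_SERVER] and [YOUR_PROJECT] are the page's placeholders.

<VirtualHost *:443>
    ServerName [BIZAGI_SERVER]
    DocumentRoot "<APACHE_HOME>/htdocs"

    <Directory "<APACHE_HOME>/htdocs">
        # Indexes and MultiViews dropped: no directory listings on the exposed host.
        Options FollowSymLinks
        AllowOverride None
        SSLRequireSSL
        Order allow,deny
        Allow from all
    </Directory>

    SSLEngine on

    # Weak setting from the listing above, kept here only for comparison:
    #   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # ALL already includes LOW, EXP and RC4 suites; entries that begin with "+"
    # only move matching suites to the end of the list, they do not remove them.

    # Corrected setting: refuse SSLv2/SSLv3 and offer only authenticated HIGH suites.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES
    # Use the server's cipher preference order instead of the client's.
    SSLHonorCipherOrder on

    SSLCertificateFile "<LOCAL_PATH>/public.crt"
    SSLCertificateKeyFile "<LOCAL_PATH>/ApachePrivateKey.key"
    SSLCertificateChainFile "<LOCAL_PATH>/intermediate.crt"

    # Forward proxying stays off; only the project path is reverse-proxied.
    # The page's per-folder ProxyPass lines map to the same backend path,
    # so the single project-level mapping below covers them.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]
    ProxyPassReverse /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]
</VirtualHost>
```

Disabling RC4, 3DES and SSLv3 can lock out very old clients, so check the negotiated protocol and cipher from a representative client after restarting Apache.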

 

 

For a complete guide to the SSL directives, refer to the official documentation.

 

Save the changes in this file and restart your Apache HTTP server.

At this point you are set to access your Bizagi project from the Internet through the Apache HTTP Server in a secure manner!

 

 

Important

In the configuration presented above, the Bizagi Work Portal must allow anonymous authentication.

This means that, whether you are using integrated authentication (such as Windows) or Bizagi's local authentication, you will need to enable anonymous authentication at the Bizagi server (namely in IIS, for the .NET edition).

 

 

 

Checkpoint

To verify access through the Apache service, enter the following address in your browser:

http://[APACHE_IP]:[APACHE_PORT]/[YOUR_PROJECT]

 

This request will redirect you to your configured Bizagi Work Portal.