Setting Bizagi for Secure Internet Access
Overview
This section describes how to set up a secure HTTP server for your Bizagi processes, so that they can be accessed securely via the internet.
Automation Server supports access from both an intranet and an extranet with proper security measures, by using a reverse proxy architecture.
By following this guide you can implement a reverse proxy for your Bizagi project, using an Apache HTTP server and Secure Sockets Layer (SSL) encryption, so that any device can access the Bizagi Work Portal.
The following represents the considered set up:
This proxy server is set up so that access from the Internet is redirected more securely to your Bizagi server, while users on the intranet continue to access the Bizagi web application from the inside.
Using Apache HTTP Server
To use Apache HTTP Server, install it in your DMZ and configure it according to the sections below.
Installing Apache HTTP Server
To install Apache as the server to access Bizagi, follow these steps:
1. Download Apache HTTP Server. Find the latest available version for your chosen server on the official Apache HTTP Server website.
2. Install the server. Note that the configuration parameters you are prompted for may be modified later. Your chosen path for the Apache HTTP Server is referred to from now on as <APACHE_HOME>.
Secure and advanced configuration in Apache
To enable the secure and advanced modules in Apache that provide reverse proxy access to your Bizagi project, follow these steps:
1. Locate the Apache configuration file.
Edit the httpd.conf file located at <APACHE_HOME>\conf\ as described below.
In Windows, this file may also be edited through Start -> All Programs -> Apache HTTP Server 2.2 -> Configure Apache Server -> Edit the Apache httpd.conf configuration file.
2. Enable the necessary proxy modules.
Remove the leading "#" character from these lines:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
To enable and use SSL, remove the "#" character from the following line:
LoadModule ssl_module modules/mod_ssl.so
For complete information about the Apache proxy module, refer to the official documentation.
To use SSL, enable its port by including the following line under the listening options (optional):
Listen 443
The default Listen option uses port 80, but 8080 is also often used.
3. Configure the reverse proxy settings.
Include the definition of the reverse proxy. Verify that you are using SSL.
If your Apache HTTP Server will not use a digital certificate and SSL was not enabled, include the following lines at the end of the file:
<VirtualHost [APACHE_IP]:[APACHE_PORT]>
ServerName [BIZAGI_SERVER]
# Proxy configuration
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /[YOUR_PROJECT]/jquery http://[BIZAGI_SERVER]/[YOUR_PROJECT]/jquery
ProxyPass /[YOUR_PROJECT]/Charts http://[BIZAGI_SERVER]/[YOUR_PROJECT]/Charts
ProxyPass /[YOUR_PROJECT]/css http://[BIZAGI_SERVER]/[YOUR_PROJECT]/css
ProxyPass /[YOUR_PROJECT]/img http://[BIZAGI_SERVER]/[YOUR_PROJECT]/img
ProxyPass /[YOUR_PROJECT]/js http://[BIZAGI_SERVER]/[YOUR_PROJECT]/js
ProxyPass /[YOUR_PROJECT]/Localization http://[BIZAGI_SERVER]/[YOUR_PROJECT]/Localization
ProxyPass /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]
ProxyPassReverse /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]
</VirtualHost>
For these lines, provide the appropriate values:
•[APACHE_IP]: The IP address to access your Apache service.
•[APACHE_PORT]: The HTTP port on which the Apache service receives requests.
•[BIZAGI_SERVER]: The server which hosts your Bizagi project (on which Automation Server runs).
•[YOUR_PROJECT]: The virtual directory of your Bizagi project.
For instance, if your Bizagi project is named MyProject, the configuration for the file should be (assuming an Apache installation listening on port 80):
On the other hand, if your Apache HTTP Server will use a digital certificate and SSL was enabled, it is necessary to configure a virtual host by including the following lines:
NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot "<APACHE_HOME>/htdocs"
ServerName [BIZAGI_SERVER]
<Directory "<APACHE_HOME>/htdocs">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
SSLRequireSSL
Order allow,deny
Allow from all
</Directory>
SSLProxyEngine on
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /[YOUR_PROJECT]/jquery http://[BIZAGI_SERVER]/[YOUR_PROJECT]/jquery
ProxyPass /[YOUR_PROJECT]/Charts http://[BIZAGI_SERVER]/[YOUR_PROJECT]/Charts
ProxyPass /[YOUR_PROJECT]/css http://[BIZAGI_SERVER]/[YOUR_PROJECT]/css
ProxyPass /[YOUR_PROJECT]/img http://[BIZAGI_SERVER]/[YOUR_PROJECT]/img
ProxyPass /[YOUR_PROJECT]/js http://[BIZAGI_SERVER]/[YOUR_PROJECT]/js
ProxyPass /[YOUR_PROJECT]/Localization http://[BIZAGI_SERVER]/[YOUR_PROJECT]/Localization
ProxyPass /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]
ProxyPassReverse /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "<LOCAL_PATH>/public.crt"
SSLCertificateKeyFile "<LOCAL_PATH>/ApachePrivateKey.key"
SSLCertificateChainFile "<LOCAL_PATH>/intermediate.crt"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "[BIZAGI_SERVER]/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
In these lines, provide the appropriate values:
•<APACHE_HOME>: Apache's installation directory. This configuration file uses "/" (instead of "\") as the folder separation character.
•<LOCAL_PATH>: The local path in which the SSL certificate files are found.
•[APACHE_IP]: The IP address to access your Apache service.
•[APACHE_PORT]: The HTTP port on which the Apache service receives requests.
•[BIZAGI_SERVER]: The server which hosts your Bizagi project (on which Automation Server runs).
•[YOUR_PROJECT]: The virtual directory of your Bizagi project.
For further information, see the complete guide to the SSL directives.
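A hardened variant of the SSL virtual host above, added here as an example and not part of Bizagi's documented configuration. It keeps the page's placeholders and proxy rules but tightens the protocol, cipher and directory options, assuming an Apache build whose mod_ssl supports SSLHonorCipherOrder. The page's FilesMatch, cgi-bin and BrowserMatch blocks are left out because they do not affect protocol or cipher selection.

```apache
# Added example: hardened variant of the page's SSL virtual host.
# Placeholders in [] and <> are the ones the page defines.
<VirtualHost *:443>
    DocumentRoot "<APACHE_HOME>/htdocs"
    ServerName [BIZAGI_SERVER]

    <Directory "<APACHE_HOME>/htdocs">
        # Was "Options Indexes FollowSymLinks MultiViews": Indexes exposes
        # directory listings, and a proxy-only host needs none of these.
        Options None
        AllowOverride None
        SSLRequireSSL
        Order allow,deny
        Allow from all
    </Directory>

    # Reverse proxy rules, unchanged from the page. SSLProxyEngine only
    # matters for https:// targets; with http:// targets the hop from the
    # DMZ to the Bizagi server is not encrypted.
    SSLProxyEngine on
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /[YOUR_PROJECT]/jquery http://[BIZAGI_SERVER]/[YOUR_PROJECT]/jquery
    ProxyPass /[YOUR_PROJECT]/Charts http://[BIZAGI_SERVER]/[YOUR_PROJECT]/Charts
    ProxyPass /[YOUR_PROJECT]/css http://[BIZAGI_SERVER]/[YOUR_PROJECT]/css
    ProxyPass /[YOUR_PROJECT]/img http://[BIZAGI_SERVER]/[YOUR_PROJECT]/img
    ProxyPass /[YOUR_PROJECT]/js http://[BIZAGI_SERVER]/[YOUR_PROJECT]/js
    ProxyPass /[YOUR_PROJECT]/Localization http://[BIZAGI_SERVER]/[YOUR_PROJECT]/Localization
    ProxyPass /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]
    ProxyPassReverse /[YOUR_PROJECT] http://[BIZAGI_SERVER]/[YOUR_PROJECT]

    SSLEngine on
    # The page sets no SSLProtocol; switch the SSLv2 and SSLv3 protocols off.
    SSLProtocol all -SSLv2 -SSLv3
    # Was "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL".
    # That string starts from ALL and removes only ADH and EXPORT56; the "+"
    # entries just reorder, so LOW, 40-bit EXP, RC4 and SSLv2 suites stay
    # eligible. Start from HIGH and exclude the weak classes outright.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
    # Let the server's preference order win over the client's.
    SSLHonorCipherOrder on

    SSLCertificateFile      "<LOCAL_PATH>/public.crt"
    SSLCertificateKeyFile   "<LOCAL_PATH>/ApachePrivateKey.key"
    SSLCertificateChainFile "<LOCAL_PATH>/intermediate.crt"
</VirtualHost>
```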
Save the changes in this file and restart your Apache HTTP server.
At this point you are set to access your Bizagi project from the Internet through the Apache HTTP Server in a secure manner!
Important
In the configuration presented above, the Bizagi Work Portal must allow anonymous authentication.
This means that, whether you are using integrated authentication (such as Windows) or Bizagi's local authentication, you need to enable anonymous authentication at the Bizagi Server (namely in the IIS, for the .NET edition).
Checkpoint
To verify access through the Apache service, type the following URL in your browser:
http://[APACHE_IP]:[APACHE_PORT]/[YOUR_PROJECT]
This request will redirect you to your configured Bizagi Work Portal.