Reverse proxy (http and https)

Reverse proxy http

Public services, open from WAN

apt-get install apache2 

a2dismod actions auth_basic authn_file authz_groupfile authz_user 
a2enmod cache proxy proxy_http proxy_ajp 

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default.ORI 
nano -w /etc/apache2/sites-available/default

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName fc2.to.cnr.it
        ErrorLog /var/log/apache2/error.log
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
        ProxyRequests Off
        ProxyPreserveHost On
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        ProxyPass /fedora/describe ajp://127.0.0.1:8009/fedora/describe
        ProxyPassReverse /fedora/describe ajp://127.0.0.1:8009/fedora/describe
        ProxyPass /fedora/risearch ajp://127.0.0.1:8009/fedora/risearch
        ProxyPassReverse /fedora/risearch ajp://127.0.0.1:8009/fedora/risearch
        ProxyPass /fedora/get ajp://127.0.0.1:8009/fedora/get
        ProxyPassReverse /fedora/get ajp://127.0.0.1:8009/fedora/get
        ProxyPass /fedora/services ajp://127.0.0.1:8009/fedora/services
        ProxyPassReverse /fedora/services ajp://127.0.0.1:8009/fedora/services
        ProxyPass /adore-djatoka ajp://127.0.0.1:8009/adore-djatoka
        ProxyPassReverse /adore-djatoka ajp://127.0.0.1:8009/adore-djatoka
</VirtualHost>

service apache2 restart

Reverse proxy https

SSL connection between back-end (repository) and front-end (drupal)

Certificate self-signed generation (1 year)

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache.key -out /etc/ssl/certs/apache.crt
chmod 400 /etc/ssl/private/apache.key

Configure and enable SSL virtualhost

cd /etc/apache2/
cp sites-available/default-ssl sites-available/default-ssl.ORI
nano -w sites-available/default-ssl

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName fc2.to.cnr.it

        ProxyRequests Off
        ProxyPreserveHost On
        <Proxy *>
                Order Deny,Allow
                Deny from all
# front-end IP
                Allow from 150.145.48.44 2a00:1620::44
        </Proxy>
        ProxyPass /fedora http://fc2.to.cnr.it:8080/fedora
        ProxyPassReverse /fedora http://fc2.to.cnr.it:8080/fedora

        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/apache.crt
        SSLCertificateKeyFile /etc/ssl/private/apache.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
  </VirtualHost>
</IfModule>

a2enmod ssl
a2ensite default-ssl
service apache2 restart

You have to disable certificate validation in Islandora module:

nano -w /usr/share/v2p2.to.cnr.it/sites/all/modules/islandora/islandora/libraries/tuque/HttpConnection.php

  /**
   * FALSE to stop cURL from verifying the peer's certificate. (Default: TRUE)
   * @var type boolean
   */
  public $verifyPeer = FALSE;