Installing the SecureFlow Manager on the Apache 2 HTTP server
This article describes how to install the SecureFlow Manager (SFM) on Apache 2. It assumes you are building and deploying in a Unix environment. To build and deploy on Windows or another platform, adapt the instructions accordingly.
Installing the SFM on Apache 2 consists of using the GNU Build System to build the contents of the following two packages:
-
libunblufilter.tar.gz
comprises the core functionality of the SFM. -
mod_unblufilter.tar.gz
wrapslibunblufilter
and makes it available as an.so
file for deployment as a filter in the Apache instance.
Requirements
Required third-party libraries--json-c
and pcre
--are directly included as nested packages. There are no further requirements for third-party libraries.
You can verify that your system meets the requirements to build and run the SFM by running ./configure
once you’ve extracted the packages' source code.
Apache dependencies
Building mod_unblufilter
requires Apache 2 as well as the Apache 2-specific development assistance tool apxs
. See the README
file for details, especially concerning the required package name to include for your distribution.
At runtime, mod_unblufilter
requires the mod_filter
module. This is required for the sake of simplicity when it comes to configuring mod_unblufilter
as a filter in Apache 2 in the required filter chain position.
Usually the following additional modules are required to forward any requests to /unblu/
, that is, the Unblu server:
-
mod_proxy
-
mod_proxy_http
mod_unblufilter
dependencies
mod_unblufilter
depends directly on libunblufilter
, so you must build libunblufilter
first. In addition, mod_unblufilter
depends on the following packages:
-
curl-dev
(at build time) -
libexpat
(at runtime) -
uuid
(at build time) -
libidn
(libidn
at runtime,libidn-dev
at build time)
See the README
file of the mod_unblufilter
distribution package for more detailed information about dependencies as well as package names for each distribution.
Installing the SFM
Installing the SFM consists of two steps:
-
Building
libunblufilter
-
Building
mod_unblufilter
DEBUG
and RELEASE
versions
Both libunblufilter
and mod_unblufilter
can be built as DEBUG
or RELEASE
versions. The DEBUG
version isn’t optimized for speed, but its stack traces and core dumps are more reliable. DEBUG
builds may also have additional or slightly different diagnostic code enabled. However, both build types will include symbols by default.
You can build both versions:
-
In development and early test environments
DEBUG
builds are typically more appropriate. -
In later system integration or acceptance test environments, you should use
RELEASE
versions.
Production environments must only use RELEASE versions. Never use DEBUG versions in production. |
Building libunblufilter
The libunblufilter
package contains the full source code to build the main functionality of the SFM. It is based on autobuild tools.
libunblufilter
tar zxf libunblufilter-1.7.5.tar.gz
cd libunblufilter-1.7.5
mkdir build (1)
cd build
../configure <options> (2)
make
1 | Optional; if you don’t create a build directory, adapt the call to configure accordingly. |
2 | See below for a list of the options available. Run ../configure --help for further information. |
The module that results from running the commands above is located at libunblufilter-1.7.5/build/src/main/.libs/libunblufilter.so
.
To make the module available for further compilations, such as building mod_unblufilter
afterwards, it is recommended that you install the module:
libunblufilter
make install DESTDIR=/tmp/libunblufilter (1)
1 | DESTDIR is optional. It specifies the target directory. Use it if you don’t want libunblufilter installed to its default location, or if the output should be used for a packaged example.
|
The following build options are available:
-
--with-pic
is required to generate position-independent code (PIC). PIC code is used for the shared module, non-PIC for the static library.Libtool generally generates both PIC and non-PIC code.
-
--disable-shared
builds a static object. This means that when you build a module that depends onlibunblufilter
, the target is the static library and not the shared module. This is the recommended build configuration.Don’t include this option if you want to use
libunblufilter
as a shared module. -
--libdir:<dir>
specifies the library installation directory. If the build is x86_64 and/usr/local/lib64
exists, the default directory is/usr/local/lib64
. To override the default, specify a directory with this option.Specifying
--libdir
doesn’t affect the installation directory of theunblu_filter_api.h
header file, which defaults to/usr/local/include.
Specify a prefix withDESTDIR
if you want to change the installation directory for the header file:Listing 3. Buildinglibunblufilter
with--libdir
andDESTDIR
../../configure --with-pic --libdir=/usr/lib64 make install DESTDIR=/tmp/libunblufilter
This results in the following directory structure:
Listing 4. Directory structure using--libdir
andDESTDIR
/tmp/libunblufilter/usr ├── lib64 │ └── libunblufilter.so │ └── local └── include └── unblu_filter_api.h
-
--enable-debug
builds aDEBUG
version oflibunblufilter
.
Include libunblufilter
as a static library
The recommended way to build libunblufilter
is to include it as a static library in mod_unblufilter
. That way, there is no runtime dependency to libunblufilter.so
. Instead, mod_unblufilter
only depends on typical system libraries such as libc
.
Including mod_unblufilter
as a static library is only a recommendation, not a hard requirement. You can build and use the module as a shared object with little extra effort.
Building mod_unblufilter
To build mod_unblufilter
, run the following commands:
mod_unblufilter
tar zxf mod_unblufilter-1.0.0.tar.gz
cd mod_unblufilter-1.0.0
mkdir -p build/RELEASE (1)
cd build/RELEASE
../../configure --with-apxs=/usr/sbin/apxs (2)
make
make install DESTDIR=/tmp/mod_unblufilter (3)
1 | Optional; if you don’t create a build directory, adapt the call to configure accordingly. |
2 | The path to the apxs tool. Not required if apxs is in a standard directory or can be reached via $PATH . |
3 | By default, the installation target is the Apache 2 modules directory as determined by apxs . DESTDIR specifies a prefix to use before the modules directory. This is useful if you want to perform a staged installation.
In the example above, if the Apache 2 modules are located in |
make install doesn’t require root access if using DESTDIR with a target that is writable by the user executing the command. If no DESTDIR is specified, you need root access. |
To build the DEBUG
version of mod_unblufilter
, include the option --enable-debug
. The options available when building the debug version are the same as for the release version.
mod_unblufilter
mkdir -p build/DEBUG
cd build/DEBUG ../../configure --enable-debug --with-apxs=/usr/sbin/apxs
make
make install DESTDIR=/tmp/mod_unblufilter
Configuring the SFM
Once you’ve installed libunblufilter
and mod_unblufilter
, you have to configure Apache 2 to use it.
The following commented and annotated example configuration is self-contained. It includes all the configurations required to run Unblu via an Apache 2 server. In particular, it includes the configuration of a reverse proxy path for /unblu
requests, adding mod_unblufilter
using the mod_filter
Apache 2 module and the mod_unblufilter
configuration itself.
If you have multiple Unblu accounts running on the same Unblu server, you can use the Unblu directives within <VirtualHost>
blocks in the Apache configuration. In particular, setting the UnbluApiKey
differently in each block allows the SFM to distinguish between requests for different accounts.
The distributed mod_unblufilter
package contains a config
directory with a configuration example.
############################################################
# Configure reverse proxy to /unblu of Collaboration Server
<IfModule !mod_proxy.c> (1)
LoadModule proxy_module modules/mod_proxy.so
<IfModule !mod_proxy_http.c> LoadModule proxy_http_module modules/mod_proxy_http.so (2)
</IfModule>
</IfModule>
ProxyRequests Off (3)
<Proxy *>
Order deny,allow
Allow from all (4)
</Proxy>
ProxyPass /unblu/ http://unbluserver/unblu/ (5)
ProxyPassReverse /unblu/ http://unbluserver/unblu/ (6)
#############################################################
# Configure Unblu
LoadModule unblufilter_module modules/mod_unblufilter.so (7)
UnbluModule On
UnbluServerUrl http://unbluserver/ (8)
UnbluConfigOrigin local (9)
UnbluConfigDirectory /path/to/your/unblu.conf (10)
UnbluApiKey yourUnbluAPIKey (11)
UnbluCompatMode 6 (12)
#############################################################
# Advanced Unblu Configuration
# the following settings are defaults - uncomment and adapt them
#UnbluPublicPathPrefix /unblu (13)
#UnbluSystemPathPrefix /system (14)
#UnbluServerAdminBackend rest/filterBackend
#UnbluDefaultCharset ISO-8859-1 (15)
#UnbluConfigOrigin local
#UnbluConfigDirectory /etc/httpd/unblu/unblu.conf
#UnbluConfigExpiration 3600 (16)
#UnbluMaxResponseSizeResource 100kb
#UnbluMaxResponseSizeInjection 10kb
#############################################################
# Add the filter module to the filter chain
<IfModule !mod_filter.c>
LoadModule filter_module modules/mod_filter.so
</IfModule>
# The following lines require filter_module to be active
# See http://httpd.apache.org/docs/2.4/mod/mod_filter.html
# for details about filters
# FilterProvider Syntax:
# FilterProvider filter-name provider-name expression
# NOTE: do not change the provider-name (unblufilter) - it is hardcoded
# and connects this configuration to the filter module
#
FilterProvider chatfilter unblufilter "%{CONTENT_TYPE}=~ /.*/" (17)
# FilterChain Syntax:
# FilterChain [+=-@!]filter-name ...
# NOTE: The @ before the filter-name ensures that the filter is inserted at the
# first position
#
FilterChain @unblufilter (18)
#############################################################
1 | Load mod_proxy if it hasn’t already been loaded. |
2 | Load mod_proxy_http if it hasn’t already been loaded. |
3 | Set to Off to disable forward proxy capabilities. |
4 | Configure access control to proxy. |
5 | Proxy requests to /unblu . Replace https://unbluserver with the host name of the Unblu Collaboration Server. If running on a non-standard port, include the port. |
6 | Make sure response headers are adapted to have a transparent reverse proxy Unblu configuration. Replace https://unbluserver with the host name of the Unblu Collaboration Server. If running on a non-standard port, include the port. |
7 | Load mod_unblufilter . |
8 | The host name and path of the Unblu Collaboration Server, or a proxy by which the server can be reached. |
9 | Load the unblu.conf Unblu configuration file from a local or remote source. |
10 | The local path to your unblu.conf file.
|
11 | Your Unblu API key. |
12 | The compatibility mode for the Unblu server. Set to the major version of your Unblu installation, such as UnbluCompatMode 6 for Unblu 6. |
13 | If changed, the new value must have a leading slash. The remainder must match the configuration property com.unblu.identifier.publicPathPrefix in the Unblu Server. |
14 | If changed, the new value must have a leading slash. The remainder must match the configuration property com.unblu.identifier.systemPathPrefix in the Unblu Server. |
15 | The character set used if none is specified in an HTTP (text) response. |
16 | The time, in seconds, until the configuration file downloaded from the Unblu Server expires and has to be downloaded again. Ignored if UnbluConfigOrigin is set to local . |
17 | mod_filter -specific command to enable mod_unblufilter as a filter in Apache 2. |
18 | Specifies where in the filter chain Unblu is called. Unblu must be called before any URL transformations such as URL encryption or decryption. |