Openfire configurations (Openfire + Spark + Webchat + Apache + Tomcat)

Hi,

Here's my setup.

  • Apache will have port 80 open with redirections and proxy pass to the applications below
    • Openfire is set to port 9090
    • Webchat which resides in tomcat is set to port 8080
  • Spark can connect externally via the default port 5222

The problems are with my Webchat and the Openfire admin module.

They display fine, but once I submit a form or click a link, I get redirected back to the original ports, which are 9090 and 8080.

Locally this wouldn't be a problem, but when trying to access these via the internet it becomes a problem.

How do I set Openfire/Webchat to redirect back using the correct port?

I found a way for Webchat by removing the port in livejive.jsp, but I'm not sure if this is the right way to do it.

I am looking to do this preferably in a non-hackish way.

Or is the Openfire admin module not supposed to be accessed via the internet, only to be used locally?

Thanks, and yes, I'm a noob.

Have you considered using an Apache reverse proxy and proxypreservehost to create a way around your firewall? Typically that would work something like this:

of.example.com is your Openfire server.

web.example.com is your web server.

With a reverse proxy, proxy preserve host and a little rewrite magic, you could set things up so

http://web.example.com/ofadmin goes to http://of.example.com:9090/index.jsp

    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass /ofadmin http://of.example.com:9090/
    ProxyPassReverse /ofadmin http://of.example.com:9090/

Of course you should probably at a minimum think about using HTTPS instead of HTTP for this kind of thing (openfire’s admin server listens HTTPS on port 9091). Doing that will take a little more finesse, and probably require installing a “real” trusted SSL cert on at least your web server (unless you have some kind of traffic management device you can offload SSL to).

In fact it’s probably NOT a good idea to expose your admin interface to the Internet at all, but that’s between you and your security guys.

While you’re at it you might also want to consider using a Connection Manager or squid proxy to provide an extra layer of defense on your (TLS protected) XMPP ports (you do have Client Connection Security set to “Required”, don’t you?).

1 Like

Hi,

Thank you so much for the help.

I’d rate you as the correct answer but I still need some clarification, if you don't mind.

It seems that I was missing these 3 lines from my previous settings:

    ProxyRequests off
    ProxyPreserveHost on
    ProxyPassReverse /ofadmin http://of.example.com:9090/

That being said, this only worked if I used it for /webchat (localhost/webchat).

But when I used it exactly as you had mentioned above for the admin interface, I got a Forbidden error,

which I then also fixed by adding:

    <Directory "C:/Program Files (x86)/Openfire">
        Order allow,deny
        Allow from all
    </Directory>

But it seems that the admin interface still couldn't load unless I had this setup instead:

    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass /ofadmin http://of.example.com:9090/
    ProxyPassReverse /ofadmin http://of.example.com:9090/

As you can see, I couldn't add the extra path to the URL or Apache would tell me there is no such file.

Another related question I need to ask is about ProxyPassReverse (I did some reading on the site but couldn't quite grasp it): if I have the setup below, it still works. I ask because I am trying to understand ProxyPass and ProxyPassReverse and how they work with the Openfire setup.

    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass / http://of.example.com:9090/
    ProxyPassReverse / http://of.example.com:9090/

This works as it works for the /webchat url as well.

Again thank you for your help.

Peace!

First of all, my congratulations to you for getting this working on Windows at all. I am in awe. At the risk of getting in too far over my head I think I now understand why your ultimate solution worked. I should have tested to see if the admin app would accept something short of being rooted in “/”. My bad. What should work is:

    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass / http://of.example.com:9090/
    ProxyPassReverse / http://of.example.com:9090/

Basically the first line passes traffic from users TO the openfire server, the second line passes it back FROM the openfire server to the users. The “ProxyRequests off” terminates any previous proxy statements so they don’t step on what you’re trying to implement. The “ProxyPreserveHost on” tells the server to hide the “real” url you are sending people to.

You could set up a separate Apache name virtual host, responding to a different site name, if the existing web server also needs to serve up additional content.

I would recommend securing the connection from users to the Apache server with SSL, something that I don’t think is offered out-of-the-box with Apache on Windows. Getting that to work is well beyond my expertise at this point.

By the way, the Apache Foundation docs are actually very good. Go here, http://httpd.apache.org/docs, and click on the version you’re looking for. There’s a search facility that lets you look up key terms. Configuring Apache is kind of a black art that has a steep learning curve, but well worth the effort.

1 Like
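
One way to combine the advice in this thread (root-mapped proxy, HTTPS, and not leaving the admin console open to the whole Internet) in a dedicated name-based virtual host. This is an added example, not part of the original posts; it assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded, and admin.example.com, the certificate paths and the 192.0.2.0/24 management range are placeholders.

```apache
# Added example. admin.example.com, the certificate paths and 192.0.2.0/24
# are placeholders; of.example.com:9090 is the backend named in the thread.

# Plain HTTP only redirects to HTTPS, so admin logins never cross in clear text.
<VirtualHost *:80>
    ServerName admin.example.com
    Redirect permanent / https://admin.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName admin.example.com

    SSLEngine on
    SSLCertificateFile    "conf/ssl/admin.example.com.crt"
    SSLCertificateKeyFile "conf/ssl/admin.example.com.key"

    # Reverse proxy only: never act as a forward proxy for arbitrary URLs.
    ProxyRequests Off
    # Pass the client's Host header (admin.example.com) through to Openfire.
    ProxyPreserveHost On

    # Console mapped at "/", as the thread settled on. Both arguments end in
    # "/" so the path prefix is swapped cleanly in each direction.
    # The hop to Openfire stays HTTP on 9090; keep it on a trusted network.
    ProxyPass        / http://of.example.com:9090/

    # Rewrite Location headers of backend redirects that name the backend,
    # so browsers are not sent to port 9090.
    ProxyPassReverse / http://of.example.com:9090/
    # If the backend builds redirects from the preserved Host header, they
    # arrive as http://admin.example.com/...; map those to this vhost too.
    ProxyPassReverse / http://admin.example.com/

    # Only the management network may reach the console; others get 403.
    <Location "/">
        Require ip 192.0.2.0/24
    </Location>
</VirtualHost>
```

Run `apachectl configtest` (or `httpd -t` on Windows) after editing, then confirm from an address outside the allowed range that the console returns 403.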

Again thanks very much.

Noted on the SSL.

Currently I'm just doing a minor proof of concept to see how these things work.

Of course, in the real production environment I would either avoid having the admin interface on the internet entirely or use SSL for it, as you suggested.

I will now dive in to the black art!

Thank you