Contents
| Inhalt | ||||||
|---|---|---|---|---|---|---|
|
Introduction
The configuration of Apache Karaf osgi-runner itself as well as the configuration of all installed OSGi bundles are in files in osgi-runner's etc directory.
...
The configuration file htpasswd.d/osgi-htpaswd specifies one or more karaf usersosgi-runner users in the domain osgi, like this snippet from the default configuration shows:
...
Optional: Configuring the embedded SSH Server
As mentioned Karaf , osgi-runner comes with an embedded SSH server.
...
Optional: Configuring the osgi-runner HTTP Port
Our Karaf osgi-runner package comes with an integrated HTTP server in the form of the Felix HTTP bundle, based on Jetty (which is unfortunate because it is not as configurable as one might wish). There is also a newer approach org.ops4j.pax.web, but for now we stick with Felix.
...
Therefore it is common practice to “hide” the application server (in our case Karafosgi-runner) behind a legacy Web server like Apache, IIS, nginx acting as a reverse proxy and to only pass-through known sub URLs.
...
There are two approaches to disallow remote access to Karafosgi-runner's HTTP engine, both can be used together:
osgi-runner should only listen on localhost (127.0.0.1), which is achieved by adding the setting org.apache.felix.http.host=127.0.0.1 to org.apache.felix.http.cfg, see also http://felix.apache.org/documentation/subprojects/apache-felix-http-service.html for more configuration options of the embedded HTTP server.
Alternatively, the local firewall should not allow remote access to osgi-runner's HTTP port.
...
If a Firewall is used (recommended) these are the common ports of our Karaf osgi-runner installations.
We usually open these ports to the network:
80, for a minimal web host redirecting to the https counterpart443, for a web host acting as reverse proxy to the MDA serverWindows:
3389, remote desktop, for maintenance of Windows hosts, restricted to trusted hosts or networks- Linux:
22, ssh, DOS-protected by fail2ban
We usually do not open these ports:
8080or8081or other, osgi-runner HTTP server port8101, Karaf osgi-runner SSH server port
Bundle PIDs
...
As most web apps, config-managers require the user to identify and authenticate himself.
In Karaf osgi-runner they usually authenticate against the embedded JAAS authentication engine, which by default provides an admin user karaf / karaf in the domain osgi.
Our configuration UIs support other configuration mechanisms, but when bootstrapping an installation only JAAS is available.
Therefore access to the web-based config-managers should be restricted using the mechanisms of either a firewall, or a legacy web server acting as reverse proxy in front of karafosgi-runner, or the config-managers' own configuration.
...