HTTPS configuration

Latest revision as of 18:22, 27 September 2023

HTTPS configuration is often achieved via a reverse proxy hosted on the Linux system. Instructions to do so using Apache are as follows for CentOS / RHEL:

1. Install Apache and mod_ssl (HTTPS support for Apache)

sudo yum install httpd
sudo yum install mod_ssl

2. Configure SELinux to allow Apache network connections

sudo setsebool -P httpd_can_network_connect true

3. Set an apache timeout by modifying or appending the line:

TimeOut 600

to /etc/httpd/conf/httpd.conf

4. Add http (not s) config file with the following content (edit as appropriate):

vi /etc/httpd/conf.d/lingoport-apps.conf
<VirtualHost *:80>

    # ServerName SERVER_URL_REPLACE_ME   # example: myserver.lingoport.io

    AllowEncodedSlashes NoDecode
    ProxyPreserveHost On
    ProxyRequests Off

    # Default command center config - hosted on port 8083 under url path '/command-center/'
    ProxyPass /command-center/ http://localhost:8083/command-center/ nocanon
    ProxyPassReverse /command-center/ http://localhost:8083/command-center/

    # Default fallback config, redirect to port 8083 for urls without '/command-center/' as the starting path.
    # Adjust this if a different fallback mechanism is preferred.
    ProxyPass / http://localhost:8083/
    ProxyPassReverse / http://localhost:8083/

    # Force HTTPS only (Requires ssl config enabled) 
    #Header edit Location ^http://(.*)$ https://$1
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =SERVER_URL_REPLACE_ME
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

5. Restart Apache to apply the settings

sudo systemctl restart httpd

6. Acquire a certificate. Please follow your organization's instructions to do so. You should have a private key, and acquire both a certificate and a certificate chain. Some orgs may provide the certificate in the same file as the chain. Please request .pem style certificates, or convert the certificates to .pem.

7. Place the certificate and private key on a secure location on your system. Standard location is /etc/pki/tls/, with the certificate under /etc/pki/tls/certs/ and the associated private key under /etc/pki/tls/private/

8. Add Apache config to utilize the certificate:

vi /etc/httpd/conf.d/lingoport-apps-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # Replace with this server's hostname, for example myserver.lingoport.io
    # (httpd does not accept a trailing "# comment" after a directive, so keep the example on its own line)
    ServerName SERVER_URL_REPLACE_ME
    DocumentRoot /var/www/html

    AllowEncodedSlashes NoDecode
    ProxyPreserveHost On
    ProxyRequests Off

    # Default command center config - hosted on port 8083 under url path '/command-center/'
    ProxyPass /command-center/ http://localhost:8083/command-center/ nocanon
    ProxyPassReverse /command-center/ http://localhost:8083/command-center/

    # Default fallback config, redirect to port 8083 for urls without '/command-center/' as the starting path.
    # Adjust this if a different fallback mechanism is preferred.
    ProxyPass / http://localhost:8083/
    ProxyPassReverse / http://localhost:8083/


# SSL Settings. These may be placed in other config files instead, but are left here for convenience. 
SSLEngine on

# BEGIN Possible security settings - based on LetsEncrypt recommendations as of Feb 2023.
# ---
# Please adjust to your own organization's guidelines!
SSLHonorCipherOrder     off
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

SSLOptions +StrictRequire

# Add vhost name (%v) to log entries:
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
# ---
# END Possible security settings


# Reference the certificates:
SSLCertificateFile /etc/pki/tls/certs/<yourserver.yourorg.com>.pem
SSLCertificateKeyFile /etc/pki/tls/private/<yourserversprivatekey>.pem

# Not necessary if the certificate file includes a chain as well. See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
SSLCertificateChainFile /etc/letsencrypt/live/dockerdev1.lingoport.io/chain.pem

</VirtualHost>
</IfModule>
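As an added example (not from the Lingoport wiki and not part of the Lingoport tooling), the POSIX shell script below runs the pre-restart checks a practitioner would want after steps 7 and 8: that the private key is mode 0600, and that the SSL vhost file has no unfilled placeholder, no trailing "# comment" on a directive line (httpd rejects those as extra arguments and refuses to start), `SSLEngine on`, and an `SSLProtocol` line that actually disables SSLv3, TLSv1 and TLSv1.1. The function names, the two sample config files and the temporary paths are constructed for the demonstration; the checks are purely textual and complement, rather than replace, `apachectl configtest`.

```shell
#!/bin/sh
# Added example, not part of the Lingoport wiki page. Pre-restart checks for the
# private key placement (step 7) and the TLS vhost config (step 8). Function
# names, sample configs and temporary paths are constructed for this demo.

# The private key must be mode 0600. httpd reads it while still running as root
# (before switching to the 'apache' user), so nobody else ever needs access.
check_private_key() {
    key="$1"
    [ -f "$key" ] || { echo "missing private key: $key"; return 1; }
    # 'find -perm 600' without a leading '-' or '/' matches the exact mode only
    if [ -z "$(find "$key" -perm 600 -print)" ]; then
        echo "$key: mode must be 0600 (and owner root:root)"
        return 1
    fi
    return 0
}

# Static checks for the usual editing mistakes before 'systemctl restart httpd':
#  - SERVER_URL_REPLACE_ME left on an active (non-comment) line
#  - a <placeholder> still inside a certificate or key path
#  - a trailing '# comment' on a directive line (httpd treats it as extra arguments)
#  - SSLEngine not switched on
#  - an SSLProtocol line that still leaves SSLv3, TLSv1 or TLSv1.1 enabled
check_vhost_config() {
    conf="$1"
    status=0
    if grep -Eq '^[[:space:]]*[^#[:space:]].*REPLACE_ME' "$conf"; then
        echo "$conf: SERVER_URL_REPLACE_ME has not been filled in"; status=1
    fi
    if grep -Eq '^[[:space:]]*SSL[A-Za-z]*File[[:space:]]+.*<' "$conf"; then
        echo "$conf: certificate or key path still contains a <placeholder>"; status=1
    fi
    # A directive (line starts with a letter) followed by '#' later on the line.
    # Full-line comments are not matched; a '#' inside a quoted argument would be
    # flagged too, which is acceptable for a conservative pre-check.
    if grep -Eq '^[[:space:]]*[A-Za-z]+[[:space:]]+[^#]*#' "$conf"; then
        echo "$conf: inline '#' comment after a directive; httpd will refuse to start"; status=1
    fi
    if ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf"; then
        echo "$conf: 'SSLEngine on' is missing"; status=1
    fi
    # The last SSLProtocol line wins; tabs are normalised so the word checks work.
    proto=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1 | tr '\t' ' ')
    if [ -z "$proto" ]; then
        echo "$conf: no SSLProtocol line (httpd's default keeps TLSv1 enabled)"; status=1
    fi
    padded=" $proto "
    case "$padded" in
        *" all "*|*" +all "*)
            # 'all' form: each legacy protocol must be subtracted explicitly
            for old in SSLv3 TLSv1 TLSv1.1; do
                case "$padded" in
                    *" -$old "*) ;;
                    *) echo "$conf: SSLProtocol leaves $old enabled"; status=1 ;;
                esac
            done ;;
        *)
            # allow-list form (e.g. 'SSLProtocol TLSv1.2 TLSv1.3'): legacy must be absent
            for old in SSLv3 TLSv1 TLSv1.1; do
                case "$padded" in
                    *" $old "*|*" +$old "*) echo "$conf: SSLProtocol enables $old"; status=1 ;;
                esac
            done ;;
    esac
    return $status
}

# Two constructed configs: the step 8 vhost with placeholders filled in, and a
# copy that still carries the mistakes the checks are designed to catch.
write_sample_configs() {
    dir="$1"
    cat > "$dir/good.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.somecorp.com
    SSLEngine on
    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile /etc/pki/tls/certs/example.somecorp.com.pem
    SSLCertificateKeyFile /etc/pki/tls/private/example.somecorp.com.key.pem
</VirtualHost>
</IfModule>
EOF
    cat > "$dir/bad.conf" <<'EOF'
<VirtualHost *:443>
    ServerName SERVER_URL_REPLACE_ME   # example: myserver.lingoport.io
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCertificateFile /etc/pki/tls/certs/<yourserver.yourorg.com>.pem
</VirtualHost>
EOF
}

main() {
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    : > "$tmp/server.key" && chmod 600 "$tmp/server.key"
    check_private_key "$tmp/server.key" && echo "server.key: permissions OK"
    check_vhost_config "$tmp/good.conf" && echo "good.conf: no problems found"
    check_vhost_config "$tmp/bad.conf" || echo "bad.conf: rejected as expected"
    rm -rf "$tmp"
    # On the real host, finish with httpd's own parser:  apachectl configtest
}
main
```

Run as-is to see the constructed good and bad configs checked. On the real host, source the script and call `check_private_key` on the key path from step 7 and `check_vhost_config /etc/httpd/conf.d/lingoport-apps-ssl.conf` before restarting httpd; the placeholder check deliberately ignores commented-out lines, so the still-commented redirect block in lingoport-apps.conf is not reported.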

9. Optionally enforce a redirect to https by uncommenting and filling out the following section in /etc/httpd/conf.d/lingoport-apps.conf

Before:

   # Force HTTPS only (Requires ssl config enabled) 
   #Header edit Location ^http://(.*)$ https://$1
   #RewriteEngine on
   #RewriteCond %{SERVER_NAME} =SERVER_URL_REPLACE_ME
   #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

After:

   # Force HTTPS only (Requires ssl config enabled) 
   Header edit Location ^http://(.*)$ https://$1
   RewriteEngine on
   RewriteCond %{SERVER_NAME} =example.somecorp.com
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


10. Restart Apache to apply the settings

sudo systemctl restart httpd

11. Set up Apache to start automatically after a reboot.

sudo systemctl enable httpd

To continue on Command Center installation, please go to: