HTTPS configuration

From Lingoport Wiki

HTTPS configuration is often achieved via a reverse proxy hosted on the Linux system. Instructions to do so using Apache are as follows for CentOS / RHEL:

1. Install Apache and mod_ssl (HTTPS support for Apache)

sudo yum install httpd
sudo yum install mod_ssl

2. Configure SELinux to allow Apache network connections

sudo setsebool -P httpd_can_network_connect true

3. Set an Apache timeout by modifying the following line in /etc/httpd/conf/httpd.conf, or appending it if it is not present:

TimeOut 600

4. Add an HTTP (not HTTPS) config file with the following content (edit as appropriate):

vi /etc/httpd/conf.d/lingoport-apps.conf
<VirtualHost *:80>

    # ServerName SERVER_URL_REPLACE_ME   # example: myserver.lingoport.io

    AllowEncodedSlashes NoDecode
    ProxyPreserveHost On
    ProxyRequests Off

    # Default command center config - hosted on port 8083 under url path '/command-center/'
    ProxyPass /command-center/ http://localhost:8083/command-center/ nocanon
    ProxyPassReverse /command-center/ http://localhost:8083/command-center/

    # Default fallback config, redirect to port 8083 for urls without '/command-center/' as the starting path.
    # Adjust this if a different fallback mechanism is preferred.
    ProxyPass / http://localhost:8083/
    ProxyPassReverse / http://localhost:8083/

    # Force HTTPS only (Requires ssl config enabled) 
    #Header edit Location ^http://(.*)$ https://$1
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =SERVER_URL_REPLACE_ME
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

5. Restart Apache to apply the settings

sudo systemctl restart httpd

6. Acquire a certificate. Please follow your organization's instructions to do so. You should have a private key, and acquire both a certificate and a certificate chain. Some orgs may provide the certificate in the same file as the chain. Please request .pem style certificates, or convert the certificates to .pem.

7. Place the certificate and private key in a secure location on your system. The standard location is /etc/pki/tls/, with the certificate under /etc/pki/tls/certs/ and the associated private key under /etc/pki/tls/private/

8. Add Apache config to utilize the certificate:

vi /etc/httpd/conf.d/lingoport-apps-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # example: myserver.lingoport.io (Apache does not allow a comment on the same line as a directive)
    ServerName SERVER_URL_REPLACE_ME
    DocumentRoot /var/www/html

    AllowEncodedSlashes NoDecode
    ProxyPreserveHost On
    ProxyRequests Off

    # Default command center config - hosted on port 8083 under url path '/command-center/'
    ProxyPass /command-center/ http://localhost:8083/command-center/ nocanon
    ProxyPassReverse /command-center/ http://localhost:8083/command-center/

    # Default fallback config, redirect to port 8083 for urls without '/command-center/' as the starting path.
    # Adjust this if a different fallback mechanism is preferred.
    ProxyPass / http://localhost:8083/
    ProxyPassReverse / http://localhost:8083/


# SSL Settings. These may be placed in other config files instead, but are left here for convenience. 
SSLEngine on

# BEGIN Possible security settings - based on LetsEncrypt recommendations as of Feb 2023.
# ---
# Please adjust to your own organization's guidelines!
SSLHonorCipherOrder     off
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
# ---
# END Possible security settings


# Reference the certificates:
SSLCertificateFile /etc/pki/tls/certs/<yourserver.yourorg.com>.pem
SSLCertificateKeyFile /etc/pki/tls/private/<yourserversprivatekey>.pem

# Not necessary if the certificate file includes a chain as well. See the Apache docs: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
# The path below is an example; point it at your own chain file.
SSLCertificateChainFile /etc/letsencrypt/live/dockerdev1.lingoport.io/chain.pem

</VirtualHost>
</IfModule>

9. Optionally enforce a redirect to HTTPS by uncommenting and filling out the following section in /etc/httpd/conf.d/lingoport-apps.conf:

Before:

   # Force HTTPS only (Requires ssl config enabled) 
   #Header edit Location ^http://(.*)$ https://$1
   #RewriteEngine on
   #RewriteCond %{SERVER_NAME} =SERVER_URL_REPLACE_ME
   #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

After:

   # Force HTTPS only (Requires ssl config enabled) 
   Header edit Location ^http://(.*)$ https://$1
   RewriteEngine on
   RewriteCond %{SERVER_NAME} =example.somecorp.com
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


10. Restart Apache to apply the settings

   sudo systemctl restart httpd

11. Set up Apache to start automatically after a reboot.

   sudo systemctl enable httpd
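
An added example (not part of the original wiki page): a check to run before the restart in step 10 on the files placed in step 7 and referenced in step 8. It assumes the openssl command line tool and GNU stat; the function names and the script name preflight.sh are illustrative.

```shell
#!/bin/sh
# Added example: pre-restart checks for the files referenced in lingoport-apps-ssl.conf.
# Assumes the openssl CLI and GNU stat (both standard on CentOS / RHEL).

# The private key must not be accessible to group or others (e.g. mode 600 or 400).
key_mode_ok() {   # usage: key_mode_ok KEY
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# The certificate and the private key must carry the same public key,
# otherwise Apache will not start.
key_matches_cert() {   # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The certificate must be valid for the name used as ServerName.
cert_covers_host() {   # usage: cert_covers_host CERT HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# The certificate must still be valid DAYS days from now.
cert_valid_for_days() {   # usage: cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

preflight() {   # usage: preflight CERT KEY HOSTNAME
    rc=0
    key_mode_ok "$2"            || { echo "FAIL: $2 is accessible to group/others"; rc=1; }
    key_matches_cert "$1" "$2"  || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_covers_host "$1" "$3"  || { echo "FAIL: certificate does not cover $3"; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate, key and host name are consistent"
    return "$rc"
}

# Runs only when called with three arguments, e.g.:
#   sudo sh preflight.sh /etc/pki/tls/certs/<cert>.pem /etc/pki/tls/private/<key>.pem <ServerName>
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

Follow it with `sudo apachectl configtest` to catch syntax errors in the two conf.d files before restarting httpd.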

To continue on Command Center installation, please go to: