HTTPS configuration

From Lingoport Wiki
Revision as of 18:49, 18 April 2023 by Olibouban (talk | contribs)

HTTPS configuration is often achieved via a reverse proxy hosted on the Linux system. Instructions for doing so with Apache on CentOS / RHEL follow:

1. Install Apache (httpd) and mod_ssl (HTTPS support for Apache)

sudo yum install httpd

sudo yum install mod_ssl

2. Configure SELinux to allow Apache to open network connections (the proxy needs this to reach the backend on port 8083)

sudo setsebool -P httpd_can_network_connect true

3. Add the plain-HTTP (not HTTPS) config file with the following content (edit as appropriate):

/etc/httpd/conf.d/lingoport-apps.conf

<VirtualHost *:80>
   # Set ServerName to the public hostname, for example myserver.lingoport.io
   # (httpd does not allow a trailing comment on the directive line)
   # ServerName SERVER_URL_REPLACE_ME
   AllowEncodedSlashes NoDecode
   ProxyPreserveHost On
   ProxyRequests Off
   # Default command center config - hosted on port 8083 under url path '/command-center/'
   ProxyPass /command-center/ http://localhost:8083/command-center/ nocanon
   ProxyPassReverse /command-center/ http://localhost:8083/command-center/
   # Default fallback config, redirect to port 8083 for urls without '/command-center/' as the starting path.
   # Adjust this if a different fallback mechanism is preferred.
   ProxyPass / http://localhost:8083/
   ProxyPassReverse / http://localhost:8083/
   # Force HTTPS only (Requires ssl config enabled)
   #Header edit Location ^http://(.*)$ https://$1
   #RewriteEngine on
   #RewriteCond %{SERVER_NAME} =SERVER_URL_REPLACE_ME
   #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


4. Restart Apache to apply the settings

sudo systemctl restart httpd

5. Acquire a certificate. Please follow your organization's instructions to do so. You should have a private key, and acquire both a certificate and a certificate chain. Some organizations may provide the certificate in the same file as the chain. Please request PEM-format (.pem) certificates, or convert the certificates to PEM.

6. Place the certificate and private key in a secure location on your system. The standard location is /etc/pki/tls/, with the certificate under /etc/pki/tls/certs/ and the associated private key under /etc/pki/tls/private/.

7. Add the Apache config that uses the certificate:

/etc/httpd/conf.d/lingoport-apps-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
   # Set ServerName to the public hostname, for example myserver.lingoport.io
   # (httpd does not allow a trailing comment on the directive line)
   ServerName SERVER_URL_REPLACE_ME
   DocumentRoot /var/www/html
   AllowEncodedSlashes NoDecode
   ProxyPreserveHost On
   ProxyRequests Off
   # Default command center config - hosted on port 8083 under url path '/command-center/'
   ProxyPass /command-center/ http://localhost:8083/command-center/ nocanon
   ProxyPassReverse /command-center/ http://localhost:8083/command-center/
   # Default fallback config, redirect to port 8083 for urls without '/command-center/' as the starting path.
   # Adjust this if a different fallback mechanism is preferred.
   ProxyPass / http://localhost:8083/
   ProxyPassReverse / http://localhost:8083/

   # SSL Settings. These may be placed in other config files instead, but are left here for convenience.
   SSLEngine on

   # BEGIN Possible security settings - based on LetsEncrypt recommendations as of Feb 2023.
   # ---
   # Please adjust to your own organization's guidelines!
   SSLHonorCipherOrder off
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
   SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
   SSLOptions +StrictRequire

   # Add vhost name (%v) to log entries:
   LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
   LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
   # ---
   # END Possible security settings

   # Reference the certificates:
   SSLCertificateFile /etc/pki/tls/certs/<yourserver.yourorg.com>.pem
   SSLCertificateKeyFile /etc/pki/tls/private/<yourserversprivatekey>.pem
   # Not necessary if the certificate file includes a chain as well. See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
   SSLCertificateChainFile /etc/letsencrypt/live/dockerdev1.lingoport.io/chain.pem
</VirtualHost>
</IfModule>

8. Optionally enforce a redirect to HTTPS by uncommenting and filling out the following section in /etc/httpd/conf.d/lingoport-apps.conf:

Before:

   # Force HTTPS only (Requires ssl config enabled) 
   #Header edit Location ^http://(.*)$ https://$1
   #RewriteEngine on
   #RewriteCond %{SERVER_NAME} =SERVER_URL_REPLACE_ME
   #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

After:

   # Force HTTPS only (Requires ssl config enabled) 
   Header edit Location ^http://(.*)$ https://$1
   RewriteEngine on
   RewriteCond %{SERVER_NAME} =example.somecorp.com
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


9. Restart Apache to apply the settings

sudo systemctl restart httpd
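As an added worked example (my own code, not Lingoport's or the wiki's), the following Python script checks the points the procedure above depends on before you restart httpd: that the *:443 vhost keeps the protocol floor and the forward-secret AEAD cipher list from step 7, keeps ProxyRequests Off (so httpd does not double as an open forward proxy), pairs every ProxyPass with a ProxyPassReverse (so backend redirects do not expose localhost:8083), and has no placeholder left in ServerName or the certificate paths; and that the private key placed in step 6 is a PEM private key that group and other cannot read. The hostnames, paths, sample vhosts and key files are constructed, and the directive parser is deliberately minimal (one directive per line, no Include or nested sections), so treat it as a pre-restart sanity check alongside, not instead of, apachectl configtest.

```python
# Added example (not Lingoport's code): offline sanity checks for the files this page has you write. Sample vhosts, hostnames and key files below are constructed.
import os
import re
import stat
import tempfile

KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # what the page's SSLProtocol line disables
AEAD_PFS_SUITE = re.compile(r"^(ECDHE|DHE)-(ECDSA|RSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305)$")  # (EC)DHE + AEAD, as on the page
PLACEHOLDER = re.compile(r"REPLACE_ME|<[^>]*>")   # template values from the page left unfilled

def parse_directives(text):
    """(name, args) pairs for each non-comment, non-section line, in file order."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            name, _, args = line.partition(" ")
            pairs.append((name, args.strip()))
    return pairs

def enabled_protocols(spec):
    """Evaluate an SSLProtocol argument list such as 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = KNOWN_PROTOCOLS if name.lower() == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled

def lint_ssl_vhost(text):
    """Findings for the *:443 vhost: protocol floor, cipher policy, proxy mode, cert references."""
    pairs = parse_directives(text)
    last = dict(pairs)   # a repeated directive's last occurrence wins, as in httpd
    findings = []
    if last.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not on")
    legacy = enabled_protocols(last.get("SSLProtocol", "all")) & LEGACY_PROTOCOLS  # absent: treat as 'all'
    if legacy:
        findings.append("legacy protocols still enabled: " + " ".join(sorted(legacy)))
    weak = [c for c in last.get("SSLCipherSuite", "").split(":") if c and not AEAD_PFS_SUITE.match(c)]
    if weak:
        findings.append("ciphers without forward secrecy or AEAD: " + ":".join(weak))
    if last.get("ProxyRequests", "Off").lower() != "off":
        findings.append("ProxyRequests is not Off: httpd would also act as an open forward proxy")
    forward = {a.split()[0] for n, a in pairs if n == "ProxyPass"}
    reverse = {a.split()[0] for n, a in pairs if n == "ProxyPassReverse"}
    for path in sorted(forward - reverse):
        findings.append(f"ProxyPass {path} has no ProxyPassReverse (backend redirects would expose localhost:8083)")
    for name in ("ServerName", "SSLCertificateFile", "SSLCertificateKeyFile"):
        if not last.get(name) or PLACEHOLDER.search(last[name]):
            findings.append(f"{name} is missing or still a placeholder")
    return findings

def check_private_key(path):
    """Step 6: the key must be a PEM private key that group/other cannot read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} lets group/other read the private key")
    with open(path, "rb") as fh:
        head = fh.read(64)
    if not re.match(rb"-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----", head):
        findings.append(f"{path}: does not start with a PEM private key header")
    return findings

def demo_key_checks():
    """Constructed (not real) key files with a safe and an unsafe mode; returns each file's findings."""
    results = {}
    for name, mode in (("good.pem", 0o600), ("bad.pem", 0o644)):
        path = os.path.join(tempfile.mkdtemp(), name)
        with open(path, "wb") as fh:
            fh.write(b"-----BEGIN PRIVATE KEY-----\nMIIE(constructed, not a real key)\n-----END PRIVATE KEY-----\n")
        os.chmod(path, mode)
        results[name] = check_private_key(path)
    return results

HARDENED_VHOST = """<VirtualHost *:443>
   ServerName proxy.example.com
   ProxyRequests Off
   ProxyPass /command-center/ http://localhost:8083/command-center/ nocanon
   ProxyPassReverse /command-center/ http://localhost:8083/command-center/
   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
   SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305
   SSLCertificateFile /etc/pki/tls/certs/proxy.example.com.pem
   SSLCertificateKeyFile /etc/pki/tls/private/proxy.example.com.key.pem
</VirtualHost>"""
WEAK_VHOST = """<VirtualHost *:443>
   ServerName SERVER_URL_REPLACE_ME
   ProxyRequests On
   ProxyPass / http://localhost:8083/
   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
   SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA
</VirtualHost>"""

if __name__ == "__main__":
    print("hardened:", lint_ssl_vhost(HARDENED_VHOST) or "OK")
    print("weak:", lint_ssl_vhost(WEAK_VHOST), demo_key_checks())
```

To run it against your own files, call lint_ssl_vhost on the contents of /etc/httpd/conf.d/lingoport-apps-ssl.conf and check_private_key on the key path you used for SSLCertificateKeyFile; a clean configuration returns an empty list from both. The weakened sample shows what the checks catch: TLS 1.0/1.1 left enabled, CBC and non-forward-secret ciphers, ProxyRequests On, an unpaired ProxyPass, and placeholders that were never filled in.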