HTTPS configuration
HTTPS configuration is often achieved via a reverse proxy hosted on the Linux system. Instructions to do so using Apache are as follows for CentOS / RHEL:
1. Install apache and mod_ssl (https support for apache)
sudo yum install httpd
sudo yum install mod_ssl
2. Configure SELinux to allow apache network connections
sudo setsebool -P httpd_can_network_connect true
3. Add http (not s) config file with the following content (edit as appropriate):
/etc/httpd/conf.d/lingoport-apps.conf
<VirtualHost *:80>
    # example: myserver.lingoport.io
    # ServerName SERVER_URL_REPLACE_ME

    AllowEncodedSlashes NoDecode
    ProxyPreserveHost On
    ProxyRequests Off

    # Default command center config - hosted on port 8083 under url path '/command-center/'
    ProxyPass /command-center/ http://localhost:8083/command-center/ nocanon
    ProxyPassReverse /command-center/ http://localhost:8083/command-center/

    # Default fallback config, redirect to port 8083 for urls without '/command-center/' as the starting path.
    # Adjust this if a different fallback mechanism is preferred.
    ProxyPass / http://localhost:8083/
    ProxyPassReverse / http://localhost:8083/

    # Force HTTPS only (Requires ssl config enabled)
    #Header edit Location ^http://(.*)$ https://$1
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =SERVER_URL_REPLACE_ME
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
4. Restart apache to apply the settings
sudo systemctl restart httpd
5. Acquire a certificate. Please follow your organization's instructions to do so. You should have a private key, and acquire both a certificate and a certificate chain. Some orgs may provide the certificate in the same file as the chain. Please request .pem style certificates, or convert the certificates to .pem.
6. Place the certificate and private key in a secure location on your system. The standard location is /etc/pki/tls/, with the certificate under /etc/pki/tls/certs/ and the associated private key under /etc/pki/tls/private/.
7. Add apache config to utilize the certificate:
/etc/httpd/conf.d/lingoport-apps-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # example: myserver.lingoport.io
    ServerName SERVER_URL_REPLACE_ME
    DocumentRoot /var/www/html

    AllowEncodedSlashes NoDecode
    ProxyPreserveHost On
    ProxyRequests Off

    # Default command center config - hosted on port 8083 under url path '/command-center/'
    ProxyPass /command-center/ http://localhost:8083/command-center/ nocanon
    ProxyPassReverse /command-center/ http://localhost:8083/command-center/

    # Default fallback config, redirect to port 8083 for urls without '/command-center/' as the starting path.
    # Adjust this if a different fallback mechanism is preferred.
    ProxyPass / http://localhost:8083/
    ProxyPassReverse / http://localhost:8083/

    # SSL Settings. These may be placed in other config files instead, but are left here for convenience.
    SSLEngine on

    # BEGIN Possible security settings - based on LetsEncrypt recommendations as of Feb 2023.
    # ---
    # Please adjust to your own organization's guidelines!
    SSLHonorCipherOrder off
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLOptions +StrictRequire

    # Add vhost name to log entries:
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
    # ---
    # END Possible security settings

    # Reference the certificates:
    SSLCertificateFile /etc/pki/tls/certs/<yourserver.yourorg.com>.pem
    SSLCertificateKeyFile /etc/pki/tls/private/<yourserversprivatekey>.pem

    # Not necessary if the certificate file includes a chain as well. See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
    SSLCertificateChainFile /etc/letsencrypt/live/dockerdev1.lingoport.io/chain.pem
</VirtualHost>
</IfModule>
8. Optionally enforce a redirect to https by uncommenting and filling out the following section in /etc/httpd/conf.d/lingoport-apps.conf.
Before:
    # Force HTTPS only (Requires ssl config enabled)
    #Header edit Location ^http://(.*)$ https://$1
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =SERVER_URL_REPLACE_ME
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
After:
    # Force HTTPS only (Requires ssl config enabled)
    Header edit Location ^http://(.*)$ https://$1
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.somecorp.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
9. Restart apache to apply the settings
sudo systemctl restart httpd
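After the restart it is worth checking that the two config files actually say what steps 3, 7 and 8 intend: TLS 1.0/1.1 disabled, only forward-secret AEAD cipher suites, the private key under /etc/pki/tls/private/, forward proxying off, and the :80 vhost redirecting to https. The script below is an added example and not part of the Lingoport documentation; it reads the directives as plain text rather than through Apache, and the sample configs, hostnames and file names embedded in it are constructed placeholders derived from the templates above.

```python
"""Audit the two Apache vhost configs from the procedure above.

Added example, not part of the Lingoport documentation. Directives are read as
plain text (no Apache parser); hostnames and paths in the samples are placeholders.
"""
import re
import sys

# Tokens SSLProtocol accepts; SSLv2 is listed so "-SSLv2" resolves, though modern OpenSSL has no SSLv2.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directives(conf_text):
    """Yield (name, args) for each active directive; skips comments, blanks and <tags>."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")


def effective_protocols(spec):
    """Resolve an SSLProtocol argument like 'all -SSLv3 -TLSv1' to the enabled set."""
    enabled = set()
    for token in spec.split():
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def audit_ssl_conf(conf_text):
    """Return findings for the :443 vhost; an empty list means nothing was flagged."""
    found = dict(directives(conf_text))  # last occurrence of a directive wins
    findings = []
    if found.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not 'on'")
    legacy = sorted(effective_protocols(found.get("SSLProtocol", "all")) & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    for suite in filter(None, found.get("SSLCipherSuite", "").split(":")):
        # Require forward secrecy (ECDHE/DHE) and an AEAD cipher (GCM or ChaCha20-Poly1305).
        if not (suite.startswith(("ECDHE-", "DHE-")) and ("GCM" in suite or "CHACHA20" in suite)):
            findings.append("non-PFS or non-AEAD cipher suite: " + suite)
    if "SSLCertificateFile" not in found:
        findings.append("SSLCertificateFile missing")
    key = found.get("SSLCertificateKeyFile")
    if key is None:
        findings.append("SSLCertificateKeyFile missing")
    elif not key.startswith("/etc/pki/tls/private/"):
        findings.append("private key outside /etc/pki/tls/private/: " + key)
    if found.get("ProxyRequests", "").lower() != "off":
        findings.append("ProxyRequests is not 'off' (forward proxying would be allowed)")
    return findings


def audit_http_conf(conf_text):
    """Return findings for the :80 vhost, which should only redirect to https."""
    found = dict(directives(conf_text))
    findings = []
    if found.get("RewriteEngine", "").lower() != "on":
        findings.append("RewriteEngine is not 'on'; HTTPS redirect inactive")
    rule = found.get("RewriteRule", "")
    if not re.search(r"\bhttps://", rule) or not re.search(r"R=(permanent|301)\b", rule):
        findings.append("no permanent RewriteRule to https://")
    return findings


# Constructed from the page's :443 template (placeholder hostname and file names).
SSL_CONF = """
<VirtualHost *:443>
    ServerName myserver.example.com
    ProxyRequests Off
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
    SSLCertificateFile /etc/pki/tls/certs/myserver.example.com.pem
    SSLCertificateKeyFile /etc/pki/tls/private/myserver.example.com.key.pem
</VirtualHost>
"""
# Constructed weak variant: TLS 1.0/1.1 still enabled, a non-PFS suite, key outside the private dir.
SSL_CONF_WEAK = (SSL_CONF.replace("-TLSv1 -TLSv1.1", "")
                 .replace("SSLCipherSuite ECDHE", "SSLCipherSuite AES128-SHA:ECDHE")
                 .replace("/etc/pki/tls/private/myserver.example.com.key.pem", "/root/server.key"))
# The :80 vhost as written in step 3 (redirect commented out) and after step 8.
HTTP_CONF_BEFORE = """
<VirtualHost *:80>
    ProxyRequests Off
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =myserver.example.com
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""
HTTP_CONF_AFTER = HTTP_CONF_BEFORE.replace("#Rewrite", "Rewrite")

if __name__ == "__main__":
    # Usage: python audit_apache_tls.py /etc/httpd/conf.d/lingoport-apps-ssl.conf /etc/httpd/conf.d/lingoport-apps.conf
    paths = sys.argv[1:3]
    ssl_text, http_text = [open(p).read() for p in paths] if len(paths) == 2 else (SSL_CONF_WEAK, HTTP_CONF_BEFORE)
    for finding in audit_ssl_conf(ssl_text) + audit_http_conf(http_text):
        print("FINDING:", finding)
```

Run without arguments it audits the built-in weak sample and prints three findings; run with the two real file paths it audits the deployed configuration. It deliberately resolves the SSLProtocol expression rather than grepping for "-TLSv1", since "all -SSLv3" silently leaves TLS 1.0 and 1.1 enabled, which is the mistake the audit is meant to catch.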