|
|
| Line 1: |
Line 1: |
| = Installing SSL = | | = Installing SSL = |
| For an SSL encrypted web server you will need a few things. Depending on your install you may or may not have OpenSSL and mod_ssl, Apache's interface to OpenSSL.
| | In new MOR (starting from X14) and M2 installs, SSL with self-signed certificate is preconfigured (using external sever IP). |
| | If you have older MOR and M2 installations, and SSL was not configured previously, you can configure self-signed certificate by running the following script: |
| | /usr/src/mor/x14/gui/ssl_install.sh (/usr/src/m2/gui/ssk_install.sh for M2) |
|
| |
|
| yum -y install mod_ssl openssl
| |
|
| |
|
| Generate private key
| | By default redirection from http to https is not enabled by default. To enable it, please open file /etc/httpd/conf.d/mor_ssl.conf (m2_ssl.conf for M2) and uncomment last line: |
| openssl genrsa -out ca.key 2048
| | ServerName IP_ADDRESS |
| | # RedirectMatch permanent ^/$ https://IP_ADDRESS/billing/callc/login |
|
| |
|
| Generate CSR
| | And restart httpd service |
| openssl req -new -key ca.key -out ca.csr
| |
| | |
| Generate Self Signed Key
| |
| openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
| |
| | |
| Move the files to the correct locations
| |
| mv ca.crt /etc/pki/tls/certs
| |
| mv ca.key /etc/pki/tls/private/ca.key
| |
| mv ca.csr /etc/pki/tls/private/ca.csr
| |
| | |
| Then we need to update the Apache SSL configuration file ( /etc/httpd/conf.d/ssl.conf ). Change the paths to match where the Key file is stored. If you've used the method above it will be.
| |
| | |
| SSLCertificateFile /etc/pki/tls/certs/ca.crt
| |
| | |
| Then set the correct path for the Certificate Key File a few lines below. If you've followed the instructions above it is:
| |
| SSLCertificateKeyFile /etc/pki/tls/private/ca.key
| |
| | |
| Quit and save the file and then restart Apache
| |
| /etc/init.d/httpd restart
| |
| | |
| Source: http://shapeshed.com/journal/setting_up_mod_ssl_on_apache_centos_52/
| |
| | |
| Troubleshooting:
| |
| | |
| If you cannot access GUI, try following commands:
| |
| chown -R apache:apache /var/log/httpd
| |
| service httpd restart | | service httpd restart |
|
| |
|
| == Allow only https ==
| | If you have domain name, replace IP_ADDRESS with your domain name and regenerate certification files with new information with command bellow: |
| If you would like your users to be automatically redirected to secure connection (https), add the line to /etc/httpd/conf.d/mor.conf so it would look like: | | openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt |
| | | Enter information as requested, in common name section please enter your domain name. |
| <VirtualHost *:80> | |
| DocumentRoot /var/www/html | |
| <Directory /var/www/html>
| |
| Allow from all
| |
| </Directory>
| |
| RailsBaseURI /billing
| |
| <Directory /var/www/html/billing>
| |
| Options -MultiViews
| |
| </Directory>
| |
| RailsEnv production
| |
| Redirect permanent / https://www.example.com/ #Add this one. Put your hostname instead of www.example.com
| |
| </VirtualHost>
| |
| | |
| <br><br>
| |
| | |
| == Important notes ==
| |
| * When you disable http access and allow https only - please make sure that you change URL in various crontabs used by mor and located in /etc/cron.d/*
| |
| <br><br>
| |
| | |
| | |
| == ERROR: When directory structure is visible ==
| |
| | |
| That means incorrect configuration in /etc/httpd/conf.d/ssl.conf
| |
|
| |
|
| Make sure your file looks like this:
| |
|
| |
| <pre>
| |
| #
| |
| # This is the Apache server configuration file providing SSL support.
| |
| # It contains the configuration directives to instruct the server how to
| |
| # serve pages over an https connection. For detailing information about these
| |
| # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
| |
| #
| |
| # Do NOT simply read the instructions in here without understanding
| |
| # what they do. They're here only as hints or reminders. If you are unsure
| |
| # consult the online docs. You have been warned.
| |
| #
| |
|
| |
| LoadModule ssl_module modules/mod_ssl.so
| |
|
| |
| #
| |
| # When we also provide SSL we have to listen to the
| |
| # the HTTPS port in addition.
| |
| #
| |
| Listen 443
| |
|
| |
| ##
| |
| ## SSL Global Context
| |
| ##
| |
| ## All SSL configuration in this context applies both to
| |
| ## the main server and all SSL-enabled virtual hosts.
| |
| ##
| |
|
| |
| # Pass Phrase Dialog:
| |
| # Configure the pass phrase gathering process.
| |
| # The filtering dialog program (`builtin' is a internal
| |
| # terminal dialog) has to provide the pass phrase on stdout.
| |
| SSLPassPhraseDialog builtin
| |
|
| |
| # Inter-Process Session Cache:
| |
| # Configure the SSL Session Cache: First the mechanism
| |
| # to use and second the expiring timeout (in seconds).
| |
| SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
| |
| SSLSessionCacheTimeout 300
| |
|
| |
| # Semaphore:
| |
| # Configure the path to the mutual exclusion semaphore the
| |
| # SSL engine uses internally for inter-process synchronization.
| |
| SSLMutex default
| |
|
| |
| # Pseudo Random Number Generator (PRNG):
| |
| # Configure one or more sources to seed the PRNG of the
| |
| # SSL library. The seed data should be of good random quality.
| |
| # WARNING! On some platforms /dev/random blocks if not enough entropy
| |
| # is available. This means you then cannot use the /dev/random device
| |
| # because it would lead to very long connection times (as long as
| |
| # it requires to make more entropy available). But usually those
| |
| # platforms additionally provide a /dev/urandom device which doesn't
| |
| # block. So, if available, use this one instead. Read the mod_ssl User
| |
| # Manual for more details.
| |
| SSLRandomSeed startup file:/dev/urandom 256
| |
| SSLRandomSeed connect builtin
| |
| #SSLRandomSeed startup file:/dev/random 512
| |
| #SSLRandomSeed connect file:/dev/random 512
| |
| #SSLRandomSeed connect file:/dev/urandom 512
| |
|
| |
| #
| |
| # Use "SSLCryptoDevice" to enable any supported hardware
| |
| # accelerators. Use "openssl engine -v" to list supported
| |
| # engine names. NOTE: If you enable an accelerator and the
| |
| # server does not start, consult the error logs and ensure
| |
| # your accelerator is functioning properly.
| |
| #
| |
| SSLCryptoDevice builtin
| |
| #SSLCryptoDevice ubsec
| |
|
| |
| ##
| |
| ## SSL Virtual Host Context
| |
| ##
| |
|
| |
| <VirtualHost _default_:443>
| |
|
| |
| # General setup for the virtual host, inherited from global configuration
| |
| DocumentRoot "/var/www/html/billing" #ADD THIS
| |
| #ServerName www.example.com:443
| |
|
| |
| # Use separate log files for the SSL virtual host; note that LogLevel
| |
| # is not inherited from httpd.conf.
| |
| ErrorLog logs/ssl_error_log
| |
| TransferLog logs/ssl_access_log
| |
| LogLevel warn
| |
|
| |
| # SSL Engine Switch:
| |
| # Enable/Disable SSL for this virtual host.
| |
| SSLEngine on
| |
|
| |
| # SSL Protocol support:
| |
| # List the enable protocol levels with which clients will be able to
| |
| # connect. Disable SSLv2 access by default:
| |
| SSLProtocol all -SSLv2
| |
|
| |
| # SSL Cipher Suite:
| |
| # List the ciphers that the client is permitted to negotiate.
| |
| # See the mod_ssl documentation for a complete list.
| |
| SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
| |
|
| |
| # Server Certificate:
| |
| # Point SSLCertificateFile at a PEM encoded certificate. If
| |
| # the certificate is encrypted, then you will be prompted for a
| |
| # pass phrase. Note that a kill -HUP will prompt again. A new
| |
| # certificate can be generated using the genkey(1) command.
| |
| SSLCertificateFile /etc/pki/tls/certs/ca.crt
| |
|
| |
| # Server Private Key:
| |
| # If the key is not combined with the certificate, use this
| |
| # directive to point at the key file. Keep in mind that if
| |
| # you've both a RSA and a DSA private key you can configure
| |
| # both in parallel (to also allow the use of DSA ciphers, etc.)
| |
| SSLCertificateKeyFile /etc/pki/tls/private/ca.key
| |
|
| |
| # Server Certificate Chain:
| |
| # Point SSLCertificateChainFile at a file containing the
| |
| # concatenation of PEM encoded CA certificates which form the
| |
| # certificate chain for the server certificate. Alternatively
| |
| # the referenced file can be the same as SSLCertificateFile
| |
| # when the CA certificates are directly appended to the server
| |
| # certificate for convinience.
| |
| #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
| |
|
| |
| # Certificate Authority (CA):
| |
| # Set the CA certificate verification path where to find CA
| |
| # certificates for client authentication or alternatively one
| |
| # huge file containing all of them (file must be PEM encoded)
| |
| #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
| |
|
| |
| # Client Authentication (Type):
| |
| # Client certificate verification type and depth. Types are
| |
| # none, optional, require and optional_no_ca. Depth is a
| |
| # number which specifies how deeply to verify the certificate
| |
| # issuer chain before deciding the certificate is not valid.
| |
| #SSLVerifyClient require
| |
| #SSLVerifyDepth 10
| |
|
| |
| # Access Control:
| |
| # With SSLRequire you can do per-directory access control based
| |
| # on arbitrary complex boolean expressions containing server
| |
| # variable checks and other lookup directives. The syntax is a
| |
| # mixture between C and Perl. See the mod_ssl documentation
| |
| # for more details.
| |
| #<Location />
| |
| #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
| |
| # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
| |
| # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
| |
| # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
| |
| # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
| |
| # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
| |
| #</Location>
| |
|
| |
| # SSL Engine Options:
| |
| # Set various options for the SSL engine.
| |
| # o FakeBasicAuth:
| |
| # Translate the client X.509 into a Basic Authorisation. This means that
| |
| # the standard Auth/DBMAuth methods can be used for access control. The
| |
| # user name is the `one line' version of the client's X.509 certificate.
| |
| # Note that no password is obtained from the user. Every entry in the user
| |
| # file needs this password: `xxj31ZMTZzkVA'.
| |
| # o ExportCertData:
| |
| # This exports two additional environment variables: SSL_CLIENT_CERT and
| |
| # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
| |
| # server (always existing) and the client (only existing when client
| |
| # authentication is used). This can be used to import the certificates
| |
| # into CGI scripts.
| |
| # o StdEnvVars:
| |
| # This exports the standard SSL/TLS related `SSL_*' environment variables.
| |
| # Per default this exportation is switched off for performance reasons,
| |
| # because the extraction step is an expensive operation and is usually
| |
| # useless for serving static content. So one usually enables the
| |
| # exportation for CGI and SSI requests only.
| |
| # o StrictRequire:
| |
| # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
| |
| # under a "Satisfy any" situation, i.e. when it applies access is denied
| |
| # and no other module can change it.
| |
| # o OptRenegotiate:
| |
| # This enables optimized SSL connection renegotiation handling when SSL
| |
| # directives are used in per-directory context.
| |
| #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
| |
| <Files ~ "\.(cgi|shtml|phtml|php3?)$">
| |
| SSLOptions +StdEnvVars
| |
| </Files>
| |
| <Directory "/var/www/cgi-bin">
| |
| SSLOptions +StdEnvVars
| |
| </Directory>
| |
|
| |
| # SSL Protocol Adjustments:
| |
| # The safe and default but still SSL/TLS standard compliant shutdown
| |
| # approach is that mod_ssl sends the close notify alert but doesn't wait for
| |
| # the close notify alert from client. When you need a different shutdown
| |
| # approach you can use one of the following variables:
| |
| # o ssl-unclean-shutdown:
| |
| # This forces an unclean shutdown when the connection is closed, i.e. no
| |
| # SSL close notify alert is send or allowed to received. This violates
| |
| # the SSL/TLS standard but is needed for some brain-dead browsers. Use
| |
| # this when you receive I/O errors because of the standard approach where
| |
| # mod_ssl sends the close notify alert.
| |
| # o ssl-accurate-shutdown:
| |
| # This forces an accurate shutdown when the connection is closed, i.e. a
| |
| # SSL close notify alert is send and mod_ssl waits for the close notify
| |
| # alert of the client. This is 100% SSL/TLS standard compliant, but in
| |
| # practice often causes hanging connections with brain-dead browsers. Use
| |
| # this only for browsers where you know that their SSL implementation
| |
| # works correctly.
| |
| # Notice: Most problems of broken clients are also related to the HTTP
| |
| # keep-alive facility, so you usually additionally want to disable
| |
| # keep-alive for those clients, too. Use variable "nokeepalive" for this.
| |
| # Similarly, one has to force some clients to use HTTP/1.0 to workaround
| |
| # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
| |
| # "force-response-1.0" for this.
| |
| SetEnvIf User-Agent ".*MSIE.*" \
| |
| nokeepalive ssl-unclean-shutdown \
| |
| downgrade-1.0 force-response-1.0
| |
|
| |
| # Per-Server Logging:
| |
| # The home of a custom SSL log file. Use this when you want a
| |
| # compact non-error SSL logfile on a virtual host basis.
| |
| CustomLog logs/ssl_request_log \
| |
| "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
| |
|
| |
| DocumentRoot /var/www/html #ADD THIS
| |
| <Directory /var/www/html> #ADD THIS
| |
| Allow from all #ADD THIS
| |
| </Directory> #ADD THIS
| |
| RailsBaseURI /billing #ADD THIS
| |
| <Directory /var/www/html/billing> #ADD THIS
| |
| Options -MultiViews #ADD THIS
| |
| </Directory> #ADD THIS
| |
| ServerName my.domain.com #ADD THIS
| |
| RedirectMatch permanent ^/$ https://my.domain.com/billing/callc/login #ADD THIS change my.domain.com to proper domain
| |
|
| |
| </VirtualHost>
| |
|
| |
| </pre>
| |
|
| |
| If you are implementing SSL into MOR please remove m2.conf file
| |
|
| |
| rm -rf /etc/httpd/conf.d/m2.conf
| |
|
| |
| Restart Apache after changing this file.
| |
|
| |
| == ERROR: When service httpd fails to restart ==
| |
| service httpd restart
| |
| Stopping httpd: [ OK ]
| |
| Starting httpd: Syntax error on line 112 of /etc/httpd/conf.d/ssl.conf:
| |
| SSLCertificateKeyFile: file '/etc/pki/tls/private/ca.key' does not exist or is empty
| |
| [FAILED]
| |
| Check if SElinux is disabled.
| |
| To disable it, check this manual for disabling [[Selinux]]
| |
|
| |
|
| Once SSL setups is completed, ensure that hourly actions are able to access GUI internally:
| | == Cron Actions == |
| | If SSL redirection is enabled, ensure that hourly actions are able to access GUI internally: |
|
| |
|
| wget http://127.0.0.1/billing/callc/hourly_actions | | wget http://127.0.0.1/billing/callc/hourly_actions |
