e0b2d9b8187009b4213cbd91b84e06560ea8d2af
wiki/info/security/ssl-support.md
| ... | ... | @@ -0,0 +1,75 @@ |
| 1 | +# Supporting HTTPS / SSL |
|
| 2 | + |
|
| 3 | +On sapsailing.com, we have a security certificate installed. For root users its key is visible at `/etc/pki/tls/private/star_sapsailing_com.key`. The certicicate is at `/etc/pki/tls/certs/star_sapsailing_com.crt`. The intermediate CA file from [https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO2045](https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO2045) is at `/etc/pki/tls/certs/server-chain.crt`. To enable SSL on a server, the module `mod_ssl` needs to be installed. Use ``yum install mod_ssl``. |
|
| 4 | + |
|
| 5 | +The `/etc/httpd/conf/httpd.conf` file must contain the following in order to ensure that the `ServerName` setting is respected for selecting the appropriate `VirtualHost` element: |
|
| 6 | + |
|
| 7 | +<pre> |
|
| 8 | + NameVirtualHost *:80 |
|
| 9 | + NameVirtualHost *:443 |
|
| 10 | +</pre> |
|
| 11 | + |
|
| 12 | +When this is done, the server can use the following sequence of directives inside a <VirtualHost> element: |
|
| 13 | + |
|
| 14 | +<pre> |
|
| 15 | + SSLEngine On |
|
| 16 | + SSLCertificateFile /etc/pki/tls/certs/star_sapsailing_com.crt |
|
| 17 | + SSLCertificateKeyFile /etc/pki/tls/private/star_sapsailing_com.key |
|
| 18 | + SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt |
|
| 19 | +</pre> |
|
| 20 | + |
|
| 21 | +We have this also in a macro called SSL that is defined in `/etc/httpd/conf.d/000-macros.conf` like this: |
|
| 22 | + |
|
| 23 | +``` |
|
| 24 | +<Macro SSL> |
|
| 25 | + SSLEngine On |
|
| 26 | + SSLCertificateFile /etc/pki/tls/certs/star_sapsailing_com.crt |
|
| 27 | + SSLCertificateKeyFile /etc/pki/tls/private/star_sapsailing_com.key |
|
| 28 | + SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt |
|
| 29 | +</Macro> |
|
| 30 | +``` |
|
| 31 | + |
|
| 32 | +It can then simply be used in any `VirtualHost` definition using `Use SSL`. |
|
| 33 | + |
|
| 34 | +A full-blown <VirtualHost> element in a rewrite macro in `000-macros.conf` then could look like this: |
|
| 35 | + |
|
| 36 | +``` |
|
| 37 | +<Macro Event-SSL $HOSTNAME $EVENTUUID $IP $PORT> |
|
| 38 | + <VirtualHost *:443> |
|
| 39 | + ServerName $HOSTNAME |
|
| 40 | + Use SSL |
|
| 41 | + Use Headers |
|
| 42 | + RewriteEngine on |
|
| 43 | + RewriteCond %{REQUEST_URI} "^(/)?$" |
|
| 44 | + RewriteRule ^(/)?$ "https://$HOSTNAME/gwt/Home.html?%{QUERY_STRING}#/event/:eventId=$EVENTUUID" [L,NE] |
|
| 45 | + Use Rewrite $IP $PORT |
|
| 46 | + </VirtualHost> |
|
| 47 | +</Macro> |
|
| 48 | +``` |
|
| 49 | + |
|
| 50 | +It can then be used inside the `001-events.conf` file like this |
|
| 51 | + |
|
| 52 | +``` |
|
| 53 | +Use Event-SSL ssltest.sapsailing.com "f8087b3c-c641-4fda-bf8d-0bc2abe09e40" 172.31.22.239 8888 |
|
| 54 | +``` |
|
| 55 | + |
|
| 56 | +Keep in mind that the certificate we have only is valid for `*.sapsailing.com` which does not include 2nd-level sub-domains such as a.b.sapsailing.com. |
|
| 57 | + |
|
| 58 | +To have a non-SSL `VirtualHost` redirect to the SSL counterpart, use a definition like this: |
|
| 59 | + |
|
| 60 | +``` |
|
| 61 | +<VirtualHost *:80> |
|
| 62 | + ServerName jobs.sapsailing.com |
|
| 63 | + RedirectPermanent / https://jobs.sapsailing.com/ |
|
| 64 | +</VirtualHost> |
|
| 65 | +``` |
|
| 66 | + |
|
| 67 | +## Elastic Load Balancer (ELB) with SSL / HTTPS |
|
| 68 | + |
|
| 69 | +Amazon EC2 supports uploading the private and public key as well as the certificate chain when adding an HTTPS listener to an ELB. However, this only seems to work properly in the us-east region. As the IAM module has global scope, however, the key uploaded will afterwards be available for ELB HTTPS listener creation in all zones. |
|
| 70 | + |
|
| 71 | +I've uploaded the *.sapsailing.com certificate today (2016-03-06) and named it `sapsailing.com`. |
|
| 72 | + |
|
| 73 | +When you add listeners, make sure they also have the certificate for *.sapsailing.com installed. Choose the `*-SSL` macro variants in your `/etc/httpd/conf.d/001-events.conf` configuration file (which is now the default being generated by the startup script in `/etc/init.d/sailing`). |
|
| 74 | + |
|
| 75 | +If your ELB uses a health check based on HTTP or HTTPS against `/index.html`, make sure that your instance responds to that, given an internal IP as the server name. This will usually require that your `001-events.conf` configuration file has as its first record an entry that does _not_ use the ELB DNS name as its server name. For example, you may add a `Use Plain-SSL` entry as the first entry with the hosts internal IP address as the host name. This entry should by default be generated into the `001-events.conf` file by the startup script in `/etc/init.d/sailing`, too. |
|
| ... | ... | \ No newline at end of file |
wiki/ssl-support.md
| ... | ... | @@ -1,75 +0,0 @@ |
| 1 | -# Supporting HTTPS / SSL |
|
| 2 | - |
|
| 3 | -On sapsailing.com, we have a security certificate installed. For root users its key is visible at `/etc/pki/tls/private/star_sapsailing_com.key`. The certicicate is at `/etc/pki/tls/certs/star_sapsailing_com.crt`. The intermediate CA file from [https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO2045](https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO2045) is at `/etc/pki/tls/certs/server-chain.crt`. To enable SSL on a server, the module `mod_ssl` needs to be installed. Use ``yum install mod_ssl``. |
|
| 4 | - |
|
| 5 | -The `/etc/httpd/conf/httpd.conf` file must contain the following in order to ensure that the `ServerName` setting is respected for selecting the appropriate `VirtualHost` element: |
|
| 6 | - |
|
| 7 | -<pre> |
|
| 8 | - NameVirtualHost *:80 |
|
| 9 | - NameVirtualHost *:443 |
|
| 10 | -</pre> |
|
| 11 | - |
|
| 12 | -When this is done, the server can use the following sequence of directives inside a <VirtualHost> element: |
|
| 13 | - |
|
| 14 | -<pre> |
|
| 15 | - SSLEngine On |
|
| 16 | - SSLCertificateFile /etc/pki/tls/certs/star_sapsailing_com.crt |
|
| 17 | - SSLCertificateKeyFile /etc/pki/tls/private/star_sapsailing_com.key |
|
| 18 | - SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt |
|
| 19 | -</pre> |
|
| 20 | - |
|
| 21 | -We have this also in a macro called SSL that is defined in `/etc/httpd/conf.d/000-macros.conf` like this: |
|
| 22 | - |
|
| 23 | -``` |
|
| 24 | -<Macro SSL> |
|
| 25 | - SSLEngine On |
|
| 26 | - SSLCertificateFile /etc/pki/tls/certs/star_sapsailing_com.crt |
|
| 27 | - SSLCertificateKeyFile /etc/pki/tls/private/star_sapsailing_com.key |
|
| 28 | - SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt |
|
| 29 | -</Macro> |
|
| 30 | -``` |
|
| 31 | - |
|
| 32 | -It can then simply be used in any `VirtualHost` definition using `Use SSL`. |
|
| 33 | - |
|
| 34 | -A full-blown <VirtualHost> element in a rewrite macro in `000-macros.conf` then could look like this: |
|
| 35 | - |
|
| 36 | -``` |
|
| 37 | -<Macro Event-SSL $HOSTNAME $EVENTUUID $IP $PORT> |
|
| 38 | - <VirtualHost *:443> |
|
| 39 | - ServerName $HOSTNAME |
|
| 40 | - Use SSL |
|
| 41 | - Use Headers |
|
| 42 | - RewriteEngine on |
|
| 43 | - RewriteCond %{REQUEST_URI} "^(/)?$" |
|
| 44 | - RewriteRule ^(/)?$ "https://$HOSTNAME/gwt/Home.html?%{QUERY_STRING}#/event/:eventId=$EVENTUUID" [L,NE] |
|
| 45 | - Use Rewrite $IP $PORT |
|
| 46 | - </VirtualHost> |
|
| 47 | -</Macro> |
|
| 48 | -``` |
|
| 49 | - |
|
| 50 | -It can then be used inside the `001-events.conf` file like this |
|
| 51 | - |
|
| 52 | -``` |
|
| 53 | -Use Event-SSL ssltest.sapsailing.com "f8087b3c-c641-4fda-bf8d-0bc2abe09e40" 172.31.22.239 8888 |
|
| 54 | -``` |
|
| 55 | - |
|
| 56 | -Keep in mind that the certificate we have only is valid for `*.sapsailing.com` which does not include 2nd-level sub-domains such as a.b.sapsailing.com. |
|
| 57 | - |
|
| 58 | -To have a non-SSL `VirtualHost` redirect to the SSL counterpart, use a definition like this: |
|
| 59 | - |
|
| 60 | -``` |
|
| 61 | -<VirtualHost *:80> |
|
| 62 | - ServerName jobs.sapsailing.com |
|
| 63 | - RedirectPermanent / https://jobs.sapsailing.com/ |
|
| 64 | -</VirtualHost> |
|
| 65 | -``` |
|
| 66 | - |
|
| 67 | -## Elastic Load Balancer (ELB) with SSL / HTTPS |
|
| 68 | - |
|
| 69 | -Amazon EC2 supports uploading the private and public key as well as the certificate chain when adding an HTTPS listener to an ELB. However, this only seems to work properly in the us-east region. As the IAM module has global scope, however, the key uploaded will afterwards be available for ELB HTTPS listener creation in all zones. |
|
| 70 | - |
|
| 71 | -I've uploaded the *.sapsailing.com certificate today (2016-03-06) and named it `sapsailing.com`. |
|
| 72 | - |
|
| 73 | -When you add listeners, make sure they also have the certificate for *.sapsailing.com installed. Choose the `*-SSL` macro variants in your `/etc/httpd/conf.d/001-events.conf` configuration file (which is now the default being generated by the startup script in `/etc/init.d/sailing`). |
|
| 74 | - |
|
| 75 | -If your ELB uses a health check based on HTTP or HTTPS against `/index.html`, make sure that your instance responds to that, given an internal IP as the server name. This will usually require that your `001-events.conf` configuration file has as its first record an entry that does _not_ use the ELB DNS name as its server name. For example, you may add a `Use Plain-SSL` entry as the first entry with the hosts internal IP address as the host name. This entry should by default be generated into the `001-events.conf` file by the startup script in `/etc/init.d/sailing`, too. |
|
| ... | ... | \ No newline at end of file |