Supporting HTTPS / SSL

On sapsailing.com, we have a security certificate installed. Its private key is readable by root at /etc/pki/tls/private/star_sapsailing_com.key. The certificate is at /etc/pki/tls/certs/star_sapsailing_com.crt. The intermediate CA file from https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO2045 is at /etc/pki/tls/certs/server-chain.crt. To enable SSL on a server, the module mod_ssl needs to be installed. Use yum install mod_ssl.

The /etc/httpd/conf/httpd.conf file must contain the following in order to ensure that the ServerName setting is respected for selecting the appropriate VirtualHost element:

    NameVirtualHost *:80
    NameVirtualHost *:443

When this is done, the server can use the following sequence of directives inside a <VirtualHost> element:

        SSLEngine  On
        SSLCertificateFile /etc/pki/tls/certs/star_sapsailing_com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/star_sapsailing_com.key
        SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

We also have this in a macro called SSL that is defined in /etc/httpd/conf.d/000-macros.conf like this:

<Macro SSL>
        SSLEngine  On
        SSLCertificateFile /etc/pki/tls/certs/star_sapsailing_com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/star_sapsailing_com.key
        SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</Macro>

The macro can then be used in any VirtualHost definition with the directive Use SSL.

A full <VirtualHost> element wrapped in a rewrite macro in 000-macros.conf could then look like this:

<Macro Event-SSL $HOSTNAME $EVENTUUID $IP $PORT>
    <VirtualHost *:443>
        ServerName $HOSTNAME
        Use SSL
        Use Headers
        RewriteEngine on
        RewriteCond %{REQUEST_URI} "^(/)?$"
        RewriteRule ^(/)?$ "https://$HOSTNAME/gwt/Home.html?%{QUERY_STRING}#/event/:eventId=$EVENTUUID" [L,NE]
        Use Rewrite $IP $PORT
    </VirtualHost>
</Macro>

It can then be used inside the 001-events.conf file like this:

Use Event-SSL ssltest.sapsailing.com "f8087b3c-c641-4fda-bf8d-0bc2abe09e40" 172.31.22.239 8888

Keep in mind that the certificate we have is only valid for *.sapsailing.com, which does not cover 2nd-level sub-domains such as a.b.sapsailing.com (the wildcard matches exactly one DNS label).
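To catch that mistake before it reaches the server, here is an added checker (not part of the sapsailing.com configuration or scripts) that applies the one-label wildcard rule to the ServerName arguments of the Use ...-SSL lines in a 001-events.conf-style file. The Event-SSL line format is the one shown above; the Plain-SSL line format and the sample file contents are assumptions made for the example.

```python
import ipaddress
import re

# Hostname rule for a single-label wildcard certificate such as *.sapsailing.com:
# the "*" stands for exactly one DNS label, so a.sapsailing.com is covered while
# a.b.sapsailing.com and the bare sapsailing.com are not.
def wildcard_covers(pattern: str, hostname: str) -> bool:
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if p_labels[0] != "*":
        return p_labels == h_labels
    # Same label count, and every label after the wildcard identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

# Matches lines such as: Use Event-SSL ssltest.sapsailing.com "uuid" 172.31.22.239 8888
# Group 1 is the macro name, group 2 the ServerName argument (quotes stripped).
USE_SSL_RE = re.compile(r'^\s*Use\s+(\S+-SSL)\s+"?([^"\s]+)"?')

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def uncovered_hosts(conf_text: str, pattern: str = "*.sapsailing.com"):
    """Return (macro, ServerName) pairs that the wildcard certificate does not cover.
    IP-literal ServerNames (the Plain-SSL health-check entry described above) are
    skipped: they are used as ServerName by design and never match a DNS wildcard."""
    problems = []
    for line in conf_text.splitlines():
        m = USE_SSL_RE.match(line)
        if not m:
            continue
        macro, host = m.group(1), m.group(2)
        if is_ip_literal(host) or wildcard_covers(pattern, host):
            continue
        problems.append((macro, host))
    return problems

# Constructed sample in the style of 001-events.conf (Plain-SSL argument list assumed).
SAMPLE_CONF = """\
Use Plain-SSL 172.31.22.239
Use Event-SSL ssltest.sapsailing.com "f8087b3c-c641-4fda-bf8d-0bc2abe09e40" 172.31.22.239 8888
Use Event-SSL regatta.archive.sapsailing.com "00000000-0000-0000-0000-000000000000" 172.31.22.240 8888
Use Event-SSL SAPSAILING.COM "00000000-0000-0000-0000-000000000000" 172.31.22.241 8888
"""

if __name__ == "__main__":
    for macro, host in uncovered_hosts(SAMPLE_CONF):
        print(f"{macro}: ServerName {host} is not covered by *.sapsailing.com")
```

Running it on the sample reports the 2nd-level sub-domain and the bare domain; the ssltest host and the IP entry pass.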

To have a non-SSL VirtualHost redirect to the SSL counterpart, use a definition like this:

<VirtualHost *:80>
        ServerName jobs.sapsailing.com
        RedirectPermanent / https://jobs.sapsailing.com/
</VirtualHost>

Elastic Load Balancer (ELB) with SSL / HTTPS

Amazon EC2 supports uploading the private and public key as well as the certificate chain when adding an HTTPS listener to an ELB. However, this only seems to work properly in the us-east region. Because the IAM module has global scope, the key uploaded there will afterwards be available for ELB HTTPS listener creation in all zones.

I've uploaded the *.sapsailing.com certificate today (2016-03-06) and named it sapsailing.com.

When you add listeners, make sure they also have the certificate for *.sapsailing.com installed. Choose the *-SSL macro variants in your /etc/httpd/conf.d/001-events.conf configuration file (this is now the default generated by the startup script in /etc/init.d/sailing).

If your ELB uses a health check based on HTTP or HTTPS against /index.html, make sure that your instance responds to it when an internal IP is given as the server name. This usually requires that the first record in your 001-events.conf configuration file is an entry that does not use the ELB DNS name as its server name. For example, you may add a Use Plain-SSL entry as the first entry with the host's internal IP address as the host name. By default, this entry should also be generated into the 001-events.conf file by the startup script in /etc/init.d/sailing.