Annotation of loncom/html/adm/help/tex/Domain_Configuration_SSL.tex, revision 1.1
\label{Domain_Configuration_SSL}
There are two different contexts in which a LON-CAPA server may communicate
via SSL (Secure Sockets Layer):

\begin{itemize}
\item Encrypted web pages served by Apache via port 443.
In this case, client requests will be for URLs beginning https://.
\item Encrypted internal communication between LON-CAPA servers via port 5663.
\end{itemize}

\textbf{Apache SSL}

In the case of Apache, the steps required depend on the Linux distro.
\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora:
\begin{quote}
\emph{yum install mod\_ssl}
\end{quote}
\item SuSE/SLES:
\begin{quote}
Check that ssl is included in the list of modules in the \emph{APACHE\_MODULES} string
in \emph{/etc/sysconfig/apache2}.
\end{quote}
\item Debian/Ubuntu LTS:
\begin{quote}
\emph{a2enmod ssl}
\end{quote}
\end{itemize}

For all distros you will need to install a key, generate a certificate signing
request with that key, and have the certificate signed. You will also want to
disable the passphrase prompt on web server restart by removing the passphrase from
the copy of the key you use with Apache, e.g.,
\begin{quote}
\emph{openssl rsa -in server.key -out server.key.nopass}
\end{quote}
You will then put the (nopass) key and certificate files in locations
accessible to Apache, and include information about the locations of those files
in a config file containing the following lines:
\begin{quote}
SSLCertificateFile <path to signed certificate>
\end{quote}
\begin{quote}
SSLCertificateKeyFile <path to key>
\end{quote}
replacing <path to ...> with the path to the location of the particular file.
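
As an added example, not part of the LON-CAPA manual: a POSIX shell script that walks the key, CSR and passphrase-free copy steps above, and checks that the nopass copy still matches the CSR (and, once the CA returns it, the signed certificate) before Apache is pointed at it. It assumes openssl is on the PATH; WORK, the subject and the "changeme" passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not from the LON-CAPA manual: generate the Apache key and CSR,
# strip the passphrase from a copy for Apache, and confirm that copy still
# carries the same public key as the CSR before SSLCertificateKeyFile uses it.
# Assumptions: openssl on PATH; WORK, SUBJ and the passphrase are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS="pass:changeme"                                   # placeholder passphrase
SUBJ="/C=US/O=Example School/CN=loncapa.example.edu"   # placeholder subject

# Passphrase-protected RSA key plus the CSR that goes to the signing CA.
make_key_and_csr() {
    openssl genrsa -aes256 -passout "$PASS" -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -passin "$PASS" \
        -subj "$SUBJ" -out "$WORK/server.csr" 2>/dev/null
}

# The manual's "openssl rsa -in server.key -out server.key.nopass" step:
# a copy Apache can load unattended, kept readable by its owner only.
strip_passphrase() {
    openssl rsa -in "$WORK/server.key" -passin "$PASS" \
        -out "$WORK/server.key.nopass" 2>/dev/null
    chmod 0600 "$WORK/server.key.nopass"
}

# Compare the modulus of a private key with that of a CSR ("req") or of a
# signed certificate ("x509"); prints "match" or "mismatch".
keys_match() {   # keys_match <key file> <csr or cert file> <req|x509>
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    o=$(openssl "$3" -noout -modulus -in "$2" 2>/dev/null || true)
    if [ -n "$k" ] && [ "$k" = "$o" ]; then echo match; else echo mismatch; fi
}

# The two directives to add to the distro's SSL config file.
ssl_directives() {   # ssl_directives <signed cert path> <nopass key path>
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$1" "$2"
}

# Whole flow; prints "match" when the nopass key belongs to the new CSR.
setup_apache_key() {
    make_key_and_csr
    strip_passphrase
    keys_match "$WORK/server.key.nopass" "$WORK/server.csr" req
}

# Invoked directly with --run: do the flow and print the directives
# (the cert path below is a placeholder for the file the CA returns).
if [ "${1:-}" = "--run" ]; then
    setup_apache_key
    ssl_directives "/path/to/signed-cert.pem" "$WORK/server.key.nopass"
fi
```

After the signed certificate arrives, the same check is `keys_match server.key.nopass signed-cert.pem x509`; a "mismatch" there means Apache will refuse to start with that pair.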

Which Apache config file contains these entries depends on the distro:

\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora:
\begin{quote}
/etc/httpd/conf.d/ssl.conf
\end{quote}
\item SuSE/SLES:
\begin{quote}
/etc/apache2/vhosts.d/vhost-ssl.conf
\end{quote}
\begin{quote}
(copied from vhost-ssl.conf with
the entry for DocumentRoot changed to ``/home/httpd/html'').
\end{quote}
\item Debian/Ubuntu LTS:
\begin{quote}
/etc/apache2/sites-available/000-default-ssl
\end{quote}
\end{itemize}

If you want to use rewrite rules to ensure that all external web requests are
served using SSL, you should verify that mod\_rewrite is enabled:

\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora:
\begin{quote}
Verify that the following entry in /etc/httpd/conf/httpd.conf is not commented out:
\emph{LoadModule rewrite\_module modules/mod\_rewrite.so}
\end{quote}
\item SuSE/SLES:
\begin{quote}
Check that \emph{rewrite} is included in the list of modules in the
\emph{APACHE\_MODULES} string in /etc/sysconfig/apache2.
\end{quote}
\item Debian/Ubuntu LTS:
\begin{quote}
\emph{a2enmod rewrite}
\end{quote}
\end{itemize}

You will also need to copy the rewrites/loncapa\_rewrite\_on.conf file to
loncapa\_rewrite.conf with the following commands:
\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora:
\begin{quote}
\emph{cp /etc/httpd/conf/rewrites/loncapa\_rewrite\_on.conf /etc/httpd/conf/loncapa\_rewrite.conf}
\end{quote}
\item SuSE/SLES/Debian/Ubuntu LTS:
\begin{quote}
\emph{cp /etc/apache2/rewrites/loncapa\_rewrite\_on.conf /etc/apache2/loncapa\_rewrite.conf}
\end{quote}
\end{itemize}

and then reload the web server:
\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora:
\begin{quote}
\emph{/etc/init.d/httpd reload}
\end{quote}
\item SuSE/SLES/Debian/Ubuntu LTS:
\begin{quote}
\emph{/etc/init.d/apache2 reload}
\end{quote}
\end{itemize}

If you want to disable rewriting of external web requests to https://, copy
rewrites/loncapa\_rewrite\_off.conf to loncapa\_rewrite.conf and reload the web
server.

You will need to open the server's firewall to allow inbound traffic on port 443.
\begin{itemize}
\item CentOS/RedHat/Scientific Linux:
\begin{quote}
\emph{/usr/bin/system-config-securitylevel-tui}
\end{quote}
\item Fedora:
\begin{quote}
\emph{/usr/bin/system-config-firewall-tui}
\end{quote}
\item SuSE/SLES:
\begin{quote}
yast -> Security and Users -> Firewall
\end{quote}
\item Debian 6/Ubuntu LTS:
\begin{quote}
\emph{ufw allow 443/tcp}
\end{quote}
\end{itemize}

Note: changing firewall settings will cause iptables to reload, which means the
rules that allow connections from other LON-CAPA servers via port 5663 will need to
be re-established (if the LON-CAPA daemons were already running) by running
\emph{/etc/init.d/loncontrol restart} as root.

\textbf{Internal LON-CAPA SSL}

In the case of encrypted internal communication between LON-CAPA servers,
you will need command-line access as either root or www, and then enter the following
commands:

\begin{quote}
\emph{cd /home/httpd/lonCerts}
\end{quote}
\begin{quote}
\emph{sh request\_ssl\_key.sh}
\end{quote}

\textbf{Important}: for the Common Name you should enter the lonHostID.
This is displayed on the log-in page (Server: ) and is also an entry in the
loncapa.conf file in /etc/httpd/conf (CentOS/RedHat/Scientific Linux/Fedora)
or /etc/apache2 (SuSE/SLES/Debian/Ubuntu LTS). An example would be msul1.

By running \emph{request\_ssl\_key.sh} you will:
\begin{itemize}
\item Generate a private/public key pair.
\begin{quote}
The private key will be stored in /home/httpd/lonCerts/lonKey.pem.
Its permissions will be set so that only www can read this file. (You will want to
make sure this file stays secret.)
\end{quote}
\item Automatically send an e-mail to the LON-CAPA certificate authority
containing your public key so LON-CAPA can sign it.
\end{itemize}

Your certificate will be signed by the certificate authority and an e-mail
will be sent to the e-mail address you gave when prompted for one
when you ran request\_ssl\_key.sh.

Save the e-mail you receive to a file, remove the headers from it,
and run it (as the \emph{www} user).

If it successfully completes you will have:

\begin{itemize}
\item /home/httpd/lonCerts/lonhostcert.pem
\begin{quote}
(your signed public key)
\end{quote}
\item /home/httpd/lonCerts/loncapaCA.pem
\begin{quote}
(the public key of the LON-CAPA certificate authority)
\end{quote}
\end{itemize}

Now when your machine connects to another server in the LON-CAPA
network it will try to do so over an SSL connection.
You can verify this by doing:
\begin{quote}
\emph{ps auxwww | grep lonc}
\end{quote}

You should see something like:
\begin{quote}
lonc: msul1 Connection count: 1 Retries remaining: 5 (ssl)
\end{quote}
where before you saw something like:
\begin{quote}
lonc: msul1 Connection count: 1 Retries remaining: 5 (insecure)
\end{quote}
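
As an added example, not part of the LON-CAPA manual: a small POSIX shell check that reads the lonc status lines shown above and reports any peer whose connection is still marked (insecure), so a domain with several hosts can be verified in one pass instead of by eye. The sample ps output embedded in it is constructed, and the status-line format is assumed to be exactly the one shown in the manual.

```shell
#!/bin/sh
# Added example, not from the LON-CAPA manual: parse the "lonc: ..." process
# titles that "ps auxwww | grep lonc" prints and list peers still connected
# without SSL. Assumes the line format shown in the manual:
#   lonc: <lonHostID> Connection count: N Retries remaining: M (ssl|insecure)
set -e

# Constructed sample of such ps output (not real output); the last line is the
# grep process itself, which the parser must ignore.
SAMPLE_PS='www  1234  0.0  0.1  lonc: msul1 Connection count: 1 Retries remaining: 5 (ssl)
www  1235  0.0  0.1  lonc: msul3 Connection count: 2 Retries remaining: 5 (insecure)
www  1236  0.0  0.1  lonc: msul2 Connection count: 1 Retries remaining: 4 (ssl)
www  1237  0.0  0.0  grep lonc'

# Print "<lonHostID> <mode>" for every lonc status line in the given text.
lonc_modes() {   # lonc_modes <ps output>
    printf '%s\n' "$1" | sed -n \
      's/.*lonc: \([^ ]*\) Connection count: [0-9]* Retries remaining: [0-9]* (\([a-z]*\)).*/\1 \2/p'
}

# Print the lonHostIDs whose connection is not "ssl"; return 1 if there are any,
# so the function can gate a cron job or a post-install check.
insecure_peers() {   # insecure_peers <ps output>
    found=$(lonc_modes "$1" | awk '$2 != "ssl" { print $1 }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Run against the constructed sample; on a real server replace SAMPLE_PS with
# "$(ps auxwww | grep lonc)".
insecure_peers "$SAMPLE_PS" || echo "some lonc connections are still insecure"
```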