# Enable SSL

* Install Apache mod_ssl

  ```
  sudo yum install mod_ssl
  ```

* Copy the PEM certificate, key, and CA cert files to the server (`/etc/httpd/conf.d/certs/`)
* Add the HTTPS config under a `<VirtualHost *:443>` section in `/etc/httpd/conf.d/revenue_accounting.conf` (the config below was copied from a working SSL-enabled server):

  ```
  <VirtualHost *:443>
    ServerName client-env.wenergysoftware.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf.d/certs/start2020_waterfieldenergysoftware_com.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/certs/start2020_waterfieldenergysoftware_com.key
    SSLCACertificateFile /etc/httpd/conf.d/certs/DigiCertCA2020.crt
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite RSA:!EXP:!NULL:!DH:!RC4:+HIGH:-MEDIUM:-LOW

    <Location /resque>
      Order allow,deny
      Allow from 192.168.0.0/16
      Allow from 127.0.0.1
    </Location>

    <Location /ibmcognos>
      ProxyPass http://cognos-server/ibmcognos
      ProxyPassReverse http://cognos-server/ibmcognos
      SetEnv proxy-nokeepalive 1
      RequestHeader unset Expect early
    </Location>

    RackBaseURI /
    RackEnv production
    #RewriteLog "/var/log/httpd/rewrite.log"
    #RewriteLogLevel 3
    XSendFilePath /srv/www/apps/revenue_accounting/tmp/export
    XSendFilePath /srv/www/apps/revenue_accounting/files

    # !!! Be sure to point DocumentRoot to 'public'!
    DocumentRoot /srv/www/apps/revenue_accounting/public
    PassengerMinInstances 1

    <Directory /srv/www/apps/revenue_accounting/public>
      # This relaxes Apache security settings.
      AllowOverride all
      # MultiViews must be turned off.
      Options -MultiViews +FollowSymLinks
      Require all granted
    </Directory>

    <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %{QUERY_STRING} (.*gridserver=true.*)
      RewriteRule ^(.*)$ http://localhost:3000$1?%1 [P]
      RewriteCond %{QUERY_STRING} (.*traceserver=true.*)
      RewriteRule ^(.*)$ http://localhost:3001$1?%1 [P]
    </IfModule>

    <LocationMatch "^/static/.*-[0-9a-f]{32}\..*$">
      Header unset ETag
      FileETag None
      # RFC says only cache for 1 year
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
    </LocationMatch>

    <Location /lists>
      Header append Cache-Control "max-age=0, must-revalidate"
    </Location>
  </VirtualHost>
  ```

  * Update the paths for `SSLCertificateFile`, `SSLCertificateKeyFile`, and `SSLCACertificateFile` in `revenue_accounting.conf` to match the copied certificate and key files
  * Update the `ServerName` setting to match the server's FQDN, and update the Cognos server address under the `<Location /ibmcognos>` section
  * If this is an On-Prem client, remove the `<Location /ibmcognos>` block
* Edit the revenue_accounting config file to enable HTTPS: in `/etc/revenue_accounting/config.yml`, change `ssl: false` to `ssl: true`, or just delete the `ssl: false` line
* Update the SAML configuration file (`/srv/www/apps/revenue_accounting/config/idp.yml`) to use the HTTPS URLs
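
A check for the certificate steps above, as an added example that is not part of the original procedure: it reads the `SSLCertificateFile`, `SSLCertificateKeyFile`, and `SSLCACertificateFile` paths from the vhost file, confirms the files are readable, that the key is not accessible to group/other, and that the key belongs to the certificate. The function names and script name are illustrative; it assumes the `openssl` CLI is installed and the private key has no passphrase.

```shell
#!/bin/sh
# Added example (not from the original procedure): sanity checks for the
# certificate paths set in the SSL vhost file. Function names are illustrative.
# Assumes the openssl CLI is installed and the private key has no passphrase.

# Print the first value of an Apache directive (case-insensitive) in a conf file.
directive_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Succeed only if group and other have no permission bits on the file.
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the certificate and the private key hold the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check one vhost conf file; print findings and return non-zero on any failure.
check_vhost() {
    conf=$1
    rc=0
    cert=$(directive_value SSLCertificateFile "$conf")
    key=$(directive_value SSLCertificateKeyFile "$conf")
    ca=$(directive_value SSLCACertificateFile "$conf")
    for f in "$cert" "$key"; do
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "FAIL certificate or key missing/unreadable: ${f:-<not set>}"
            rc=1
        fi
    done
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then echo "FAIL CA file unreadable: $ca"; rc=1; fi
    [ "$rc" -eq 0 ] || return 1
    key_is_private "$key" || { echo "FAIL $key is accessible to group/other"; rc=1; }
    cert_matches_key "$cert" "$key" || { echo "FAIL $cert does not match $key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $conf"
    return "$rc"
}

# Usage: sudo sh check_ssl_vhost.sh /etc/httpd/conf.d/revenue_accounting.conf
if [ "$#" -gt 0 ]; then check_vhost "$1"; fi
```

Run it after updating the paths and before restarting httpd, alongside `apachectl configtest`.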