Configuring WebGUI for SSL (HTTPS)

Generating Your Certificate

You will need a certificate for the domain. You can purchase one from a certificate authority or generate one yourself.

Follow the steps below to create a self-signed certificate:

  1. openssl genrsa -des3 -out server.key 1024
  2. openssl req -new -key server.key -out server.csr
  3. Remove the passphrase (optional):
    1. cp server.key server.key.org
    2. openssl rsa -in server.key.org -out server.key
  4. openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  5. mkdir /data/domains/YOURSITE.COM/certs
  6. cp server.crt /data/domains/YOURSITE.COM/certs
  7. cp server.key /data/domains/YOURSITE.COM/certs
  8. Disable SSLCACertificateFile if you are using a self-signed certificate.

The above was based on this article. See this article for details about creating a CSR for a signed certificate.

Configuring Your Site for SSL

The 0.8.x release of the WRE has added SSL configuration settings to the modproxy template. Check your template (wre/etc) or use the modproxy template at wre/var/setupfiles/modproxy.template.

Once you have edited the template and created your certificate, restart the modproxy service (wreservice --restart modproxy). You should then be able to access your site over HTTPS (which runs on port 443 instead of port 80).

SSL in older WRE versions

The following additional steps were required for 0.7.x versions of the WRE:

Add the following to your modperl config file below the DocumentRoot line:

SetEnvIf SSLPROXY "1" \
                 SSLPROXY

Add the following below the </VirtualHost> line in your modproxy file:

# SSL
SSLSessionCache         dbm:/data/wre/prereqs/apache/logs/ssl_scache
SSLSessionCacheTimeout  300

Listen *:443
<VirtualHost *:443>

Copy and paste everything in your first VirtualHost block from ServerName down to DocumentRoot, then insert:

# let modperl know we're using SSL
RequestHeader add SSLPROXY "1"

Then copy and paste the rest of your VirtualHost block, then insert:

    # enable SSL
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /data/domains/moodswings.net.au/certs/www.moodswings.net.au.crt
    SSLCertificateKeyFile /data/domains/moodswings.net.au/certs/server.key
    SSLCACertificateFile /data/domains/moodswings.net.au/certs/gd_intermediate_bundle.crt
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

</VirtualHost>

Restart Apache and check the logs for any errors!
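The SSLCipherSuite value in the block above names SSLv2, export, low-strength and null-encryption classes. The following audit is an added example, not part of the original page or of WebGUI/WRE: it parses SSLCipherSuite lines from Apache config text and lists the weak classes that are named or implied without a '!' exclusion. The class table and the function names are assumptions of this example, and the model of OpenSSL cipher-string syntax is simplified.

```python
import re

# Assumptions of this example: a simplified model of OpenSSL cipher-string
# classes. ALL is taken to include export, low-strength and SSLv2 suites
# (true of older OpenSSL builds); eNULL is never part of ALL.
ALIASES = {"EXPORT": "EXP", "NULL": "eNULL"}
WEAK = ("EXP", "LOW", "SSLv2", "eNULL")
IN_ALL = {"EXP", "LOW", "SSLv2"}

def weak_classes(cipher_spec):
    """Weak classes a cipher string names or implies without a '!' exclusion."""
    killed, referenced = set(), set()
    for token in re.split(r"[:, ]+", cipher_spec.strip()):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        parts = [ALIASES.get(p, p) for p in token[len(op):].split("+")]
        if op == "!":
            if len(parts) == 1:           # '!A+B' only kills the intersection
                killed.add(parts[0])
        elif op == "" and "ALL" in parts:
            referenced |= IN_ALL
        elif op != "-":
            # '+CLASS' only reorders, but naming a weak class without '!'
            # still deserves review.
            referenced.update(p for p in parts if p in WEAK)
    return [w for w in WEAK if w in referenced and w not in killed]

def audit_config(conf_text):
    """Map each SSLCipherSuite value found in Apache config text to findings."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*SSLCipherSuite\s+(\S.*)$", line, re.IGNORECASE)
        if m:
            found[m.group(1).strip()] = weak_classes(m.group(1))
    return found

# The cipher line from the 0.7.x instructions above, next to a stricter
# string (HIGH:!aNULL:!MD5, the example used in Apache's mod_ssl docs).
PAGE_CONF = """
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""
STRICT_CONF = "SSLEngine on\nSSLCipherSuite HIGH:!aNULL:!MD5\n"

if __name__ == "__main__":
    for conf in (PAGE_CONF, STRICT_CONF):
        for spec, weak in audit_config(conf).items():
            print(f"{spec}\n  -> {weak or 'no weak classes named'}")
```

Note that !EXPORT56 does not exclude the wider EXP class, which is why EXP is still reported for the page's string.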

Enabling Encrypted Logins

In the admin console under the Settings > User tab you can enable EncryptLogins. This causes the WebGUI login form to post over HTTPS, which stops network sniffers from reading user credentials (without HTTPS they are sent in clear text).

N.B. In WebGUI 7.3 the EncryptLogins hover-help incorrectly states that all pages after login will be encrypted, when in fact the user is redirected back to plain HTTP after a successful login. To override this behaviour, comment out line 630 in /data/WebGUI/lib/WebGUI/Auth.pm to disable the redirect, e.g.:

#$self->session->http->setRedirect($currentUrl);

As always, you must restart for any code changes to take effect.

Keywords: wre ssl https