
Configuring WebGUI for SSL (HTTPS)

SSL Certificates

In most cases you need a certificate issued by a publicly trusted Certificate Authority (CA) to serve your website over https; browsers only trust certificates that chain to a CA in their root store.

If you want to enable SSL on a site without buying a certificate and you don't mind your users seeing a browser warning, you can use a self-signed certificate. This is most commonly done on development servers. For more information, see the article: turn on https with a self-signed ssl certificate

The WRE contains openssl, which you will use in the steps below to create your SSL certificate. Before running the following steps, use the WRE's setenvironment script to configure your shell environment, and check your paths via:

# which openssl
/data/wre/prereqs/bin/openssl

Step 1. Server Certificate Signing Request (server.csr)

When you purchase (or renew) a certificate from a Certificate Authority, you will be required to provide a Certificate Signing Request (CSR). The CSR carries your public key and the name(s) the certificate should cover; the CA signs it to produce your downloadable certificate. The private key the CSR was made from stays on your server and is never sent to the CA.

You can generate a CSR on your WRE server as follows:

  1. openssl genrsa -des3 -out server.key 2048 # generate a 2048-bit RSA key; enter a temporary passphrase when prompted
  2. openssl req -new -key server.key -out server.csr # build the CSR from the key; answer the subject prompts
  3. openssl rsa -in server.key -out server.key # strips the passphrase, since Apache cannot type it at startup

When asked, enter details relevant to your website. In particular, enter your site's domain name (without the "www.") as the Common Name (CN). Note that browsers now match the host name against the certificate's Subject Alternative Name extension rather than the CN, so when you order the certificate make sure it lists every name the site answers on, the bare domain and the www. form included; many CAs add the www. variant automatically, but check the order form.

After this process, you will end up with two files.

  • server.csr
  • server.key

The CSR is only needed to place the order and can be removed from the web server afterwards. The private key, however, must stay on the web server because Apache reads it at startup, and it should be readable by no one but the user Apache runs as (mode 600). Keep backups of both files somewhere secure for future renewals, and never paste the key into a CA's web form.

Step 2. Download Certificate from your CA

Details vary between Certificate Authorities, but in essence you need to:

  • paste the contents of server.csr into a web form on your CA's website
  • tell your CA to generate a downloadable version of your new SSL Certificate in Apache format

You should end up with a file called yoursite.com.crt, and possibly a second file (a CA Certificate File). For example, GoDaddy includes a second file called gs_bundle.crt.

Step 3. Apache Configuration

Now that you have your new SSL cert, copy the file(s) you downloaded from you CA onto your web server into a sensible location such as:

/data/domains/YOURSITE.COM/certs

Finally, uncomment the SSL-related lines in /data/wre/etc/yoursite.com.modproxy and restart modproxy. Any configuration error prevents modproxy from starting, so check the Apache error log if it does not come up; the log normally names the failing directive, and the common causes are a wrong path or a certificate that does not belong to the key it is paired with.

Note that if you received an intermediate bundle (from GoDaddy, for instance), put it in SSLCertificateChainFile rather than SSLCACertificateFile: the chain file is what Apache sends to browsers so they can build a path to a trusted root, whereas SSLCACertificateFile lists the CAs Apache itself trusts when verifying client certificates. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated, and you can instead append the intermediate certificates after your own certificate in the SSLCertificateFile.

Read below for additional information that may apply to your specific version of the WRE.
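The three steps above, as an added example that is not part of this wiki page or of the WRE: a script that generates the key and CSR non-interactively (with Subject Alternative Names for the bare and www. names), optionally self-signs for a development box, and runs the consistency checks worth doing before restarting modproxy, so that a certificate/key mismatch or a missing chain is caught in the shell rather than in the Apache error log. The domain, subject fields and paths are placeholders, and it assumes openssl 1.1.1 or newer (for -addext) on PATH.

```shell
#!/bin/sh
# Added example, not WebGUI wiki or WRE code: non-interactive key + CSR
# generation plus the checks to run before pointing Apache at the files.
# Assumes openssl 1.1.1+ on PATH; under the WRE run setenvironment first so
# /data/wre/prereqs/bin/openssl is the one found. Domain, subject fields and
# directories are placeholders.

# make_key_and_csr <domain> <dir>
# Writes <dir>/server.key (RSA 2048, mode 0600, no passphrase: Apache cannot
# type one at boot) and <dir>/server.csr with CN=<domain> and SANs for the
# bare and www. names, which is what browsers actually match against.
make_key_and_csr() {
    domain="$1"; dir="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"          # private key: owner-readable only
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain"
}

# self_sign_for_dev <csr> <key> <crt>
# Development servers only: signs the CSR with its own key (browsers will warn).
self_sign_for_dev() {
    openssl x509 -req -in "$1" -signkey "$2" -days 365 -out "$3" 2>/dev/null
}

# modulus_hash <req|rsa|x509> <file>
# A key, the CSR made from it and the certificate issued for it all carry the
# same RSA modulus; comparing a hash of it is the standard "do these belong
# together" check and catches the classic mod_ssl "key values mismatch".
modulus_hash() {
    openssl "$1" -noout -modulus -in "$2" | openssl md5
}

csr_matches_key()  { [ "$(modulus_hash req  "$1")" = "$(modulus_hash rsa "$2")" ]; }
cert_matches_key() { [ "$(modulus_hash x509 "$1")" = "$(modulus_hash rsa "$2")" ]; }

# csr_has_san <csr> <name> -> 0 when the CSR requests DNS:<name>
csr_has_san() {
    openssl req -noout -text -in "$1" | grep -q "DNS:$2"
}

# chain_verifies <ca-bundle> <crt> -> 0 when <crt> chains to <ca-bundle>.
# Run it on the site certificate and the intermediate bundle your CA shipped.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone use: sh thisfile.sh yoursite.com /data/domains/YOURSITE.COM/certs
if [ "$#" -eq 2 ]; then
    make_key_and_csr "$1" "$2"
    csr_matches_key "$2/server.csr" "$2/server.key" && echo "CSR matches key"
    csr_has_san "$2/server.csr" "www.$1" && echo "CSR requests www.$1"
fi
```

Once the CA has returned yoursite.com.crt and its bundle, cert_matches_key and chain_verifies are the two checks to run against those files before editing the modproxy configuration.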

More Details on Configuring Your Site for SSL

The 0.8.x release of the WRE has added SSL configuration settings to the modproxy template. Check your template (wre/etc) or use the modproxy template at wre/var/setupfiles/modproxy.template.

Additionally, SSL needs to be enabled in the site configuration. Ensure that sslEnabled is set to 1.

Once you have edited the template and created your certificate, restart the web service (wreservice --restart web). You should then be able to reach your site over https, which listens on port 443 rather than the port 80 used by plain http.

SSL in older wre versions

The following additional steps were required for 0.7.x versions of the wre:

Add the following to your modperl config file below the DocumentRoot line. It sets the SSLPROXY environment variable for the backend whenever the request arrived with an SSLPROXY header whose value is 1, which is how modproxy signals that the original connection was https:

SetEnvIf SSLPROXY "1" SSLPROXY

Add the following below the </VirtualHost> line in your modproxy file:

# SSL
SSLSessionCache         dbm:/data/wre/prereqs/apache/logs/ssl_scache
SSLSessionCacheTimeout  300

Listen *:443
<VirtualHost *:443>

Copy and paste everything in your first VirtualHost block from ServerName down to DocumentRoot, then insert:

# let modperl know we're using SSL (this is an ordinary request header, so make
# sure the plain-http VirtualHost does not pass a client-supplied copy through)
RequestHeader add SSLPROXY "1"

Then copy and paste the rest of your VirtualHost block, then insert:

 # enable SSL
    SSLEngine on
    # cipher list from the original 0.7.x template: it leaves LOW, EXP,
    # eNULL (no encryption at all) and SSLv2 enabled, which no current
    # deployment should accept; tighten it on any server still using this
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /data/domains/YOURSITE.COM/certs/YOURSITE.COM.crt
    SSLCertificateKeyFile /data/domains/YOURSITE.COM/certs/server.key
    # a CA bundle belongs in SSLCertificateChainFile (see the note in Step 3)
    SSLCACertificateFile /data/domains/YOURSITE.COM/certs/gd_intermediate_bundle.crt
    # legacy workaround for SSL bugs in old Internet Explorer versions
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

</VirtualHost>

Restart apache and check the logs for any errors!
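For the Apache configuration in Step 3 and the 0.7.x VirtualHost above, here is an added example (not WRE or WebGUI code) of the check a practitioner would run over a modproxy file before restarting: a small linter that flags cipher-string tokens which leave weak or null ciphers enabled, a missing or SSLv3-permitting SSLProtocol line, and server-side cipher ordering left off. It embeds two constructed sample configurations, the cipher list from the 0.7.x template beside a hardened one; the directive names are real mod_ssl directives, the file paths and samples are placeholders, and only awk, tr and grep are required.

```shell
#!/bin/sh
# Added example, not WRE or WebGUI code: lint the SSL directives in a modproxy
# file. Directive names are real mod_ssl ones; paths and the two sample
# configurations below are constructed for the demo.

# Cipher-list tokens that should never be enabled on a public site.
WEAK_TOKENS="eNULL aNULL NULL EXP EXPORT EXPORT40 EXPORT56 LOW SSLv2 SSLv3 RC4 MD5 DES ADH"

# weak_cipher_tokens <cipher-string>
# Prints every weak token the string leaves enabled, one per line. "!X" and
# "-X" remove X and are skipped; "+X" only reorders X, so it still counts.
# Compound tokens such as RC4+RSA are split into their parts.
weak_cipher_tokens() {
    echo "$1" | tr ':' '\n' | while IFS= read -r tok; do
        case "$tok" in
            '!'*|'-'*) continue ;;
            '+'*) tok="${tok#+}" ;;
        esac
        for part in $(echo "$tok" | tr '+' ' '); do
            for weak in $WEAK_TOKENS; do
                if [ "$part" = "$weak" ]; then echo "$part"; fi
            done
        done
    done
}

# audit_ssl_config <file> -> prints findings, returns 0 only when there are none
audit_ssl_config() {
    findings=0
    for tok in $(awk '$1=="SSLCipherSuite"{print $2}' "$1" | while IFS= read -r cs; do weak_cipher_tokens "$cs"; done); do
        echo "FINDING: SSLCipherSuite enables $tok"
        findings=$((findings + 1))
    done
    proto=$(awk '$1=="SSLProtocol"{$1=""; print}' "$1")
    case " $proto " in
        *" -SSLv3 "*|*" -all "*) ;;                 # SSLv3 explicitly disabled
        *" all "*|*" +all "*|*SSLv3*|*SSLv2*|"  ")  # "all" without -SSLv3, or no line at all
            echo "FINDING: SSLProtocol missing or leaves SSLv3 enabled"
            findings=$((findings + 1)) ;;
        *) ;;                                       # explicit whitelist such as "TLSv1.2 TLSv1.3"
    esac
    if ! grep -q '^[[:space:]]*SSLHonorCipherOrder[[:space:]]*on' "$1"; then
        echo "FINDING: SSLHonorCipherOrder not on; the client picks the cipher"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the SSL block the wiki gives for WRE 0.7.x.
write_old_config() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /data/domains/YOURSITE.COM/certs/YOURSITE.COM.crt
    SSLCertificateKeyFile /data/domains/YOURSITE.COM/certs/server.key
    SSLCertificateChainFile /data/domains/YOURSITE.COM/certs/gd_intermediate_bundle.crt
</VirtualHost>
EOF
}

# Constructed sample: the same block with the settings a current mod_ssl should carry.
write_hardened_config() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    SSLCertificateFile /data/domains/YOURSITE.COM/certs/YOURSITE.COM.crt
    SSLCertificateKeyFile /data/domains/YOURSITE.COM/certs/server.key
    SSLCertificateChainFile /data/domains/YOURSITE.COM/certs/gd_intermediate_bundle.crt
</VirtualHost>
EOF
}

# Stand-alone use: sh thisfile.sh /data/wre/etc/yoursite.com.modproxy
if [ "$#" -eq 1 ]; then
    audit_ssl_config "$1"
fi
```

Run it on the 0.7.x sample and it reports seven findings (RC4, LOW, SSLv2, EXP and eNULL left enabled, no SSLProtocol, no SSLHonorCipherOrder); the hardened sample passes clean. The linter is deliberately conservative about SSLProtocol: anything that does not clearly disable SSLv3, or is an explicit TLS-only whitelist, is flagged for a human to look at.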

Enabling Encrypted Logins

In the admin console under the Settings > User tab you can enable EncryptLogins. This causes the WebGUI login form to post via https, so a network sniffer cannot read the user's credentials (without https they are sent in clear text).

N.B. In WebGUI 7.3 the EncryptLogins hover-help incorrectly states that all pages after login will be encrypted; in fact the user is redirected back to plain http after a successful login. That means the session cookie issued at login then travels over plain http on every later request, so encrypting the login alone protects the password but not the logged-in session. If you want to override this behaviour and keep the user on https, you can comment out line 630 in /data/WebGUI/lib/WebGUI/Auth.pm to disable the redirect, e.g.

#$self->session->http->setRedirect($currentUrl);

As always, you must restart for any code change to take effect, and bear in mind that this is a local patch to a core file which the next WebGUI upgrade will overwrite.

Keywords: https ssl WRE

BkMackey: "I'm trying to use this to set up ssl, but there's no troubleshooting for any errors, nor does it really distinguish between OS."
sduensin: "Thanks for the article!

Tips for anyone struggling with this:

- Check your logs.  Newer versions of WebGUI need a macro called "BackToSite" that wasn't in my existing site configs.  Be sure you aren't seeing any similar errors in webgui.log.

- Look in /data/wre/var/setupfiles at the modproxy.template and modperl.template files.  Be sure your site's configuration files are correct for the version of the WRE you are running.  Mine weren't.

- In /data/wre/etc look in modproxy.conf and be sure you have the line "NameVirtualHost *:443".  Again, I didn't.

After making these changes, I'm up and running!  Thanks to perlDreamer, preaction, and Haarg for the help."