Contributions to ELOG
Message ID: 21     Entry time: Tue Feb 20 18:20:40 2007
Author: Val Schmidt 
Author Email: vschmidt@ldeo.columbia.edu 
Category: Documentation 
Subject: Secure elog with SSL under Apache2 on Ubuntu 
Status: Stable 
Last Revision:  
The steps for configuration under Apache2 are a bit different. Below I've included a quick list of instructions for Ubuntu. One nice thing about this method is that only https requests to https://your.url/elog are redirected (not all https connections to your url), so you can have other services running under ssl:

My Setup:
Ubuntu 6.10 (Edgy):
Linux tide1 2.6.17-11-generic #2 SMP Thu Feb 1 19:52:28 UTC 2007 i686 GNU/Linux

Packages:
ii  apache2                                    2.0.55-4ubuntu4                      next generation, scalable, extendable web se
ii  apache2-common                             2.0.55-4ubuntu4                      next generation, scalable, extendable web se
ii  apache2-mpm-worker                         2.0.55-4ubuntu4                      high speed threaded model for Apache2
ii  apache2-utils                              2.0.55-4ubuntu4                      utility programs for webservers 
ii  elog                                       2.6.1+r1642-1                        Logbook system to manage notes through a Web
---

To set up ssl in apache2 for elog I started here:
This mini-howto was kindly provided in a forum. I reproduced it here without permission.
A Mini-Howto for apache2: 

apt-get install apache2
apache2-ssl-certificate
(and answer the questions)

Now, enable ssl:
a2enmod ssl

configure ssl:
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl 
"/etc/apache2/sites-enabled/ssl" should look like this:

NameVirtualHost *:443
<VirtualHost *:443>
(... configure the directories too...)
and "/etc/apache2/sites-enabled/default" should look like this:

NameVirtualHost *:80
<VirtualHost *:80>
(... configure the directories too...)
In /etc/apache2/ports.conf, add Listen 443

In the middle of the /etc/apache2/sites-available/ssl file, insert these two lines:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

Hope it helps :)

This method, without configuration of any of the <Directory> directives in /etc/apache2/sites-available/ssl, makes everything in /var/www https accessible. This may not be desirable. Configure the directives as you see fit.

To get SSL forwarding going for elog, in /etc/apache2/sites-available/ssl, I added the following:

 
ServerName tide1.unh.edu

        ProxyRequests Off
        ProxyPreserveHost On

        <Location /elog/>
                Order allow,deny
                allow from all

                ProxyPass  http://tide1.unh.edu:8080/
                ProxyPassReverse  http://tide1.unh.edu:8080/
                SSLRequireSSL
        </Location>

Once this is in place one must restart apache with
sudo /etc/init.d/apache2 force-reload

In /etc/elog.conf I added:
URL=https://tide1.unh.edu/elog

and restarted elog as above.

Finally, I removed the firewall entry that allowed connections to port 8080 for non-secure elog.

Items of note:
The "apache2-ssl-certificate" created a certificate that seems to expire in 30 days. This is obviously not ideal. More details about how to create certificates can be found at HERE. At some point in the future, we'll have to figure this out and create a more appropriate certificate.
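
A check for the 30-day expiry noted above, as an added example that is not part of the original post: it uses `openssl x509 -checkend` to report whether a certificate such as /etc/apache2/ssl/apache.pem expires within a warning window. The function names, the script name, the 14-day default and the exit-code convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): warn before the certificate
# that Apache serves expires. Exit codes are this example's own convention:
#   0 = valid beyond the warning window   1 = expires within the window
#   2 = already expired                   3 = missing or not a certificate

cert_status() {
    pem=$1
    warn_days=${2:-14}        # assumed default warning window, in days

    # Reject paths that are unreadable or do not parse as X.509.
    [ -r "$pem" ] || return 3
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 3

    # -checkend N exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || return 2
    openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" \
        >/dev/null 2>&1 || return 1
    return 0
}

report_cert() {
    rc=0
    cert_status "$1" "${2:-14}" || rc=$?
    case $rc in
        0) msg="OK" ;;
        1) msg="WARNING: expires within ${2:-14} days" ;;
        2) msg="CRITICAL: already expired" ;;
        *) msg="ERROR: cannot read a certificate from this file" ;;
    esac
    if [ "$rc" -lt 3 ]; then
        # Prints a line such as "notAfter=<date>" taken from the certificate.
        end=$(openssl x509 -in "$1" -noout -enddate)
        msg="$msg ($end)"
    fi
    echo "$1: $msg"
    return "$rc"
}

# Run as (check_cert.sh is a hypothetical file name):
#   sh check_cert.sh /etc/apache2/ssl/apache.pem 14
if [ "$#" -gt 0 ]; then
    report_cert "$@"
    exit $?
fi
```

Run from cron, the non-zero exit codes give a monitoring job something to alert on before browsers start rejecting the certificate.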