Enable HTTPS
Note: the private key file must be protected with a pass phrase of your choosing. You will be asked for it again when exporting the PKCS#12 keystore and every time Apache starts.
- Generate the private key (2048-bit RSA, encrypted with your pass phrase; -aes256 is also accepted by openssl and is preferable to the legacy -des3 shown here):
openssl genrsa -des3 -out server.key 2048
- Generate the CSR (certificate signing request) from that key:
openssl req -new -key server.key -out server.csr
You will be prompted for the following fields. The values shown are the ones used for the UCI ICS deployment; adjust them for your organization.
- Country Name (2 letter code) [XX]:US
- State or Province Name (full name) []:California
- Locality Name (eg, city) [Default City]:Irvine
- Organization Name (eg, company) [Default Company Ltd]:University of California, Irvine
- Organizational Unit Name (eg, section) []:Donald Bren School of Information and Computer Sciences
- Common Name (eg, your name or your server's hostname) []: <=== ENTER THE DOMAIN NAME OF THE SERVER (e.g., cloudberry.ics.uci.edu)
- Email Address []:helpdesk@ics.uci.edu
Please enter the following 'extra' attributes to be sent with your certificate request
- A challenge password []: <=== LEAVE BLANK
- An optional company name []: <=== LEAVE BLANK
Send server.csr to the UCI HelpDesk (helpdesk@ics.uci.edu). Do not send server.key: the private key never needs to leave the server, and the CSR already carries the public key the CA needs. The HelpDesk will return a signed certificate. It is offered in several formats; use the PEM format (if the download email offers several files, the first link is the one used in the steps below) and save it as server.crt.
Note: at this point there are three files: server.key (the private key, which must stay secret), server.csr (the signing request) and server.crt (the signed certificate). The CSR was only needed to obtain server.crt and is not used again. All of the following steps use server.crt together with server.key.
Bundle the certificate and the private key into a PKCS#12 keystore:
openssl pkcs12 -export -in server.crt -inkey server.key -out keystore.p12
Enter pass phrase for server.key: [pass phrase you set when generating server.key]
Enter Export Password: [new password for keystore.p12]
Verifying - Enter Export Password:
Put keystore.p12 in /etc/httpd/cert/ or /etc/apache2/cert/. Apache also needs server.crt and server.key in that directory, because the virtual host below references them. Everything in this directory is key material: make it readable by root only.
sudo cp keystore.p12 server.crt server.key /etc/httpd/cert/
Convert the PKCS#12 keystore into a JKS keystore for the Play (Java) application:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
Importing keystore keystore.p12 to keystore.jks...
Enter destination keystore password: [new password for keystore.jks]
Re-enter new password:
Enter source keystore password: [password you set for keystore.p12]
Put keystore.jks in /etc/httpd/cert/ or /etc/apache2/cert/ as well, with the same root-only permissions as the other key material.
sudo cp keystore.jks /etc/httpd/cert/
Import the keystore into the JVM's system trust store so that Java code on this host trusts the certificate:
sudo keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/cacerts -deststoretype JKS
Enter destination keystore password: changeit (the JDK default)
Enter source keystore password: [password you set for keystore.p12]
Caveat: -importkeystore copies the whole entry, private key included, into cacerts, a file every JVM on the host reads. If the only goal is for the JVM to trust the certificate, import server.crt alone with keytool -importcert instead, which keeps the private key out of the trust store. The cacerts path above is for OpenJDK 8 on RHEL/CentOS; use the path of the JVM that actually runs TwitterMap.
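The steps above are interactive and easy to get out of order. As an added example (not part of the original wiki page or the TwitterMap project), the shell functions below reproduce the key, CSR, PKCS#12 and JKS steps non-interactively and add the checks a practitioner wants before deploying the returned certificate: that server.crt really belongs to server.key, that it names the right host, and that it is not about to expire. They also show the certificate-only cacerts import mentioned in the caveat. Assumptions: openssl and a JDK keytool are on PATH; pass phrases are supplied through the environment variables KEY_PASS, P12_PASS and JKS_PASS (these names are my choice) rather than on the command line, where ps would expose them; file names match the page.

```shell
#!/bin/sh
# Added example, not the project's own code. Helpers for the key -> CSR ->
# certificate -> PKCS#12 -> JKS procedure, plus verification of server.crt.
# KEY_PASS / P12_PASS / JKS_PASS (assumed names) must be exported by the caller.

# Generate the encrypted private key and the CSR in one go. -aes256 replaces
# the page's legacy -des3; the subject fields are those used on the page.
make_key_and_csr() {            # $1 = server DNS name, $2 = key file, $3 = csr file
  openssl genrsa -aes256 -passout env:KEY_PASS -out "$2" 2048 2>/dev/null &&
  openssl req -new -key "$2" -passin env:KEY_PASS -out "$3" \
    -subj "/C=US/ST=California/L=Irvine/O=University of California, Irvine/CN=$1"
}

# Only server.csr goes to the CA. When server.crt comes back, confirm it was
# issued for THIS key by comparing the SubjectPublicKeyInfo of both files.
# Works for encrypted (KEY_PASS set) and unencrypted keys.
key_matches_cert() {            # $1 = key file, $2 = certificate file
  [ "$(openssl pkey -in "$1" ${KEY_PASS+-passin env:KEY_PASS} -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# The certificate must name the host clients connect to: print the subject
# and any Subject Alternative Names so they can be checked against the CN.
cert_names() {                  # $1 = certificate file
  openssl x509 -in "$1" -noout -subject
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Fail (exit 1) if the certificate expires within $2 days.
cert_valid_for_days() {         # $1 = certificate file, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# keystore.p12 and keystore.jks exactly as on the page, without prompts.
# keytool reads the store passwords from the environment (":env" modifier).
# On OpenSSL 3 an old JDK may reject the .p12; re-export with -legacy if so.
build_keystores() {             # $1 = key, $2 = cert, $3 = p12 out, $4 = jks out
  openssl pkcs12 -export -in "$2" -inkey "$1" -passin env:KEY_PASS \
    -passout env:P12_PASS -out "$3" &&
  keytool -importkeystore -srckeystore "$3" -srcstoretype PKCS12 \
    -srcstorepass:env P12_PASS -destkeystore "$4" -deststoretype JKS \
    -deststorepass:env JKS_PASS
}

# Make a JVM trust the certificate WITHOUT copying the private key into the
# system-wide cacerts (the page's -importkeystore into cacerts does copy it).
trust_cert_only() {             # $1 = cert, $2 = cacerts path, $3 = alias
  keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$1" \
    -keystore "$2" -storepass changeit      # changeit is the JDK default
}

# Typical sequence on the server, after exporting KEY_PASS, P12_PASS, JKS_PASS:
#   make_key_and_csr cloudberry.ics.uci.edu server.key server.csr   # send server.csr to the HelpDesk
#   key_matches_cert server.key server.crt && cert_valid_for_days server.crt 30 && cert_names server.crt
#   build_keystores server.key server.crt keystore.p12 keystore.jks
#   chmod 600 server.key keystore.p12 keystore.jks                  # key material is root-only
```

key_matches_cert is the check worth running first: a certificate that was cut from a different CSR (for example after regenerating server.key) passes every other step and only fails when Apache starts.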
If 000-default-le-ssl.conf already exists under /etc/httpd/sites-available/ or /etc/apache2/sites-available/, skip this step.
(1) Install the mod_ssl module for Apache (if not installed yet):
sudo yum install mod_ssl openssl
(On Debian/Ubuntu the equivalent is sudo apt-get install apache2 followed by sudo a2enmod ssl.)
(2) Create an empty 000-default-le-ssl.conf and its symbolic link if they do not exist under /etc/httpd/sites-available/ or /etc/apache2/sites-available/. Note that sudo echo "" > file does not work: the redirection is performed by your unprivileged shell, not by sudo. Create the file with touch (or write it with sudo tee) instead:
sudo touch /etc/httpd/sites-available/000-default-le-ssl.conf
sudo ln -s /etc/httpd/sites-available/000-default-le-ssl.conf /etc/httpd/sites-enabled/000-default-le-ssl.conf
Edit /etc/httpd/sites-enabled/000-default-le-ssl.conf or /etc/apache2/sites-enabled/000-default-le-ssl.conf so that it contains:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName ochca.ics.uci.edu
SSLEngine on
SSLProxyEngine on
# -- Proxy settings go here --
ErrorLog "/etc/httpd/logs/error.log"
CustomLog "/etc/httpd/logs/access.log" combined
SSLCertificateFile /etc/httpd/cert/server.crt
SSLCertificateKeyFile /etc/httpd/cert/server.key
# If the CA supplied an intermediate chain, serve it too (on Apache 2.4.8+ it may instead be
# appended to server.crt); otherwise clients that do not already hold the intermediate cannot validate the certificate.
#SSLCertificateChainFile /etc/httpd/cert/server-chain.crt
</VirtualHost>
</IfModule>
Copy the following into the # -- Proxy settings go here -- placeholder in /etc/httpd/sites-enabled/000-default-le-ssl.conf or /etc/apache2/sites-enabled/000-default-le-ssl.conf:
# Production setting -Begin-
# The following settings are for the PROD server, where the TwitterMap application URL is
# https://cloudberry.ics.uci.edu/apps/twittermap
# If you are configuring a standalone server whose root domain points directly at the application,
# as in https://ochca.ics.uci.edu, then:
# (1) remove the [Option-1] and [Option-2] proxies
# (2) uncomment [Option-3]. [Option-3] must stay at the end: mod_proxy checks ProxyPass rules in file
#     order and the first match wins, so the more specific sub-paths (/ws/, /apps/..., /assets/) must
#     come before the root "/" proxy or the root rule swallows every request.
ProxyPass /ws/ wss://cloudberry.ics.uci.edu:9001/ws/
ProxyPassReverse /ws/ wss://cloudberry.ics.uci.edu:9001/ws/
# [Option-1] proxy URL /apps/twittermap to 9001 application port
ProxyPass /apps/twittermap/ https://cloudberry.ics.uci.edu:9001/
ProxyPassReverse /apps/twittermap/ https://cloudberry.ics.uci.edu:9001/
# [Option-2] the same mapping without the trailing slash, so that /apps/twittermap (no slash) also reaches the application
ProxyPass /apps/twittermap https://cloudberry.ics.uci.edu:9001/
ProxyPassReverse /apps/twittermap https://cloudberry.ics.uci.edu:9001/
ProxyPass /apps/city/ https://cloudberry.ics.uci.edu:9001/city/
ProxyPassReverse /apps/city/ https://cloudberry.ics.uci.edu:9001/city/
ProxyPass /apps/cityPopulation/ https://cloudberry.ics.uci.edu:9001/cityPopulation/
ProxyPassReverse /apps/cityPopulation/ https://cloudberry.ics.uci.edu:9001/cityPopulation/
ProxyPass /assets/ https://cloudberry.ics.uci.edu:9001/assets/
ProxyPassReverse /assets/ https://cloudberry.ics.uci.edu:9001/assets/
ProxyPass /apps/assets/ https://cloudberry.ics.uci.edu:9001/assets/
ProxyPassReverse /apps/assets/ https://cloudberry.ics.uci.edu:9001/assets/
# [Option-3] proxy URL https://ochca.ics.uci.edu to https://ochca.ics.uci.edu:9001
# ProxyPass / https://ochca.ics.uci.edu:9001/
# ProxyPassReverse / https://ochca.ics.uci.edu:9001/
# Production setting -End-
Edit /etc/httpd/sites-enabled/000-default.conf or /etc/apache2/sites-enabled/000-default.conf and add the following inside <VirtualHost *:80>, so that plain HTTP requests are redirected to HTTPS (requires mod_rewrite):
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
sudo systemctl restart httpd
Enter SSL pass phrase for ochca.ics.uci.edu:443 (RSA) : [the pass phrase you set on server.key]
Apache is unlocking SSLCertificateKeyFile here, so the answer is the server.key pass phrase, not a keystore password. Because the key is encrypted, every restart, including an unattended reboot, blocks on this prompt until someone types it. If that is not acceptable, either use SSLPassPhraseDialog to have Apache obtain the pass phrase from a program, or keep a decrypted copy of the key with root-only permissions and point SSLCertificateKeyFile at it.
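The Apache steps above (create the file, paste the virtual host, order the ProxyPass rules, restart) are where most deployments go wrong. As an added example (not part of the original page or the project), the script below renders the HTTPS virtual host for the standalone "Option-3" layout, verifies the ProxyPass ordering rule the page warns about, and installs the file the way the page intends (sudo tee, since sudo echo > file does not work). Assumptions: the RHEL/CentOS layout (/etc/httpd, httpd -t) and the /etc/httpd/cert/ paths from the page; the WebSocket path /ws/ and backend port 9001 are the page's; the TLS hardening directives (old protocol versions disabled, server cipher order, HSTS) are additions of mine that are not in the page's snippet.

```shell
#!/bin/sh
# Added example, not the project's own configuration. Renders, checks and
# installs the HTTPS virtual host for a standalone TwitterMap server.

# Print the virtual host for $1 (server name) proxying to $2 (backend port).
# Compared with the page's snippet: SSLv3/TLS 1.0/1.1 are disabled, the
# server's cipher preference is enforced, HSTS is sent when mod_headers is
# loaded, and the root "/" ProxyPass is emitted LAST, after /ws/.
render_ssl_vhost() {
  cat <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName $1
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    SSLCertificateFile /etc/httpd/cert/server.crt
    SSLCertificateKeyFile /etc/httpd/cert/server.key
    # Uncomment if the CA supplied an intermediate chain file:
    #SSLCertificateChainFile /etc/httpd/cert/server-chain.crt
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000"
    </IfModule>
    SSLProxyEngine on
    # Most specific paths first: mod_proxy uses the first ProxyPass that matches.
    ProxyPass /ws/ wss://$1:$2/ws/
    ProxyPassReverse /ws/ wss://$1:$2/ws/
    ProxyPass / https://$1:$2/
    ProxyPassReverse / https://$1:$2/
    ErrorLog /etc/httpd/logs/error.log
    CustomLog /etc/httpd/logs/access.log combined
</VirtualHost>
</IfModule>
EOF
}

# The ordering rule from the page, as a check: among ProxyPass lines (not
# ProxyPassReverse, not comments) a bare "/" mapping must be the last one,
# otherwise it matches every request before the sub-path rules are reached.
proxy_root_is_last() {          # reads a config on stdin; exit 0 = order is fine
  awk '$1 == "ProxyPass" { path[++n] = $2 }
       END { for (i = 1; i < n; i++) if (path[i] == "/") exit 1; exit 0 }'
}

# Write the vhost as root. `sudo echo "" > file` fails because the shell,
# not sudo, opens the file; `sudo tee` performs the write with privileges.
# httpd -t syntax-checks the result before Apache is asked to reload it.
install_ssl_vhost() {           # $1 = server name, $2 = backend port
  conf=/etc/httpd/sites-available/000-default-le-ssl.conf
  render_ssl_vhost "$1" "$2" | proxy_root_is_last ||
    { echo "root ProxyPass must come last" >&2; return 1; }
  render_ssl_vhost "$1" "$2" | sudo tee "$conf" >/dev/null &&
  sudo ln -sf "$conf" /etc/httpd/sites-enabled/000-default-le-ssl.conf &&
  sudo httpd -t &&
  sudo systemctl reload httpd
}

# Usage on the server: install_ssl_vhost ochca.ics.uci.edu 9001
```

proxy_root_is_last can also be run on the page's production configuration (cat the file into it) to confirm that uncommenting [Option-3] left it in the final position.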
Edit twittermap.conf (default name application.conf):
cloudberry.register = "http://localhost:9000/admin/register" # talks to cloudberry's plain HTTP port, not through Apache
cloudberry.host = "localhost"
cloudberry.port = "9000" # talks to cloudberry's plain HTTP port
cloudberry.ws = "ws://"
app.ws = "wss://"
Note: if TwitterMap talks to Cloudberry over HTTPS instead of the plain HTTP port shown above, cloudberry.host cannot be localhost. It must be the hostname that appears in Cloudberry's certificate, otherwise TLS hostname verification fails.
When starting TwitterMap, use JVM system properties to disable HTTP and enable HTTPS, specifying the location and password of the JKS keystore:
nohup ./web-1.0-SNAPSHOT/bin/web -Dapplication.secret='changeit' \
-Dconfig.file=./twittermap.conf \
-Dhttp.port=disabled \
-Dhttps.port=9001 \
-Dhttps.keyStore=[/etc/httpd/cert/keystore.jks or /etc/apache2/cert/keystore.jks] \
-Dhttps.keyStorePassword=[password you set for keystore.jks]
Two cautions. First, replace 'changeit' with a long random value: application.secret is the key Play uses to sign session cookies and other application data, and a guessable secret lets anyone forge them. Second, everything passed with -D is part of the process command line and visible to every local user through ps, including the keystore password, so on a shared host restrict who can log in or supply these values through the application's configuration file instead of the command line.