Secure Sockets Layer in Orka platform
SSL (Secure Sockets Layer) configuration of the personal Orka server is done during the server's initialization (what nginx actually negotiates today is TLS; the page keeps the older name).
First, the nginx configuration template, which is modified to handle HTTPS requests, is copied to the nginx configuration directory:
- name: Copy nginx.conf file
  tags: postimage
  template: src=nginx.j2 dest=./conf owner=orka_admin
- name: Rename nginx.j2 template to nginx.conf
  tags: postimage
  command: mv nginx.j2 nginx.conf chdir=./conf
Then Ansible creates the self-signed certificate and private key with the following tasks ("sudo: yes" is the pre-1.9 Ansible spelling of "become: yes"):
- name: Create directory ssl in /etc/nginx
  sudo: yes
  file: path=/etc/nginx/ssl state=directory
  tags: postimage
- name: Create the SSL certificate
  sudo: yes
  command: openssl req -x509 -nodes -days {{certificate_key_lifetime}} -newkey rsa:{{key_rsa}} -sha256 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/C=GR/ST=Athens/L=Athens/O= /OU= /CN={{ ansible_ssh_host }}"
  tags: postimage
The default values of the certificate variables (certificate_key_lifetime, key_rsa) are in the webserver group variables file. After nginx is restarted it serves HTTPS with this certificate.
Because the certificate is self-signed, the browser of the Orka user who opens the web graphical user interface for the first time after creating and starting the personal Orka server will show a "Your connection is not secure" warning. The warning is expected, but before adding an exception for the certificate the user should compare the SHA-256 fingerprint the browser displays with the fingerprint of /etc/nginx/ssl/nginx.crt on the server: an exception added without that check would just as readily accept a certificate presented by a man-in-the-middle.
For the Orka CLI communication with the personal Orka server, a property "verify_ssl" is added in the orka section of .kamakirc. Sample .kamakirc file:
[global]
default_cloud = ~okeanos
[cloud "~okeanos"]
url = https://accounts.okeanos.grnet.gr/identity/v2.0
token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[orka]
base_url = https://xx.xxx.xxx.xx
verify_ssl = false
#verify_ssl = <path/to/valid/crt/file>
If the property is set to "no" or "false", or is not set at all, the keyword argument "verify" of the requests Python library is set to False. The connection is still encrypted, but the server's certificate is not checked, so the Orka CLI cannot tell the personal Orka server from an attacker on the path: communication is not authenticated and is effectively not secured.
If instead verify_ssl is set to the path of the certificate file in the local filesystem, requests uses that file as its trusted CA bundle and verifies the server against it, so Orka CLI requests are secured. A user should download the certificate file (/etc/nginx/ssl/nginx.crt) from the personal Orka server over an already authenticated channel (for example scp over the same SSH access Ansible uses) and add its local path to the .kamakirc file. Verification also checks that the host in base_url matches the name in the certificate, which is why the Ansible task sets CN to the server's address; depending on the client version, an IP address may additionally have to appear as a subjectAltName.
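The following shell script is an added example, not part of the Orka project or its CLI. It applies the verify_ssl rules above to a .kamakirc file and, when a certificate path is configured, prints the certificate's SHA-256 fingerprint so it can be compared with the output of "openssl x509 -fingerprint -sha256" run against /etc/nginx/ssl/nginx.crt on the server. The function names and the "insecure" label are this example's own; openssl is assumed to be installed on the client.

```shell
#!/bin/sh
# Added example (not Orka project code): decide what the orka CLI will do
# with the certificate, and print a fingerprint worth comparing by hand.

# kamakirc_verify_mode FILE
# Prints "insecure" when verify_ssl in the [orka] section is unset, "no" or
# "false" (the page's rule: requests is called with verify=False);
# otherwise prints the configured path.  Commented lines (#verify_ssl = ...)
# are ignored, and the last assignment in the section wins.
kamakirc_verify_mode() {
    rc="$1"
    val=$(awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[orka\]/); next }
        insec && /^[[:space:]]*verify_ssl[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); v = $0
        }
        END { print v }' "$rc")
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        ""|no|false) echo insecure ;;
        *)           echo "$val" ;;
    esac
}

# cert_fingerprint CERT.pem
# Prints the SHA-256 fingerprint in openssl's AA:BB:... form, which is what
# "openssl x509 -in /etc/nginx/ssl/nginx.crt -noout -fingerprint -sha256"
# prints on the server.  Fails if the file is missing or not a certificate.
cert_fingerprint() {
    [ -r "$1" ] || { echo "certificate not readable: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_kamakirc FILE
# Returns 2 (with a warning) for an unverified configuration, 1 if the
# configured certificate cannot be read, 0 after printing its fingerprint.
check_kamakirc() {
    mode=$(kamakirc_verify_mode "$1")
    if [ "$mode" = insecure ]; then
        echo "WARNING: orka CLI will not verify the server certificate (verify=False)" >&2
        return 2
    fi
    fp=$(cert_fingerprint "$mode") || return 1
    echo "verify_ssl=$mode"
    echo "SHA256 fingerprint: $fp"
}

# Usage: check_kamakirc ~/.kamakirc
```

Run it against ~/.kamakirc after editing the orka section; the printed fingerprint must be identical to the one computed on the server before the path is trusted.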
####Mediawiki/Drupal
For Drupal, the existing container must be deleted and a new one created with ports 443 and 80 bound (the site's database lives in the linked db container, so only the web container is recreated):
docker rm --force drupal
docker run -d --name drupal --link db:mysql -p 80:80 -p 443:443 samos123/drupal
Common steps for Drupal/Mediawiki (the certificate below is created with CN=localhost; set CN to the host name or address users will type in the URL bar, otherwise every client will see a name mismatch):
docker exec -ti <container_name> bash
mkdir -p /etc/apache2/ssl
mkdir -p /etc/apache2/logs
cd /etc/apache2/logs
touch access.log error.log
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt -subj "/C=GR/ST=Athens/L=Athens/O= /OU= /CN=localhost"
cd /etc/apache2/mods-available
cp ssl.conf ssl.load socache_shmcb.load ../mods-enabled/
cd ../sites-available/
cp 000-default.conf default-ssl.conf ../sites-enabled/
cd ../sites-enabled/
Open 000-default.conf and add/edit (the rewrite rules need mod_rewrite loaded; if the image does not already enable it, copy rewrite.load to mods-enabled the same way as ssl.load above):
ErrorLog /etc/apache2/logs/error.log
CustomLog /etc/apache2/logs/access.log combined
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Open default-ssl.conf and add/edit:
ErrorLog /etc/apache2/logs/error.log
CustomLog /etc/apache2/logs/access.log combined
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Close the file, exit and restart the container:
exit
docker restart <container_name>
####DSpace
The existing container must be deleted and a new one created with ports 8080 and 443 bound (host port 443 is mapped to Tomcat's 8443 HTTPS connector):
docker rm -f dspace
docker run -d -p 8080:8080 -p 443:8443 --name dspace quantumobject/docker-dspace
Create the admin user for the dspace application:
docker exec -it dspace create-admin
permanently delete everything? [yes]
creating an initial administrator account
e-mail address: [a@b.gr]
first name: [John]
last name: [Doe]
password: [changeme]
docker exec -it dspace bash
Create the self-signed keystore (the command below uses a 1024-bit RSA key, which current browsers and TLS libraries reject or warn about; use -keysize 2048 or larger. The keystore password also ends up in clear text in server.xml, so treat that file as sensitive):
/usr/lib/jvm/java-7-openjdk-amd64/bin/keytool -genkey \
-alias tomcat \
-keyalg RSA \
-keysize 1024 \
-keystore /var/lib/tomcat8/conf/keystore \
-storepass e-science \
-validity 365 \
-dname 'CN=localhost, OU= , O= , L=Athens, S=Athens, C=GR'
Open /usr/share/tomcat8/bin/catalina.sh and add/edit:
#insert this at the beginning, after the comments
#to reduce time needed for tomcat to load
JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xms1024m -Xmx1024m -XX:PermSize=256m -XX:MaxPermSize=256m -XX:+UseConcMarkSweepGC"
Open /var/lib/tomcat8/conf/server.xml and edit to enable SSL:
<Connector port="8443"
SSLEnabled="true"
URIEncoding="UTF-8"
maxThreads="150" minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="/var/lib/tomcat8/conf/keystore" keystorePass="e-science"
clientAuth="false" />
Permissions and owner on the keystore file should be set so that root owns it and the tomcat8 group can read it (Tomcat only needs read access, so 640 is sufficient; the page uses 664):
chown root:tomcat8 /var/lib/tomcat8/conf/keystore
chmod 664 /var/lib/tomcat8/conf/keystore
Create the temp directory catalina:
mkdir /var/lib/tomcat8/temp
chown tomcat8:tomcat8 /var/lib/tomcat8/temp
Restart tomcat:
sv restart tomcat8
#####Enable http to https redirection for DSpace (optional):
docker exec -it dspace bash
Open /var/lib/tomcat8/conf/server.xml and edit:
<Connector port="8080"
enableLookups="false"
redirectPort="443" />
Open /var/lib/tomcat8/conf/web.xml and edit:
<!-- add these at the end, right before </web-app> -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you require authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Restart tomcat:
sv restart tomcat8
####Redmine
The existing container must be deleted and a new one created with ports 443 and 80 bound:
docker rm --force <id>
docker run --name=redmine_redmine_1 -d --link=redmine_postgresql_1:postgresql -p 80:80 -p 443:443 --env='REDMINE_PORT=443' --volume=/srv/docker/redmine/redmine:/home/redmine/data sameersbn/redmine:3.0.4
Connect to the newly created container:
docker exec -ti redmine_redmine_1 bash
cd /etc/nginx/
apt-get update
apt-get install nano
export TERM=xterm
Copy the redmine site file and name it redmine.conf:
cd sites-enabled/
cp redmine redmine.conf
Edit redmine.conf and replace appropriately:
server {
listen 0.0.0.0:80;
listen [::]:80;
rewrite ^ https://$host$request_uri? permanent;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
.......
.......
gzip off; # find the gzip directive in this block and set it to off
Edit /etc/nginx/nginx.conf: find the gzip directive and set it to gzip off; (disabling HTTP compression over TLS also removes the BREACH attack surface, so this is a sound default even though the page does not state its reason). Then find the line include /etc/nginx/sites-enabled/*; and replace it with:
include /etc/nginx/sites-enabled/redmine.conf;
Make the ssl directory in /etc/nginx/ and create the certificate and key with openssl (as for Apache above, replace CN=localhost with the host name or address users will connect to):
cd /etc/nginx/
mkdir ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/C=GR/ST=Athens/L=Athens/O= /OU= /CN=localhost"
Exit and restart container:
exit
docker restart redmine_redmine_1
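The openssl invocation is the same in the Ansible task, in the Apache steps for Drupal/Mediawiki and in the Redmine steps above. The script below is an added example, not code from the Orka project or from the container images it uses. It generates such a self-signed pair into a directory with a key that is never world-readable, then checks what the manual steps leave unchecked: that key and certificate belong together, that the certificate verifies as self-signed and is not about to expire, that the CN is the name clients will use, and that the key mode is 0600. Function names and the server.key/server.crt file names are this example's own; openssl and a POSIX sh are assumed.

```shell
#!/bin/sh
# Added example (not Orka project code): create and sanity-check a
# self-signed certificate pair like the ones the page installs for nginx
# and Apache.

# gen_selfsigned DIR CN [DAYS]
# Writes DIR/server.key and DIR/server.crt. umask 077 guarantees the key
# is created without group/world permissions rather than fixed up later.
gen_selfsigned() {
    dir="$1" cn="$2" days="${3:-3650}"
    mkdir -p "$dir"
    (umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=GR/ST=Athens/L=Athens/CN=$cn" >/dev/null 2>&1) || return 1
    chmod 600 "$dir/server.key"
    chmod 644 "$dir/server.crt"
}

# check_pair DIR CN
# Returns 0 only if every check passes; prints the first failure to stderr.
check_pair() {
    dir="$1" cn="$2"
    # 1. The private key and the certificate carry the same public key.
    k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ] \
        || { echo "key/cert mismatch in $dir" >&2; return 1; }
    # 2. Self-signed: the certificate must verify with itself as the only CA.
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "certificate does not verify as self-signed" >&2; return 1; }
    # 3. Not expiring within the next 30 days (2592000 s).
    openssl x509 -in "$dir/server.crt" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "certificate expires within 30 days" >&2; return 1; }
    # 4. The CN is what clients will connect to (matches both the old
    #    "/CN=x" and the new "CN = x" subject output formats).
    openssl x509 -in "$dir/server.crt" -noout -subject | grep -q "CN *= *$cn" \
        || { echo "CN is not $cn" >&2; return 1; }
    # 5. Key must be readable by its owner only (GNU stat, BSD stat fallback).
    mode=$(stat -c %a "$dir/server.key" 2>/dev/null || stat -f %Lp "$dir/server.key")
    [ "$mode" = 600 ] || { echo "key mode is $mode, expected 600" >&2; return 1; }
}

# Usage: gen_selfsigned /etc/nginx/ssl myhost.example && check_pair /etc/nginx/ssl myhost.example
```

Run check_pair again after copying a pair into a container: a key that was copied with a permissive umask, or a certificate whose CN was left as localhost, fails here instead of failing in a client.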