Configure a GeneWeb server for HTTPS access

From GeneWeb

You can reach your GeneWeb server over HTTPS either by properly configuring the Apache server in front of it when GeneWeb runs in CGI mode, or by accessing the service through a secure tunnel such as stunnel.

The following tutorial has been tested on a GNU/Linux machine running Ubuntu Server Edition 16.04 (Xenial Xerus) and on an OVH VPS server (SMP Debian 3.2.68-1+deb7u5 x86_64) in January 2017. It is most likely valid for other Linux derivatives, but may require small adjustments (please document those adjustments and update this page). At this time (01/17) it is not usable under macOS.

Prerequisites

GeneWeb must be installed either in CGI mode behind an Apache server, or directly in service (daemon) mode, listening on port 2317 in our example. In what follows, domaine.fr or www.domaine.fr stands for your own domain name; replace it by the server's IP address if you have no domain name.

Example:

http://www.domaine.fr/cgi-bin/geneweb.cgi

All commands in this tutorial are issued from a terminal window. nano is the text editor used here, but vi or any other editor of your choice can be used. Commands are executed as the super-user (root). This is achieved by typing sudo -s on Ubuntu or su root on Debian, followed by the password. Alternatively, every command can be prefixed with sudo; the password is then requested on the first occurrence, or after a significant period of inactivity, as in this example:

sudo chmod +x /usr/local/sbin/le-renew

Installing Let's Encrypt certificates

To obtain certificates, first download and install git, then the letsencrypt client. (Note: the letsencrypt-auto wrapper used below has since been retired; on current distributions install the certbot package instead, which accepts the same --apache and -d options.)

apt-get install git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt --depth=1

("--depth=1" tells git not to download the full history.)

Certificates are produced with the command:

/opt/letsencrypt/letsencrypt-auto --apache -d domaine.fr -d www.domaine.fr

or more simply:

/opt/letsencrypt/letsencrypt-auto

which asks interactively for the additional parameters.

Once created, the certificates are stored under /etc/letsencrypt/live/domaine.fr/ (symbolic links to the current versions kept in /etc/letsencrypt/archive/). The private key privkey.pem is readable by root only and must stay that way; any service that needs it must either run as root or be granted read access explicitly.

A comment about hosted solutions

When your service is hosted, distinguish the name of the hosting server from the name of your service. The following has been verified with OVH, but there should be an equivalent with other hosting providers.

Your site, known under the name monsite.fr, is in fact hosted on a machine called vps123456.ovh.net.

You cannot obtain certificates for vps123456.ovh.net, since you do not control that name. To obtain certificates for monsite.fr, the DNS zone of monsite.fr must carry the right data, in particular an A record pointing at the IP address of vps123456.ovh.net, because Let's Encrypt validates the name by contacting that address.

To find that address, type:

ping vps123456.ovh.net

(the host or dig utilities print it as well) and enter this IP address in the A record of the DNS zone for monsite.fr (Web/Domains/DNS zone in your OVH customer area). Allow time for DNS propagation before requesting the certificate.

Renewing certificates

Warning: Let's Encrypt certificates are valid for 90 days. They must be renewed with the command:

/opt/letsencrypt/letsencrypt-auto --apache --renew-by-default -d domaine.fr -d www.domaine.fr

This task can be automated with a script written by Erika Heidi, le-renew.sh. The commands below download the script, install it, and open the root crontab so that it is run on a schedule. Since the script runs as root, read it before installing it.

curl -L -o /usr/local/sbin/le-renew http://do.co/le-renew
chmod +x /usr/local/sbin/le-renew
crontab -e

In the editor opened by crontab -e, add the line:

0 6 * * 1 /usr/local/sbin/le-renew domaine.fr >> /var/log/le-renew.log

Every Monday at 6:00, the validity of the certificate is tested and it is renewed if necessary. If you use the stunnel set-up described below instead of Apache, stunnel must also be restarted after each renewal, since it reads the certificate only at start-up.
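The following script is an added example, not the wiki's instructions and not Erika Heidi's le-renew script: it implements the check that the weekly cron job performs, computing the days left on the certificate from the notAfter line printed by openssl x509, and running the page's renewal command only when fewer than a threshold number of days remain. The DOMAIN variable, the certificate path, the 30-day threshold and the Apache reload are assumptions to adapt; the date arithmetic is written in plain shell so that it does not depend on GNU date -d.

```shell
#!/bin/sh
# Added example (not the wiki's le-renew script). DOMAIN, THRESHOLD_DAYS,
# CERT and the reload command are assumptions; adapt them to your server.
DOMAIN=${DOMAIN:-domaine.fr}
THRESHOLD_DAYS=${THRESHOLD_DAYS:-30}
CERT=/etc/letsencrypt/live/$DOMAIN/cert.pem

# month_number Apr -> 4 (month names as printed by openssl x509 -enddate)
month_number() {
    case $1 in
        Jan) echo 1 ;; Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;; Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (proleptic
# Gregorian calendar, Howard Hinnant's algorithm), POSIX shell arithmetic only.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# notafter_to_epoch "notAfter=Apr  8 10:42:17 2017 GMT" -> seconds since epoch
notafter_to_epoch() {
    set -- ${1#notAfter=}                 # Apr 8 10:42:17 2017 GMT
    mon=$(month_number "$1") || return 1
    day=$2; hms=$3; year=$4
    hh=${hms%%:*}; rest=${hms#*:}; mm=${rest%%:*}; ss=${rest#*:}
    # strip one leading zero so that "08" is not parsed as an invalid octal number
    hh=${hh#0}; mm=${mm#0}; ss=${ss#0}
    days=$(days_from_civil "$year" "$mon" "$day")
    echo $(( days * 86400 + hh * 3600 + mm * 60 + ss ))
}

# cert_days_left NOTAFTER_LINE NOW_EPOCH -> whole days remaining, rounded
# toward zero (so 0 or negative once the certificate has expired)
cert_days_left() {
    expiry=$(notafter_to_epoch "$1") || return 1
    echo $(( (expiry - $2) / 86400 ))
}

# needs_renewal DAYS_LEFT THRESHOLD: true when renewal is due
needs_renewal() {
    [ "$1" -lt "$2" ]
}

# renew_if_needed: the cron job body, using the page's renewal command
renew_if_needed() {
    line=$(openssl x509 -noout -enddate -in "$CERT") || return 1
    left=$(cert_days_left "$line" "$(date +%s)") || return 1
    if needs_renewal "$left" "$THRESHOLD_DAYS"; then
        echo "$DOMAIN: $left day(s) left, renewing"
        /opt/letsencrypt/letsencrypt-auto --apache --renew-by-default \
            -d "$DOMAIN" -d "www.$DOMAIN" || return 1
        service apache2 reload    # stunnel users: service stunnel4 restart instead
    else
        echo "$DOMAIN: $left day(s) left, nothing to do"
    fi
}

# Run the check only when invoked with --run, e.g. from cron:
#   0 6 * * 1 /usr/local/sbin/check-cert --run >> /var/log/le-renew.log 2>&1
if [ "${1:-}" = "--run" ]; then
    renew_if_needed
fi
```

Install it as /usr/local/sbin/check-cert (an assumed name) and schedule it like the le-renew entry above; the renewal command is exactly the one given on this page, only the decision to run it is computed locally.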

HTTPS for GeneWeb in CGI mode behind Apache server

Configure the VirtualHosts for HTTPS access.

In /etc/apache2/sites-available, modify the VirtualHost:

cd /etc/apache2/sites-available
nano domaine.fr

Example:

<VirtualHost *:443>
   ...
      # SSLv2 and SSLv3 are disabled. TLS 1.0 and 1.1 have since been
      # deprecated (RFC 8996); with Apache 2.4.36+ and OpenSSL 1.1.1+ prefer
      # SSLProtocol -all +TLSv1.2 +TLSv1.3
      SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
      SSLHonorCipherOrder On
      # The commented-out variant still allows 3DES; the active one drops it
#     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
      SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
      SSLEngine on
      # fullchain.pem carries the server certificate plus the intermediate;
      # privkey.pem is root-only, which is fine because Apache opens it
      # before dropping privileges
      SSLCertificateFile /etc/letsencrypt/live/domaine.fr/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/domaine.fr/privkey.pem
   ...
</VirtualHost>

If you wish all plain HTTP requests to be redirected to HTTPS, configure the default VirtualHost accordingly (mod_rewrite must be enabled):

cd /etc/apache2/sites-available
nano domaine.fr

Example:

<VirtualHost *:80>
...
      RewriteEngine on
      # R=permanent sends a 301, which browsers cache; L stops further rules,
      # QSA keeps the query string (the GeneWeb base and page parameters)
      RewriteRule ^ https://domaine.fr%{REQUEST_URI} [L,QSA,R=permanent]
...
</VirtualHost>

In this configuration file, specify the name under which the hosted virtual server is reached (monsite.fr):

     ServerName monsite.fr
     ServerAlias www.monsite.fr

The benefit of this naming is that your domain name appears in the URL displayed by the browser (better visibility, and the internal hosting machine name is not published). The certificate is issued for exactly these names, so ServerName and ServerAlias must match the -d arguments given to letsencrypt-auto, otherwise browsers report a name mismatch.

Many Apache configuration tutorials covering other specific environments can be found on the Web.

HTTPS for GeneWeb in daemon or service mode on port 2317

Using GeneWeb in this mode requires wrapping it in a secure tunnel such as stunnel4, which terminates HTTPS on a public port (22317 below) and forwards the decrypted traffic to gwd on port 2317 over the loopback interface.

Stunnel4 installation is achieved with:

apt-get install stunnel4

Create /etc/stunnel/stunnel.conf from the template /usr/share/doc/stunnel4/examples/stunnel.conf-sample and adapt it to your own requirements:

cd /etc/stunnel
nano stunnel.conf

Example:

; **************************************************************************
; * General options                                                        *
; **************************************************************************
; It is recommended to drop privileges to a dedicated user and group
;setuid = stunnel4
;setgid = stunnel4
; A chroot for a little extra security
;chroot = /var/lib/stunnel4/
; The PID file is created inside the chroot
;pid = /var/run/stunnel.pid
; Useful to write to a log file in order to investigate problems
foreground = yes
debug = info
output = /var/log/stunnel4/stunnel.log
; Enable FIPS 140-2 mode if needed for compliance
;fips = yes
; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************
; Disable support for the insecure SSLv3 protocol
options = NO_SSLv3
; These options provide additional security at some performance degradation
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
; **************************************************************************
; * Include all configuration file fragments from the specified folder     *
; **************************************************************************
;include = /etc/stunnel/conf.d
; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************
[geneweb]
; public HTTPS port; "connect = 2317" with no host means localhost:2317, i.e. gwd
accept = 22317
connect = 2317
cert=/etc/letsencrypt/live/domaine.fr/fullchain.pem
key=/etc/letsencrypt/live/domaine.fr/privkey.pem

In the configuration file above, the following two parameters can be changed:

  • foreground = yes: stunnel stays attached to the terminal it was launched from, and its debug messages appear there. Commenting this parameter out (;) launches stunnel in the background.
  • debug = info: possible values are emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6) or debug (7); more or less detailed information is recorded in the log file.

Two further points. The setuid/setgid lines are commented out, so stunnel runs as root and can read privkey.pem; if you enable them, the stunnel4 user must be given read access to the key. And since stunnel loads the certificate at start-up, it must be restarted after each Let's Encrypt renewal.

Adjust the owner and group of the configuration directory:

cd ..
chown -Rf stunnel4:stunnel4 stunnel/

Activate stunnel by setting ENABLED in the file /etc/default/stunnel4:

nano /etc/default/stunnel4
ENABLED=1

Start and stop stunnel with the commands:

/etc/init.d/stunnel4 stop
/etc/init.d/stunnel4 start

or:

/etc/init.d/stunnel4 restart

You may now connect to your service at any of the addresses below (the certificate is issued for the domain names only, so the IP address form triggers a name-mismatch warning in the browser):

https://www.domaine.fr:22317
https://domaine.fr:22317
https://IP:22317

Firewall

If you are using a firewall such as iptables, adjust its configuration. If you host the service at home, you must also forward the relevant TCP ports on your router (box). Note that the stunnel set-up only protects traffic on port 22317: gwd itself still listens in plaintext on port 2317, so that port must not be reachable from outside (drop it in the firewall, or make gwd listen on the loopback address only), otherwise the tunnel is trivially bypassed.

Example rules for iptables (the -m state module is the older name of -m conntrack):

# accept new HTTPS connections to the stunnel port, and their later packets
/sbin/iptables -A INPUT  -p tcp --dport 22317 -m state --state NEW,ESTABLISHED -j ACCEPT
# let the replies out
/sbin/iptables -A OUTPUT  -p tcp --sport 22317 -m state --state ESTABLISHED -j ACCEPT
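The script below is an added example, not part of this wiki page or of GeneWeb, for checking a deployment done either the Apache way (the VirtualHost sections above) or the stunnel way, from another machine: it verifies that plain HTTP is permanently redirected to https://, that the TLS endpoint refuses TLS 1.0 and 1.1 handshakes, and that gwd's plaintext port 2317 does not answer from outside. HOST and the port numbers are assumptions taken from the page's placeholders (domaine.fr, 443 for Apache, 22317 for stunnel) and must be adapted; it assumes curl, openssl and nc are available on the client machine, and the redirect check only applies to the Apache route.

```shell
#!/bin/sh
# Added example: post-deployment checks for the set-ups on this page.
# HOST and the ports are assumed placeholders; adapt them.
HOST=${HOST:-domaine.fr}
TLS_PORT=${TLS_PORT:-443}        # 22317 for the stunnel route
PLAIN_PORT=${PLAIN_PORT:-2317}   # gwd's own port, must not answer from outside

# check_redirect_headers HOST: read HTTP response headers on stdin; succeed
# only for a permanent redirect (301/308) to https:// on the same host.
# Pure text processing, so it can be exercised without a server.
check_redirect_headers() {
    want=$1
    cr=$(printf '\r')
    status=""; location=""
    while IFS= read -r line; do
        line=${line%"$cr"}                      # header lines end with CRLF
        case $line in
            HTTP/*)        set -- $line; status=$2 ;;
            [Ll]ocation:*) location=${line#*:}; location=${location# } ;;
        esac
    done
    case $status in 301|308) ;; *) return 1 ;; esac
    case $location in
        "https://$want" | "https://$want/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# tls_version_rejected HOST PORT FLAG: succeed when a handshake forced to a
# legacy version (-tls1, -tls1_1) is refused. An OpenSSL built without
# TLS 1.0/1.1 cannot offer them at all, so this then passes vacuously;
# the same happens if the host is unreachable.
tls_version_rejected() {
    ! openssl s_client -connect "$1:$2" -servername "$1" "$3" \
        </dev/null >/dev/null 2>&1
}

# port_closed HOST PORT: succeed when no TCP connection can be made
# (nc -z only connects, it sends nothing).
port_closed() {
    ! nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# run_checks: returns the number of failed checks (0 means all passed)
run_checks() {
    failed=0
    if curl -sS -I --max-time 10 "http://$HOST/" 2>/dev/null \
        | check_redirect_headers "$HOST"; then
        echo "ok   http://$HOST/ redirects permanently to https://"
    else
        echo "FAIL http://$HOST/ does not redirect to https:// (Apache route only)"
        failed=$((failed + 1))
    fi
    for flag in -tls1 -tls1_1; do
        if tls_version_rejected "$HOST" "$TLS_PORT" "$flag"; then
            echo "ok   $HOST:$TLS_PORT refuses $flag"
        else
            echo "FAIL $HOST:$TLS_PORT still accepts $flag"
            failed=$((failed + 1))
        fi
    done
    if port_closed "$HOST" "$PLAIN_PORT"; then
        echo "ok   plaintext port $PLAIN_PORT is not reachable from here"
    else
        echo "FAIL plaintext port $PLAIN_PORT answers from outside: gwd bypasses the tunnel"
        failed=$((failed + 1))
    fi
    return $failed
}

# Run the checks only when invoked with --run, e.g.:
#   HOST=domaine.fr TLS_PORT=22317 sh check-geneweb-https.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it from a machine outside your network, since the point of the last check is to see what the Internet sees; a successful result for port 2317 from the server itself proves nothing.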
