Skip to content
This repository has been archived by the owner on May 11, 2019. It is now read-only.

Apache 2.2 Deployment

Jump to bottom
Bryan Worrell edited this page Mar 3, 2014 · 18 revisions

This page documents deploying YETI on an Apache 2.2. This page attempts to be complete and correct, but may have errors and omissions. If you see something that doesn't make sense, doesn't look right, or plain doesn't work, please feel free to send an email to taxii@mitre.org with a question or comment.

Please note that other deployment configurations may work. This is the one that we have verified.

This documentation assumes an operating system of RHEL 6.x, 64-bit (uname -a returns 2.6.32-358.11.1.el6.x86_64).

Requirements

Required Software Packages

These are required for YETI to run correctly

  1. Python 2.6 or 2.7 (3.x is not supported)
  2. Apache 2.2.x and mod_wsgi
  3. Django 1.5 (https://www.djangoproject.com/download/)
  4. libtaxii 1.1.101 or later (https://github.com/TAXIIProject/libtaxii/releases)
  5. libxml2 2.9.0 or later (http://www.xmlsoft.org/downloads.html)

Optional software packages

These are required for certain aspects of YETI to function properly.

HTTPS
  1. Apache mod_ssl yum install mod_ssl
MySQL

If you want YETI to use MySQL, you will need these software packages:

  1. MySQL-Server yum install mysql-server
  2. MySQL-Python yum install MySQL-python

Required Python libraries

  1. libtaxii 1.1.101 or higher (https://github.com/TAXIIProject/libtaxii/releases/)
  2. lxml latest version (http://lxml.de/index.html#download)

All the install commands:

This section lists all the install commands. You may have to run these as sudo, depending on your environment. This aims to be a comprehensive list, but may not be.

Note: If you are behind a proxy, you may need to set the proxy by issuing one (or both) of these commands: export http_proxy=http://proxy.example.com:80 and export https_proxy=http://proxy.example.com:80
Note: If you need to run via sudo and you want your userspace environment variables (like http_proxy) to be used, use the -E flag for sudo (e.g., sudo -E yum install XYZ)
Note: Some of these may be already installed on your system, depending on the distro.

  1. easy_install pip
  2. yum install git
  3. yum install python-devel
  4. yum install gcc
  5. yum install gcc-devel
  6. yum install libtool
  7. yum install libtool
  8. yum install libxml2
  9. yum install libxml2-devel
  10. yum install libxslt
  11. yum install libxslt-devel
  12. pip install libtaxii
  13. yum install httpd
  14. yum install mod_ssl
  15. yum install mod_wsgi
  16. yum install mysql-server
  17. pip install Django
  18. pip install lxml
  19. yum install mysql-server
  20. yum install MySQL-python
  21. git clone https://github.com/TAXIIProject/yeti.git (For the latest dev version)

Configuration

Apache configuration items. It is recommended to create a yeti.conf file in /etc/httpd/conf.d/ and place these values in it.

# Maximum size of the request body - set to the maximum limit you wish to allow. 0 allows any size.
LimitRequestBody 0

#WSGI Configs
WSGIApplicationGroup %{GLOBAL}
WSGISocketPrefix /var/run/wsgi

#Replace /data/yeti with the YETI path if it is different
WSGIDaemonProcess yeti python-path=/data/yeti
WSGIScriptAlias / /data/yeti/yeti/wsgi.py process-group=yeti application-group=%{GLOBAL}
Alias /static/ /data/yeti/yeti/static/

<Directory /data/yeti/yeti>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>

<VirtualHost _default_:443>
ServerName yourServerName

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/public.crt
SSLCertificateKeyFile /etc/pki/tls/private/private_nopass.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

#Comment out these if YETI will not use client certificate validation
SSLVerifyClient require
SSLCACertificateFile /data/yeti/yeti/client_certs/all_certs.cer
SSLVerifyDepth 5
SSLOptions StdEnvVars

</VirtualHost>


#This is the recommended configuration for the admin interface
Listen 8443
<VirtualHost _default_:8443>
ServerName yourServerName

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/public.crt
SSLCertificateKeyFile /etc/pki/tls/private/private_nopass.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

</VirtualHost>

Using Runserver to Configure YETI

Depending on how you will deploy YETI, you may need to configure some aspects of YETI before Apache will start. Most notably, Apache will complain if the SSLCACertificateFile is empty, but you need to use YETI to make the file not empty. The way around this is to run YETI with Django's runserver, configure the items you need, then start Apache.

SSL Client Certificates

Follow these instructions if you get the following error: SSLCACertificateFile: file '/data/yeti/yeti/client_certs/all_certs.cer' does not exist or is empty

  1. Start YETI using Django's runserver: python manage.py runserver 80 (or python manage.py runserver 0.0.0.0:80 if you need to connect remotely).
  2. Navigate to the http://hostname/admin/yeti/certificate/ URL.
  3. Enter a certificate.
  4. Done! You can stop Django's runserver and start Apache.
Clone this wiki locally