This repository has been archived by the owner on May 11, 2019. It is now read-only.

Apache 2.2 Deployment

MarkDavidson edited this page Jul 24, 2013 · 18 revisions

This page documents deploying YETI on Apache 2.2. It attempts to be complete and correct, but may have errors and omissions. If you see something that doesn't make sense, doesn't look right, or plain doesn't work, please send an email to taxii@mitre.org with a question or comment.

Please note that other deployment configurations may work. This is the one that we have verified.

This documentation assumes an operating system of RHEL 6.x, 64-bit (uname -a returns 2.6.32-358.11.1.el6.x86_64).

Requirements

Required Software Packages

These are required for YETI to run correctly.

  1. Python 2.6 or 2.7 (3.x is not supported)
  2. Apache 2.2.x and mod_wsgi (yum install httpd mod_wsgi)
  3. Django 1.4 (https://www.djangoproject.com/download/)
  4. libxml2 2.9.0 or later (http://www.xmlsoft.org/downloads.html)

Optional software packages

These are required for certain aspects of YETI to function properly.

HTTPS

If you want YETI served over HTTPS (the configuration below assumes it), you will need:

  1. Apache mod_ssl (yum install mod_ssl)

MySQL

If you want YETI to use MySQL, you will need these software packages:

  1. MySQL-Server (yum install mysql-server)
  2. MySQL-Python (yum install MySQL-python)

Required Python libraries

  1. libtaxii 1.0.105 or higher (https://github.com/TAXIIProject/libtaxii/releases/)
  2. lxml latest version (http://lxml.de/index.html#download)

Configuration

Apache configuration items. Create a yeti.conf file in /etc/httpd/conf.d/ and place these values in it (the stock RHEL httpd.conf includes every *.conf file in that directory).

# Maximum size of the request body in bytes. 0 disables the limit (it is also
# Apache's default) and lets any client send arbitrarily large POSTs, so set
# this to the largest TAXII message you expect to accept, e.g. 10485760 for 10 MB.
LimitRequestBody 0

#WSGI Configs
WSGIApplicationGroup %{GLOBAL}
WSGISocketPrefix /var/run/wsgi

#Replace /data/yeti with the YETI path if it is different. To run the daemon as
# a dedicated unprivileged account instead of the httpd user, add the mod_wsgi
# options user=<account> group=<group>; that account must be able to read the YETI tree.
WSGIDaemonProcess yeti python-path=/data/yeti
WSGIScriptAlias / /data/yeti/yeti/wsgi.py process-group=yeti application-group=%{GLOBAL}
Alias /static/ /data/yeti/yeti/static/

<Directory /data/yeti/yeti>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>

<VirtualHost _default_:443>
ServerName yourServerName

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
# SSLv3 is no longer safe (POODLE) and RC4 is a deprecated cipher; both were
# customary when this page was written. On any httpd/OpenSSL build that accepts
# them, prefer SSLProtocol -ALL +TLSv1.2 (or +TLSv1 +TLSv1.1 +TLSv1.2 if old
# clients must connect) and a cipher list such as HIGH:!aNULL:!MD5:!RC4, then
# run apachectl configtest: older mod_ssl builds reject protocol tokens they do not know.
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
# The key is unencrypted so httpd can start unattended; keep it owned by root with mode 0600.
SSLCertificateFile /etc/pki/tls/certs/public.crt
SSLCertificateKeyFile /etc/pki/tls/private/private_nopass.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

#Comment out these if YETI will not use client certificate validation.
# all_certs.cer is the file YETI writes from the certificates entered in its
# admin (see "SSL Client Certificates" below); mod_ssl refuses to start while it is empty.
SSLVerifyClient require
SSLCACertificateFile /data/yeti/yeti/client_certs/all_certs.cer
SSLVerifyDepth 5
# StdEnvVars exports the SSL_CLIENT_* variables (subject, serial, verify result)
# to the WSGI application, which is how YETI learns who presented the certificate.
SSLOptions StdEnvVars

</VirtualHost>


#This is the recommended configuration for the admin interface: a second TLS
# listener that does not require a client certificate. WSGIScriptAlias above is
# set outside any vhost, so both listeners serve the same application; the only
# difference is the client certificate requirement. Limit who can reach 8443
# (firewall, or Order/Deny/Allow inside this vhost) rather than exposing it broadly.
Listen 8443
<VirtualHost _default_:8443>
ServerName yourServerName

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
# No SSLProtocol is set here, so this listener uses mod_ssl's default; set it
# explicitly, to the same value as the 443 vhost, rather than relying on that.
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/public.crt
SSLCertificateKeyFile /etc/pki/tls/private/private_nopass.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

</VirtualHost>
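To make the weak settings in the fragment above easy to spot on a real server, here is an added shell audit. It is example code written for this page, not part of YETI or of the verified configuration. It reads a yeti.conf-style file and flags SSLv2/SSLv3 in SSLProtocol, RC4 in SSLCipherSuite, LimitRequestBody 0, and any SSLEngine on vhost without an SSLProtocol of its own; it also notes vhosts with no SSLVerifyClient, which is informational only, since the admin listener is meant to work without client certificates. The two sample configurations it writes are constructed for the example: the first mirrors the directives above, the second is a hardened counterpart whose TLSv1.1/TLSv1.2 tokens, 10 MB body limit and 10.0.0.0/8 admin range are assumptions (only mod_ssl builds that know those tokens accept them; run apachectl configtest after editing).

```shell
#!/bin/sh
# Added example (not YETI project code): audit an Apache 2.2 mod_ssl fragment
# such as /etc/httpd/conf.d/yeti.conf for the weak settings discussed above.
# Usage: audit_apache_ssl /etc/httpd/conf.d/yeti.conf
# Prints one line per finding; exit status 1 if any WEAK finding, else 0.
# NOTE lines are informational and do not affect the exit status.

audit_apache_ssl() {
    awk '
    /^[ \t]*#/ { next }                 # Apache only treats # at line start as a comment
    /^[ \t]*<VirtualHost/ { invh = 1; vh = $0; eng = 0; proto = 0; verify = 0; next }
    /^[ \t]*<\/VirtualHost>/ {
        if (eng && !proto && !gproto) {
            print "WEAK " vh ": SSLEngine on but no SSLProtocol (uses mod_ssl default)"; n++
        }
        if (eng && !verify) print "NOTE " vh ": no SSLVerifyClient (server certificate only)"
        invh = 0; next
    }
    /^[ \t]*SSLProtocol[ \t]/ {
        if (invh) proto = 1; else gproto = 1
        if ($0 ~ /[+]SSLv[23]/) { print "WEAK line " NR ": SSLv2/SSLv3 enabled: " $0; n++ }
    }
    /^[ \t]*SSLCipherSuite[ \t]/ && $0 ~ /[ :]RC4/ {
        print "WEAK line " NR ": RC4 allowed: " $0; n++
    }
    /^[ \t]*LimitRequestBody[ \t]+0[ \t]*$/ {
        print "WEAK line " NR ": LimitRequestBody 0 disables the request body limit"; n++
    }
    invh && /^[ \t]*SSLEngine[ \t]+on/ { eng = 1 }
    invh && /^[ \t]*SSLVerifyClient[ \t]+(require|optional)/ { verify = 1 }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample mirroring the directives on this page (not the full file).
write_page_conf() {
    cat >"$1" <<'EOF'
LimitRequestBody 0
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLVerifyClient require
SSLVerifyDepth 5
</VirtualHost>
Listen 8443
<VirtualHost _default_:8443>
SSLEngine on
# SSLProtocol all   -- commented out, so the audit ignores it
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
</VirtualHost>
EOF
}

# Hardened counterpart. Assumptions: the mod_ssl build accepts the TLSv1.1 and
# TLSv1.2 tokens, 10 MB covers the largest TAXII message, and 10.0.0.0/8 is the
# network the admin interface should be reachable from.
write_hardened_conf() {
    cat >"$1" <<'EOF'
LimitRequestBody 10485760
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLVerifyClient require
SSLVerifyDepth 5
</VirtualHost>
Listen 8443
<VirtualHost _default_:8443>
SSLEngine on
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
<Location />
Order deny,allow
Deny from all
Allow from 10.0.0.0/8
</Location>
</VirtualHost>
EOF
}

# Demo: audit the page-style fragment, then the hardened one.
demo_dir=$(mktemp -d)
write_page_conf "$demo_dir/yeti.conf"
write_hardened_conf "$demo_dir/yeti-hardened.conf"
echo "== page-style fragment =="
audit_apache_ssl "$demo_dir/yeti.conf" || echo "(exit $?: weak settings found)"
echo "== hardened fragment =="
audit_apache_ssl "$demo_dir/yeti-hardened.conf" && echo "(exit 0: no weak settings)"
rm -rf "$demo_dir"
```

Run it against the real file with audit_apache_ssl /etc/httpd/conf.d/yeti.conf; the hardened fragment still produces one NOTE for the 8443 listener, which is by design, and that is why NOTE lines do not change the exit status.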

Using Runserver to Configure YETI

Depending on how you will deploy YETI, you may need to configure some aspects of YETI before Apache will start. Most notably, Apache will complain if the SSLCACertificateFile is empty, but you need to use YETI to make the file not empty. The way around this is to run YETI with Django's runserver, configure the items you need, then start Apache.

SSL Client Certificates

Follow these instructions if you get the following error: SSLCACertificateFile: file '/data/yeti/yeti/client_certs/all_certs.cer' does not exist or is empty

  1. Start YETI using Django's runserver: python manage.py runserver 80 (or python manage.py runserver 0.0.0.0:80 if you need to connect remotely). Binding port 80 needs root, and runserver is Django's development server speaking plain HTTP, so the admin login travels in the clear; prefer the default loopback binding with an SSH tunnel, or bind 0.0.0.0 only briefly on a trusted network.
  2. Navigate to the http://hostname/admin/yeti/certificate/ URL and log in with the Django admin account.
  3. Enter a certificate.
  4. Done! You can stop Django's runserver and start Apache (service httpd start).
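Before starting Apache, a practitioner will want a repeatable check for the two conditions this section and the vhost configuration above turn on: a non-empty SSLCACertificateFile and a private key that only its owner can read. The following shell pre-flight is an added example written for this page, not YETI project code. It counts PEM blocks textually (it does not parse the certificates; openssl x509 -noout -in on each block would do that), checks the key's mode with ls so it works with either GNU or BSD userland, and the fixture files it writes for its demo contain constructed placeholder bodies rather than real certificates. The paths in the usage comment are the ones used in this page's configuration.

```shell
#!/bin/sh
# Added example (not YETI project code): pre-flight checks for the files the
# configuration on this page needs before httpd will start.
# Usage: yeti_preflight /data/yeti/yeti/client_certs/all_certs.cer \
#                       /etc/pki/tls/private/private_nopass.key
# Exit 0 when Apache can be started, 1 when something must be fixed first.

# Number of PEM certificate blocks in a bundle; 0 for a missing or empty file.
pem_cert_count() {
    [ -s "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true   # grep -c exits 1 on zero matches
}

# True when the file is readable by its owner only. ls -ld columns 5-10 hold
# the group and other permission bits on both GNU and BSD userlands.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

yeti_preflight() {
    bundle=$1; key=$2; ok=0
    begins=$(pem_cert_count "$bundle")
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$bundle" 2>/dev/null || true)
    ends=${ends:-0}
    if [ "$begins" -eq 0 ]; then
        echo "FAIL: $bundle is missing or empty; mod_ssl refuses to start (SSLCACertificateFile)."
        echo "      Run python manage.py runserver, add a certificate at /admin/yeti/certificate/, then retry."
        ok=1
    elif [ "$begins" -ne "$ends" ]; then
        echo "FAIL: $bundle has $begins BEGIN but $ends END markers; a certificate is truncated."
        ok=1
    else
        echo "OK:   $bundle holds $begins client certificate(s)."
    fi
    if [ ! -f "$key" ]; then
        echo "FAIL: private key $key not found."; ok=1
    elif ! key_is_private "$key"; then
        echo "FAIL: $key is readable by group or others; the key is unencrypted, so chmod 600 it."; ok=1
    else
        echo "OK:   $key is readable only by its owner."
    fi
    return $ok
}

# Constructed fixtures for the demo; the PEM bodies are placeholders, not real certificates.
make_fixtures() {
    : >"$1/empty.cer"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderNotARealCertificate' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderNotARealCertificate' '-----END CERTIFICATE-----' >"$1/all_certs.cer"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderNotARealCertificate' >"$1/truncated.cer"
    printf 'placeholder key material\n' >"$1/private_nopass.key"; chmod 600 "$1/private_nopass.key"
    printf 'placeholder key material\n' >"$1/loose.key";          chmod 644 "$1/loose.key"
}

# Demo: one passing run, one failing run.
demo=$(mktemp -d); make_fixtures "$demo"
yeti_preflight "$demo/all_certs.cer" "$demo/private_nopass.key" && echo "-> safe to start httpd"
yeti_preflight "$demo/empty.cer" "$demo/loose.key" || echo "-> fix the FAIL items first"
rm -rf "$demo"
```

Follow a clean run with apachectl configtest and service httpd start; the FAIL text for an empty bundle repeats the runserver workaround described above.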