
Sample SSL configuration file for apache #264

Merged
merged 3 commits into from
Sep 14, 2017

Conversation

brainfunked
Contributor

@brainfunked brainfunked commented Sep 8, 2017

Scope

This configuration enables two scenarios:

  1. https delivery for both the API and the UI on an IP address on the host.
  2. Automatic redirect for all http requests to https, for both the API and the UI.

Pre-requisites:

  • mod_ssl package installed and the default configurations left unmodified.
  • The default SSL certificate and key paths are used; this certificate would be a self-signed certificate.
  • System administrator/tendrl-ansible needs to make adjustments to the configuration files after enabling them in apache to properly enable SSL:
    • Replace %ssl_virtualhost_ip% with the correct IP of the host.
    • Adjust the ServerName directive to reflect the FQDN that apache would serve requests over.

Limitations

This configuration file avoids modification to any of the configuration files installed by system packages. As such, this configuration file can only serve the scenarios where the requests are served over a specific IP. If this is undesirable, the VirtualHost for _default_:443 needs to be commented out in /etc/httpd/conf.d/ssl.conf (which is installed by the mod_ssl package) and the %ssl_virtualhost_ip% in both these files needs to be changed to _default_.

However, I have NOT tested this configuration.

Please refer to the apache wiki for more details.

Deployment Notes

@TimothyAsir The RPM package for tendrl-api must NOT install the apache.vhost-ssl.sample file with a .conf extension under /etc/httpd/conf.d. Copying it over as /etc/httpd/conf.d/tendrl-ssl.conf.sample should be fine. The file will not work without manual modifications. It is safe to deploy the apache.vhost.sample file as it is currently done, since it does not consider the SSL deployment as the default.

@mbukatov tendrl-ansible would need to implement the configuration steps listed in the Deployment Instructions section below.

Deployment Instructions

https support over a specific IP with no redirect

Deploy apache.vhost-ssl.sample as /etc/httpd/conf.d/tendrl-ssl.conf. If the RPM installs it correctly, copy (NOT move) the /etc/httpd/conf.d/tendrl-ssl.conf.sample file without the .sample extension. Make the following changes to this file:

  • Replace %ssl_virtualhost_ip% with the correct IP.
  • Adjust ServerName.

Thereafter, check if the configuration is valid using apachectl -t and reload httpd using systemctl reload httpd.service.

Automatic redirect of all http urls to https

After following the steps to enable https, as listed above, update the apache.vhost.sample file (which would already have been deployed by the tendrl-api RPM as /etc/httpd/conf.d/tendrl.conf) as follows:

  • Replace %ssl_virtualhost_ip% with the IP used in the SSL configuration file.
  • Un-comment the line which has the Redirect rule.
  • Comment out the lines which have the DocumentRoot, ProxyPass and ProxyPassReverse directives.

Thereafter, check if the configuration is valid using apachectl -t and reload httpd using systemctl reload httpd.service.

Further Actions Required

@nthomas-redhat once this configuration has been tested, the deployment instructions below (or maybe, most of this document, apart from this section) need to be documented officially.

@TimothyAsir the RPM spec file needs to be updated to copy over the apache.vhost-ssl.sample file to /etc/httpd/conf.d/tendrl-ssl.conf.sample.

@mbukatov the deployment instructions need to be automated. This may require the administrator to provide some configuration details such as the IP address and FQDN of the host (although, it is possible to automate this to a degree) and possibly the proper SSL certificate and key to be copied over.
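The two manual procedures in the Deployment Instructions (render tendrl-ssl.conf from the SSL sample, then turn the plain-http vhost into a redirect) as a POSIX shell script. This is an added example, not code from the tendrl-api repository or from this PR: the sample vhost files it writes are constructed stand-ins that contain only the directives the PR mentions (the real apache.vhost-ssl.sample and apache.vhost.sample differ), and the IP and FQDN values are placeholders. It copies rather than moves the samples, performs the placeholder/ServerName substitutions and comment toggles with sed, and refuses to proceed if a %ssl_virtualhost_ip% placeholder survives, which is the failure the PR warns about when the file is deployed without manual edits.

```shell
#!/bin/sh
# Added example (not part of tendrl-api): scripted version of the manual
# deployment steps from the PR description, run against constructed sample files.
set -eu

# Constructed stand-ins for the two sample files. Only directives named in the
# PR are modelled; the real files shipped by tendrl-api differ.
write_sample_files() {
  dir="$1"
  cat > "$dir/apache.vhost-ssl.sample" <<'EOF'
<VirtualHost %ssl_virtualhost_ip%:443>
    ServerName tendrl.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    DocumentRoot /var/www/tendrl
    ProxyPass /api http://127.0.0.1:9292/
    ProxyPassReverse /api http://127.0.0.1:9292/
</VirtualHost>
EOF
  cat > "$dir/apache.vhost.sample" <<'EOF'
<VirtualHost *:80>
    ServerName tendrl.example.com
    # Redirect permanent / https://%ssl_virtualhost_ip%/
    DocumentRoot /var/www/tendrl
    ProxyPass /api http://127.0.0.1:9292/
    ProxyPassReverse /api http://127.0.0.1:9292/
</VirtualHost>
EOF
}

# Step 1 ("https support over a specific IP with no redirect"): copy, never move,
# the SSL sample; substitute the IP placeholder and set ServerName to the FQDN.
render_ssl_conf() {
  sample="$1"; out="$2"; ip="$3"; fqdn="$4"
  sed -e "s/%ssl_virtualhost_ip%/$ip/g" \
      -e "s/^\([[:space:]]*ServerName\)[[:space:]].*/\1 $fqdn/" \
      "$sample" > "$out"
}

# Step 2 ("Automatic redirect of all http urls to https"): same IP substitution,
# un-comment the Redirect rule, comment out DocumentRoot/ProxyPass/ProxyPassReverse.
render_redirect_conf() {
  sample="$1"; out="$2"; ip="$3"
  sed -e "s/%ssl_virtualhost_ip%/$ip/g" \
      -e 's/^\([[:space:]]*\)#[[:space:]]*\(Redirect\)/\1\2/' \
      -e 's/^\([[:space:]]*\)DocumentRoot/\1# DocumentRoot/' \
      -e 's/^\([[:space:]]*\)ProxyPass/\1# ProxyPass/' \
      "$sample" > "$out"
}

# A rendered file that still carries the placeholder would make httpd fail to
# start; catch that before apachectl -t / systemctl reload are ever run.
check_rendered() {
  if grep -q '%ssl_virtualhost_ip%' "$1"; then
    echo "unreplaced %ssl_virtualhost_ip% in $1" >&2
    return 1
  fi
  return 0
}

# Render both files into conf_dir (/etc/httpd/conf.d on a real host).
deploy() {
  conf_dir="$1"; ip="$2"; fqdn="$3"
  render_ssl_conf "$conf_dir/apache.vhost-ssl.sample" "$conf_dir/tendrl-ssl.conf" "$ip" "$fqdn"
  render_redirect_conf "$conf_dir/apache.vhost.sample" "$conf_dir/tendrl.conf" "$ip"
  check_rendered "$conf_dir/tendrl-ssl.conf"
  check_rendered "$conf_dir/tendrl.conf"
  echo "rendered $conf_dir/tendrl-ssl.conf and $conf_dir/tendrl.conf;" \
       "now run: apachectl -t && systemctl reload httpd.service"
}

# Usage: sh deploy-tendrl-ssl.sh <conf_dir> <ip> <fqdn>   (placeholder values)
if [ -n "${3:-}" ]; then
  deploy "$1" "$2" "$3"
fi
```

The syntax check and reload are deliberately left to the operator as the final line of output rather than executed by the script, so a dry run in a scratch directory never touches the live httpd; on the real host the sequence is exactly the one the PR gives, apachectl -t followed by systemctl reload httpd.service.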

@nthomas-redhat
Contributor

I have verified and this works fine.

@TimothyAsir, make appropriate changes in the spec files and send a PR.
@mbukatov, please take care of this in tendrl-ansible. This is required for the sep-15 milestone.

@nthomas-redhat
Contributor

@anivargi , Please go ahead and merge this

@mbukatov
Contributor

mbukatov commented Sep 11, 2017

This may require the administrator to provide some configuration details such as the IP address and FQDN of the host

Is it ok to use the IP address where etcd is configured to listen? So far we were using the same public IP address for everything as a default, so I'm thinking about reusing it here as well (with an option to redefine via a variable if needed), but I would like to verify this idea.

I need to experiment a bit with ansible variables such as ansible_fqdn and ansible_hostname to check if I can use them here.

The default SSL certificate and key paths are used, this certificate would be a self-signed certificate.

What do you mean by this? Ah, you mean that the localhost cert created when the mod_ssl rpm package is installed will be used.

Also I see that in apache.vhost-ssl.sample there are:

/etc/pki/tls/certs/localhost.crt
/etc/pki/tls/private/localhost.key

What component is responsible for generating these? If you need tendrl-ansible to do this, could you provide more details on how exactly those certs are expected to be generated?

During 2017-09-12 dev meeting, Nishanth pointed out that this localhost cert is created during installation of mod_ssl package and we are going to use it by default, unless specified otherwise.

TimothyAsirJeyasing added a commit to TimothyAsirJeyasing/tendrl-api that referenced this pull request Sep 12, 2017
tendrl-bug-id: Tendrl#264
Signed-off-by: Timothy Asir J <tjeyasin@redhat.com>
TimothyAsirJeyasing added a commit to TimothyAsirJeyasing/tendrl-api that referenced this pull request Sep 14, 2017
tendrl-bug-id: Tendrl#264
Signed-off-by: Timothy Asir J <tjeyasin@redhat.com>
TimothyAsirJeyasing added a commit to TimothyAsirJeyasing/tendrl-api that referenced this pull request Sep 14, 2017
tendrl-bug-id: Tendrl#264
Signed-off-by: Timothy Asir J <tjeyasin@redhat.com>
TimothyAsirJeyasing added a commit to TimothyAsirJeyasing/tendrl-api that referenced this pull request Sep 14, 2017
tendrl-bug-id: Tendrl#264
Signed-off-by: Timothy Asir J <tjeyasin@redhat.com>
TimothyAsirJeyasing added a commit to TimothyAsirJeyasing/tendrl-api that referenced this pull request Sep 14, 2017
tendrl-bug-id: Tendrl#264
Signed-off-by: Timothy Asir J <tjeyasin@redhat.com>