26
edits
Changes
From Amahi Wiki
no edit summary
heading =WARNING|
message = This is recommended only for advanced users, proceed with caution.}}
= HTTPS in Amahi 6 and earlier =
'''NOTE:''' This has not been tested with Amahi 7. Following this guidance is at your own risk and could break your HDA.
service httpd restart
* And that's all, you now have 128 bit encryption for AjaXplorer. Note that when you uninstall the app, you will need to manually remove the '''1026-ajaxplorerhttp.conf''' file you created.
= HTTPS for Amahi 7 apps =
These instructions are for advanced users that wish to set up https access to apps on Amahi 7 (Fedora 19). Use at your own risk.
== 1. Install prerequisite packages and set up certificates ==
As a root user, run:
<pre>yum install -y openssl mod_ssl
cd /etc/pki/tls/certs
make server.key</pre>
You should get prompts to enter and confirm a passphrase. Now we want to remove the passphrase from the private key:
<pre>openssl rsa -in server.key -out server.key </pre>
You'll be prompted to add the passphrase again to confirm. Now we make a certificate server request file
<pre>make server.csr</pre>
You'll now enter the information that will appear on the certificate request. Make sure that the "Common Name" matches your server domain.
Once you've entered these, you want to generate your private key:
<pre>openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650</pre>
You should get a message saying Signature ok, with the details for the certificate that you just entered, followed by "Getting private key".
==2. Configure your httpd install for ssl==
Still as root, edit /etc/httpd/conf.d/ssl.conf as follows:
<pre>#Line 59: uncomment
DocumentRoot "/var/www/html"
#Line 60: uncomment and specify server name (use your server name)
ServerName www.exampleserver.com:443
#Line 100: specify certificate
SSLCertificateFile /etc/pki/tls/certs/server.crt
#Line 107: specify certification key
SSLCertificateKeyFile /etc/pki/tls/certs/server.key</pre>
==3. Configure the web apps you want to make accessible by SSL==
Go to /etc/httpd/conf.d and edit the conf file for the app you want to move to ssl. For this example I will use owncloud. On my HDA the owncloud conf was 1005-owncould8.conf; the number may differ for you. Remember to back up the original in case you make an error.
<pre>cd /etc/httpd/conf.d
ls -l #check the filename of the relevant conf file.
cp 1005-owncloud8.conf 1006-owncloud8.conf.old
vi 1005-owncloud.conf</pre>
Edit your file to change the virtualhost to port 443, and turn on SSL encryption. Your files should look something like the following, with appropriate edits to suit your internal and external server names:
<pre><VirtualHost *:443>
ServerName owncloud8
ServerAlias owncloud8.home.com
ServerAlias owncloud8.exampleserver.com
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
DocumentRoot /var/hda/web-apps/owncloud8/html
<Directory "/var/hda/web-apps/owncloud8/html">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/hda/web-apps/owncloud8/logs/error_log
CustomLog /var/hda/web-apps/owncloud8/logs/access_log combined env=!dontlog
</VirtualHost></pre>
Now we need to redirect http requests to the new https instance. Create a new conf file for the redirect:
<pre>vi 1006-owncloud8http.conf (number may be different for you) and add this code (change the example server to match yours):
<VirtualHost *:80>
ServerName ajaxplorer
ServerAlias owncloud8.home.com
ServerAlias owncloud8.exampleserver.com
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
ExpiresDefault "access plus 10 years"
AddOutputFilterByType DEFLATE text/html text/plain text/xml
</VirtualHost></pre>
Now you need to restart apache:
<pre>systemctl restart httpd.service</pre>
==4. Test==
Direct a browser to the app link and you should now get a https link. Note that your browsers will all give a warning that the certificate is not trusted because it has not been issued by a proper authority. Once you've accepted the warning, you should have an https connection to your app.
==== See also ====
[[Access HDA over SSL]]
