There have been a couple of times when I’ve been forced to run application front ends over SSL with valid certificates. In the big and scary enterprise world this is easily overcome by throwing money at the problem and a late night or two for the ops team.
It gets harder when the budget and skills are short or when the project is your own. Figuring out how and where the application wants you to put the certificates can be a chore and a colossal waste of time.
Enter the saviours: Ubuntu, Apache and Let’s Encrypt.
The setup is as follows:
A firewall with an available public IP.
Ubuntu server 16.04 (zeus.devzero.co.za) in its own DMZ behind the firewall, with an internal IP.
In a separate DMZ, our application servers, mittens.devzero.local and tinkerbell.devzero.local.
Mittens and Tinkerbell currently listen only on HTTP and are not reachable directly from the internet (the firewall should allow only zeus to reach them on port 80, which is what keeps that true). We would like to reach the web pages on them over HTTPS at the following URLs: https://zeus.devzero.co.za/mittens and https://zeus.devzero.co.za/tinkerbell
So first, install Apache and some dependencies (apache2 is all that is actually needed below; build-essential and libxml2-dev are only useful if you intend to build modules from source):
ubuntu@zeus:~$ sudo apt-get -y install apache2 build-essential libxml2-dev
Next, use a2enmod to activate the relevant mods. Paste the following line of garbage at its prompt:
proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_html ssl
Only proxy, proxy_http and ssl are strictly needed for what follows (headers and rewrite are handy to have); the rest are surplus. proxy_connect in particular enables CONNECT tunnelling and is only harmless because ProxyRequests stays Off (the Apache 2.4 default), which keeps zeus from acting as a forward proxy. Enable what you need and nothing more.
ubuntu@zeus:~$ sudo a2enmod
Your choices are: access_compat actions alias allowmethods asis auth_basic auth_digest auth_form authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authnz_fcgi authnz_ldap authz_core authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex buffer cache cache_disk cache_socache cgi cgid charset_lite data dav dav_fs dav_lock dbd deflate dialup dir dump_io echo env expires ext_filter file_cache filter headers heartbeat heartmonitor ident include info lbmethod_bybusyness lbmethod_byrequests lbmethod_bytraffic lbmethod_heartbeat ldap log_debug log_forensic lua macro mime mime_magic mpm_event mpm_prefork mpm_worker negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_express proxy_fcgi proxy_fdpass proxy_ftp proxy_html proxy_http proxy_scgi proxy_wstunnel ratelimit reflector remoteip reqtimeout request rewrite sed session session_cookie session_crypto session_dbd setenvif slotmem_plain slotmem_shm socache_dbm socache_memcache socache_shmcb speling ssl status substitute suexec unique_id userdir usertrack vhost_alias xml2enc
Which module(s) do you want to enable (wildcards ok)?
proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_html ssl
Module proxy already enabled
Considering dependency proxy for proxy_ajp:
Module proxy already enabled
Module proxy_ajp already enabled
Considering dependency proxy for proxy_http:
Module proxy already enabled
Module proxy_http already enabled
Module rewrite already enabled
Considering dependency filter for deflate:
Module filter already enabled
Module deflate already enabled
Module headers already enabled
Considering dependency proxy for proxy_balancer:
Module proxy already enabled
Considering dependency alias for proxy_balancer:
Module alias already enabled
Considering dependency slotmem_shm for proxy_balancer:
Module slotmem_shm already enabled
Module proxy_balancer already enabled
Considering dependency proxy for proxy_connect:
Module proxy already enabled
Module proxy_connect already enabled
Considering dependency proxy for proxy_html:
Module proxy already enabled
Module proxy_html already enabled
Next up, install certbot. The PPA was how certbot was shipped for 16.04 at the time; newer releases carry it in the main repositories or as a snap, so check https://certbot.eff.org for the current instructions for your release.
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
Next copy /etc/apache2/sites-enabled/000-default.conf to a new file called zeus.devzero.co.za.conf. (sites-enabled normally holds only symlinks to files in sites-available; a real file there works, and certbot will create its -le-ssl.conf next to it, but if you prefer the Debian convention, copy it into sites-available and enable it with a2ensite instead.)
ubuntu@zeus:~$ sudo cp /etc/apache2/sites-enabled/000-default.conf /etc/apache2/sites-enabled/zeus.devzero.co.za.conf
Next open this file in your favourite text editor and add the following line just under DocumentRoot. It must be the public DNS name you want a certificate for, since it is what certbot reads to build its menu. Then restart Apache (sudo apache2ctl configtest first is a cheap way to catch a typo before the restart):
ServerName zeus.devzero.co.za
ubuntu@zeus:~$ sudo systemctl restart apache2
Now we can run certbot --apache. It’s a wizard that walks you through securing the site. You can also run it in non-interactive mode. Check out https://certbot.eff.org/#ubuntuxenial-apache for more info.
ubuntu@zeus:~$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: zeus.devzero.co.za
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for zeus.devzero.co.za
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
Created an SSL vhost at /etc/apache2/sites-enabled/zeus.devzero.co.za-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/zeus.devzero.co.za-le-ssl.conf

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/zeus.devzero.co.za.conf to ssl vhost in /etc/apache2/sites-enabled/zeus.devzero.co.za-le-ssl.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://zeus.devzero.co.za

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=zeus.devzero.co.za
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/zeus.devzero.co.za/fullchain.pem. Your cert will
   expire on 2017-06-24. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Two things in that transcript have changed since it was captured. Let’s Encrypt has retired both the tls-sni-01 challenge and the acme-v01 endpoint, so a current certbot validates with http-01, which needs port 80 on zeus reachable from the internet (the plain-HTTP vhost, which certbot then redirects to HTTPS). And the certificate is only good for 90 days, so make sure unattended renewal actually works: the certbot package installs a cron job or systemd timer that runs certbot renew, and sudo certbot renew --dry-run proves it can reach the CA and reload Apache before you depend on it.
Now we can finally get to the reverse proxy. Remember, we want zeus.devzero.co.za to fetch the web content that lives on mittens.devzero.local (over plain HTTP, inside the DMZs) and serve it back to the requesting client over HTTPS, simply by adding /mittens to the URL.
Add the following lines, inside the <VirtualHost *:443> block, to /etc/apache2/sites-enabled/zeus.devzero.co.za-le-ssl.conf: two lines per ‘application’, plus ProxyPreserveHost once. ProxyPreserveHost applies to the whole vhost, so repeating it per application does nothing. Note the trailing slash on both sides of each mapping: with ProxyPass /mittens on the left and a slash on the right, /mittens/foo would be passed on as //foo and /mittensfoo would match as well.
ProxyPreserveHost On
ProxyPass /mittens/ http://mittens.devzero.local:80/
ProxyPassReverse /mittens/ http://mittens.devzero.local:80/
ProxyPass /tinkerbell/ http://tinkerbell.devzero.local:80/
ProxyPassReverse /tinkerbell/ http://tinkerbell.devzero.local:80/
Two caveats. A bare https://zeus.devzero.co.za/mittens (no slash) no longer matches; either type the slash or add a RedirectMatch ^/mittens$ /mittens/ so relative links in the app resolve under the prefix. And with ProxyPreserveHost On the application sees Host: zeus.devzero.co.za, so any absolute URL it builds from the Host header will be http:// and will lack the /mittens prefix; ProxyPassReverse only rewrites Location headers that begin with the backend URL, so an app that does this needs its base URL configured (or ProxyPreserveHost Off). ProxyRequests stays at its default of Off, so zeus only proxies these two prefixes and never acts as a general forward proxy.
Now all that’s left to do is visit the two URLs above, and run the SSL Labs test certbot pointed you at.
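For repeat deployments, here is the whole procedure above (module activation, the HTTP vhost, certificate issuance and the reverse-proxy stanza) as one non-interactive script. This is an added example and not from the original post; it assumes the hostname and backends used above and a contact address for certbot (hostmaster@devzero.co.za, made up here), and it uses certbot’s current http-01 validation rather than the retired tls-sni-01. The two render functions can be run on their own to inspect the generated config before anything is installed.

```shell
#!/bin/sh
# Added example (not part of the original post): the setup above as one
# non-interactive script. Assumed values, change to suit: the public
# hostname, the backends, and the contact address handed to certbot.
set -eu

SERVER_NAME="${SERVER_NAME:-zeus.devzero.co.za}"
CERT_EMAIL="${CERT_EMAIL:-hostmaster@devzero.co.za}"   # assumed contact address
# <prefix>=<backend> pairs; each app is published at https://$SERVER_NAME/<prefix>/
BACKENDS="${BACKENDS:-mittens=http://mittens.devzero.local tinkerbell=http://tinkerbell.devzero.local}"

# Render the reverse-proxy stanza that belongs inside the *:443 vhost.
# Both sides of every mapping end in "/", so /mittens/x becomes
# http://mittens.devzero.local/x (no "//", and /mittensfoo is not captured),
# and a bare /mittens is redirected to /mittens/ so the app's relative links
# resolve under the prefix. ProxyRequests Off is the 2.4 default; it is
# stated explicitly because this host must never act as a forward proxy.
render_proxy_stanza() {
    echo "    ProxyRequests Off"
    echo "    ProxyPreserveHost On"
    for pair in $BACKENDS; do
        name="${pair%%=*}"
        backend="${pair#*=}"
        backend="${backend%/}/"          # exactly one trailing slash
        echo "    RedirectMatch ^/${name}\$ /${name}/"
        echo "    ProxyPass        /${name}/ ${backend}"
        echo "    ProxyPassReverse /${name}/ ${backend}"
    done
}

# Render the plain-HTTP vhost; certbot reads ServerName from it to decide
# which name to certify, and http-01 validation arrives on this port.
render_http_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName ${SERVER_NAME}
    DocumentRoot /var/www/html
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
}

install_and_issue() {
    sudo apt-get -y install apache2
    sudo a2enmod proxy proxy_http headers rewrite ssl   # only what this setup needs
    sudo add-apt-repository -y ppa:certbot/certbot
    sudo apt-get update && sudo apt-get -y install python-certbot-apache
    render_http_vhost | sudo tee "/etc/apache2/sites-available/${SERVER_NAME}.conf" >/dev/null
    sudo a2ensite "${SERVER_NAME}"
    sudo apache2ctl configtest && sudo systemctl reload apache2
    # http-01 validation: port 80 of $SERVER_NAME must be reachable from the internet.
    sudo certbot --apache --non-interactive --agree-tos -m "$CERT_EMAIL" \
        --redirect -d "$SERVER_NAME"
}

add_proxy_stanza() {
    ssl_conf="/etc/apache2/sites-available/${SERVER_NAME}-le-ssl.conf"
    render_proxy_stanza | sudo tee /etc/apache2/conf-available/proxy-apps.conf >/dev/null
    # Include it inside the TLS vhost only; a2enconf would apply it server-wide.
    grep -q proxy-apps.conf "$ssl_conf" || \
        sudo sed -i 's#</VirtualHost>#    Include conf-available/proxy-apps.conf\n</VirtualHost>#' "$ssl_conf"
    sudo apache2ctl configtest && sudo systemctl reload apache2
    sudo certbot renew --dry-run      # prove unattended renewal works before the 90 days run out
}

# Only act when invoked as:  sh setup-proxy.sh run
if [ "${1:-}" = "run" ]; then
    install_and_issue
    add_proxy_stanza
fi
```

The proxy stanza is kept in its own file and pulled into the certbot-generated 443 vhost with an Include, so re-running the script (or re-running certbot) does not scatter duplicate ProxyPass lines, and the plain-HTTP vhost keeps doing nothing but redirecting to HTTPS.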