
CDOT Wiki β

Changes

OPS345 Lab 5

1,047 bytes added, 02:36, 21 February 2022
== Set up Apache to use your new keys ==
* Do this part of the lab on your www.yourusername.ops345.ca machine only. There is no need to touch the slaves you created in the assignment.
** Remember that your keys are tied to a domain, so make sure that the ServerName option in /etc/httpd/conf/httpd.conf is set to your full domain name www.yourusername.ops345.ca
* Apache can be configured to provide service over HTTPS relatively easily once you have the keys you need, but on Amazon Linux the SSL Apache module is not installed by default, so install it now on your www server (give the machine a temporary elastic IP to allow yum to work, and release it after you're done):
** <source>yum install mod_ssl</source>
** Both your private key and your certificate need to be on the server because Apache needs to use them both. Use scp to copy them from your workstation to the server, for example <source>scp -P 2211 -i keys/ssh/ops345-all-aws-machines.pem keys/asmith15.ops345.ca.* andrew@34.202.103.43:~</source> and then copy them into the directories commonly used for this purpose:
** [[File:AWSCopyCertbotKeys.png|800px|border|center]]
** [root@www andrew]# cp asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
** [root@www andrew]# cp asmith15.ops345.ca.key.pem /etc/pki/tls/private/
** Configure Apache to use those keys by setting the following two parameters in /etc/httpd/conf.d/ssl.conf:
*** <source>SSLCertificateFile /etc/pki/tls/certs/yourusername.ops345.ca.cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/yourusername.ops345.ca.key.pem</source>
** Restart Apache, and confirm that there are no errors in /var/log/httpd/error_log
* Configure your firewalls and port forwarder to handle HTTPS, which works over TCP port 443:
** Add an iptables rule in the nat table on router.
** Add a rule for HTTPS in the router's security group to allow access from anywhere.
** Add a rule for HTTPS in www's security group to allow access from the router only.
* Edit ops345sgprivate, add https
* Edit ops345sg, add https
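As an added example (not part of the lab page or the course's own material), a small POSIX shell check to run on www before restarting Apache: it confirms that the private key really belongs to the certificate, that the certificate's CN is the ServerName you configured, and that the key file is not readable by other users, so a mistake shows up here rather than as a failed restart in /var/log/httpd/error_log. The check_pair function name is mine; the paths and the yourusername file names are the lab's placeholders.

```shell
#!/bin/sh
# Added example, not from the lab page: sanity-check a certificate/key pair
# before handing it to httpd. "yourusername" names are placeholders for the
# files the lab has you create under /etc/pki/tls.

# check_pair CERT KEY EXPECTED_CN
# Returns 0 when the pair is consistent and safe to use, 1 otherwise.
check_pair() {
    cert="$1"; key="$2"; cn="$3"; rc=0

    # 1. Both files must exist and parse as PEM.
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "unreadable cert: $cert"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null  || { echo "unreadable key: $key"; return 1; }

    # 2. The public key inside the certificate must equal the public key derived
    #    from the private key (SSLCertificateFile vs SSLCertificateKeyFile).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "MISMATCH: $key is not the key for $cert"; rc=1; }

    # 3. The certificate must be issued for the ServerName httpd will announce.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case "$subject" in
        *"CN=$cn"|*"CN=$cn,"*) ;;
        *) echo "certificate subject '$subject' does not carry CN=$cn"; rc=1 ;;
    esac

    # 4. The private key must be readable by its owner (root) only.
    perms=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$perms" in
        600|400) ;;
        *) echo "WARNING: $key has mode $perms, expected 600 or 400"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use: sh check_pair.sh CERT KEY EXPECTED_CN, for example
#   sh check_pair.sh /etc/pki/tls/certs/yourusername.ops345.ca.cert.pem \
#                    /etc/pki/tls/private/yourusername.ops345.ca.key.pem \
#                    www.yourusername.ops345.ca
if [ "$#" -eq 3 ]; then
    check_pair "$1" "$2" "$3"
fi
```

The exit status is what matters: a non-zero result means fix the files before running the restart, and the messages name which of the four checks failed.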