Terminator

Linuxconf SSL

How to set up Apache SSL to protect the linuxconf HTML interface.

Tested with apache/1.3.12-mod_ssl/2.6.4-linuxconf/1.18r6 (should work with older versions).

I recommend using a different port for linuxconf SSL. This makes it easy to set up, since you don't have to define a new FQDN or certificate; you can use the same ones the main server uses.

Howto

0. Requires:

apache with SSL enabled, proxy support, valid certificate.

1. Configure httpd.conf:

Listen 8098

<Virtualhost _default_:8098>
SSLEngine On
ProxyPass / http://localhost:98/
</Virtualhost>

2. Configure linuxconf to accept HTML requests from localhost

3. Linuxconf SSL will now open with https://yourhost:8098/

Options

Multiple hosts

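If you have several hosts on a trusted network you can use one SSL host to remotely access the other hosts, by using different ports. Only the connection from the browser to the SSL host is encrypted; the proxied requests to the other hosts travel as plain HTTP, which is why the network between them has to be trusted: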

Listen 8098

<Virtualhost _default_:8098>
SSLEngine On
ProxyPass / http://localhost:98/
</Virtualhost>

Listen 9098

<Virtualhost _default_:9098>
SSLEngine On
ProxyPass / http://otherhost:98/
</Virtualhost>
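
An added example, not part of the original howto: a small Python check that reads httpd.conf text and reports, for each proxying virtual host, whether SSL is enabled, whether a matching Listen line exists, and whether the ProxyPass backend is reached over plain HTTP on a non-loopback host (the hop that depends on the trusted network above). The function name, the finding strings and the sample input are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the "Multiple hosts" configuration from this page.
SAMPLE_CONF = """\
Listen 8098
<Virtualhost _default_:8098>
SSLEngine On
ProxyPass / http://localhost:98/
</Virtualhost>
Listen 9098
<Virtualhost _default_:9098>
SSLEngine On
ProxyPass / http://otherhost:98/
</Virtualhost>
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
VHOST_OPEN = re.compile(r"\s*<virtualhost\s+([^>\s]+)", re.I)

def audit_proxy_vhosts(conf_text):
    """Return one dict per <VirtualHost> block: port, ssl, backend, findings."""
    listens, vhosts, cur = set(), [], None
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        key, opened = words[0].lower(), VHOST_OPEN.match(raw)
        if opened:  # the port is whatever follows the last ':' in addr:port
            port = opened.group(1).rpartition(":")[2]
            cur = {"port": port, "ssl": False, "backend": None}
            vhosts.append(cur)
        elif key == "listen" and len(words) > 1:
            listens.add(words[1].rpartition(":")[2])
        elif key == "</virtualhost>":
            cur = None
        elif cur is not None and key in ("sslengine", "sslenable"):
            # 'SSLEnable' is the alternative spelling given in the Notes section
            cur["ssl"] = key == "sslenable" or words[-1].lower() == "on"
        elif cur is not None and key == "proxypass" and len(words) > 2:
            cur["backend"] = words[2]
    for v in vhosts:
        url = urlsplit(v["backend"] or "")
        remote = url.scheme == "http" and url.hostname not in (LOOPBACK | {None})
        checks = [(bool(v["backend"]) and not v["ssl"], "proxy vhost without SSL"),
                  (v["port"] not in listens, "no Listen for port " + v["port"]),
                  (remote, "plain HTTP hop to non-loopback backend")]
        v["findings"] = [msg for bad, msg in checks if bad]
    return vhosts
```

Run against the sample, the 8098 host comes back with no findings and the 9098 host is flagged for the plain HTTP hop to otherhost.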

HTMLplus

The optional htmlplus module works fine via SSL using this setup.

Notes

If you get an error when reloading apache try to use 'SSLEnable' instead of 'SSLEngine On'.

You can make self-signed SSL certificates with 'make certificate' from the apache source topdir.

Some additional configuration notes from Johannes Brodwall:
First, mod_proxy.c is not loaded by default (at least it wasn't in 
my configuration).  Since I don't know too much about apache, it 
was somewhat frustrating to get this to work.  These lines had to 
be uncommented:

LoadModule proxy_module       modules/libproxy.so
AddModule mod_proxy.c

With that in place, my server would still not start correctly, this 
time, it was the SSL certificates.  The following was needed inside 
the <VirtualHost> section:

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

FYI, here is the configuration needed to make the same setup work 
for SWAT:

Listen 8901 
<Virtualhost _default_:8901>
SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
ProxyPass / http://localhost:901/ 
</Virtualhost>

apache-1.3.19-5
Redhat 7.1 Linux 2.4.2-2

Wanted

Netscape will remember to trust your self-signed SSL certificate after your first confirmation, but Internet Explorer will not, and asks you for confirmation on every session. If anyone knows how to make IE trust self-signed certificates permanently, please tell me how.

Contact

Send questions/comments to Stein Vråle <stein@terminator.net>.
