UPDATED!!!
ON HAPROXY3 Server
Note: haproxy3 is the hostname of the server that runs HAProxy.
first install openssl and the development headers HAProxy's SSL support needs
$ sudo yum install openssl
$ sudo yum install openssl-devel pcre-devel
FIREWALL
allow the SSL port 443 (if you also want the HTTP-to-HTTPS redirect in the HAProxy config below to be reachable from outside, open 80/tcp the same way; the frontend binds *:80 but this section only opens 443)
$ sudo firewall-cmd --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload
$ sudo iptables -L
go to the certificates folder
$ cd /etc/pki/tls/certs/
create the private key and the certificate signing request (CSR). The key is generated as root; keep it readable by root only (mode 0600), since anyone who can read it can impersonate the site.
$ sudo openssl genrsa -out server.key 2048
$ sudo openssl req -new -key server.key -out server.csr
The Common Name must be the hostname users will type in the browser; the other fields are whatever your CA asks for (BLABLA is a placeholder here). Leave the challenge password empty.
Country Name (2 letter code) [XX]:BLABLA
State or Province Name (full name) []:BLABLA
Locality Name (eg, city) [Default City]:BLABLA
Organization Name (eg, company) [Default Company Ltd]:BLABLA
Organizational Unit Name (eg, section) []:BLABLA
Common Name (eg, your name or your server's hostname) []:moodle.example.edu
Email Address []:admin@example.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
now verify the csr file (the -verify flag checks the CSR's own signature; the output should start with "verify OK" and show the subject and a 2048-bit RSA key)
$ openssl req -text -noout -verify -in server.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=TEXAS, L=HOUSTON, O=NORTH AMERICAN UNIVERSITY, OU=IT, CN=moodle.na.edu/emailAddress=msen@na.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:9f:b4:bb:35:f2:44:03:70:b2:98:18:42:94:
                    e5:46:58:31:a7:6e:f5:ef:9a:9b:0c:80:79:ce:eb:
                    ................................
                    ................................
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         98:1d:75:d4:bc:d5:d9:7a:2e:48:65:e2:ea:0d:87:29:30:7c:
         7a:a8:5e:f1:88:af:d4:61:de:a2:7f:a6:15:a7:a9:a0:41:28:
         .................................
after this step, you can either self-sign the certificate yourself (see SELF SIGNING THE KEY at the end; development only) or buy a CA-signed certificate, for example from GoDaddy. We chose the second method.
I gave the server.csr content above to my manager, who bought the certificate and the CA bundle from GoDaddy. They were renamed to moodle.crt and moodle_bundle.crt and copied to the haproxy3 server under /etc/pki/tls/certs/. We actually only used moodle.crt, not moodle_bundle.crt. Note that moodle_bundle.crt holds the CA's intermediate certificates: HAProxy sends whatever is in the PEM as the chain, so leaving the bundle out works only for clients that already have the intermediate cached; appending it after the key is the safer choice.
let's generate moodle.pem from the purchased moodle.crt and the self-generated server.key, in that order (certificate first, then key), and point the haproxy config at it. Restrict the result to mode 0600 owned by root, since it now contains the private key.
$ sudo bash -c 'cat moodle.crt server.key > moodle.pem'
CONFIGURE HAPROXY FOR SSL
$ sudo vi /etc/haproxy/haproxy.cfg
add this under the global section
global
    # max per-process number of SSL connections
    maxsslconn 10000
    # set 2048 bits for Diffie-Hellman key
    tune.ssl.default-dh-param 2048
add this under the frontend section. reqadd and rspadd are the HAProxy 1.5 directives; they were removed in HAProxy 2.1, where the equivalents are http-request set-header and http-response set-header.
frontend main
    # specify port and certs
    bind *:443 ssl crt /etc/pki/tls/certs/moodle.pem
    # tell the backend (Moodle) that the original request was HTTPS
    reqadd X-Forwarded-Proto:\ https
    # HSTS: browsers use HTTPS only for a year, which prevents downgrade attacks
    rspadd Strict-Transport-Security:\ max-age=31536000
restart haproxy
$ sudo systemctl restart haproxy
check the build options (haproxy -vv shows the version and whether it was built with OpenSSL; it does not show the config. To syntax-check the config file itself, run haproxy with -c -f /etc/haproxy/haproxy.cfg before restarting.)
$ haproxy -vv
Note: the final haproxy config looks like this. Two things to be aware of: the stats listener on *:8080 has stats admin enabled behind a static password, so restrict that port to the management network (the firewall section above only opens 443, which keeps it closed by default), and the no-sslv3 line is commented out, so SSLv3 stays enabled until you uncomment it.
$ sudo vi /etc/haproxy/haproxy.cfg
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2
    # max per-process number of SSL connections
    maxsslconn 2000
    # set 2048 bits for Diffie-Hellman key
    tune.ssl.default-dh-param 2048
    # disable SSLv3 because it is not secure anymore
    #ssl-default-bind-options no-sslv3
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     10000
    user        haproxy
    group       haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 2000

#---------------------------------------------------------------------
# HAProxy statistics backend
#---------------------------------------------------------------------
listen haproxy3-monitoring *:8080
    mode http
    option forwardfor
    option httpclose
    stats enable
    stats show-legends
    stats refresh 2s
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth msen:Memo3480$
    stats admin if TRUE

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
    bind *:80
    mode http
    # specify port and certs
    bind *:443 ssl crt /etc/pki/tls/certs/moodle.pem
    # tell the backend (Moodle) that the original request was HTTPS
    reqadd X-Forwarded-Proto:\ https
    # HSTS: a security policy to prevent downgrade attacks
    rspadd Strict-Transport-Security:\ max-age=31536000
    option http-server-close
    option forwardfor
    default_backend webapp-main

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend webapp-main
    mode http
    # comment this out if you do not want every plain-HTTP request redirected to https
    redirect scheme https if !{ ssl_fc }
    balance roundrobin
    server web1 10.10.4.21:80 maxconn 250 check
    server web2 10.10.4.22:80 maxconn 250 check
in the moodle config, enable sslproxy on all web servers so Moodle builds https:// URLs even though HAProxy talks plain HTTP to it on port 80
$ sudo vi /usr/share/nginx/html/config.php
$CFG->sslproxy = true;
check through curl (-k skips certificate validation; once the CA-signed certificate is installed, run it again without -k so the chain is actually verified, and look for the 301/302 to https:// followed by the Strict-Transport-Security header)
$ curl -k -L -I https://moodle.na.edu
MOODLE SECURITY CONFIGURATION
Site Administration-> Security -> HTTP security
enable the following:
Use HTTPS for logins
Secure cookies only
Only http cookies
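The curl check and the three Moodle switches above together should produce a specific set of response headers. The functions below, an added example and not part of the original post, audit raw `curl -sI` output for them: a redirect to https:// on plain HTTP, a Strict-Transport-Security header with at least the one-year max-age the rspadd line sets, and Secure plus HttpOnly on every Set-Cookie. The sample responses at the bottom are constructed by hand, not captured from a server; the hostname moodle.example.edu is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): header checks for the HAProxy +
# Moodle HTTPS setup. Feed each function the text that `curl -sI URL` prints.
set -eu

# Print the value of one header (case-insensitive) from raw response headers on stdin.
header_value() {
  tr -d '\r' | grep -i "^$1:" | head -n1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# Plain HTTP must answer with a redirect whose Location is https://
# (the `redirect scheme https if !{ ssl_fc }` rule in the backend).
check_http_redirect() {
  local hdrs=$1 loc
  printf '%s\n' "$hdrs" | head -n1 | grep -Eq ' (301|302|307|308) ' || return 1
  loc=$(printf '%s\n' "$hdrs" | header_value Location)
  case "$loc" in https://*) return 0 ;; *) return 1 ;; esac
}

# HTTPS must carry Strict-Transport-Security with a max-age of at least one
# year, the value the post's rspadd line sets (31536000 s).
check_hsts() {
  local hdrs=$1 v age
  v=$(printf '%s\n' "$hdrs" | header_value Strict-Transport-Security)
  [ -n "$v" ] || return 1
  age=$(printf '%s\n' "$v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# Every Set-Cookie must carry both Secure and HttpOnly, which is what Moodle's
# "Secure cookies only" and "Only http cookies" switches add to the session cookie.
check_cookies() {
  local hdrs=$1 line found=0
  while IFS= read -r line; do
    case "$line" in
      [Ss]et-[Cc]ookie:*)
        found=1
        printf '%s\n' "$line" | grep -Eqi ';[[:space:]]*secure([[:space:]]*;|[[:space:]]*$)' || return 1
        printf '%s\n' "$line" | grep -Eqi ';[[:space:]]*httponly([[:space:]]*;|[[:space:]]*$)' || return 1
        ;;
    esac
  done <<EOF
$(printf '%s\n' "$hdrs" | tr -d '\r')
EOF
  [ "$found" -eq 1 ]
}

# Run all three: $1 = headers from http://host/, $2 = headers from https://host/.
audit_site() {
  check_http_redirect "$1" && check_hsts "$2" && check_cookies "$2"
}

# Constructed samples (not captured) of what the two curl calls should return
# once the setup is complete, plus one response that must fail the audit.
HTTP_OK='HTTP/1.1 302 Found
Location: https://moodle.example.edu/
Content-Length: 0'
HTTPS_OK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: MoodleSession=abc123; path=/; Secure; HttpOnly
Content-Type: text/html; charset=utf-8'
HTTPS_BAD='HTTP/1.1 200 OK
Set-Cookie: MoodleSession=abc123; path=/'
```

Against a live server the call is `audit_site "$(curl -sI http://moodle.example.edu/)" "$(curl -sI https://moodle.example.edu/)"`; a non-zero exit means one of the three properties is missing. The HTTPS_BAD sample is what you see when the rspadd line and the Moodle cookie switches are not yet in place.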
SELF SIGNING THE KEY
This step only shows how to self-sign the certificate yourself. Do these steps for development purposes only; browsers will not trust the result.
sign the CSR with your own key and write the certificate to server.crt
$ sudo openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
copy the contents of the crt and key files into one pem file (certificate first, then key)
$ sudo bash -c 'cat server.crt server.key > server.bundle.pem'
you should now have four files: the key, the csr, the crt and the pem. Note that in the listing below server.key and server.bundle.pem are world-readable (-rw-r--r--); both contain the private key and should be mode 0600.
$ ls -l
lrwxrwxrwx. 1 root root   49 Sep 24 20:11 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 Sep 24 20:11 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610 Jun 29 07:47 make-dummy-cert
-rw-r--r--. 1 root root 2388 Jun 29 07:47 Makefile
-rwxr-xr-x. 1 root root  829 Jun 29 07:47 renew-dummy-cert
-rw-r--r--. 1 root root 3001 Oct 18 23:56 server.bundle.pem
-rw-r--r--. 1 root root 1326 Oct 18 23:50 server.crt
-rw-r--r--. 1 root root 1066 Oct 18 23:49 server.csr
-rw-r--r--. 1 root root 1675 Oct 18 23:47 server.key
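The key, CSR and PEM steps from the main procedure and the self-signing steps in this section share the same commands, so here they are once, as shell functions with the two checks a practitioner adds before pointing `bind *:443 ssl crt` at the file: that the certificate actually belongs to the private key (the usual failure when a purchased crt is copied next to the wrong key), and that the assembled PEM still parses and is readable by root only. This is an added example, not code from the original post; the -subj fields and the hostname passed to make_key_and_csr are placeholders, and the optional bundle argument to build_haproxy_pem is where a CA bundle such as the post's moodle_bundle.crt would go.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): key/CSR/PEM handling for HAProxy
# with a cert-matches-key check and safe file modes. Placeholders: the -subj
# values and the CN passed in by the caller.
set -eu

# 2048-bit RSA key and a CSR, generated non-interactively instead of answering
# the prompts shown in the post. The key is private: created with mode 0600.
make_key_and_csr() {
  local dir=$1 cn=$2
  (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=XX/ST=State/L=City/O=Example Org/OU=IT/CN=$cn" 2>/dev/null
}

# Same check as `openssl req -text -noout -verify`: 0 if the CSR is well
# formed and its self-signature verifies.
verify_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Development only (the post's last section): self-sign the CSR for 730 days.
self_sign() {
  local dir=$1
  openssl x509 -req -days 730 -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# A certificate bought from a CA must belong to the key that made the CSR.
# Compare the RSA modulus of both (hashed, so the comparison is short).
cert_matches_key() {
  local crt=$1 key=$2 a b
  a=$(openssl x509 -in "$crt" -noout -modulus | openssl sha256)
  b=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl sha256)
  [ "$a" = "$b" ]
}

# Build the file for `bind *:443 ssl crt ...`: certificate, private key, then
# the CA's intermediate bundle if there is one (HAProxy serves it as the chain).
# Refuses a mismatched pair and leaves the result mode 0600, because it now
# contains the private key.
build_haproxy_pem() {
  local crt=$1 key=$2 out=$3 bundle=${4:-}
  if ! cert_matches_key "$crt" "$key"; then
    echo "refusing to build $out: certificate and key do not match" >&2
    return 1
  fi
  (umask 077; cat "$crt" "$key" > "$out")
  if [ -n "$bundle" ]; then
    cat "$bundle" >> "$out"
  fi
  chmod 600 "$out"
  # Both halves must still parse after concatenation: first cert block, and
  # the private-key block extracted from the combined file.
  openssl x509 -in "$out" -noout \
    && sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$out" \
       | openssl rsa -noout -check >/dev/null 2>&1
}
```

With a purchased certificate the sequence is make_key_and_csr, send the CSR to the CA, then build_haproxy_pem with the returned crt, the same key, the HAProxy path and the bundle; self_sign replaces the CA step for a development box. A refusal from build_haproxy_pem is exactly the condition under which HAProxy itself would fail to start with an "inconsistent private key" error, caught before the restart instead of after it.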
One thought on “INSTALL SSL ON HAPROXY CENTOS 7 OR UBUNTU 14.04 FOR MOODLE”