INSTALL SSL ON HAPROXY CENTOS 7 OR UBUNTU 14.04 FOR MOODLE

ON THE HAPROXY3 SERVER

Note: haproxy3 is the hostname of the server that runs HAProxy.

first install openssl (CentOS 7 commands shown; on Ubuntu 14.04 the apt packages are openssl, libssl-dev and libpcre3-dev). The -devel packages are only needed if you build HAProxy from source; the packaged haproxy on CentOS 7 is already built against the system OpenSSL.

$ sudo yum install openssl
$ sudo yum install openssl-devel pcre-devel

allow the HTTPS port 443 through the firewall and confirm the rule is active

$ sudo firewall-cmd --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload
$ sudo iptables -L

go to the certificates folder

$ cd /etc/pki/tls/certs/

create the private key and the CSR. Answer the prompts with your organisation's details; the Common Name must be the public hostname of the Moodle site (here moodle.example.edu), and the challenge password can be left empty. server.key is the private half of the site certificate: keep it owned by root with mode 600.

$ sudo openssl genrsa -out server.key 2048
$ sudo openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [XX]:BLABLA
State or Province Name (full name) []:BLABLA
Locality Name (eg, city) [Default City]:BLABLA
Organization Name (eg, company) [Default Company Ltd]:BLABLA
Organizational Unit Name (eg, section) []:BLABLA
Common Name (eg, your name or your server's hostname) []:moodle.example.edu
Email Address []:admin@example.edu
Please enter the following 'extra' attributes
 to be sent with your certificate request
A challenge password []:
An optional company name []:

now verify the CSR file (-verify checks the self-signature of the request, -text shows what the CA will sign)

$ openssl req -text -noout -verify -in server.csr

verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=TEXAS, L=HOUSTON, O=NORTH AMERICAN UNIVERSITY, OU=IT, CN=moodle.na.edu/emailAddress=msen@na.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:9f:b4:bb:35:f2:44:03:70:b2:98:18:42:94:
e5:46:58:31:a7:6e:f5:ef:9a:9b:0c:80:79:ce:eb:
................................
................................
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
98:1d:75:d4:bc:d5:d9:7a:2e:48:65:e2:ea:0d:87:29:30:7c:
7a:a8:5e:f1:88:af:d4:61:de:a2:7f:a6:15:a7:a9:a0:41:28:
.................................

After this step the CSR has to be signed: either sign it yourself (a self-signed certificate, shown at the end of this page, which browsers will warn about) or buy a certificate from a public CA such as GoDaddy. We chose the second method.

I gave the above server.csr content to my manager, who bought the certificate and the bundle file from GoDaddy. They were renamed to moodle.crt and moodle_bundle.crt and moved to the haproxy3 server under /etc/pki/tls/certs/. Actually we didn't do anything with moodle_bundle.crt, only with moodle.crt. Caveat: moodle_bundle.crt holds the intermediate CA certificates that link moodle.crt to a root the browsers trust. If it is left out of the PEM, HAProxy serves the leaf certificate alone, and clients that do not already have the intermediate cached (curl, mobile browsers, Moodle's own web service clients) fail certificate validation. It belongs in the PEM between the certificate and the key.

let's generate moodle.pem, the file the haproxy config points at, from the moodle.crt we received and the server.key we generated. The order matters: certificate first, then the intermediate bundle if you include it, then the private key. The file contains the private key, so give it mode 600 like server.key.

$ sudo bash -c 'cat moodle.crt server.key > moodle.pem'
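The PEM assembly together with the checks a practitioner runs before pointing haproxy.cfg at the file, as an added example that is not part of the original post: it concatenates in the order HAProxy expects (leaf certificate, CA bundle, private key), refuses to write the file when the key does not belong to the certificate (the public-key digests must match) or when the bundle does not chain the certificate to a CA, and writes the result with mode 600. File names are arguments; nothing in it is specific to GoDaddy, and the CA used in the test is generated on the spot.

```shell
#!/bin/sh
# Build the PEM file that "bind ... ssl crt" loads and refuse to write it when
# the parts do not belong together. Added example, not from the original post;
# LEAF/KEY/OUT/BUNDLE are whatever files you pass in.
set -eu

# SHA-256 of the public key inside a certificate ("cert") or a private key
# ("key"); a matching pair yields the same digest.
pubkey_digest() {
  if [ "$2" = cert ]; then
    openssl x509 -in "$1" -noout -pubkey
  else
    openssl pkey -in "$1" -pubout
  fi | openssl dgst -sha256 | awk '{ print $NF }'
}

# build_haproxy_pem LEAF.crt PRIVATE.key OUT.pem [BUNDLE.crt]
# Writes OUT.pem with mode 0600 and prints the number of certificates in it.
build_haproxy_pem() {
  leaf=$1; key=$2; out=$3; bundle=${4:-}

  if [ "$(pubkey_digest "$leaf" cert)" != "$(pubkey_digest "$key" key)" ]; then
    echo "refusing: $key is not the private key for $leaf" >&2
    return 1
  fi
  # First try the system trust store with the bundle as untrusted intermediates
  # (what a browser does); fall back to accepting a bundle that ships its own
  # root, as a private CA would. Either way the bundle must complete the chain.
  if [ -n "$bundle" ] \
     && ! openssl verify -untrusted "$bundle" "$leaf" >/dev/null 2>&1 \
     && ! openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
    echo "refusing: $bundle does not chain $leaf to a CA" >&2
    return 1
  fi

  # umask in a subshell so the 0600 mode applies to this file only
  (
    umask 077
    {
      cat "$leaf"
      if [ -n "$bundle" ]; then cat "$bundle"; fi
      cat "$key"
    } > "$out"
  )
  grep -c 'BEGIN CERTIFICATE' "$out"
}
```

For the setup on this page the call is `build_haproxy_pem moodle.crt server.key moodle.pem moodle_bundle.crt`, run as root in /etc/pki/tls/certs/; the printed count should equal one plus the number of certificates in the bundle.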


CONFIGURE HAPROXY FOR SSL

$ sudo vi /etc/haproxy/haproxy.cfg

add this under the global section

global
# max per-process number of SSL connections
maxsslconn 10000
# use 2048-bit Diffie-Hellman parameters for DHE key exchange (the HAProxy 1.5 default is 1024)
tune.ssl.default-dh-param 2048

add this under the frontend section

frontend main
# listen for TLS on 443 with the combined certificate+key file
bind *:443 ssl crt /etc/pki/tls/certs/moodle.pem
# tell the web servers the client connection was TLS, but only when it really
# was: once port 80 shares this frontend, an unconditional reqadd would mark
# plain requests as https as well
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
# HSTS: browsers remember to use HTTPS only, which blocks downgrade attacks;
# the header is only honoured on HTTPS responses, so send it only there
rspadd Strict-Transport-Security:\ max-age=31536000 if { ssl_fc }

restart haproxy (haproxy -c -f /etc/haproxy/haproxy.cfg checks the file for syntax errors first, without touching the running process)

$ sudo systemctl restart haproxy

confirm the haproxy build has SSL support: the output lists the OpenSSL version it was built with and USE_OPENSSL=1 among the build options

$ haproxy -vv

Note: the final haproxy config looks like this

$ sudo vi /etc/haproxy/haproxy.cfg

global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2

# max per-process number of SSL connections
maxsslconn 2000
# use 2048-bit Diffie-Hellman parameters
tune.ssl.default-dh-param 2048
# disable SSLv3 (POODLE); keep this enabled, HAProxy 1.5 and later accept it
ssl-default-bind-options no-sslv3
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 10000
user haproxy
group haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 2000

#---------------------------------------------------------------------
#HAProxy statistics backend
#---------------------------------------------------------------------
listen haproxy3-monitoring *:8080
mode http
option forwardfor
option httpclose
stats enable
stats show-legends
stats refresh 2s
stats uri /stats
stats realm Haproxy\ Statistics
# basic auth over plain HTTP sends the password in the clear, and "stats admin"
# lets whoever has it take servers out of the pool: use your own credentials
# and restrict port 8080 to the admin network (firewall or bind to an internal address)
stats auth msen:Memo3480$
stats admin if TRUE

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main
bind *:80
mode http
# TLS on 443 with the combined certificate+key file
bind *:443 ssl crt /etc/pki/tls/certs/moodle.pem
# tell the web servers the client connection was TLS, only when it really was:
# port 80 shares this frontend, so an unconditional reqadd would mark plain
# requests as https as well
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
# HSTS against downgrade attacks; only honoured by browsers on HTTPS responses
rspadd Strict-Transport-Security:\ max-age=31536000 if { ssl_fc }
option http-server-close
option forwardfor
default_backend webapp-main

#---------------------------------------------------------------------
# round robin balancing between the web servers
#---------------------------------------------------------------------
backend webapp-main
mode http
# send plain-HTTP requests to https; comment this out if the site must stay reachable over http
redirect scheme https if !{ ssl_fc }
balance roundrobin
# the proxy talks plain HTTP to the web servers: keep 10.10.1.0/24 on a network clients cannot reach
server web1 10.10.1.21:80 maxconn 250 check
server web2 10.10.1.22:80 maxconn 250 check

in the Moodle config on every web server enable sslproxy, so Moodle knows TLS is terminated at the proxy and generates https links (with sslproxy set, $CFG->wwwroot must start with https://)

$ sudo vi /usr/share/nginx/html/config.php
$CFG->sslproxy = true;

check through curl (-L follows the redirect from http to https, -I shows only the headers; -k skips certificate validation, so drop it once the CA-signed certificate is in place, the command then also proves that the served chain validates)

$ curl -k -L -I https://moodle.na.edu
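What the curl check should show, written up as an added example that is not from the original post: two shell functions that read the headers printed by curl -I and fail unless a plain-HTTP request is redirected to an https:// URL and an HTTPS response carries Strict-Transport-Security with at least the max-age configured above. The sample header blocks in the script are constructed, modelled on HAProxy's redirect and on a backend response passed through the rspadd line; the hostname is the example one.

```shell
#!/bin/sh
# Header audit for the curl step. Added example, not from the original post.
# Pipe the raw headers from `curl -sI http://HOST/` or `curl -sI https://HOST/`
# (no -k) into check_http_redirect / check_hsts.
set -eu

# Print the value of header NAME from the headers on stdin (case-insensitive,
# CRLF tolerated); prints nothing if the header is absent.
header_value() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr -d '\r' | awk -v n="$name" '
    index(tolower($0), n ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Status code from the first line, e.g. "HTTP/1.1 302 Found" -> 302.
status_code() {
  head -n 1 | tr -d '\r' | awk '{ print $2 }'
}

# A plain-HTTP request must come back as a redirect whose Location is https://.
# Fails on a 200 (site still served in the clear) or on a redirect to http://.
check_http_redirect() {
  hdrs=$(cat)
  code=$(printf '%s\n' "$hdrs" | status_code)
  loc=$(printf '%s\n' "$hdrs" | header_value Location)
  case "$code" in
    301|302|303|307|308) ;;
    *) echo "no redirect (status $code)" >&2; return 1 ;;
  esac
  case "$loc" in https://*) return 0 ;; esac
  echo "redirect does not go to https: '$loc'" >&2
  return 1
}

# An HTTPS response must carry Strict-Transport-Security with max-age >= $1.
check_hsts() {
  min=$1
  hdrs=$(cat)
  v=$(printf '%s\n' "$hdrs" | header_value Strict-Transport-Security)
  [ -n "$v" ] || { echo "no Strict-Transport-Security header" >&2; return 1; }
  # directives are ';'-separated and case-insensitive: "max-age=N; includeSubDomains"
  age=$(printf '%s' "$v" | tr 'A-Z' 'a-z' | tr -d ' \t' | tr ';' '\n' \
        | awk -F= '$1 == "max-age" { print $2; exit }')
  case "$age" in ''|*[!0-9]*) echo "bad max-age in '$v'" >&2; return 1 ;; esac
  [ "$age" -ge "$min" ] || { echo "max-age $age below $min" >&2; return 1; }
}

# Constructed samples (not captured from a real server): HAProxy's "redirect
# scheme https" answer, a backend response with the HSTS header, one without.
SAMPLE_HTTP='HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://moodle.example.edu/'
SAMPLE_HTTPS='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000'
SAMPLE_NO_HSTS='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8'
```

After sourcing the file, `curl -sI http://moodle.example.edu/ | check_http_redirect` and `curl -sI https://moodle.example.edu/ | check_hsts 31536000` exercise the two rules against the live proxy; without -k, a broken certificate chain makes curl fail before the header check even runs, which is the point.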

MOODLE SECURITY CONFIGURATION

Site Administration-> Security -> HTTP security

enable the following:

Use HTTPS for logins
Secure cookies only
Only http cookies

The following shows how to self-sign the CSR instead of buying a certificate. It is included only to show how signing works: a self-signed certificate is not trusted by browsers, so production sites use the CA-signed one as above.

sign the CSR with your own key and write the certificate to server.crt (valid for two years)
$ sudo openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt

copy the certificate and the key into one pem file
$ sudo bash -c 'cat server.crt server.key > server.bundle.pem'

you should now have 4 files of your own in the folder: the key, the csr, the crt and the pem
$ ls -l
lrwxrwxrwx. 1 root root 49 Sep 24 20:11 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Sep 24 20:11 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root 610 Jun 29 07:47 make-dummy-cert
-rw-r--r--. 1 root root 2388 Jun 29 07:47 Makefile
-rwxr-xr-x. 1 root root 829 Jun 29 07:47 renew-dummy-cert
-rw-r--r--. 1 root root 3001 Oct 18 23:56 server.bundle.pem
-rw-r--r--. 1 root root 1326 Oct 18 23:50 server.crt
-rw-r--r--. 1 root root 1066 Oct 18 23:49 server.csr
-rw-r--r--. 1 root root 1675 Oct 18 23:47 server.key

Note the 644 modes on server.key and server.bundle.pem in this listing: both contain the private key and should be 600, readable by root only, otherwise any local user on the proxy can read the key and impersonate the site.

=========== end of the self-signing example ==========
