INSTALL SSL ON HAPROXY CENTOS 7 OR UBUNTU 14.04 FOR MOODLE

UPDATED!!!

ON THE HAPROXY3 SERVER

Note: haproxy3 is the hostname of the HAProxy server. The commands below are the CentOS 7 ones (yum, firewalld, /etc/pki paths).

first install openssl
$ sudo yum install openssl
$ sudo yum install openssl-devel pcre-devel

FIREWALL
allow the https port 443
$ sudo firewall-cmd --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload
$ sudo iptables -L

go to the certificate directory
$ cd /etc/pki/tls/certs/

create the private key and the CSR (certificate signing request)
$ sudo openssl genrsa -out server.key 2048
$ sudo openssl req -new -key server.key -out server.csr

Run this way, genrsa leaves server.key world-readable (0644, as the directory listing at the end of this post shows); tighten it to 0600 with chmod before going any further, because whoever can read the key can impersonate the site. Note also that the interactive prompt only asks for a Common Name. Current browsers require the hostname in a subjectAltName extension as well; commercial CAs normally add a SAN matching the CN themselves, but a self-signed certificate made from this CSR will not have one.

Country Name (2 letter code) [XX]:BLABLA
State or Province Name (full name) []:BLABLA
Locality Name (eg, city) [Default City]:BLABLA
Organization Name (eg, company) [Default Company Ltd]:BLABLA
Organizational Unit Name (eg, section) []:BLABLA
Common Name (eg, your name or your server's hostname) []:moodle.example.edu
Email Address []:admin@example.edu
Please enter the following 'extra' attributes
 to be sent with your certificate request
A challenge password []:
An optional company name []:

now verify the CSR file
$ openssl req -text -noout -verify -in server.csr

verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=TEXAS, L=HOUSTON, O=NORTH AMERICAN UNIVERSITY, OU=IT, CN=moodle.na.edu/emailAddress=msen@na.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:9f:b4:bb:35:f2:44:03:70:b2:98:18:42:94:
e5:46:58:31:a7:6e:f5:ef:9a:9b:0c:80:79:ce:eb:
................................
................................
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
98:1d:75:d4:bc:d5:d9:7a:2e:48:65:e2:ea:0d:87:29:30:7c:
7a:a8:5e:f1:88:af:d4:61:de:a2:7f:a6:15:a7:a9:a0:41:28:
.................................

after this step you either self-sign the certificate (development only, see the last section) or buy one from a public CA, for example GoDaddy. We chose the second option.

I gave the server.csr content above to my manager, who bought the certificate from GoDaddy. The download contains two files: the server certificate and the CA bundle (the intermediate certificates that chain it up to GoDaddy's root). We renamed them to moodle.crt and moodle_bundle.crt and moved them to the haproxy3 server under /etc/pki/tls/certs/. We originally used only moodle.crt, but the bundle matters: HAProxy sends exactly the certificates that are in the pem file, so without the intermediates a browser may still succeed (it fetches the missing intermediate itself) while curl, Java clients and Moodle's own cron and web-service calls fail certificate verification.

now build the moodle.pem file that haproxy.cfg will point at: the server certificate first, then the bundle, then the self-generated private key. The file contains the private key, so make it readable by root only (chmod 600).
$ sudo bash -c 'cat moodle.crt moodle_bundle.crt server.key > moodle.pem'
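Putting the certificate steps together, here is a script added for this post; it is not the original author's set of commands and not part of Moodle or HAProxy. It generates the key under a safe umask, makes a CSR that carries a subjectAltName, assembles the pem in the order HAProxy expects, and then checks the result: file mode, that the key actually matches the certificate, and that the chain inside the pem verifies for the hostname. Since the real certificate comes from a commercial CA, the script stands up a throw-away local root and intermediate to play that role, which is also all you need for the development-only self-signed variant at the end of the post. The hostname moodle.example.edu, the subject fields and the scratch directory are assumptions; on the server, point assemble_pem at the purchased moodle.crt and moodle_bundle.crt instead.

```sh
#!/bin/sh
# Added example for this post (not the original author's commands): key, CSR,
# pem assembly and the checks the post skips. A throw-away local root and
# intermediate stand in for the commercial CA so the script runs offline.
# Hostname, subject fields and directory are assumptions.
set -eu

# 2048-bit RSA key created under umask 077: genrsa honours the umask, so run
# plainly under sudo the key ends up 0644, as the post's ls -l shows.
make_key() {                            # $1 = key path
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null )
}

# CSR with the hostname in subjectAltName, not only in CN: browsers ignore CN.
# A config file is used so this also works with the OpenSSL 1.0.2 of CentOS 7.
make_csr() {                            # $1 = key, $2 = csr path, $3 = hostname
    cat > "$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = US
ST = TEXAS
L = HOUSTON
O = Example University
OU = IT
CN = $3
[v3_req]
subjectAltName = DNS:$3
EOF
    openssl req -new -key "$1" -out "$2" -config "$2.cnf" 2>/dev/null
}

# Local stand-in for GoDaddy: self-signed root plus an intermediate. The
# intermediate is what a CA ships as the "bundle" file.
make_test_ca() {                        # $1 = directory
    ca=$1
    openssl genrsa -out "$ca/root.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -key "$ca/root.key" -days 3650 \
        -subj "/CN=Example Test Root" -out "$ca/root.crt" 2>/dev/null
    openssl genrsa -out "$ca/int.key" 2048 2>/dev/null
    openssl req -new -key "$ca/int.key" -subj "/CN=Example Test Intermediate" \
        -out "$ca/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$ca/int.ext"
    openssl x509 -req -sha256 -days 1825 -in "$ca/int.csr" -CA "$ca/root.crt" \
        -CAkey "$ca/root.key" -CAcreateserial -extfile "$ca/int.ext" \
        -out "$ca/moodle_bundle.crt" 2>/dev/null
}

# Server certificate issued by the intermediate; the SAN has to be supplied
# again because `x509 -req` does not copy extensions out of the CSR.
issue_cert() {                          # $1 = ca dir, $2 = csr, $3 = crt path, $4 = hostname
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$4" > "$3.ext"
    openssl x509 -req -sha256 -days 730 -in "$2" -CA "$1/moodle_bundle.crt" \
        -CAkey "$1/int.key" -CAcreateserial -extfile "$3.ext" -out "$3" 2>/dev/null
}

# HAProxy reads one pem: server certificate first, then the intermediate(s),
# then the private key. Without the bundle HAProxy never sends the chain.
assemble_pem() {                        # $1 = crt, $2 = bundle, $3 = key, $4 = pem path
    ( umask 077 && cat "$1" "$2" "$3" > "$4" )
}

# Checks to run before pointing haproxy.cfg at the pem. Returns 1 on any failure.
check_pem() {                           # $1 = pem, $2 = trusted root, $3 = hostname
    rc=0
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ] || { echo "$1: mode $mode, want 600"; rc=1; }
    certs=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1")
    key=$(sed -n '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' "$1")
    # the private key must belong to the first certificate (swapped keys are common)
    cert_pub=$(printf '%s\n' "$certs" | openssl x509 -noout -pubkey | openssl sha256)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "$1: private key does not match certificate"; rc=1; }
    # the certificates in the pem must chain to the trusted root and name the host
    chain=$(mktemp); printf '%s\n' "$certs" > "$chain"
    openssl verify -CAfile "$2" -untrusted "$chain" -verify_hostname "$3" "$chain" \
        >/dev/null 2>&1 || { echo "$1: chain or hostname does not verify"; rc=1; }
    rm -f "$chain"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then        # end-to-end run in a scratch directory
    d=$(mktemp -d); h=moodle.example.edu
    make_test_ca "$d"; make_key "$d/server.key"
    make_csr "$d/server.key" "$d/server.csr" "$h"
    issue_cert "$d" "$d/server.csr" "$d/moodle.crt" "$h"
    assemble_pem "$d/moodle.crt" "$d/moodle_bundle.crt" "$d/server.key" "$d/moodle.pem"
    check_pem "$d/moodle.pem" "$d/root.crt" "$h" && echo "$d/moodle.pem is ready"
fi
```

Run it with --demo for the full pass in a temporary directory. The three things check_pem catches (a pem that is readable by everyone, a key that belongs to a different certificate, and a pem with the bundle left out) are exactly the mistakes that make HAProxy start fine and then fail in clients, so they are worth running on the real moodle.pem before the restart.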

CONFIGURE HAPROXY FOR SSL

$ sudo vi /etc/haproxy/haproxy.cfg

add this under the global section

global
# max per-process number of SSL connections
maxsslconn 10000
# 2048-bit Diffie-Hellman parameters (the 1024-bit default is too weak)
tune.ssl.default-dh-param 2048
# refuse SSLv3 (POODLE)
ssl-default-bind-options no-sslv3

add this under the frontend section

frontend main
# terminate TLS on 443 with the combined pem (certificate, intermediate bundle, key)
bind *:443 ssl crt /etc/pki/tls/certs/moodle.pem
# tell Moodle the client came in over https, but only on TLS connections:
# this frontend also serves port 80, and an unconditional reqadd would mark
# plain-http requests as https too
http-request set-header X-Forwarded-Proto https if { ssl_fc }
# HSTS: a browser that has seen this refuses to downgrade to http for a year
http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc }

restart haproxy
$ sudo systemctl restart haproxy

confirm the build supports SSL: the output must list the OpenSSL version it was built with (a build without it rejects the "ssl" keyword on the bind line)
$ haproxy -vv

Note: the final haproxy config looks like this
$ sudo vi /etc/haproxy/haproxy.cfg

global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2

# max per-process number of SSL connections
maxsslconn 2000
# 2048-bit Diffie-Hellman parameters (the 1024-bit default is too weak)
tune.ssl.default-dh-param 2048
# refuse SSLv3 (POODLE) and TLS 1.0; drop no-tlsv10 only if legacy clients need it
ssl-default-bind-options no-sslv3 no-tlsv10
# forward-secret suites only; no RC4, 3DES, MD5 or anonymous DH
ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 10000
user haproxy
group haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 2000

#---------------------------------------------------------------------
#HAProxy statistics backend
#---------------------------------------------------------------------
listen haproxy3-monitoring *:8080
mode http
option forwardfor
option httpclose
stats enable
stats show-legends
stats refresh 2s
stats uri /stats
stats realm Haproxy\ Statistics
# shared secret: pick a real one and keep it out of anything published
stats auth admin:CHANGE_ME
# "stats admin" lets whoever logs in disable or drain backends, so bind
# this listener to a management address (or firewall port 8080), not to *
stats admin if TRUE

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
bind *:80
# terminate TLS on 443 with the combined pem (certificate, intermediate bundle, key)
bind *:443 ssl crt /etc/pki/tls/certs/moodle.pem
mode http
# send every plain-http request to https (301 so browsers remember it)
redirect scheme https code 301 if !{ ssl_fc }
# tell Moodle the client came in over https. The condition matters: this
# frontend also serves port 80, and an unconditional header (reqadd without
# "if") marks plain-http requests as https too
http-request set-header X-Forwarded-Proto https if { ssl_fc }
# HSTS: a browser that has seen this refuses to talk http to the site for a
# year (reqadd/rspadd, used here originally, were removed in HAProxy 2.1)
http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc }
option http-server-close
option forwardfor
default_backend webapp-main

# round robin balancing between the various backends
#---------------------------------------------------------------------
backend webapp-main
mode http
balance roundrobin
# the web servers speak plain http to the proxy: this leg is not encrypted,
# so the 10.10.4.0/24 network must not be reachable by clients
server web1 10.10.4.21:80 maxconn 250 check
server web2 10.10.4.22:80 maxconn 250 check

in the Moodle config on every web server, tell Moodle that TLS is terminated in front of it; otherwise it sees plain http arriving from HAProxy and generates http:// links and redirects. $CFG->wwwroot must be the https:// URL as well.
$ sudo vi /usr/share/nginx/html/config.php

$CFG->sslproxy = true;

check through curl. -k skips certificate verification, which is needed with a self-signed certificate but also hides a missing intermediate or a wrong hostname; once the CA-signed pem is in place, run it again without -k and expect no error.
$ curl -k -L -I https://moodle.na.edu
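The curl line above only shows that something answers on 443. Below is a small check script, added for this post and not part of the original or of HAProxy, that tests the properties the configuration is supposed to provide: HSTS on https responses, Secure and HttpOnly on the Moodle session cookie, a redirect from http to https, a chain that verifies without -k, and SSLv3 refused. The header checks read captured curl output, so they also run offline on the constructed sample responses in the block; probe runs the same checks against a live proxy. The hostname and the MoodleSession cookie name are assumptions.

```sh
#!/bin/sh
# Added example, not the original post's commands: checks for the HAProxy TLS
# front end. Header checks take captured `curl -sI` output on stdin, so they
# also run offline; probe() runs them against a live server. Hostname and the
# MoodleSession cookie name are assumptions.
set -eu

# https:// response headers: HSTS present, and if the Moodle session cookie
# is set it must carry Secure and HttpOnly (the two admin settings below).
check_https_headers() {
    hdrs=$(cat); rc=0
    printf '%s\n' "$hdrs" | grep -qi '^Strict-Transport-Security:.*max-age=[1-9]' \
        || { echo "missing Strict-Transport-Security"; rc=1; }
    if printf '%s\n' "$hdrs" | grep -qi '^Set-Cookie:[[:space:]]*MoodleSession'; then
        cookie=$(printf '%s\n' "$hdrs" | grep -i '^Set-Cookie:[[:space:]]*MoodleSession')
        printf '%s\n' "$cookie" | grep -qi ';[[:space:]]*secure' \
            || { echo "MoodleSession cookie lacks Secure"; rc=1; }
        printf '%s\n' "$cookie" | grep -qi ';[[:space:]]*httponly' \
            || { echo "MoodleSession cookie lacks HttpOnly"; rc=1; }
    fi
    return $rc
}

# http:// response headers: must be a redirect, and it must point at https://.
check_http_redirect() {
    hdrs=$(cat); rc=0
    printf '%s\n' "$hdrs" | grep -q '^HTTP/[0-9.]* 30[1278]' \
        || { echo "plain http is served instead of redirected"; rc=1; }
    printf '%s\n' "$hdrs" | grep -qi '^Location:[[:space:]]*https://' \
        || { echo "redirect does not point at https://"; rc=1; }
    return $rc
}

# Live checks against a deployed proxy (needs network; not run by default).
probe() {                               # $1 = hostname
    rc=0
    curl -sI "https://$1/" | check_https_headers || rc=1
    curl -sI "http://$1/" | check_http_redirect || rc=1
    # the chain must verify against the system trust store: no -k here
    openssl s_client -connect "$1:443" -servername "$1" -verify_return_error \
        </dev/null >/dev/null 2>&1 || { echo "certificate chain does not verify"; rc=1; }
    # SSLv3 must be refused, so a handshake that succeeds here is the failure
    # (an openssl built without SSLv3 rejects -ssl3 itself, which also counts as refused)
    if openssl s_client -connect "$1:443" -ssl3 </dev/null >/dev/null 2>&1; then
        echo "SSLv3 still accepted"; rc=1
    fi
    return $rc
}

# Constructed sample responses (not captured from a real server) for an offline run.
GOOD_HTTPS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: MoodleSession=abc123; path=/; secure; HttpOnly'
GOOD_HTTP='HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://moodle.example.edu/'

case "${1:-}" in
    --selftest) printf '%s\n' "$GOOD_HTTPS" | check_https_headers
                printf '%s\n' "$GOOD_HTTP" | check_http_redirect && echo "checks pass" ;;
    --probe)    probe "${2:-moodle.example.edu}" ;;
esac
```

The session-cookie flags are checked here rather than trusted, because they come from Moodle's own settings (the HTTP security page below), not from HAProxy: a proxy configured perfectly still serves a plain cookie if those settings are left off.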


MOODLE SECURITY CONFIGURATION

Site Administration-> Security -> HTTP security

enable the following:

Use HTTPS for logins
Secure cookies only
Only http cookies

SELF-SIGNING THE CERTIFICATE

This section only shows how to sign the certificate yourself. Do this for development only: nothing trusts the result, so every client has to be told to skip verification, and a certificate made this way carries no subjectAltName, which current browsers require.

self-sign the CSR with the private key and write the certificate to server.crt (valid for two years)
$ sudo openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt

concatenate the certificate and the key into the pem file HAProxy reads
$ sudo bash -c 'cat server.crt server.key > server.bundle.pem'

you should now have four files of your own: the key, the csr, the crt and the pem
$ ls -l

lrwxrwxrwx. 1 root root 49 Sep 24 20:11 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Sep 24 20:11 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root 610 Jun 29 07:47 make-dummy-cert
-rw-r--r--. 1 root root 2388 Jun 29 07:47 Makefile
-rwxr-xr-x. 1 root root 829 Jun 29 07:47 renew-dummy-cert
-rw-r--r--. 1 root root 3001 Oct 18 23:56 server.bundle.pem
-rw-r--r--. 1 root root 1326 Oct 18 23:50 server.crt
-rw-r--r--. 1 root root 1066 Oct 18 23:49 server.csr
-rw-r--r--. 1 root root 1675 Oct 18 23:47 server.key

Note that server.key and server.bundle.pem are 0644 in this listing, so any local user could read the private key; both must be 0600.