SUSE / DeepSea

A collection of Salt files for deploying, managing and automating Ceph.
GNU General Public License v3.0

deepsea should configure apache for SSL to ensure secure openattic access #653

Open Martin-Weiss opened 7 years ago

Martin-Weiss commented 7 years ago

To ensure openattic is reachable via SSL we should enable SSL for the apache instance on the openattic host:

  1. Add SSL certificates, in case they do not exist, to /etc/ssl/servercerts as servercert.pem and serverkey.pem (in case the YaST CA was created during SLES installation, these files might already exist)

  2. Add SSL to APACHE_SERVER_FLAGS="" in /etc/sysconfig/apache2 (APACHE_SERVER_FLAGS="SSL")

  3. Create /etc/apache2/vhosts.d/vhost-ssl.conf with content such as:

```apache
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost _default_:443>
        DocumentRoot "/srv/www/htdocs"
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log
        SSLEngine on
        SSLCertificateFile /etc/ssl/servercerts/servercert.pem
        SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
        CustomLog /var/log/apache2/ssl_request_log   ssl_combined
</VirtualHost>
</IfDefine>
</IfDefine>
```

Restart apache2 in case the SSL flag was added or the certificate was added / replaced or the vhost-ssl.conf was created / adjusted.
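The steps in the comment above, written as a Salt state. This is an added example, not code from DeepSea or from the issue author: the state IDs and the file modes (including 0600 on the private key) are assumptions, while the paths and the vhost body are the ones given in the comment.

```yaml
# Hypothetical state file (not part of DeepSea). Step 1 is assumed done:
# the certificate and key already exist; only the key's permissions are enforced.
openattic_ssl_key_perms:
  file.managed:
    - name: /etc/ssl/servercerts/serverkey.pem
    - user: root
    - group: root
    - mode: '0600'        # assumption: private key readable by root only
    - create: False       # never create an empty key file
    - replace: False      # never touch the key's contents

# Step 2: only the empty default from the issue is rewritten. A line that
# already carries other flags does not match and is left for manual review.
openattic_apache_ssl_flag:
  file.replace:
    - name: /etc/sysconfig/apache2
    - pattern: '^APACHE_SERVER_FLAGS=""'
    - repl: 'APACHE_SERVER_FLAGS="SSL"'

# Step 3: vhost body copied from the issue text.
openattic_vhost_ssl:
  file.managed:
    - name: /etc/apache2/vhosts.d/vhost-ssl.conf
    - user: root
    - group: root
    - mode: '0644'
    - contents: |
        <IfDefine SSL>
        <IfDefine !NOSSL>
        <VirtualHost _default_:443>
                DocumentRoot "/srv/www/htdocs"
                ErrorLog /var/log/apache2/error_log
                TransferLog /var/log/apache2/access_log
                SSLEngine on
                SSLCertificateFile /etc/ssl/servercerts/servercert.pem
                SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
                CustomLog /var/log/apache2/ssl_request_log   ssl_combined
        </VirtualHost>
        </IfDefine>
        </IfDefine>

# Restart only when the flag or the vhost file actually changed.
apache2:
  service.running:
    - enable: True
    - watch:
      - file: openattic_apache_ssl_flag
      - file: openattic_vhost_ssl
```

A replaced certificate triggers the restart only if the certificate itself is deployed by a Salt state that is added to the `watch` list.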

neilashbysenior commented 6 years ago

@Martin-Weiss Hi Martin, I also had to make changes to pg_hba.conf and postgresql.conf in order to get Openattic to work properly with SSL. Did you have to do this? I ran stage 4 again and it doesn't appear to have overwritten the changes I made to Apache or Postgres outside of Deepsea, which is good.