gwu-libraries / sfm-ui

Social Feed Manager user interface application.
http://gwu-libraries.github.io/sfm-ui
MIT License

HTTPS #361

Closed lwrubel closed 7 years ago

lwrubel commented 8 years ago

SFM does not currently run with HTTPS

justinlittman commented 8 years ago

Consider https://letsencrypt.org/

justinlittman commented 8 years ago

Not entirely clear how long this will take, so erring on the side of major.

justinlittman commented 8 years ago

Need to handle 2 scenarios:

  1. Admin has own certificate and wants to use.
  2. Admin doesn't have a certificate and wants to get one from LetsEncrypt.

Since LetsEncrypt has rate limits, will want to have this be optional for dev environments.

lwrubel commented 7 years ago

LetsEncrypt does not issue to AWS or WRLC for various reasons. Instead, focus on first scenario: allow user to use their own certificate and add the path to the certificate into the dockerfile.

adityadharne commented 7 years ago

Steps to add SSL using an existing certificate

<VirtualHost *:443>
    # Static files are served by Apache directly, not through WSGI
    Alias /static/ /opt/sfm-static/
    <Directory /opt/sfm-static>
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    # If the CA supplied intermediate certificates, add them as well (on
    # Apache 2.4.8+ they may instead be appended after the server cert in
    # SSLCertificateFile):
    #SSLCertificateChainFile /path/to/intermediate.crt

    # For WSGI daemon mode:
    # see http://code.google.com/p/modwsgi/wiki/QuickConfigurationGuide
    # Using 1 process to force only one instance of APScheduler to be run.
    # See https://github.com/gwu-libraries/sfm-ui/issues/79
    WSGIDaemonProcess sfm processes=1 threads=30 python-path=/opt/sfm-ui/sfm
    WSGIProcessGroup sfm

    # For WSGI embedded mode instead of daemon mode:
    #WSGIPythonPath /PATH/TO/sfm
    # If using a virtualenv, uncomment and tweak next line (inc. python version):
    #WSGIPythonPath /PATH/TO/YOUR/VENV/lib/python2.X/site-packages

    WSGIScriptAlias / /opt/sfm-ui/sfm/sfm/wsgi.py

    <Directory /opt/sfm-ui/sfm/sfm>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
</VirtualHost>

Note: A similar block can be added for a non-SSL site by using port 80 in the VirtualHost directive.

kerchner commented 7 years ago

@justinlittman the branch is ready for you to look at.

kerchner commented 7 years ago

Re-test after #532 is merged

justinlittman commented 7 years ago

Now that #532 is merged, @adityadharne can resume work as his schedule permits.

adityadharne commented 7 years ago

The HTTPS configuration does not stay persistent. The steps above work till the image is recreated - have to shell into the container every time to configure Apache after docker-compose up -d.

justinlittman commented 7 years ago

See https://github.com/gwu-libraries/sfm-ui/tree/t361-https

On hold pending https://github.com/pyca/cryptography/pull/3278

Make sure to pin versions in Dockerfile-ssl and to match in Dockerfile.

Also, need to account for intermediary certs.

kerchner commented 7 years ago

pyca/cryptography#3278 has now been fixed, @justinlittman to look into whether it's been released.

lwrubel commented 7 years ago

@adityadharne is going to investigate updates to LetsEncrypt that allow using it on AWS.

justinlittman commented 7 years ago

See https://github.com/gwu-libraries/SSL_HowTo

justinlittman commented 7 years ago

Justin Littman [10:59 AM] So just to be clear, I can just request from DIT? "If you're getting a proper certificate, send the csr file to a Certificate Authority (CA) and they will send back a certificate. At GWU, email it to ithelp@gwu.edu."

[10:59] And they will do this for wrlc.org domains as well?

Matthew Mihalik [11:00 AM] you'll need a GWU CNAME first

[11:01] We only issue SSL certs for GWU domains

Justin Littman [11:01 AM] Will WRLC issue for WRLC domains?

Matthew Mihalik [11:02 AM] They have to pay for them, what host are we doing? (edited)

Justin Littman [11:02 AM] For testing, gwsfm-test.wrlc.org. For production, gwsfm-prod2.wrlc.org.

Dan Kerchner [11:03 AM] we should also decide whether or not to get one for gwsfm-poe.wrlc.org

Matthew Mihalik [11:03 AM] I'd recommend getting a GWU domain, our apps should have them

Justin Littman [11:03 AM] What is the process for that?

Matthew Mihalik [11:04 AM] email ithelp@gwu.edu and request a CNAME entry for the host in question to the dns request: ie: cname gwsfm-prod2.wrlc.org to sfm.library.gwu.edu

[11:04] Then when you do the SSL cert your "Common Name" value will be the GW DNS entry

justinlittman commented 7 years ago

Note to self: The keys for gwsfm-test2 are in my home directory on server.

justinlittman commented 7 years ago

Deploy note: May need to add additional sites to social apps in admin.

justinlittman commented 7 years ago

nginx-proxy_1                   | 2017/08/23 20:37:01 [emerg] 46#46: SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/sfm-test.library.gwu.edu.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx-proxy_1                   | nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/sfm-test.library.gwu.edu.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

In the certificate file provided by DIT, the server cert came last. It had to be moved first in the file.
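Both failures recorded in this thread, the nginx-proxy `key values mismatch` emerg and the bundle from DIT with the server certificate last (plus the earlier note about intermediate certs), can be caught before the proxy is restarted. The POSIX shell script below is an added example for this page, not code from sfm-ui or its deploy repository; it assumes only the `openssl` command-line tool and writes nothing outside a temporary directory. `cert_matches_key` performs the same public-key comparison OpenSSL does in `X509_check_private_key`, and `leaf_first` rewrites a PEM bundle so the end-entity certificate comes first, followed by each issuer in turn, which is the order nginx and Apache expect.

```shell
#!/bin/sh
# Added example for this issue, not part of sfm-ui: pre-flight checks for a
# certificate bundle and key before mounting them into nginx-proxy or Apache.
# Assumes the openssl CLI is on PATH; all file paths are supplied by the caller.
set -eu

# Print the subject (-subject) or issuer (-issuer) of the first cert in $1 as a
# bare RFC 2253 string, so values from different certs compare byte-for-byte
# regardless of the "subject=" / "subject= " prefix the openssl version emits.
name() {
    openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Succeed only if the public key inside certificate $1 equals the public key
# derived from private key $2. This is the check behind nginx's
# "X509_check_private_key:key values mismatch" emerg, run before nginx does.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Split PEM bundle $1 into $2/cert1.pem, $2/cert2.pem, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Write the certs of bundle $1 to stdout leaf-first. The leaf is the cert whose
# subject is not the issuer of any other cert in the bundle; each following
# cert is the issuer of the one before it, stopping at a self-signed root.
leaf_first() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    leaf=""
    for c in "$dir"/cert*.pem; do
        subj=$(name "$c" -subject)
        issues_another=0
        for d in "$dir"/cert*.pem; do
            if [ "$c" != "$d" ] && [ "$(name "$d" -issuer)" = "$subj" ]; then
                issues_another=1
            fi
        done
        if [ "$issues_another" -eq 0 ]; then
            leaf=$c
        fi
    done
    cur=$leaf
    while [ -n "$cur" ]; do
        cat "$cur"
        iss=$(name "$cur" -issuer)
        if [ "$iss" = "$(name "$cur" -subject)" ]; then
            break                       # self-signed root: chain is complete
        fi
        next=""
        for d in "$dir"/cert*.pem; do
            if [ "$(name "$d" -subject)" = "$iss" ]; then
                next=$d
            fi
        done
        cur=$next
    done
    rm -rf "$dir"
}

# Usage: preflight.sh bundle.pem server.key > ordered.pem
# Reorders the bundle, then verifies the key against the (now first) leaf cert.
if [ $# -eq 2 ]; then
    ordered=$(mktemp)
    leaf_first "$1" > "$ordered"
    if ! cert_matches_key "$ordered" "$2"; then
        echo "private key $2 does not match the server certificate in $1" >&2
        rm -f "$ordered"
        exit 1
    fi
    cat "$ordered"
    rm -f "$ordered"
fi
```

Run it against the file the CA hands back and the key that produced the CSR; a non-zero exit means the key is for a different CSR (the mismatch nginx-proxy logged above), while a zero exit leaves a bundle on stdout that can go straight into `/etc/nginx/certs/` or `SSLCertificateFile` with the server cert first and the intermediates after it.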