# Setup Noosfero to use HTTPS
This document assumes that you have a complete and clean Noosfero
installation as explained in the `INSTALL.md` file.
## Creating a self-signed SSL certificate
You should get a valid SSL certificate, but if you want to test
your setup first, you can generate a self-signed certificate
as below:

```
# mkdir /etc/noosfero/ssl
# cd /etc/noosfero/ssl
# openssl genrsa 2048 > noosfero.key
# openssl req -new -x509 -sha256 -nodes -days $((10*365)) -key noosfero.key > noosfero.cert
# cat noosfero.key noosfero.cert > noosfero.pem
```
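
The commands above write `noosfero.key` and `noosfero.pem` under the shell's current umask, which with the common default of 022 leaves the private key readable by every local user. The following is an added example, not part of the Noosfero documentation: it checks that a key file is private and that it belongs to the certificate. The function names and the `test.invalid` subject are assumptions made for the example.

```shell
# Added example: audit a key/certificate pair such as noosfero.key and
# noosfero.cert. Function names are chosen for this example only.

# Return 0 only if KEY is inaccessible to group/other and matches CERT.
check_tls_pair() {
    key=$1 cert=$2
    # Characters 5-10 of `ls -l` are the group and other permission bits.
    perms=$(ls -l "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other ($perms)" >&2
        return 1
    fi
    # The pair matches when both files carry the same public key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: $cert was not issued for $key" >&2
        return 3
    fi
    echo "OK: $key is private and matches $cert"
}

# Build a throwaway self-signed pair in DIR with the same commands as above,
# but under umask 077 so the key and the combined .pem are never
# world-readable. -subj (constructed value) avoids the interactive prompts.
make_test_pair() {
    dir=$1
    (
        umask 077
        cd "$dir" || exit 1
        openssl genrsa 2048 > noosfero.key 2>/dev/null
        openssl req -new -x509 -sha256 -nodes -days $((10*365)) \
            -subj "/CN=test.invalid" -key noosfero.key > noosfero.cert 2>/dev/null
        cat noosfero.key noosfero.cert > noosfero.pem
    )
}
```

On an existing installation, `check_tls_pair /etc/noosfero/ssl/noosfero.key /etc/noosfero/ssl/noosfero.cert` reports the first problem found on stderr and returns a non-zero status.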
## Web server configuration
There are two ways of using SSL with Noosfero: 1) If you are not using
Varnish; and 2) If you are using Varnish.
### 1) If you are not using Varnish
Simply add a redirect in Apache to force all connections to use SSL:
```
<VirtualHost *:8080>
ServerName test.stoa.usp.br
Redirect / https://example.com/
</VirtualHost>
```
And set up a vhost to receive them:
```
<VirtualHost *:443>
ServerName example.com
SSLEngine On
SSLCertificateFile /etc/ssl/certs/cert.pem
SSLCertificateKeyFile /etc/ssl/private/cert.key
Include /etc/noosfero/apache/virtualhost.conf
</VirtualHost>
```
Be aware that if you have configured Varnish, requests won't reach
it with this configuration.
### 2) If you are using Varnish
Varnish isn't able to speak the SSL protocol, so we need something else
to handle it, and [Pound](http://www.apsis.ch/pound) can do the job. To
install it on Debian-based systems:
```
$ sudo apt-get install pound
```
Set Varnish to listen on a port other than 80 in `/etc/default/varnish`:
```
DAEMON_OPTS="-a localhost:6081 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s file,/var/lib/varnish/$INSTANCE/varnish_storage.bin,1G"
```
Configure Pound:
```
# cp /usr/share/noosfero/etc/pound.cfg /etc/pound/
```
Edit `/etc/pound/pound.cfg` and set the IP and domain of your server.

Configure Pound to start at system initialization. In `/etc/default/pound`:
```
startup=1
```
Set Apache to listen only on localhost, in `/etc/apache2/ports.conf`:
```
Listen 127.0.0.1:8080
```
Restart the services:
```
$ sudo service apache2 restart
$ sudo service varnish restart
```
Start pound:
```
$ sudo service pound start
```
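
With Pound terminating TLS, Apache (port 8080) and Varnish (port 6081, admin port 6082) must be reachable only over loopback; if any of them is bound to a public address, clients can reach it in plaintext and bypass Pound. The following is an added example, not part of the Noosfero documentation: it reads `ss -ltn` output and reports any of those three ports listening on a non-loopback address. The function names and both sample listings are constructed for the example.

```shell
# Added example: flag backend ports from this guide that are exposed
# beyond loopback. Reads `ss -ltn` output on stdin, prints each offending
# Local Address:Port, and returns 1 if any was found.
exposed_backends() {
    awk '
        $1 == "LISTEN" {
            addr = $4
            port = addr
            sub(/.*:/, "", port)                 # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port !~ /^(8080|6081|6082)$/) next   # not a backend port
            if (host ~ /^127\./ || host == "[::1]") next   # loopback is fine
            print addr
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the layout this guide aims for.
sample_good() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    127.0.0.1:6081     0.0.0.0:*
LISTEN 0      128    [::1]:6081         [::]:*
LISTEN 0      10     127.0.0.1:6082     0.0.0.0:*
EOF
}

# Constructed sample: Apache still on all interfaces, Varnish admin exposed.
sample_bad() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    127.0.0.1:6081     0.0.0.0:*
LISTEN 0      10     *:6082             *:*
EOF
}
```

On the server, run `ss -ltn | exposed_backends` after restarting the services; no output and a zero exit status mean all three backend ports are loopback-only.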
## Noosfero XMPP chat
If you want to use chat over HTTPS, add the domain and IP of your
server to the `/etc/hosts` file, for example:
```
192.168.1.86 mydomain.example.com
```
Also, it's recommended that you remove the lines below from the file
`/etc/apache2/sites-enabled/noosfero`:
```
RewriteEngine On
Include /usr/share/noosfero/util/chat/apache/xmpp.conf
```