Setup Noosfero to use HTTPS
===========================

This document assumes that you have a fully and clean Noosfero
installation as explained at the `INSTALL.md` file.

SSL certificate
+++++++++++++++

You should get a valid SSL certificate, but if you want to test
your setup before, you could generate a self-signed certificate
as below:

    # mkdir /etc/noosfero/ssl
    # cd /etc/noosfero/ssl
	  # openssl genrsa 1024 > noosfero.key
    # openssl req -new -x509 -nodes -sha1 -days $[10*365] -key noosfero.key > noosfero.cert
    # cat noosfero.key noosfero.cert > noosfero.pem

There are two ways of using SSL with Noosfero: 1) If you are not using
Varnish; and 2) If you are using Varnish.

1) If you are are not using Varnish
+++++++++++++++++++++++++++++++++++

Simply do a redirect in apache to force all connections with SSL:

  <VirtualHost *:8080>
    ServerName test.stoa.usp.br
   
    Redirect / https://example.com/
  </VirtualHost>

And set a vhost to receive then:

  <VirtualHost *:443>
    ServerName example.com
   
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/cert.pem
    SSLCertificateKeyFile /etc/ssl/private/cert.key
   
    Include /etc/noosfero/apache/virtualhost.conf
  </VirtualHost>

Be aware that if you had configured varnish, the requests won't reach
it with this configuration.

2) If you are using Varnish
+++++++++++++++++++++++++++

Varnish isn't able to communicate with the SSL protocol, so we will
need some one who do this and Pound[1] can do the job. In order to
install it in Debian based systems:

  $ sudo apt-get install pound

Set Varnish to listen in other port than 80:

/etc/defaults/varnish
---------------------

  DAEMON_OPTS="-a localhost:6081 \
               -T localhost:6082 \ 
               -f /etc/varnish/default.vcl \ 
               -S /etc/varnish/secret \ 
               -s file,/var/lib/varnish/$INSTANCE/varnish_storage.bin,1G"

Configure Pound:

    # cp /usr/share/noosfero/etc/pound.cfg /etc/pound/

Edit /etc/pound.cfg and set the IP and domain of your server.

Configure Pound to start at system initialization:

/etc/default/pound
------------------

  startup=1

Set Apache to only listen to localhost:

/etc/apache2/ports.conf
-----------------------

  Listen 127.0.0.1:8080

Restart the services:

  $ sudo service apache2 restart
  $ sudo service varnish restart

Start pound:

  $ sudo service pound start

[1] http://www.apsis.ch/pound

Noosfero XMPP chat
++++++++++++++++++

If you want to use chat over HTTPS, then you should add the domain
and IP of your server in the /etc/hosts file, example:

/etc/hosts
----------

  192.168.1.86	mydomain.example.com

Also, it's recomended that you remove lines above from the file
`/etc/apache2/sites-enabled/noosfero`:

    RewriteEngine On
    Include /usr/share/noosfero/util/chat/apache/xmpp.conf