Commit 3a38934e6417baca9c1b35698645fbb7b98ff91e
1 parent 2b336e03
Exists in master and in 29 other branches
Update pound setup instructions
Showing 2 changed files with 67 additions and 62 deletions
INSTALL.https.md
1 | -Setup Noosfero to use HTTPS | |
2 | -=========================== | |
1 | +# Setup Noosfero to use HTTPS | |
3 | 2 | |
4 | 3 | This document assumes that you have a fully and clean Noosfero |
5 | 4 | installation as explained at the `INSTALL.md` file. |
6 | 5 | |
7 | -SSL certificate | |
8 | -+++++++++++++++ | |
6 | +## Creating a self-signed SSL certificate | |
9 | 7 | |
10 | 8 | You should get a valid SSL certificate, but if you want to test |
11 | 9 | your setup before, you could generate a self-signed certificate |
... | ... | @@ -17,99 +15,106 @@ as below: |
17 | 15 | # openssl req -new -x509 -nodes -sha1 -days $[10*365] -key noosfero.key > noosfero.cert |
18 | 16 | # cat noosfero.key noosfero.cert > noosfero.pem |
19 | 17 | |
18 | +## Web server configuration | |
19 | + | |
20 | 20 | There are two ways of using SSL with Noosfero: 1) If you are not using |
21 | 21 | Varnish; and 2) If you are using Varnish. |
22 | 22 | |
23 | -1) If you are are not using Varnish | |
24 | -+++++++++++++++++++++++++++++++++++ | |
23 | +### 1) If you are are not using Varnish | |
25 | 24 | |
26 | 25 | Simply do a redirect in apache to force all connections with SSL: |
27 | 26 | |
28 | - <VirtualHost *:8080> | |
29 | - ServerName test.stoa.usp.br | |
30 | - | |
31 | - Redirect / https://example.com/ | |
32 | - </VirtualHost> | |
27 | +``` | |
28 | +<VirtualHost *:8080> | |
29 | + ServerName test.stoa.usp.br | |
30 | + Redirect / https://example.com/ | |
31 | +</VirtualHost> | |
32 | +``` | |
33 | 33 | |
34 | 34 | And set a vhost to receive then: |
35 | 35 | |
36 | - <VirtualHost *:443> | |
37 | - ServerName example.com | |
38 | - | |
39 | - SSLEngine On | |
40 | - SSLCertificateFile /etc/ssl/certs/cert.pem | |
41 | - SSLCertificateKeyFile /etc/ssl/private/cert.key | |
42 | - | |
43 | - Include /etc/noosfero/apache/virtualhost.conf | |
44 | - </VirtualHost> | |
36 | +``` | |
37 | +<VirtualHost *:443> | |
38 | + ServerName example.com | |
39 | + SSLEngine On | |
40 | + SSLCertificateFile /etc/ssl/certs/cert.pem | |
41 | + SSLCertificateKeyFile /etc/ssl/private/cert.key | |
42 | + Include /etc/noosfero/apache/virtualhost.conf | |
43 | +</VirtualHost> | |
44 | +``` | |
45 | 45 | |
46 | 46 | Be aware that if you had configured varnish, the requests won't reach |
47 | 47 | it with this configuration. |
48 | 48 | |
49 | -2) If you are using Varnish | |
50 | -+++++++++++++++++++++++++++ | |
51 | - | |
52 | -Varnish isn't able to communicate with the SSL protocol, so we will | |
53 | -need some one who do this and Pound[1] can do the job. In order to | |
54 | -install it in Debian based systems: | |
49 | +### 2) If you are using Varnish | |
55 | 50 | |
56 | - $ sudo apt-get install pound | |
51 | +Varnish isn't able to communicate with the SSL protocol, so we will need some | |
52 | +one else who do this and [Pound](http://www.apsis.ch/pound) can do the job. In | |
53 | +order to install it in Debian based systems: | |
57 | 54 | |
58 | -Set Varnish to listen in other port than 80: | |
55 | +``` | |
56 | +$ sudo apt-get install pound | |
57 | +``` | |
59 | 58 | |
60 | -/etc/defaults/varnish | |
61 | ---------------------- | |
59 | +Set Varnish to listen in other port than 80 in `/etc/defaults/varnish`: | |
62 | 60 | |
63 | - DAEMON_OPTS="-a localhost:6081 \ | |
64 | - -T localhost:6082 \ | |
65 | - -f /etc/varnish/default.vcl \ | |
66 | - -S /etc/varnish/secret \ | |
67 | - -s file,/var/lib/varnish/$INSTANCE/varnish_storage.bin,1G" | |
61 | +``` | |
62 | +DAEMON_OPTS="-a localhost:6081 \ | |
63 | + -T localhost:6082 \ | |
64 | + -f /etc/varnish/default.vcl \ | |
65 | + -S /etc/varnish/secret \ | |
66 | + -s file,/var/lib/varnish/$INSTANCE/varnish_storage.bin,1G" | |
67 | +``` | |
68 | 68 | |
69 | 69 | Configure Pound: |
70 | 70 | |
71 | - # cp /usr/share/noosfero/etc/pound.cfg /etc/pound/ | |
72 | - | |
73 | -Edit /etc/pound.cfg and set the IP and domain of your server. | |
71 | +``` | |
72 | +# cp /usr/share/noosfero/etc/pound.cfg /etc/pound/ | |
73 | +``` | |
74 | 74 | |
75 | -Configure Pound to start at system initialization: | |
75 | +Edit `/etc/pound.cfg` and set the IP and domain of your server. | |
76 | 76 | |
77 | -/etc/default/pound | |
77 | +Configure Pound to start at system initialization. At `/etc/default/pound`: | |
78 | 78 | ------------------ |
79 | 79 | |
80 | - startup=1 | |
80 | +``` | |
81 | +startup=1 | |
82 | +``` | |
81 | 83 | |
82 | -Set Apache to only listen to localhost: | |
84 | +Set Apache to only listen to localhost, at `/etc/apache2/ports.conf`: | |
83 | 85 | |
84 | -/etc/apache2/ports.conf | |
85 | ------------------------ | |
86 | - | |
87 | - Listen 127.0.0.1:8080 | |
86 | +``` | |
87 | +Listen 127.0.0.1:8080 | |
88 | +``` | |
88 | 89 | |
89 | 90 | Restart the services: |
90 | 91 | |
91 | - $ sudo service apache2 restart | |
92 | - $ sudo service varnish restart | |
92 | +``` | |
93 | +$ sudo service apache2 restart | |
94 | +$ sudo service varnish restart | |
95 | +``` | |
93 | 96 | |
94 | 97 | Start pound: |
95 | 98 | |
96 | - $ sudo service pound start | |
97 | - | |
98 | -[1] http://www.apsis.ch/pound | |
99 | +``` | |
100 | +$ sudo service pound start | |
101 | +``` | |
99 | 102 | |
100 | -Noosfero XMPP chat | |
101 | -++++++++++++++++++ | |
103 | +## Noosfero XMPP chat | |
102 | 104 | |
103 | 105 | If you want to use chat over HTTPS, then you should add the domain |
104 | -and IP of your server in the /etc/hosts file, example: | |
106 | +and IP of your server in the /etc/hosts file, example | |
105 | 107 | |
106 | -/etc/hosts | |
107 | ----------- | |
108 | +`/etc/hosts:` | |
108 | 109 | |
109 | - 192.168.1.86 mydomain.example.com | |
110 | +``` | |
111 | +192.168.1.86 mydomain.example.com | |
112 | +``` | |
110 | 113 | |
111 | -Also, it's recomended that you remove lines above from the file | |
114 | +Also, it's recomended that you remove the lines below from the file | |
112 | 115 | `/etc/apache2/sites-enabled/noosfero`: |
113 | 116 | |
114 | - RewriteEngine On | |
115 | - Include /usr/share/noosfero/util/chat/apache/xmpp.conf | |
117 | +``` | |
118 | +RewriteEngine On | |
119 | +Include /usr/share/noosfero/util/chat/apache/xmpp.conf | |
120 | +``` | ... | ... |
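Review bot: The `------------------` line left as context directly under the new paragraph "Configure Pound to start at system initialization. At `/etc/default/pound`:" is a leftover setext underline, so Markdown will render that whole sentence as a level-2 heading; delete the dashes now that the file name is inline. In the same section the copy step targets `/etc/pound/` while the next step says to edit `/etc/pound.cfg`, so the two paths should be made to agree. Smaller points while the text is being rewrapped: the new `###` heading keeps "are are", "some one else who do this" and "recomended" could be corrected, the colon in `/etc/hosts:` belongs outside the backticks, and "example" lost its trailing colon. The `openssl req` line in the leading context still signs the test certificate with `-sha1`; since the section is now titled as the self-signed how-to, switching it to `-sha256` would fit this change.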
etc/pound.cfg
... | ... | @@ -5,7 +5,7 @@ TimeOut 300 |
5 | 5 | Control "/var/run/pound/poundctl.socket" |
6 | 6 | |
7 | 7 | ListenHTTP |
8 | - Address 192.168.1.86 | |
8 | + Address 0.0.0.0 | |
9 | 9 | Port 80 |
10 | 10 | xHTTP 1 |
11 | 11 | # uncomment code above if you are using chat |
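Review bot: Setting `Address 0.0.0.0` in `ListenHTTP` makes the shipped config bind port 80 on every interface of the host, but INSTALL.https.md in this same commit still tells the admin to "set the IP and domain of your server" in this file. Either add a comment above the `Address` line saying that `0.0.0.0` listens on all interfaces and should be narrowed on multi-homed hosts, or reword the INSTALL step so it is clear that editing the address is now optional.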
... | ... | @@ -22,7 +22,7 @@ ListenHTTP |
22 | 22 | End |
23 | 23 | |
24 | 24 | ListenHTTPS |
25 | - Address 192.168.1.86 | |
25 | + Address 0.0.0.0 | |
26 | 26 | Port 443 |
27 | 27 | Cert "/etc/noosfero/ssl/noosfero.pem" |
28 | 28 | Ciphers "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" | ... | ... |
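Review bot: The `Ciphers` line in the trailing context of this `ListenHTTPS` hunk still offers `RC4` and excludes `AESGCM`, and with the listener now bound to `0.0.0.0` that is the suite list every interface will negotiate. Consider dropping `RC4` (prohibited for TLS by RFC 7465) and removing `!AESGCM`, either here or in a follow-up. As with the HTTP listener, a one-line comment that `0.0.0.0` means all interfaces would help anyone copying this file to a host with more than one address.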