HTTPS on Linux


Viewing 15 posts - 31 through 45 (of 47 total)
    #7819 kumajaya (Participant)

    I can't edit my previous post; you can test the previous configuration by accessing, for example, https://scada.rapidscada.org/ after restarting the Apache web server:

    sudo service apache2 restart

    For my future references:
    1. Run Apache and Nginx together: http://kbeezie.com/apache-with-nginx/
    2. Mono and Nginx: https://www.mono-project.com/docs/web/fastcgi/nginx/

    #7823 kumajaya (Participant)

    I think running scada web as the web root of my server is not a good idea, since I also use it for a different service.

    1. Edit scada-xsp4 config:

    sudo nano /etc/xsp4/scada.webapp

    <apps>
      <web-application>
        <name>scada</name>
        <vpath>/scada</vpath>
        <path>/opt/scada/ScadaWeb</path>
      </web-application>
    </apps>

    2. Edit Apache config:

    sudo nano /etc/apache2/sites-enabled/default-ssl.conf

    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPreserveHost off
    ProxyRequests off
    ProxyVia off

    ProxyPass /scada http://127.0.0.1:8000/scada
    ProxyPassReverse /scada http://127.0.0.1:8000/scada

    3. Disable scada web in Apache:

    sudo a2dissite scada.conf

    4. Restart scada-xsp4 service:

    sudo service scada-xsp4 stop
    ps ax    # to find the mono PID that loads xsp4.exe
    sudo kill -9 pid_from_previous_step
    sudo service scada-xsp4 start

    5. Restart Apache:

    sudo service apache2 restart

    #7828 manjey73 (Participant)

    Thank you, it works. But there are nuances 🙂 For example, if you enter the root of the site, mysite.com, then there is a redirect from the Apache page that should not happen. Is there any way to fix it?

    http://mysite.com:8084/scada/Login.aspx

    I used port 8084. Michael needlessly removed the settings for mono-xsp4 from the installation description file for the mono version.

    #7837 kumajaya (Participant)

    No problem here, I can access for example http://scada.myserver.com/ without a redirect. But to be honest, I'm not an expert in Apache configuration.

    #7838 manjey73 (Participant)

    This means that when we open the root of the site, the Apache page should open and not jump to the internal site. It is not clear why this is happening?

    #7846 kumajaya (Participant)

    Run Mono FastCGI via Nginx behind Apache (even though Apache behind Nginx should be better):

    1. Install Nginx:

    sudo apt-get install nginx

    2. Change Nginx default port from 80 to 8008 and add /scada-fastcgi virtual path:

    sudo nano /etc/nginx/sites-available/default

    listen 8008 default_server;
    listen [::]:8008 default_server;
    location /scada-fastcgi {
        index index.html index.htm default.aspx Default.aspx;
        fastcgi_index index.htm;
        fastcgi_pass 127.0.0.1:9000;
        include /etc/nginx/fastcgi_params;
    }

    3. Edit Nginx FastCGI parameter:

    sudo nano /etc/nginx/fastcgi_params

    fastcgi_param  PATH_INFO          "";
    fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;

    4. Edit Apache config and reload it:

    sudo nano /etc/apache2/sites-enabled/default-ssl.conf

    ProxyPass /scada-fastcgi http://127.0.0.1:8008/scada-fastcgi
    ProxyPassReverse /scada-fastcgi http://127.0.0.1:8008/scada-fastcgi

    sudo systemctl reload apache2

    5. Install Mono FastCGI if needed, then run it:

    sudo apt-get install mono-fastcgi-server
    fastcgi-mono-server4 /applications=/scada-fastcgi:/var/www/html/scada/ /socket=tcp:127.0.0.1:9000

    6. Start Nginx:

    sudo systemctl reload nginx

    You can access SCADA web at https://yourserver/scada-fastcgi.

    #7847 manjey73 (Participant)

    Redirection was enabled by the site owner on the apache stub page, so it shouldn’t happen by itself 🙂

    #7848 kumajaya (Participant)

    At least we have 2 options to run RS with SSL, even with a negative impact if one exists. Nginx + Mono FastCGI would be perfect for RS, but I have multiple applications running under Apache for now.

    #8098 123abc56 (Participant)

    Using kumajaya's nginx fastcgi method, the demo project works well.
    I am testing more complicated projects currently.
    The first issue I encountered: URLs in the Interface table are not working properly (something like the Grafana integration).

    I tested 2 URL formats:
    - scadaserverip:5000/example (another web app running on the same scada server)
    - other.example.com

    They load correctly when I open a browser on the server, but when I open a browser on other clients, the content frame can't load the URL page.

    Is it because of scada web, or fastcgi, or just the proxy setting?

    #8105 123abc56 (Participant)

    By enabling SSL on apache2 itself, the https site shows the error message:
    error updating current/hourly data
    Is it the Mono-WCF bug stopping scada with apache2 https?

    Why would we need Nginx + Mono FastCGI?

    Apache2:80--->apache2-scada:80
    |
    Apache2:443--->Nginx:8008---fastcgi:9000-----apache2-scada:80

    I am thinking about the following method, is there any obstacle or bug stopping it from working? I will have a try and update my result here.

    Nginx:80--->apache2-scada:8080
    |
    Nginx:443--->apache2-scada:8080

    #8113 Mikhail (Moderator)

    Is it the Mono-WCF bug stopping scada with apache2 https?

    Yes.
    What is the current status of your research?

    #8115 123abc56 (Participant)

    The architecture of my latest approach is listed below, and it seems to work. The configuration should be less complicated than the approach mentioned in previous replies.

    ---Nginx:80
         |
    ---Nginx:443---apache2-scada:8080

    Note: because embedding http content in an iframe (such as an External URL on the Interface, or Dashboard) of an https site will not work, I redirect all http requests to https. The site becomes https only. The content being embedded needs to be changed to https too.

    I have only tested the demo project with a few different External URLs on the Interface at the moment.

    I will write up the procedure in detail and update here later (Friday night or weekend).
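    The browser protection this exchange runs into (plain-http frames inside an https page are blocked, so the External URL content must also move to https) can be checked before deployment. This is an added example, not code from the posters or from Rapid SCADA; the page it scans is a constructed stand-in for an Interface page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subresources a browser blocks outright on an https page when loaded over http
# ("active" mixed content); images and media are "passive" and only warn.
ACTIVE_TAGS = {"iframe", "frame", "script", "object", "embed"}

class MixedContentScanner(HTMLParser):
    """Collect src-loaded subresources that would be fetched over plain http."""
    def __init__(self, page_scheme="https"):
        super().__init__()
        self.page_scheme = page_scheme
        self.blocked, self.warned = [], []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if not src or self.page_scheme != "https":
            return                                # nothing is mixed on a plain-http page
        if urlsplit(src).scheme == "http":        # relative and "//host" URLs inherit https
            (self.blocked if tag in ACTIVE_TAGS else self.warned).append((tag, src))

def scan_mixed_content(html, page_scheme="https"):
    """Return {'blocked': [...], 'warned': [...]} for a page served over page_scheme."""
    scanner = MixedContentScanner(page_scheme)
    scanner.feed(html)
    return {"blocked": scanner.blocked, "warned": scanner.warned}

# Constructed sample resembling an Interface page with External URL frames.
SAMPLE_PAGE = """
<iframe src="http://scadaserverip:5000/example"></iframe>
<iframe src="https://other.example.com/"></iframe>
<img src="http://scadaserverip/logo.png">
<iframe src="/scada/plugins/chart"></iframe>
"""
```

    Anything listed under "blocked" is what a client browser will refuse to load once the site is https-only, which matches the symptom of an empty content frame.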

    #8130 Mikhail (Moderator)

    The content being embedded need to be changed to https too.

    Yes, because of the browser protection.
    Thank you for the details.

    #8143 123abc56 (Participant)

    Continuing from the previous reply. Assuming a Linux system with SCADA installed using all default settings, and no other websites.

    STEP 1 – Prepare the SSL certificate and key
    Put them in the path you like and make sure their permissions allow read.

    /path/to/ssl.crt
    /path/to/ssl.key

    STEP 2 – Change the apache2 default ports
    Edit the file
    sudo nano /etc/apache2/ports.conf
    Change the content to

    Listen 8080
    
    <IfModule ssl_module>
            Listen 8081
    </IfModule>
    
    <IfModule mod_gnutls.c>
            Listen 8081
    </IfModule>

    Also edit this file
    sudo nano /etc/apache2/sites-enabled/000-default.conf
    Change the port number only, keep everything else

    <VirtualHost *:8080>
    # keep the content in this file
    </VirtualHost>

    SSL is not enabled on Apache by default, but if SSL is already on Apache, then also edit this file.
    sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf
    Change the port number only, keep everything else

    <VirtualHost *:8081>
    # keep the content in this file
    </VirtualHost>

    Restart Apache
    sudo systemctl restart apache2.service

    #8144 123abc56 (Participant)

    STEP 3 – Install and configure Nginx
    Install nginx
    sudo apt install nginx

    Edit this file
    sudo nano /etc/nginx/sites-enabled/default

    Change the following content

    Part 1 – http:80
    This is to redirect all http requests to https.
    Delete or comment out the original http:80 server and add the following server

    server {
        listen      80;
        server_name myserver.com;
        return      301 https://$host$request_uri;
    }

    Part 2 – https:443
    This part has several functions, see the comments in the code.
    Add the following https:443 server

    server {
            listen       *:443 ssl;   # TLS is enabled on the listen directive; the old 'ssl on;' form is deprecated
            server_name  myserver.com;

            # log location, optional
            access_log  /var/log/nginx/myserver-ssl-proxy-access.log;
            error_log   /var/log/nginx/myserver-ssl-proxy-error.log;

            # ssl cert location, must
            ssl_certificate /path/to/ssl.crt;
            ssl_certificate_key /path/to/ssl.key;

            # redirect root to /scada, optional
            location / {
                    rewrite ^/(.*)$ /scada/$1 redirect;
            }

            # reverse proxy to scada on apache, must
            location /scada/ {
                    proxy_pass http://localhost:8080/scada/;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_buffering off;
            }
    }

    Restart nginx
    sudo systemctl restart nginx.service

    STEP 4 – Test
    You should be able to access it from any of the following addresses. All of them will send you to the https SCADA website.

    http://myserver.com
    http://myserver.com/scada
    https://myserver.com
    https://myserver.com/scada
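    A defender's check for the STEP 3 layout, as an added example that is not the poster's code: a minimal nginx config parser plus an audit of the http redirect server and the TLS reverse-proxy server. The embedded config is a constructed, condensed copy of the one above; the HSTS and X-Forwarded-Proto checks are recommendations that go beyond what the post configures.

```python
import re
# Constructed sample: the two nginx server blocks from the post above, condensed.
SAMPLE_NGINX_CONF = """
server { listen 80; return 301 https://$host$request_uri; }
server {
    listen *:443;  ssl on;
    ssl_certificate /path/to/ssl.crt;  ssl_certificate_key /path/to/ssl.key;
    location /scada/ { proxy_pass http://localhost:8080/scada/;
                       proxy_set_header X-Forwarded-Proto $scheme; }
}
"""
def parse_nginx(text):
    """Minimal nginx parser: returns [(directive, [args], children_or_None), ...]."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0
    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            start = pos
            while tokens[pos] not in ("{", ";"): pos += 1
            words, children = tokens[start:pos], None
            if tokens[pos] == "{":
                pos += 1; children = block(); pos += 1   # consume the matching "}"
            else:
                pos += 1                                  # consume the ";"
            items.append((words[0], words[1:], children))
        return items
    return block()

def audit_tls_proxy(conf):
    """Return findings for the http->https redirect server and the TLS reverse-proxy server."""
    findings = []
    for _, _, srv in (s for s in parse_nginx(conf) if s[0] == "server"):
        d = {name: args for name, args, kids in srv if kids is None}  # simple directives only
        port = d.get("listen", [""])[0].rsplit(":", 1)[-1]
        if port == "80" and not " ".join(d.get("return", [])).startswith("301 https://"):
            findings.append("port 80 server does not 301-redirect to https")
        elif port == "443":
            if "ssl" not in d["listen"] and d.get("ssl") != ["on"]:
                findings.append("port 443 server has no TLS enabled")
            elif d.get("ssl") == ["on"]:
                findings.append("'ssl on' is deprecated; use 'listen 443 ssl;'")
            findings += [f"port 443 server lacks {k}" for k in ("ssl_certificate", "ssl_certificate_key") if k not in d]
            if not any(n == "add_header" and a[:1] == ["Strict-Transport-Security"] for n, a, _ in srv):
                findings.append("no HSTS header; browsers can still be downgraded to http")
            for n, a, kids in srv:   # each proxied location must tell the backend the real scheme
                if n == "location" and ["X-Forwarded-Proto", "$scheme"] not in [x for m, x, _ in kids if m == "proxy_set_header"]:
                    findings.append(f"location {a[-1]} does not pass X-Forwarded-Proto to the backend")
    return findings
```

    Run `audit_tls_proxy(open("/etc/nginx/sites-enabled/default").read())` on the real file to get the same findings for a live host.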