Forum Home › Forums › Rapid SCADA on Linux Controllers and Raspberry Pi › HTTPS on Linux
- This topic has 46 replies, 7 voices, and was last updated 3 years, 8 months ago by kumajaya.
-
AuthorPosts
-
December 24, 2020 at 3:11 am #7819kumajayaParticipant
I can’t edit my previous post, you can test previous configuration by accessing for example https://scada.rapidscada.org/ after restarting Apache web server:
sudo service apache2 restart
For my future references:
1. Run Apache and Nginx together: http://kbeezie.com/apache-with-nginx/
2. Mono and Nginx: https://www.mono-project.com/docs/web/fastcgi/nginx/December 24, 2020 at 12:25 pm #7823kumajayaParticipantI think run scada web as web root for my server is not a good idea since I also use it for different service.
1. Edit scada-xsp4 config:
sudo nano /etc/xsp4/scada.webapp
<apps> <web-application> <name>scada</name> <vpath>/scada</vpath> <path>/opt/scada/ScadaWeb</path> </web-application> </apps>
2. Edit Apache config:
sudo nano /etc/apache2/sites-enabled/default-ssl.conf
SSLProxyEngine on SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off ProxyPreserveHost off ProxyRequests off ProxyVia off ProxyPass /scada http://127.0.0.1:8000/scada ProxyPassReverse /scada http://127.0.0.1:8000/scada
3. Disable scada web in Apache:
sudo a2dissite scada.conf
4. Restart scada-xsp4 service:
sudo service scada-xsp4 stop
ps ax –> to check mono pid that load xsp4.exe
sudo kill -9 pid_from_previous_step
sudo service scada-xsp4 start5. Restart Apache:
sudo service apache2 restart
December 24, 2020 at 2:04 pm #7828manjey73ParticipantThank you, it works. But there are nuances 🙂 For example, if you write the root of the site mysite.com then there is a redirect from the apache page that should not be, is there any way to fix it ?
http://mysite.com:8084/scada/Login.aspx
I used port 8084. Michael needlessly removed the settings for mono-xsp4 from the installation description file for the mono version
- This reply was modified 3 years, 9 months ago by manjey73.
December 24, 2020 at 2:45 pm #7837kumajayaParticipantNo problem here, I can access for example http://scada.myserver.com/ without a redirect. But to be honest, I’m not expert in Apache configuration.
December 24, 2020 at 2:47 pm #7838manjey73ParticipantThis means that when we open the root of the site, the Apache page should open and not jump to the internal site. It is not clear why this is happening ?
December 25, 2020 at 4:24 pm #7846kumajayaParticipantRun Mono FastCGI via Nginx behind Apache (even Apache behind Nginx must be better):
1. Install Nginx:
sudo apt-get install nginx
2. Change Nginx default port from 80 to 8008 and add /scada-fastcgi virtual path:
sudo nano /etc/nginx/sites-available/default
listen 8008 default_server; listen [::]:8008 default_server;
location /scada-fastcgi { index index.html index.htm default.aspx Default.aspx; fastcgi_index index.htm; fastcgi_pass 127.0.0.1:9000; include /etc/nginx/fastcgi_params; }
3. Edit Nginx FastCGI parameter:
sudo nano /etc/nginx/fastcgi_params
fastcgi_param PATH_INFO ""; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
4. Edit Apache config and reload it:
sudo nano /etc/apache2/sites-enabled/default-ssl.conf
ProxyPass /scada-fastcgi http://127.0.0.1:8008/scada-fastcgi ProxyPassReverse /scada-fastcgi http://127.0.0.1:8008/scada-fastcgi
sudo systemctl reload apache2
5. Install Mono FastCGI if needed, run it:
sudo apt-get install mono-fastcgi-server
fastcgi-mono-server4 /applications=/scada-fastcgi:/var/www/html/scada/ /socket=tcp:127.0.0.1:90006. Start Nginx:
sudo systemctl reload nginx
You can access SCADA web at https://yourserver/scada-fastcgi
December 26, 2020 at 5:56 am #7847manjey73ParticipantRedirection was enabled by the site owner on the apache stub page, so it shouldn’t happen by itself 🙂
December 26, 2020 at 6:40 am #7848kumajayaParticipantAt least we have 2 options to run RS with SSL even with a negative impact if exists. Nginx + Mono FastCGI will be perfect for RS but I have multiple application run under Apache for now.
January 19, 2021 at 2:11 pm #8098JWParticipantusing kumajaya’s nginx fastcgi method, the demo project works well.
I am testing more complicated projects currently.
The first issue I encounter URL in Interface table not working properly. (something like the grafana integration)I tested 2 URL format:
– scadaserverip:5000/example (other web running on the same scada server)
– other.example.comthey can be loaded correctly when I open browser on server. but when i open browser on other clients, the content frame can’t load the URL page.
Is it because of the scadasweb or fastcgi or just the proxy setting?
January 20, 2021 at 3:27 am #8105JWParticipantby enabling ssl of apache2 itself, the https site show error msg of
error updating current/hourly data
Is it the Mono-WCF bug stopping scada with apache2 https?Why would we need Nginx + Mono FastCGI?
Apache2:80--->apache2-scada:80 | Apache2:443--->Nignx:8008---fastcgi:9000-----apache2-scada:80
I am thinking about the following method, is there any obstacle or bug stopping it from working? I will have a try and update my result here.
Nginx:80--->apache2-scada:8080 | Nginx:443--->apache2-scada:8080
January 20, 2021 at 1:54 pm #8113MikhailModeratorIs it the Mono-WCF bug stopping scada with apache2 https?
Yes.
What is the current status of your research?January 20, 2021 at 3:22 pm #8115JWParticipantArchitecture of my latest approach is listed below, which seems working. the configuration should be less complicated than the approach mentioned in previous replies.
---Nginx:80 | ---Nginx:443---apache2-scada:8080
Note: because embedding http content in iframe (such as External URL on Interface, or Dashboard) of https site will not work, so I redirect all http request to https. the site becomes https only. The content being embedded need to be changed to https too.
I only tested demo project will a few different External URL on interface at the moment.
I will make a procedure in detail and update here later. (Friday night or weekend)
January 21, 2021 at 2:13 pm #8130MikhailModeratorThe content being embedded need to be changed to https too.
Yes, because of the browser protection.
Thank you for the details.January 22, 2021 at 3:22 pm #8143JWParticipantContinuing from previous reply. Assuming a Linux system with SCADA installed using all default setting, no other websites.
STEP 1 – Prepare ssl certification
put them in the path you like, make sure their permission allows read/path/to/ssl.crt /path/to/ssl.key
STEP 2 – Change apache2 default ports
Edit file
sudo nano /etc/apache2/ports.conf
Change content toListen 8080 <IfModule ssl_module> Listen 8081 </IfModule> <IfModule mod_gnutls.c> Listen 8081 </IfModule>
Also edit this file
sudo nano /etc/apache2/sites-enabled/000-default.conf
change port number only, keep other things<VirtualHost *:8080> # keep the content in this file </VirtualHost>
ssl is not enbled on apache by defualt, but if ssl is already on apache, then also edit this file.
sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf
change port number only, keep other things<VirtualHost *:8081> # keep the content in this file </VirtualHost>
restart apache
sudo systemctl restart apache2.service
January 22, 2021 at 3:41 pm #8144JWParticipantSTEP 3 – Install and config Nginx
Install nginx
sudo apt install nginx
Edit this file
sudo nano /etc/nginx/sites-enabled/default
change the following content
part 1 – http:80
this is to redirect all http request to https.
delete or comment the original http:80 server, add the following serverserver { listen 80; server_name myserver.com; return 301 https://$host$request_uri; }
part 2 – https:443
this part has several functions, see comment in code
add the following https:433 serverserver { listen *:443; server_name myserver.com; # log loaction, optional access_log /var/log/nginx/myserver-ssl-proxy-access.log; error_log /var/log/nginx/myserver-ssl-proxy-error.log; ssl on; # ssl cert location, must ssl_certificate /path/to/ssl.crt; ssl_certificate_key /path/to/ssl.key; # redirect root to /scada, optional location / { rewrite ^/(.*)$ /scada/$1 redirect; } # reverse proxy to scada on apache, must location /scada/ { proxy_pass http://localhost:8080/scada/; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering off; } }
restart nginx
sudo systemctl restart nginx.service
SETP 4 – Test
you should be able to access from any of the following address. all of them will send you to https scada website.http://myserver.com http://myserver.com/scada https://myserver.com https://myserver.com/scada
-
AuthorPosts
- You must be logged in to reply to this topic.