Configure RemoteLabz to use SSL¶
This section guides you through the configuration of SSL between all service of the RemoteLabz.
Requirement¶
Prior to configure SSL, Remotelabz front and worker must be installed and fully functional.
- You must connect to a device of type QEMU
- You must connect to a device of type LXC
Configure your Apache 2 with HTTPS (required if you want to use Shibboleth)¶
During the installation process, the file 200-remotelabz-ssl.conf is copied in your /etc/apache2/sites-available directory. The certificate is defined as follow :
SSLCertificateFile /etc/apache2/RemoteLabz-WebServer.crt
#SSLCertificateChainFile /etc/ssl/certs/remotelabz._INTERMEDIATE.cer
SSLCertificateKeyFile /etc/apache2/RemoteLabz-WebServer.key
Two case, either you have an official certificate or you have to generate your own certificate.
Official certificate¶
If you have an official certificate, you have to copy it in your /etc/apache2 directory and rename it to RemoteLabz-WebServer.crt and RemoteLabz-WebServer.key. Next, you have to activate this site:
sudo a2ensite 200-remotelabz-ssl.conf
sudo a2enmod ssl
sudo service apache2 reload
Self-signed certificate¶
Execute the script
cd ~
sudo remotelabz/bin/install_ssl.sh
Redirection to https¶
Verify if your application is available with HTTPS and if it works fine, you can modify the /etc/apache2/sites-available/100-remotelabz.conf to redirect all HTTP request to HTTPS.
Activate the rewrite module
sudo a2enmod rewrite
Uncomment the following lines in the file /etc/apache2/sites-available/100-remotelabz.conf:
#<IfModule mod_rewrite.c>
# RewriteEngine On
# RewriteCond %{HTTPS} !=on
# RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
#</IfModule>
sudo systemctl restart apache2
Tips
You can verify your certificate with the following command :
openssl x509 -noout -text -in /etc/apache2/RemoteLabz-WebServer.crt
Warning
Don't forget to reload the Apache 2 service
sudo service apache2 reload
Copy certificate files to the worker¶
Copy the two files ~/EasyRSA/RemoteLabz-WebServer.crt and ~/EasyRSA/RemoteLabz-WebServer.key to your worker in directory /opt/remotelabz-worker/config/certs
cd ~/EasyRSA
source /opt/remotelabz/.env.local
scp ~/EasyRSA/RemoteLabz-WebServer.crt user@${WORKER_SERVER}:~
sudo scp ~/EasyRSA/RemoteLabz-WebServer.key user@${WORKER_SERVER}:~
On the worker
cd ~
sudo mv RemoteLabz-WebServer.* /opt/remotelabz-worker/config/certs/
sudo sed -i "s/REMOTELABZ_PROXY_USE_WSS=0/REMOTELABZ_PROXY_USE_WSS=1/g" /opt/remotelabz-worker/.env.local
sudo service remotelabz-worker restart
Warning
You need to use the same certificate between your front and the worker. Don't forget to copy them and to change it automatically if your certificate expired.
Shibboleth (optional - You have to be registered by Renater)¶
Warning
You have to activate HTTPS to use Shibboleth authentication method
cd ~
curl --fail --remote-name https://pkg.switch.ch/switchaai/ubuntu/dists/focal/main/binary-all/misc/switchaai-apt-source_1.0.0~ubuntu20.04.1_all.deb
sudo apt install ./switchaai-apt-source_1.0.0~ubuntu20.04.1_all.deb
sudo apt update
sudo apt install --install-recommends shibboleth
sudo a2enconf shib
sudo a2enmod shib
sudo service apache2 restart
Next step, to finish to configure your Shibboleth Service Provider (SP), you have to modify your /etc/shibboleth/shibboleth2.xml file, following the guide from Paragraph 4, depend of your Shibboleth Identity Provider (IdP):
RENATER Shibboleth Service has been moved to the official shibboleth site. - Official shibboleth site Installation and Configuration Guide
You can find all the configuration guides on the following site :
To enable Shibboleth site-wide, you need to change the value of ENABLE_SHIBBOLETH environment variable :
# .env.local
ENABLE_SHIBBOLETH=1