Changes between Version 1 and Version 2 of spiam2018


Timestamp:
Sep 4, 2018, 5:15:08 AM (6 years ago)
Author:
admin
Comment:

--

  • spiam2018

    v1 v2  
    6464
    65655. These configurations are based for test purposes with self generated ssl certificates.
    66    If you have purchased ssl certificate from a commercial CA substitute those with the self signed files.
    67    If you wish to get '''letsencrypt''' certificates //Skip //to '''Step 10'''.
    68 
    69    Create a Certificate and a Key self-signed for HTTPS:
    70 * ```openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/ssl-sp.key -out /etc/ssl/certs/ssl-sp.crt -nodes -days 1095```
     66   If you have purchased ssl certificate from a commercial CA substitute those with the self signed files. If you wish to get '''letsencrypt''' certificates //Skip //to '''Step 10'''.
     67
     68Create a Certificate and a Key self-signed for HTTPS:
     69*
     70{{{
     71openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/ssl-sp.key -out /etc/ssl/certs ssl-sp.crt -nodes -days 1095
     72}}}
    7173
    72746. Modify the file ```/etc/apache2/sites-available/sp-ssl.conf``` as follows:
    7375
    74    ```apache
     76{{{
    7577   <IfModule mod_ssl.c>
    7678      SSLStaplingCache        shmcb:/var/run/ocsp(128000)
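Review bot: the converted openssl command at v2 line 71 drops the slash in the output path, `-out /etc/ssl/certs ssl-sp.crt`, where v1 line 70 had `-out /etc/ssl/certs/ssl-sp.crt`; openssl will either reject the stray `ssl-sp.crt` argument or write the certificate to `/etc/ssl/certs` instead of the file that `sp-ssl.conf` later expects, so restore the slash. The bare `*` on its own line before `{{{` (v2 line 69) renders as an empty bullet in Trac; put the text on the bullet line or drop the asterisk. Since `-nodes` leaves the private key unencrypted in `/etc/ssl/private/`, one sentence reminding the reader that this directory must stay root-only would fit here.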
     
    104106      </VirtualHost>
    105107   </IfModule>
    106    ```
    107 
    108 7. Enable **proxy_http**, **SSL** and **headers** Apache2 modules:
    109    * ```a2enmod proxy_http ssl headers alias include negotiation```
    110    * ```a2ensite sp-ssl.conf```
    111    * ```systemctl restart apache2```
    112 
    113 8. Configure Apache2 to open port **80** only for localhost:
    114    * ```vim /etc/apache2/ports.conf```
    115 
    116      ```apache
     108}}}
     109
     1107. Enable '''proxy_http''', '''SSL''' and '''headers''' Apache2 modules:
     111*
     112{{{
     113a2enmod proxy_http ssl headers alias include negotiation
     114}}}
     115*
     116{{{
     117a2ensite sp-ssl.conf
     118}}}
     119*
     120{{{
     121systemctl restart apache2
     122}}}
     123
     1248. Configure Apache2 to open port '''80''' only for localhost:
     125*
     126{{{
     127vim /etc/apache2/ports.conf
     128}}}
     129{{{
    117130     # If you just change the port or add more ports here, you will likely also
    118131     # have to change the VirtualHost statement in
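Review bot: the Step 7 heading (v2 line 110) names only `proxy_http`, `SSL` and `headers`, but the command at line 113 also enables `alias`, `include` and `negotiation`; either list all six in the heading or add a sentence on what the extra three are needed for, so a reader minimising the module set knows which ones can be left off. The bare `*` lines before each `{{{` block (v2 lines 111, 115, 119, 125) render as empty bullets; put the command text on the bullet line or remove the asterisks. The ````apache` language tag from v1 (line 74) was lost in the conversion to `{{{`; Trac can keep the highlighting with a processor line such as `{{{#!apache` if it is wanted.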
     
    128141       Listen 443
    129142     </IfModule>
    130      ```
     143}}}
    1311449. Configure Apache2 to redirect all on HTTPS:
    132    * ```vim /etc/apache2/sites-enabled/000-default.conf```
    133    
    134      ```apache
     145*
     146{{{
     147vim /etc/apache2/sites-enabled/000-default.conf
     148}}}
     149{{{
    135150     <VirtualHost *:80>
    136151        ServerName "sp.YOUR-DOMAIN"
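Review bot: Step 8 (v2 line 124) restricts port 80 to localhost, yet Step 9 (v2 line 144) adds a `*:80` VirtualHost whose only purpose is to redirect clients to HTTPS; if the `Listen` directive for port 80 is bound to 127.0.0.1 as the heading implies, external clients never reach that redirect and the two steps contradict each other. State whether port 80 is meant to stay externally reachable for the redirect only (the usual setup) or to be closed entirely, and adjust one of the two steps. `RedirectMatch permanent` at line 153 is a cached 301, so the `ServerName` at line 151 should be checked before the redirect is applied.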
     
    138153        RedirectMatch permanent ^/(.*)$ https://sp.YOUR-DOMAIN/$1
    139154     </VirtualHost>
    140      ```
    141 10. **Let'sencrypt** setup (*Skip this step if you already configured SSL with self signed or CA provided certificates*)
    142 
    143     Disable the default configuration
    144     * `cd /etc/apache2/sites-available/`
    145     * `a2dissite 000-default.conf`
    146     * `systemctl reload apache2`
    147 
    148     Create a new conf file as `sp.conf`
    149 
    150     * `cp 000-default.conf sp.conf`
    151 
    152     Edit `sp.conf` with following
    153 
    154    * `vim sp.conf`
    155 
    156 ```apache
     155}}}
     15610. '''Let'sencrypt''' setup (//Skip this step if you already configured SSL with self signed or CA provided certificates//)
     157
     158Disable the default configuration
     159*
     160{{{
     161cd /etc/apache2/sites-available/
     162}}}
     163*
     164{{{
     165a2dissite 000-default.conf
     166}}}
     167*
     168{{{
     169systemctl reload apache2
     170}}}
     171Create a new conf file as `sp.conf`
     172*
     173{{{
     174cp 000-default.conf sp.conf
     175}}}
     176Edit `sp.conf` with following
     177*
     178{{{
     179vim sp.conf
     180}}}
     181{{{
    157182<VirtualHost *:80>
    158183 
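Review bot: Step 5 (v2 line 66) sends Let's Encrypt users straight to Step 10, which skips Step 7 (`a2enmod proxy_http ssl headers …`), Step 8 and Step 9. `certbot --apache` enables `ssl` and creates its own HTTPS vhost, but nothing on this path enables `proxy_http` or `headers`, and the `SSLStaplingCache` setting from Step 6 and the redirect from Step 9 are never applied. Say explicitly which of Steps 6 to 9 still apply on the Let's Encrypt path, or move the module enabling ahead of the branch. The bare `*` lines before `{{{` (v2 lines 159, 163, 167, 172, 177) render as empty bullets; put the command on the bullet line or drop the asterisk.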
     
    165190
    166191</VirtualHost>
    167 ```
    168 
    169    Enable sp site by,
    170 
    171    * `a2ensite sp`
    172    
    173    and restart Apache
    174 
    175    * `systemctl reload apache2`
    176    
    177    
    178    Install Letsencypt and enable https
    179 
    180 ```bash
     192}}}
     193Enable sp site by,
     194*
     195{{{
     196a2ensite sp
     197}}}
     198and restart Apache
     199*
     200{{{
     201systemctl reload apache2`
     202}}}   
     203Install Letsencypt and enable https
     204{{{
    181205add-apt-repository ppa:certbot/certbot
    182206apt install python-certbot-apache
    183207certbot --apache -d sp.YOUR-DOMAIN
    184 ```
    185 ```
     208}}}
     209{{{
    186210Plugins selected: Authenticator apache, Installer apache
    187211Enter email address (used for urgent renewal and security notices) (Enter 'c' to
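Review bot: v2 line 201 carries a stray trailing backtick inside the code block (`systemctl reload apache2``), a leftover from the markdown inline code at v1 line 175; anyone pasting the block gets an unterminated quote in the shell, so remove it. `Letsencypt` at line 203 (and v1 line 178) is a typo for `Letsencrypt`. Line 207 runs `certbot --apache -d sp.YOUR-DOMAIN`, which needs the port 80 vhost to be reachable for the domain validation; a sentence noting that Step 8 must not have been applied on this path would save readers a failed run.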
     
    229253Congratulations! You have successfully enabled https://sp.YOUR-DOMAIN
    230254
    231 ```
    232 
    233 
    234 ### Configure Shibboleth SP
    235 
    236 
    237 
     255}}}
     256=== Configure Shibboleth SP ===
    23825711. Download Federation Metadata Signing Certificate: (If its available)
    239    * ```cd /etc/shibboleth/```
    240    * ```wget https://LEARN-Test-federation/signning-key.pem```
     258*
     259{{{
     260cd /etc/shibboleth/
     261}}}
     262*
     263{{{
     264wget https://LEARN-Test-federation/signning-key.pem
     265}}}
    241266
    242267
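Review bot: Step 11 (v2 line 257) fetches the federation metadata signing certificate with a plain `wget` and nothing in the step verifies what was downloaded. This certificate is the trust anchor for every IdP in the federation metadata, so add a step to compare its fingerprint (for example `openssl x509 -in signning-key.pem -noout -fingerprint -sha256`) with the value the federation publishes out of band before the SP is configured to trust it. `signning-key.pem` in the URL (v1 line 240, v2 line 264) looks like a typo for `signing-key.pem`, and `If its available` should read `If it's available`.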