dhis2-devs team mailing list archive

[Branch ~dhis2-documenters/dhis2/dhis2-docbook-docs] Rev 277: Added a section on using SSL through a reverse proxy.


------------------------------------------------------------
revno: 277
committer: Jason P. Pickering <jason.p.pickering@xxxxxxxxx>
branch nick: dhis2-docbook-docs
timestamp: Mon 2011-03-21 14:56:41 +0200
message:
  Added a section on using SSL through a reverse proxy.
modified:
  src/docbkx/en/dhis2_implementation_guide_installation_detailed.xml


--
lp:~dhis2-documenters/dhis2/dhis2-docbook-docs
https://code.launchpad.net/~dhis2-documenters/dhis2/dhis2-docbook-docs

=== modified file 'src/docbkx/en/dhis2_implementation_guide_installation_detailed.xml'
--- src/docbkx/en/dhis2_implementation_guide_installation_detailed.xml	2011-03-15 13:31:42 +0000
+++ src/docbkx/en/dhis2_implementation_guide_installation_detailed.xml	2011-03-21 12:56:41 +0000
@@ -440,7 +440,36 @@
 </screen></para>
       <para>You now can restart Tomcat and the Apache HTTPD server and your DHIS 2 instance should not be available on http://localhost/dhis. </para>
     </section>
-    <section/>
+    <section>
+      <title>Implementing SSL encryption</title>
+      <para>In certain deployments, data may need to  be encrypted between the client and server. Using Apache and the reverse proxywa  setup mentioned above, we can easily implement secure transfer of data between clients and the server over HTTPS. This section will describe how to use self-signed certificates, although you can easily skip this section if you have certificates which have been generated and authenticated by a third-party. </para>
+      <para>First (as root), generate and key files and CSR (Certificate Signing Request) </para>
+      <screen>mkdir /etc/apache2/ssl
+cd /etc/apache2/ssl
+openssl genrsa -des3 -out server.key 1024
+openssl req -new -key server.key -out server.csr</screen>
+      <para>We need to remove the password from the key, otherwise Apache will not be able to use it. </para>
+      <para><screen>cp server.key server.key.org
+openssl rsa -in server.key.org -out server.key</screen></para>
+      <para>Next, generate a self-signed certificate which will be valid for one year.</para>
+      <screen>penssl x509 -req -days 365 -in server.csr -signkey \ server.key -out server.crt</screen>
+      <para>Now, lets configure Apache by the SSL modules and creating a default site.</para>
+      <screen>a2enmod ssl
+a2ensite default-ssl</screen>
+      <para>Now, we need to edit the default-ssl (located at <filename>/etc/apache2/sites-enabled/default-ssl</filename>) file in order to enable the SSL transfer fully. </para>
+      <para><screen>&lt;VirtualHost *:443&gt;
+        ServerAdmin wemaster@xxxxxxxxxxxx
+       SSLEngine On
+       SSLCertificateFile /etc/apache2/ssl/server.crt
+       SSLCertificateKeyFile /etc/apache2/ssl/server.key
+...</screen></para>
+      <para>Be sure that the *:80 section of this file is changed to port *:443, which is the default SSL port. Also, be sure to change the ServerAdmin to the webmaster&apos;s email. </para>
+      <para>Lastly, we need to be sure that the hostname is setup properly in /etc/hosts. Just under the &quot;localhost&quot; line, be sure to add the server&apos;s IP address and domain name. </para>
+      <para><screen>127.0.0.1 localhost
+XXX.XX.XXX.XXX foo.mydomain.org</screen></para>
+      <para>Now, just restart Apache and you should be able to view https://foo.mydomain.org/dhis. </para>
+      <screen>/etc/init.d/apache2 restart</screen>
+    </section>
     <section/>
     <section>
       <title>Performance tuning</title>
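Review bot: the self-signed certificate command on the `x509` line is broken in two ways and will fail as typed: the binary is misspelt as `penssl`, and `\ server.key` in the middle of a single line is a stray line continuation, so the shell hands `-signkey` an argument with a leading space instead of the file name. It should read `openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt`. On the key itself, `openssl genrsa -des3 -out server.key 1024` creates a 1024-bit key whose passphrase the next step strips anyway; generating it unencrypted at 2048 bits (`openssl genrsa -out server.key 2048`) removes the copy and `openssl rsa` steps and avoids an undersized key, and since the result is an unencrypted private key written as root it should be restricted with `chmod 600 /etc/apache2/ssl/server.key`. The default-ssl excerpt shows `SSLEngine On` and the certificate paths but not the proxy directives from the reverse-proxy section this builds on; unless the `ProxyPass`/`ProxyPassReverse` lines for `/dhis` are also placed inside the `*:443` virtual host, https://foo.mydomain.org/dhis will not reach Tomcat, and the text should say so (the instruction to change the `*:80` section to `*:443` also reads as if it refers to the plain-HTTP site, whereas the stock default-ssl already listens on 443). Given that the stated motivation is encrypting data between client and server, the section should also note that the existing port 80 proxy remains reachable and ought to be disabled or redirected to HTTPS, and that browsers will warn on a self-signed certificate. Minor prose fixes: `proxywa` to `proxy`, `generate and key files` to `generate the key file`, `configure Apache by the SSL modules` to `by enabling the SSL module`, `lets` to `let's`, `wemaster` to `webmaster`, the uneven indentation inside the VirtualHost block, and the unchanged context line above still says the instance `should not be available` where `should now be available` is meant.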