Setup SSL certificate with ATS & Apache httpd


Setup SSL certificate with ATS & Apache httpd

Alexander Yurchik
Hello

I have ATS & Apache httpd installed and configured to run my site.
Both run on the same machine. ATS is version 5.x.
ATS listens on port 80 and my config for ports is:

CONFIG proxy.config.http.server_ports STRING 80

Now I obtained an SSL certificate from the Let's Encrypt project and want my site to be available via https as well.
How can I do that?

Now my idea is to create an SSL-enabled virtual host in Apache httpd and just configure ATS to listen on port 443 and map the https URL to Apache's virtual host with SSL enabled. So basically I just need to set up ATS to listen on 443 and do the proper mapping.

OR

Maybe I don't need to set up SSL in Apache and all SSL stuff should be configured on the ATS level? If so, how can I do that?

Thanks!

Re: Setup SSL certificate with ATS & Apache httpd

Reindl Harald


Am 13.09.2017 um 12:04 schrieb Alexander Yurchik:

> Hello
>
> I have ATS & Apache httpd installed and configured to run my site.
> Both run on the same machine. ATS is version 5.x.
> ATS listens on port 80 and my config for ports is:
>
> CONFIG proxy.config.http.server_ports STRING 80
>
> Now I obtained an SSL certificate from the Let's Encrypt project and want my
> site to be available via https as well.
> How can I do that?
>
> Now my idea is to create an SSL-enabled virtual host in Apache httpd and
> just configure ATS to listen on port 443 and map the https URL to Apache's
> virtual host with SSL enabled. So basically I just need to set up ATS to
> listen on 443 and do the proper mapping.
>
> OR
>
> Maybe I don't need to set up SSL in Apache and all SSL stuff should be
> configured on the ATS level? If so, how can I do that?

first throw away version 5.x - it's a joke when it comes to TLS - bad
enough that 7.1.1 still doesn't support RSA/ECDSA dualstack, but 5.x as far
as i remember did not even support DHE and other ciphers properly

when you have a proxy in front there is no need to configure https on
the backend - google for "tls offloading" - the client never talks to
the httpd machine and it makes no sense to encrypt the traffic between
frontend and backend, especially when both are on the same machine

records.config
CONFIG proxy.config.http.server_ports STRING 80 443:ssl

remap.config:
map http://whatever http://backend
map https://whatever http://backend

remap.config when you want to enforce https:
map http://whatever https://whatever
map https://whatever http://backend

ssl_multicert.config:
ssl_cert_name=/path/to/your/certificate-including-the-chain.pem

if you don't know how to make a sane pem-file containing the whole
chain, certificate and key just read
https://docs.trafficserver.apache.org/en/4.2.x/reference/configuration/ssl_multicert.config.en.html
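Added example, not part of the thread: a small Python check for the combined pem-file that ssl_cert_name points at, assembled from Let's Encrypt's cert.pem, chain.pem and privkey.pem (assumed file layout) in the order leaf, intermediates, key; the fake_block data is constructed for the demo and is not a real certificate or key, and the script checks only block order and encoding, not signatures or key/cert matching.

```python
import base64
import re

# Assumed layout: Let's Encrypt's cert.pem (leaf), chain.pem (intermediates) and
# privkey.pem are concatenated into the one file that ssl_cert_name in
# ssl_multicert.config points at: leaf first, chain next, private key last.
# Structural check only: it does not verify signatures or key/cert matching.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def parse_pem(text):
    """Return [(label, der_bytes)] for each PEM block, rejecting corrupt bodies."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:  # binascii.Error raised on bad base64 is a subclass of ValueError
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"corrupt {label} block") from exc
        blocks.append((label, der))
    return blocks

def check_bundle(text):
    """Raise ValueError on a mis-ordered or incomplete bundle, else return a summary."""
    labels = [label for label, _ in parse_pem(text)]
    if not labels or labels[0] != "CERTIFICATE":
        raise ValueError("bundle must start with the leaf CERTIFICATE")
    keys = [label for label in labels if label in KEY_LABELS]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if labels[-1] not in KEY_LABELS:
        raise ValueError("the private key must be the last block")
    return {"certificates": labels.count("CERTIFICATE"), "key": keys[0]}

def is_valid_bundle(text):
    """Boolean wrapper around check_bundle for quick pass/fail use."""
    try:
        check_bundle(text)
        return True
    except ValueError:
        return False

def build_bundle(cert_pem, chain_pem, key_pem):
    """Concatenate cert.pem, chain.pem and privkey.pem contents in ATS order and check it."""
    bundle = "".join(part.strip() + "\n" for part in (cert_pem, chain_pem, key_pem))
    check_bundle(bundle)
    return bundle

def fake_block(label, payload):
    """Constructed sample data for demonstration: not a real certificate or key."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Run check_bundle on the real bundle before pointing ssl_multicert.config at it; a key listed before the leaf or a missing intermediate is the usual reason ATS serves an incomplete chain.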