SSL Certificate installation

This document is intended for Server Administrators with sufficient technical skills. 

Introduction

The XTRF Platform application is designed to run as a backend service in a DMZ and must not be exposed directly to the Internet. For that reason, installing SSL/TLS certificates directly into XTRF is not supported.

To expose a proper HTTPS endpoint, put a TLS termination proxy or load balancer in front of XTRF. Such a component terminates the HTTPS connection from the client, which also lets you enforce access rules, log traffic and perform other actions typical of middleware before a request reaches the application. The XTRF backend itself listens on HTTPS on port 8443.

One example of such a tool is Apache HTTPD, which is free and available for all common operating systems.


Apache HTTPD SSL configuration

Below you can find the information necessary for setting up an SSL certificate for your XTRF Platform installation, with an Apache server acting as the proxy in front of the XTRF Platform. The SSL certificate can also be installed by our specialists for an additional fee; please contact the XTRF Support Team for details. Always use the latest Apache and OpenSSL releases and update them regularly: the strength of the TLS configuration depends on the library behind it being current.

  • Apache must be installed on the server. Ports 80 and 443 must be free; no other application may bind them.

  • The CSR can be generated with OpenSSL on the Apache server. For help, refer to the instructions of your chosen SSL provider, or to Apache: CSR & SSL Installation (OpenSSL).

  • The certificate file (together with its private key and the CA chain) is put on the server. The paths to these files are set in the Apache virtual host configuration file in the Apache configuration directory. The same file specifies the domain name and the listening ports, and points Apache at the XTRF Platform backend, which runs on port 8443.
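As an added example (not part of this page and not XTRF's own tooling), the following POSIX shell function generates the private key and the CSR for the Apache proxy host with OpenSSL and checks the request before it is sent to the CA. The hostname xtrf.example.com used in the usage note and the output directory are assumptions; the function needs OpenSSL 1.1.1 or later for the -addext option.

```shell
#!/bin/sh
# Generate the private key and CSR for the TLS-terminating Apache host.
# Added example: hostname and output directory are arguments, not XTRF defaults.
# Usage: gen_csr <fqdn> [outdir]   -> prints the CSR path on success
gen_csr() {
  fqdn="$1"
  outdir="${2:-.}"
  mkdir -p "$outdir" || return 1
  key="$outdir/$fqdn.key"
  csr="$outdir/$fqdn.csr"

  # -newkey rsa:2048 creates a fresh key alongside the request.
  # -nodes leaves the key unencrypted so Apache can start unattended;
  #   protect it with file permissions instead (chmod 600 below).
  # -addext puts the hostname into subjectAltName: browsers ignore a CN alone.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$key" -out "$csr" \
    -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1 || return 1
  chmod 600 "$key" || return 1

  # Check the request before handing it to the CA: the self-signature must
  # verify and the SAN we asked for must really be present.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csr" -noout -text | grep -q "DNS:$fqdn" || return 1
  echo "$csr"
}

# Example call: gen_csr xtrf.example.com /etc/ssl/xtrf
```

Send only the .csr file to the CA; the .key file never leaves the server. Once the signed certificate and the CA chain come back, they are the files referenced by SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile in the Apache virtual host.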


SSL Settings

You should also fine-tune the TLS settings (protocol versions, cipher suites, HSTS) according to current best practice. The Mozilla SSL Configuration Generator produces a ready-made block of directives for your Apache and OpenSSL versions; regenerate it when you upgrade either of them, because the recommended set changes over time.


Apache Settings for HTTPS Proxy (Windows OS)

Download an Apache HTTPD distribution for Windows.

Note that this configuration requires at least Apache 2.4.12. Add the configuration snippet to your Apache config and enable the following modules: rewrite, logio, proxy, proxy_ssl, proxy_ajp, proxy_http, headers, status and ssl. If your build has no proxy_ssl module, mod_ssl alone covers that task; it is required in any case, because it provides both the HTTPS listener on port 443 and the SSLProxyEngine directive used to reach the XTRF backend over HTTPS on port 8443.

Then find the following line in httpd.conf:

Include conf/extra/httpd-info.conf

and make sure it is uncommented (if the line starts with "#", remove it). This file enables the /server-status and /server-info pages; keep the Require directives inside it restricted to the addresses that need access, since these pages reveal request URLs and configuration details. In recent Apache versions (2.4.17 and later) you should also consider enabling HTTP/2; see the HTTP/2 guide - Apache HTTP Server Version 2.4.

As of early 2018, the default Windows Apache HTTPD distribution enables the following line:

Include conf/extra/httpd-ahssl.conf

Disable it by prepending "#": it sets up its own SSL virtual host and would conflict with the SSL configuration you are about to add.

You can use the following file as a base for your configuration: .

Apache Settings for HTTPS Proxy (Debian/Ubuntu)

Note that this configuration requires at least Apache 2.4.7, which means at least Debian 8 Jessie or Ubuntu 14.04 Trusty. Execute the following command to enable the required modules (a2enmod pulls in mod_proxy automatically; add proxy_http if your virtual host proxies to the HTTPS backend on port 8443 rather than via AJP):

sudo a2enmod proxy_ajp ssl status headers rewrite

In recent Apache versions (2.4.17 and later) you should consider enabling HTTP/2; see the HTTP/2 guide - Apache HTTP Server Version 2.4.

Please create a file /etc/apache2/sites-enabled/xtrf.conf with the following content (adapt the hostname and SSL certificate location): .
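As an added example (not the configuration file shipped by XTRF, and not part of this page), the following POSIX shell script renders a TLS-terminating virtual host of the kind described in the SSL Settings, Windows and Debian/Ubuntu sections above, and then checks that the security-relevant directives are present. The hostname xtrf.example.com, the paths under /etc/ssl/xtrf/, the backend address https://127.0.0.1:8443/ and the log directory variable are assumptions; the cipher list is the Mozilla "intermediate" profile at the time of writing and should be regenerated from the Mozilla SSL Configuration Generator for your versions.

```shell
#!/bin/sh
# Render an Apache vhost that terminates TLS in front of XTRF.
# Added example; hostname, certificate paths and backend address are arguments
# or assumptions, not XTRF defaults. Requires mod_ssl, mod_proxy, mod_proxy_http,
# mod_headers and, for the Protocols line, mod_http2 (Apache 2.4.17+).
# Usage: write_xtrf_vhost <fqdn> <cert> <key> <chain> <output-file>
write_xtrf_vhost() {
  fqdn="$1" cert="$2" key="$3" chain="$4" out="$5"
  cat > "$out" <<EOF
# Plain HTTP only redirects to HTTPS; the application is never served here.
<VirtualHost *:80>
    ServerName $fqdn
    Redirect permanent / https://$fqdn/
</VirtualHost>

<VirtualHost *:443>
    ServerName $fqdn
    Protocols h2 http/1.1

    SSLEngine on
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
    SSLCertificateChainFile $chain
    # Mozilla "intermediate" profile: TLS 1.2+, AEAD suites only.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    SSLSessionTickets off

    # HSTS: browsers stop trying port 80 at all after the first HTTPS visit.
    Header always set Strict-Transport-Security "max-age=63072000"

    # XTRF listens on HTTPS 8443, so Apache must speak TLS to the backend too.
    SSLProxyEngine on
    # The backend certificate is usually self-signed. Skipping verification is
    # acceptable only because this hop stays inside the DMZ/loopback; if the
    # backend is on another host, set SSLProxyVerify require and point
    # SSLProxyCACertificateFile at the backend's CA instead.
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/

    # Debian/Ubuntu log location; on Windows use logs/xtrf-error.log etc.
    ErrorLog \${APACHE_LOG_DIR}/xtrf-error.log
    CustomLog \${APACHE_LOG_DIR}/xtrf-access.log combined
</VirtualHost>
EOF
}

# Sanity-check a rendered vhost before reloading Apache: every directive that
# the security of the setup depends on must be there.
check_xtrf_vhost() {
  f="$1"
  grep -q '^ *SSLEngine on' "$f" || return 1
  grep -q '^ *SSLProxyEngine on' "$f" || return 1
  grep -q 'ProxyPass / https://127.0.0.1:8443/' "$f" || return 1
  grep -q 'Strict-Transport-Security' "$f" || return 1
  # Legacy protocol versions must stay disabled.
  grep -q 'SSLProtocol .*-TLSv1\.1' "$f" || return 1
}

# Example call (Debian/Ubuntu paths):
# write_xtrf_vhost xtrf.example.com /etc/ssl/xtrf/cert.pem \
#   /etc/ssl/xtrf/key.pem /etc/ssl/xtrf/chain.pem /etc/apache2/sites-enabled/xtrf.conf
# check_xtrf_vhost /etc/apache2/sites-enabled/xtrf.conf && apachectl configtest
```

After writing the file, run apachectl configtest (httpd -t on Windows) before reloading, and confirm from outside the DMZ that only ports 80 and 443 of the proxy are reachable: port 8443 of the XTRF backend must stay unreachable from the Internet, otherwise the access rules and logging enforced by the proxy can simply be bypassed.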