-
Notifications
You must be signed in to change notification settings - Fork 446
SecureHttp
David Anderson edited this page Jan 20, 2024
·
4 revisions
We encourage you to enable SSL on your project's web servers. If you do this, and follow the instructions below, the following communication will be encrypted and thus protected from man-in-the-middle attacks:
- The web RPCs used for account creation, which carry volunteer email addresses.
- HTTP requests that carry volunteer email addresses and passwords, such as the login form.
- scheduler requests, which carry account authenticators, which can be used to log in to accounts.
To use SSL, you'll need to get an SSL certificate, e.g. from Let's Encrypt.. Self-signed certificates can't be used. You'll then need to change some configuration files.
In your project directory, edit the files
config.xml
html/user/schedulers.txt
In each of these files, change all http:// to https://.
Edit the project's Apache config file
(/etc/apache2/sites-enabled/<project-name>.conf)
to contain
<VirtualHost *:443>
...
SSLEngine on
SSLProtocol -all +TLSv1.2
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/isaac.ssl.berkeley.edu/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/isaac.ssl.berkeley.edu/privkey.pem
Use the Linux "wget" program to test your HTTPS; it uses libcurl, same as the BOINC client.