Adding https support to FOG server with Centos 7



    This guide is to show how to add https support (simple mode) to your fog server. These instructions assume you know how to request a certificate and to interact with the fog server and its configuration.

    NOTE: This approach is not supported by the fog developers

    The intent is simply to show a hack that adds https support with self-signed or enterprise certificates. Understand that with this approach the http web interface will remain operational for pxe booting and FOG client communications. If you need these features also protected within the https protocol, please follow the officially supported process to activate https on your fog server.

    The first thing you will need, of course, is your enterprise-signed certificate with a subject that matches the dns name of your fog server. This certificate needs to be in .pem format. You will need two files: the server private key and the public certificate. The certificate must be issued to the FQDN of your FOG server; CAs (certificate authorities) have not allowed IP addresses as subjects for many years now.

    Understand these instructions are for Centos 7. You will need to adapt them for your FOG server host OS.

    Place the private key file in /etc/pki/tls/private
    Place the public key file in /etc/pki/tls/certs

    For this tutorial let's call the private key server.key and the public certificate server.crt.

    Now that the certificates are in place let's work on the apache server configuration. For Centos we need to install the apache mod_ssl package. So as root (or with sudo) install the mod_ssl package with yum install mod_ssl -y

    Change into the apache configuration directory with

    cd /etc/httpd/conf.d

    Copy the existing FOG configuration file to the ssl modified version.

    cp fog.conf fogssl.conf

    Edit the file /etc/httpd/conf.d/fogssl.conf

    At the top change the port from 80 to the ssl port of 443

    <VirtualHost *:80>

    Change to

    <VirtualHost *:443>

    Just below the <VirtualHost *:443> line insert the following lines of text:

        SSLEngine on

        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder on

        #   Server Certificate:
        SSLCertificateFile /etc/pki/tls/certs/server.crt
        #   Server Private Key:
        SSLCertificateKeyFile /etc/pki/tls/private/server.key

    Save the configuration file

    Restart apache with the following command

    systemctl restart httpd

    If the system restarts cleanly then your configuration changes should be good.

    Now open a browser and key in https://<fog_server_dns_name>/fog. If everything is good you should see the login page for FOG.
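    As an added example (a script of my own, not part of the original post or of FOG), the steps above can be scripted and the certificate pair sanity-checked before httpd is restarted: the script builds fogssl.conf from fog.conf with the port change and SSL directives from this guide, then verifies that the private key matches the certificate, that the certificate is issued to the server FQDN, and that the key file is not readable by other users. The paths are the guide's; the FQDN fog.example.test is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or the FOG project): automate the
# fogssl.conf edit from the guide and check the key/certificate pair first.
set -eu

KEY=/etc/pki/tls/private/server.key      # paths from the guide
CRT=/etc/pki/tls/certs/server.crt
FQDN=fog.example.test                    # assumed placeholder; use your server's DNS name

# make_ssl_conf SRC DST: copy the FOG vhost, switch port 80 to 443 and insert
# the SSL directives directly under the <VirtualHost> line, as the guide does.
make_ssl_conf() {
    awk -v key="$KEY" -v crt="$CRT" '
        /<VirtualHost \*:80>/ {
            print "<VirtualHost *:443>"
            print "    SSLEngine on"
            print "    SSLProtocol all -SSLv2 -SSLv3 -TLSv1"
            print "    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
            print "    SSLHonorCipherOrder on"
            print "    SSLCertificateFile " crt
            print "    SSLCertificateKeyFile " key
            next
        }
        { print }
    ' "$1" > "$2"
}

# check_cert_pair KEY CRT FQDN: fail (non-zero, message on stderr) if the key
# does not belong to the certificate, the certificate is not issued to FQDN,
# or the key file grants any permission to "other" users.
check_cert_pair() {
    k=$1; c=$2; host=$3
    [ "$(openssl pkey -in "$k" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$c" -pubkey -noout 2>/dev/null)" ] ||
        { echo "key and certificate do not match" >&2; return 1; }
    openssl x509 -in "$c" -noout -checkhost "$host" | grep -q "does match" ||
        { echo "certificate is not issued to $host" >&2; return 1; }
    case $(stat -c %a "$k" 2>/dev/null || stat -f %Lp "$k") in
        *[1-7]) echo "$k is readable by other users" >&2; return 1 ;;
    esac
}

# Usage on the FOG server (as root), then test the config before restarting:
#   check_cert_pair "$KEY" "$CRT" "$FQDN" &&
#   make_ssl_conf /etc/httpd/conf.d/fog.conf /etc/httpd/conf.d/fogssl.conf &&
#   apachectl configtest && systemctl restart httpd
```

    Run apachectl configtest before the restart so a typo in fogssl.conf does not take the http vhost (and pxe booting) down with it.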

    Things that still need to be worked out:

    1. http redirect to https without breaking pxe booting and fog client interaction with the fog server.

    ref: https://revocent.com/configuring-apache-httpd-tls-using-microsoft-adcs-certificates/

