OpenEMM webadmin + SSL width Apache2 and modssl

mhr · Post by **mhr** » Tue Feb 05, 2008 5:48 pm

I am wondering that nobody in this forum seems to have a security problem with using openEMMs unencrypted port 8081 for administration..

Here's my Apache2-Proxy-SSL-howto for using OpenEMM's console over SSL:

1) install apache2 width mod_ssl and mod_proxy
2) setup a ssl-virtualhost (generate certificate,...) -> if you don't know how to do this.. just google ;)
3) configure mod_proxy using http://127.0.0.1:8081

Code: Select all

# Proxy ACL                                                                                                             
    <Proxy *>                                                                                                               
        Order deny,allow                                                                                                    
        Allow from all                                                                                                      
    </Proxy>                                                                                                                
                                                                                                                            
    # Proxy directives                                                                                                      
    ProxyPass / http://127.0.0.1:8081/                                                                                      
    ProxyPassReverse / http://127.0.0.1:8081/                                                                               
    ProxyPreserveHost on

4) add host-name option (f.e. example.test.com) to the host-tag in /home/openemm/conf/console.conf

Code: Select all

<host id="" host-name="https://example.test.com" root-directory="${resin.home}/webapps/openemm">

5) restart apache2 and restart openemm

Best,
Martin

olive · Post by **olive** » Mon Sep 22, 2008 8:50 am

Does anyone know if this is the best way to secure admin access?

Are there any issues with OpenEMM being behind mod_proxy?

Is this what the OpenEMM devs would recommend?

Post by **maschoff** » Mon Sep 22, 2008 10:00 am

Actually, we have no recommendation. But if you guys work out a best practice procedure we are happy to include it in the official install guide.

Please note that since release 5.5.0 port 8081 has become 8080.

barff-lab · Post by **barff-lab** » Thu Oct 02, 2008 3:17 pm

I'm using a similar solution as the original poster, but using Lighttpd (http://www.lighttpd.net) as the proxy web server as it's more lightweight and easier to configure.

I've installed Lighttpd using yum (I'm using Fedora) and added the following directive to /etc/lighttpd/lighttpd.conf:

Code: Select all

proxy.server = ( "" =>
 ( (
     "host" => "127.0.0.1",
     "port" => 8080
  ) )
)

Then I created a self-signed SSL certificate (details on http://trac.lighttpd.net/trac/wiki/Docs%3ASSL) and enabled SSL support in Lighttpd as follows:

Code: Select all

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/etc/lighttpd/lighttpd.pem"
}

This solution not only gives you a secure connection, but also enables you to use port 80 instead of OpenEMM's standard port 8080 (the port Lighttpd uses can be easily changed in the config file).

Regards,
Thomas