Differences

This shows you the differences between two versions of the page.

howto:hiawatha [2016/02/28 20:49] – Added example configuration for Synchronet web server The5thD
howto:hiawatha [2016/05/28 11:11] (current) – Updated "To Do" section. The5thD
Line 1: Line 1:
 ====== How to use Hiawatha as a reverse proxy server for Synchronet ====== ====== How to use Hiawatha as a reverse proxy server for Synchronet ======
-Synchronet 3.16c and prior versions do not support SSL connections. Synchronet CVS subsequent to 3.16c have an implementation of SSL, but you may either have problems with it working correctly or you may simply with to use Hiawatha's implementation of SSL. Hiawatha also has several other security features which can be useful for increasing security for Synchronet's webserver.+Synchronet 3.16c and prior versions do not support SSL connections. Synchronet CVS subsequent to 3.16c have an implementation of SSL, but you may either have problems with it working correctly or you may simply wish to use Hiawatha's implementation of SSL. Hiawatha also has several other security features which can be useful for increasing security for Synchronet's webserver.
  
 ====== Installation of Hiawatha ====== ====== Installation of Hiawatha ======
Line 57: Line 57:
 In the default configuration, the default HTTP port is 80, and the default HTTPS port is 443. In our example, we are setting the default HTTP port to 81 because Hiawatha will be listening on port 80. We want to set Synchronet to listen on a different port. The port number isn't that important, but it should match the port that Hiawatha is proxying traffic to, and it should be a port that no other service is bound to. In the default configuration, the default HTTP port is 80, and the default HTTPS port is 443. In our example, we are setting the default HTTP port to 81 because Hiawatha will be listening on port 80. We want to set Synchronet to listen on a different port. The port number isn't that important, but it should match the port that Hiawatha is proxying traffic to, and it should be a port that no other service is bound to.
  
-In our example, we are setting the HTTPS port for Synchronet's web server to 444 so that it will not conflict with Hiawatha which will be listening for incoming connections on port 443.+In our example, we are setting the HTTPS port for Synchronet's web server to 444 so that it will not conflict with Hiawatha which will be listening for incoming connections on port 443. Alternatively, you could also disable Synchronet web server's binding to an HTTPS port completely since, in this example setup, we will not be making use of that port anyway because Hiawatha will be handling HTTPS and passing it to Synchronet as HTTP.
  
 +====== Obtaining a free SSL certificate from Let's Encrypt ======
 +
 +This section is optional because a sysop may obtain an SSL certificate from any number of certificate authorities. However, Let's Encrypt is an attractive option for sysops who want a free option to quickly and easily add encryption to their website without triggering a security warning in a user's browser as would be the case with a self-signed certificate.
 +
 +Using Let's Encrypt is fairly simple and straightforward. The official documentation of Let's Encrypt can be found at https://letsencrypt.org/getting-started/ While installation of Let's Encrypt can vary depending on your operating system, many Linux distros offer the client on their repositories. If it isn't available for your distribution, you can use the standalone client available from the Let's Encrypt website.
 +
 +In our example, we'll assume that your Synchronet installation's webserver root is at /home/sbbs/sbbs/web/root and your web site address is stardate.synchro.net. Ensure that Synchronet's web server is running so that Let's Encrypt can access the server and verify that you control the site you are registering. Then, as root, you would enter
 +
 +<code>
 +letsencrypt certonly --webroot -w /home/sbbs/sbbs/web/root -d stardate.synchro.net
 +</code>
 +
 +Let's Encrypt will install its data in /etc/letsencrypt by default.
 +
 +====== Installing the Let's Encrypt SSL certificate into Hiawatha ======
 +
 +Once you've obtained a Let's Encrypt SSL certificate, run the following command as root, assuming that the URL you registered is stardate.synchro.net
 +
 +<code>
 +cat /etc/letsencrypt/live/stardate.synchro.net/privkey.pem /etc/letsencrypt/live/stardate.synchro.net/cert.pem /etc/letsencrypt/live/stardate.synchro.net/chain.pem > /etc/hiawatha/stardate.synchro.net.pem
 +</code>
 +
 +Then set the correct permissions so that the certificate can only be read by root.
 +
 +<code>
 +chmod 400 /etc/hiawatha/stardate.synchro.net.pem
 +</code>
 +
 +Edit /etc/hiawatha/hiawatha.conf and look for the heading "BINDING SETTINGS" near the top. Ensure that your settings look similar to the following:
 +
 +<code>
 +# BINDING SETTINGS
 +# A binding is where a client can connect to.
 +#
 +Binding {
 +        Port = 80
 +#       Interface = 127.0.0.1
 +#       MaxKeepAlive = 30
 +#       TimeForRequest = 3,20
 +}
 +#
 +Binding {
 +        Port = 443
 +#       Interface = ::1
 +#       MaxKeepAlive = 30
 +#       TimeForRequest = 3,20
 +        TLScertFile = stardate.synchro.net.pem
 +}
 +</code>
 +
 +The name of the TLScertFile could be a complete patch such as /etc/hiawatha/stardate.synchro.net.pem but a full path shouldn't be necessary if the certificate is in the same directory as the Hiawatha configuration file.
 +
 +Finally start (or restart) the Hiawatha web server.
 +
 +<code>
 +/etc/init.d/hiawatha restart
 +</code>
 +
 +And, if you haven't already, restart or recycle your Synchronet web server so that the changes made earlier will take effect.
 +
 +<code>
 +/etc/init.d/sbbs restart
 +</code>
 +
 +Open up your preferred web browser and point it to your web site and test it with http and https prefixes to ensure everything works properly.
 +
 +<code>
 +https://stardate.synchro.net
 +</code>
 +
 +For more information, you may refer to the following Hiawatha forum post: https://www.hiawatha-webserver.org/forum/topic/2085
 +
 +====== To Do for Wiki ======
 +<code>
 +1. Update Wiki to reflect minor default path changes from Hiawatha 10.0 to 10.1.
 +2. Possibly update Wiki to support Hiawatha 10.2's built-in support for Let's Encrypt.
 +3. Add Wiki section on setting up automatic renewal of Let's Encrypt certificates.
 +</code>
 ===== See Also ===== ===== See Also =====
   * [[:howto:|howto index]]   * [[:howto:|howto index]]
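Review bot: In the added "Installing the Let's Encrypt SSL certificate into Hiawatha" section, the `cat ... privkey.pem ... > /etc/hiawatha/stardate.synchro.net.pem` step writes the private key into a new file before `chmod 400` is run, so until the next command the file has whatever mode root's umask produces (world-readable under the common 022 umask). Suggest telling the reader to run `umask 077` in the same shell before the `cat`, and keeping the `chmod 400` as a second check. Because the combined file is a copy of the files under /etc/letsencrypt/live/, it also goes stale when the certificate is renewed, so the automatic-renewal item in the To Do should state that the `cat` and the Hiawatha restart have to be repeated after each renewal. Minor: "complete patch" in the TLScertFile paragraph should read "complete path", and the final test step shows only the https URL although the text asks the reader to test both prefixes.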