=== modified file 'src/docbkx/en/dhis2_implementation_guide_installation_detailed.xml' --- src/docbkx/en/dhis2_implementation_guide_installation_detailed.xml 2011-03-15 13:31:42 +0000 +++ src/docbkx/en/dhis2_implementation_guide_installation_detailed.xml 2011-03-21 12:56:41 +0000 @@ -440,7 +440,36 @@ You now can restart Tomcat and the Apache HTTPD server and your DHIS 2 instance should not be available on http://localhost/dhis. -
+
+ Implementing SSL encryption + In certain deployments, data may need to be encrypted between the client and server. Using Apache and the reverse proxywa setup mentioned above, we can easily implement secure transfer of data between clients and the server over HTTPS. This section will describe how to use self-signed certificates, although you can easily skip this section if you have certificates which have been generated and authenticated by a third-party. + First (as root), generate and key files and CSR (Certificate Signing Request) + mkdir /etc/apache2/ssl +cd /etc/apache2/ssl +openssl genrsa -des3 -out server.key 1024 +openssl req -new -key server.key -out server.csr + We need to remove the password from the key, otherwise Apache will not be able to use it. + cp server.key server.key.org +openssl rsa -in server.key.org -out server.key + Next, generate a self-signed certificate which will be valid for one year. + penssl x509 -req -days 365 -in server.csr -signkey \ server.key -out server.crt + Now, lets configure Apache by the SSL modules and creating a default site. + a2enmod ssl +a2ensite default-ssl + Now, we need to edit the default-ssl (located at /etc/apache2/sites-enabled/default-ssl) file in order to enable the SSL transfer fully. + <VirtualHost *:443> + ServerAdmin wemaster@mydomain.org + SSLEngine On + SSLCertificateFile /etc/apache2/ssl/server.crt + SSLCertificateKeyFile /etc/apache2/ssl/server.key +... + Be sure that the *:80 section of this file is changed to port *:443, which is the default SSL port. Also, be sure to change the ServerAdmin to the webmaster's email. + Lastly, we need to be sure that the hostname is setup properly in /etc/hosts. Just under the "localhost" line, be sure to add the server's IP address and domain name. + 127.0.0.1 localhost +XXX.XX.XXX.XXX foo.mydomain.org + Now, just restart Apache and you should be able to view https://foo.mydomain.org/dhis. + /etc/init.d/apache2 restart +
Performance tuning
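Review bot: The key-generation step `openssl genrsa -des3 -out server.key 1024` creates a 1024-bit RSA key, which is too short for a guide people will copy into new deployments; use 2048 bits or more. In the self-signed certificate step the command is misspelled as `penssl x509` and has a `\` line continuation collapsed into the middle of the line before `server.key`, so it fails when pasted. After `openssl rsa -in server.key.org -out server.key` the private key sits on disk unencrypted, so the text should tell the reader to make it readable by root only (for example `chmod 600 server.key`) and to remove or protect the `server.key.org` copy. Text typos to fix in the same pass: "reverse proxywa", "generate and key files", "configure Apache by the SSL modules", and "wemaster@mydomain.org".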