blog
Setting up HTTPS on the ClusterControl Server
As a platform that manages all of your databases, ClusterControl maintains the communication with the backend servers, it sends commands and collect metrics. In order to avoid unauthorized access, it is critical that the communication between your browser and a ClusterControl UI is encrypted. In this blog post we will take a look at how ClusterControl uses HTTPS to improve security.
By default, ClusterControl is configured with HTTPS enabled when you deployed it using the deployment script. All you need to do is to point your browser to: https://cc.node.hostname/clustercontrol and you can enjoy secured connection, as shown on the screenshot below.
We will go through this configuration in details. If you do not have HTTPS configured for ClusterControl, this blog will show you how to change your Apache config to enable secure connections.
Apache Configuration – Debian/Ubuntu
When Apache is deployed by ClusterControl, a file: /etc/apache2/sites-enabled/001-s9s-ssl.conf is deployed. Below is the content of that file stripped from any comments:
root@vagrant:~# cat /etc/apache2/sites-enabled/001-s9s-ssl.conf | perl -pe 's/s*#.*//' | sed '/^$/d'
ServerName cc.severalnines.local
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
RewriteEngine On
RewriteRule ^/clustercontrol/ssh/term$ /clustercontrol/ssh/term/ [R=301]
RewriteRule ^/clustercontrol/ssh/term/ws/(.*)$ ws://127.0.0.1:9511/ws/$1 [P,L]
RewriteRule ^/clustercontrol/ssh/term/(.*)$ http://127.0.0.1:9511/$1 [P]
Options +FollowSymLinks
AllowOverride All
Options +Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
SSLEngine on
SSLCertificateFile /etc/ssl/certs/s9server.crt
SSLCertificateKeyFile /etc/ssl/private/s9server.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-6]"
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Important and not standard bits are RewriteRule directives which are used for web SSH in the UI. Otherwise, it’s a pretty standard VirtualHost definition. Please mind that you will have to create SSL keys if you would attempt to recreate this configuration by hand. ClusterControl, when being installed, creates them for you.
Also in /etc/apache2/ports.conf a directive for Apache to listen on port 443 has been added:
Listen 443
Listen 443
Again, pretty much typical setup.
Apache configuration – Red Hat, Centos
Configuration looks almost the same, it’s just located in a different place:
[root@localhost ~]# cat /etc/httpd/conf.d/ssl.conf | perl -pe 's/s*#.*//' | sed '/^$/d'
ServerName cc.severalnines.local
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
RewriteEngine On
RewriteRule ^/clustercontrol/ssh/term$ /clustercontrol/ssh/term/ [R=301]
RewriteRule ^/clustercontrol/ssh/term/ws/(.*)$ ws://127.0.0.1:9511/ws/$1 [P,L]
RewriteRule ^/clustercontrol/ssh/term/(.*)$ http://127.0.0.1:9511/$1 [P]
Options +FollowSymLinks
AllowOverride All
Options +Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/s9server.crt
SSLCertificateKeyFile /etc/pki/tls/private/s9server.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-6]"
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Again, RewriteRule directives are used to enable web SSH console. In addition to this, ClusterControl adds the following lines at the top of /etc/httpd/conf/httpd.conf file:
ServerName 127.0.0.1
Listen 443
This is all that’s needed to have ClusterControl running using HTTPS.
Troubleshooting
In case of issues, here are the steps you can use to identify some of the problems. First of all, if you cannot access ClusterControl over HTTPS, please make sure that Apache listens on port 443. You can check it by using netstat. Below are results for Centos 7 and Ubuntu 16.04:
[root@localhost ~]# netstat -lnp | grep 443
tcp6 0 0 :::443 :::* LISTEN 977/httpd
root@vagrant:~# netstat -lnp | grep 443
tcp6 0 0 :::443 :::* LISTEN 1389/apache2
If Apache does not listen on that port, please review the configuration and check if there’s a “Listen 443” directive added to Apache’s configuration. Please also check if ssl module is enabled. You can check it by running:
root@vagrant:~# apachectl -M | grep ssl
ssl_module (shared)
If you have “Listen” directive used in “IfModule” section, like below:
Listen 443
You have to make sure that it’s in the configuration after modules have been loaded. For example, in Ubuntu 16.04 it’ll be those lines in /etc/apache2/apache2.conf:
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
On Centos 7 it’ll be /etc/httpd/conf/httpd.conf file and line:
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf
Normally, ClusterControl handles that correctly but if you are adding HTTPS support manually, you need to keep this in mind.
As always, please refer to Apache logs for further investigation – if HTTPS is up but for some reason you cannot reach the UI, it is possible that more clues could be found in the logs.