November 2021 Archives

The Quickest Way to Set Up HTTPS

I registered on blogs.perl.org today so that I could comment on posts about object systems. However, the very first thing I encountered was a password page with NO SSL. So, even though I have a ton to say about object systems, my first blog post will instead be about setting up SSL.

(I’m aware that this is a “legacy server problem” but I also recently learned that it doesn’t matter with traefik.)

In this grand year of 2021 you can add SSL to any site, on any architecture, for free, by adding 3 files to your server, making one small config change to Apache, and running a service. We are truly living in the future.

traefik

is the first file. It comes from https://github.com/traefik/traefik/releases, and there is one for any architecture, for instance:

The archive contains one binary, named ‘traefik’. It is a universal Linux static binary and does not depend on any library in the host system. Traefik is a reverse proxy, with lots of good defaults, and lots of features, most of which this guide is ignoring. The feature that we are going for is the automatic LetsEncrypt support built into traefik.

Put this file somewhere like /usr/local/bin/traefik

wget https://github.com/traefik/traefik/releases/download/v2.5.4/traefik_v2.5.4_linux_amd64.tar.gz
tar -xzf traefik_v2.5.4_linux_amd64.tar.gz
mkdir -p /usr/local/bin
mv traefik /usr/local/bin/

traefik.toml

is the second file. You can actually configure traefik with yaml or json as well, but I happen to have .toml files on hand, and toml is a little less likely to get whitespace-dammaged during copy/paste.


[entryPoints.http]
  address = ":80"
[entryPoints.https]
  address = ":443"
[entryPoints.traefik]
  address = "localhost:9999"
#[api]
#  insecure = true
#  dashboard = true
#  debug = true
[providers.file]
  directory = "/etc/traefik/conf"
  watch = true
[certificatesResolvers.le.acme]
  email = "hostmaster@perl.org"
  storage = "/etc/traefik/acme.json"
  caServer = "https://acme-v02.api.letsencrypt.org/directory"
  #caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[certificatesResolvers.le.acme.httpChallenge]
  entryPoint = "http"

Put this at /etc/traefik/traefik.toml

blogs.perl.org.toml

is the third file. This describes how traefik should proxy your back-end service. It goes into a different config file because it is part of the “dynamic config” rather than the “static config”. You can update any of the files in the dynamic config on the fly and traefik will pick up the changes automatically without any signaling or restart.


#[http.middlewares.https_redirect.redirectScheme]
#  scheme = "https"

[http.routers.blogs]
  entryPoints = ["http"]
#  middlewares = ["https_redirect"]
  service = "blogs"
  rule = "Host(`blogs.perl.org`)"

[http.routers.blogstls]
  entryPoints = ["https"]
  service = "blogs"
  rule = "Host(`blogs.perl.org`)"
  [http.routers.blogstls.tls]
    certResolver = "le"
    [[http.routers.blogstls.tls.domains]]
      main = "blogs.perl.org"

[http.services.blogs.loadBalancer]
  passHostHeader = true
  [[http.services.blogs.loadBalancer.servers]]
    url = "http://localhost:8080/"

Put this at /etc/traefik/conf/blogs.perl.org.toml

Apache Config Change

Next, you need apache to listen on a different port than 80. Why does traefik need 80? because the LetsEncrypt registration requires challenges to be found at port 80, and Traefik is automatically creating these responses. The configs above assume apache is moved to port 8080 on localhost.

Apache configurations vary widely per Linux distribution, so I can’t really guess at the location of these files, but if you search for

egrep -Ri '(listen|virtualhost).*80' /etc/apache*

you should see it. Simply change all occurrences of :80 to localhost:8080 and restart apache.

Running Traefik

This is another varies-by-distro situation. You want to run Traefik as a service at startup.

With SysV init, this means creating an init script. Traefik does not provide one (as traefik is typically run inside docker) but github user yaxin-cn shared one.

With systemd, you need a service file. The traefik project provides one. There is also a nice write-up of the steps by github user ubergesundheit.

Debugging

If all goes as planned, you should suddenly be able to access https://blogs.perl.org, and “just work”. Since that seldom happens, you’ll see above in traefik.toml where I commented out the “[api]” keys. Un-comment those, and now you can access traefik’s dashboard on localhost:9999. To reach that, you likely need an ssh tunnel:

ssh -L9999:localhost:9999 blogs.perl.org

Now you can browse to localhost:9999 and see traefik’s interpretation of the live state of your config files. Tinker with the configs until all errors are resolved.

As a final consideration, there is a commented-out middleware in blogs.perl.org.toml, which redirects http to https. Once you have https fully working, you can un-comment that to push everyone over to SSL. You might decide not to do that for some reason, but keep in mind that Google gives a boost to sites that force SSL, making the blogs more visible.

Thanks for reading! And thanks for hosting a community forum!

About Nerdvana

user-pic I like code, and code that writes code, and code that writes code that writes code. So I especially like Perl.