Note: These instructions only apply to the 11H1 ServerTemplates. SSL is supported by default in the newer LTS and Infinity ServerTemplates. See 3 Tier Deployment Setup (PHP) for an example.
To enable SSL (TLS) with your load-balancer server(s), you must add a RightScript to your load balancer's ServerTemplate, which will:
- Create an HTTPS virtual host (vhost) on the Apache HTTP server.
- Perform SSL termination on the load-balancer server for incoming client connections.
- Forward plain/unencrypted HTTP requests to application servers via HAProxy.
Note: Unencrypted HTTP requests are forwarded to the application servers on the internal network. To perform SSL termination on the application servers (behind your load balancers), please refer to the Stunnel documentation ( http://www.stunnel.org/ ).
- Ensure that your load-balancer server(s) are using a security group with TCP port 443 open for SSL/TLS connections.
- If you would like to enable SSL on boot, ensure that you are using an editable (cloned or private) ServerTemplate. If your servers are using an imported ServerTemplate, clone the ServerTemplate and update your server(s) to use the cloned one instead.
Locate your SSL server certificate and private key (in X.509/PEM format). For development and testing purposes, you may generate a self-signed certificate using a tool such as OpenSSL.
openssl req -new -x509 -nodes -out /tmp/public.pem -keyout /tmp/private.pem -days 365
Retrieve the created files from the /tmp directory.
Create credentials (Design -> Credentials) for your certificate and private key (e.g. TLS Self-Signed Cert and TLS Self-Signed Key) using the certificate and key contents.
Import the WEB apache FrontEnd https vhost RightScript from the MultiCloud Marketplace and add it as a boot script to your ServerTemplate, after or replacing the existing WEB Apache frontend http vhost boot script. (Replace the existing http vhost RightScript if you want to enable HTTPS connections only and disallow connections via port 80; otherwise, simply add the https vhost RightScript after the
Edit and save the required input values (if not already set for your ServerTemplate, deployment, or server). Set optional (OPT) inputs to ignore if not used.
Inputs (Input: Value Description):
- APPLICATION: The directory for your application's web files (/home/webapps/APPLICATION/current/); e.g. testapp.
- OPT_MAINTENANCE_PAGE: Maintenance URI to indicate whether the page exists (based on document root).
- OPT_SSL_PASSPHRASE: If your SSL certificate requires a password, you must enter it here.
- SSL_CERTIFICATE: The contents of the server SSL certificate, from the certificate file; e.g. cred:TLS Self-Signed Cert.
- SSL_KEY: The contents of the SSL private key file; e.g. cred:TLS Self-Signed Key.
- WEBSITE_DNS: Fully qualified domain name that clients use to connect to the server; e.g. text:www.example.com.
The server is now ready to launch. You can test the SSL/TLS connection by navigating to https://<WEBSITE_DNS>/ in your web browser.
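The following script is an added example and is not part of the RightScale documentation or the RightScript itself. It carries the certificate step above through with checks a practitioner wants before pasting PEM contents into the SSL_CERTIFICATE and SSL_KEY credentials: the generated key and certificate must belong together (a mismatch stops the Apache HTTPS vhost from starting), the certificate must be within its validity period, the CN should equal the WEBSITE_DNS input, and an encrypted key means OPT_SSL_PASSPHRASE has to be set. It assumes the openssl command-line tool (1.1.1 or newer) is installed; the hostname www.example.com, the /tmp/rs-ssl-example directory and the function names are placeholders chosen for this example. It generalizes the page's command slightly by adding a subjectAltName, which browsers require for hostname matching.

```shell
#!/bin/sh
# Added example (not from the RightScale page or RightScript): generate the
# self-signed development certificate and verify it before the PEM contents go
# into the SSL_CERTIFICATE / SSL_KEY credentials.
# Assumptions: openssl CLI 1.1.1+ is installed; WEBSITE_DNS and OUT_DIR are
# placeholders for this example.

WEBSITE_DNS="${WEBSITE_DNS:-www.example.com}"   # placeholder hostname
OUT_DIR="${OUT_DIR:-/tmp/rs-ssl-example}"        # constructed scratch directory
CERT="$OUT_DIR/public.pem"
KEY="$OUT_DIR/private.pem"

# The page's openssl command, plus an explicit 2048-bit RSA key, a CN equal to
# WEBSITE_DNS and a matching subjectAltName (browsers match on the SAN).
gen_selfsigned() {
    mkdir -p "$OUT_DIR" || return 1
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$WEBSITE_DNS" \
        -addext "subjectAltName=DNS:$WEBSITE_DNS" \
        -out "$CERT" -keyout "$KEY" >/dev/null 2>&1
}

# Apache refuses to start the HTTPS vhost when the certificate and key do not
# belong together; comparing the RSA modulus of each catches a pasted mismatch.
keys_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$CERT" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Success if the private key is password protected, in which case the
# OPT_SSL_PASSPHRASE input must be set (-nodes above yields an unencrypted key).
key_is_encrypted() {
    grep -q "ENCRYPTED" "$KEY"
}

# Prints the certificate's CN so it can be compared with the WEBSITE_DNS input.
cert_cn() {
    openssl x509 -noout -subject -in "$CERT" | sed -n 's/.*CN *= *//p'
}

# Success while the certificate is currently within its validity period.
cert_valid_now() {
    openssl x509 -noout -checkend 0 -in "$CERT" >/dev/null 2>&1
}

# Success if the certificate expires within $1 days (useful as a renewal alarm).
cert_expires_within() {
    ! openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$CERT" >/dev/null 2>&1
}

# After launch: confirm the load balancer presents the expected certificate on
# port 443. Needs network access, so main() does not call it.
check_endpoint() {
    openssl s_client -connect "$WEBSITE_DNS:443" -servername "$WEBSITE_DNS" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -dates
}

main() {
    gen_selfsigned || { echo "certificate generation failed" >&2; return 1; }
    keys_match || { echo "certificate and key do not match" >&2; return 1; }
    cert_valid_now || { echo "certificate is not currently valid" >&2; return 1; }
    if key_is_encrypted; then
        echo "private key is encrypted: set OPT_SSL_PASSPHRASE"
    fi
    if cert_expires_within 30; then
        echo "warning: certificate expires within 30 days" >&2
    fi
    echo "CN: $(cert_cn)"
    echo "certificate: $CERT (SSL_CERTIFICATE credential), key: $KEY (SSL_KEY credential)"
}

main "$@"
```

Run it once, paste the two PEM files into the credentials, and after the server is up use check_endpoint to confirm the certificate served on port 443 is the one you uploaded.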