TechStunnel

From Redrock Wiki

Revision as of 16:53, 24 April 2023 by Redrock (talk | contribs)
Use SSL Encryption to Secure Your Trac System

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols that provide secure communications on the Internet. There are slight differences between SSL and TLS, but they essentially provide the same protection.

For Hosted Systems
If we host your Trac System, adding or updating your SSL certificate is a straightforward process.

1. Provide us with an Apache X509-compatible certificate, along with any intermediate/root files and the matching private key.

2. If a custom URL is being used, point your domain to rscprxy.go-redrock.com. This will allow you to use a URL other than "school.go-redrock.com", for example "tutortrac.school.edu" or similar.

For Non-Hosted Systems
HTTPS Encryption and Web Certificate
There are several options for implementing TLS encryption for your Trac server. A preferred method is to use a web server for HTTPS proxying, such as Apache or Nginx. Another option is a dedicated proxying application such as HAProxy. Either of these could run on a separate physical server; only the internal traffic between the proxy and the Trac System server would then be plaintext. As an alternative, a third-party application (such as Stunnel) may be installed on the Trac System server itself.

What is Stunnel?
Stunnel is a program that encrypts all data connections to your Trac server. Stunnel does this by acting as a proxy between users' browsers and the Trac application. A user opens a web browser and enters your server address, e.g. https://trac.go-redrock.com/. Stunnel receives the encrypted request, decrypts it, and forwards it to the Trac application. The Trac application then issues a response back to Stunnel; Stunnel encrypts the response and forwards it back to the user's browser. With this method, all network traffic between the server and the client is encrypted, while the Trac application communicates with Stunnel in unencrypted form.

Installing Stunnel
Click on this link to download the latest stable win64 installer. Once the .exe file has downloaded, install Stunnel using the default options.

Secure Certificate Files
The necessary SSL files are a certificate (typically cert.pem) and a key file (typically key.pem). You will need to obtain your own Apache X509-compatible certificate from a "trusted" source, such as DigiCert, GoDaddy, or VeriSign. These are just a few of the options available to you; in all, the mainstream browsers (Firefox, Chrome, Safari, etc.) only trust about 100 of the major Certificate Authorities (CAs).

If you choose to obtain your own certificate, be sure to retrieve an Apache X509-compatible certificate, as this is the only certificate type that is compatible with the Trac System. Some CAs will provide you with a chained certificate, which we will have to combine in order to make the file compatible. Place the certificate and key files in your Stunnel installation directory (C:\Program Files (x86)\stunnel). Keep a copy of your req.pem (CSR) file so you can request a new certificate when the current one expires.

Stunnel Config File
The Stunnel configuration file (stunnel.conf) is located in the C:\Program Files (x86)\stunnel\ directory. You will need to edit this file to secure your Trac site. Below is a good default config file. Simply replace the contents of stunnel.conf with this, and edit the IP address on the connect line in the [https] section to match your Trac server.

; Sample stunnel configuration file by Redrock Software

; identify the private key and public certificate files
cert = cert.pem
key = key.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Logging options useful for troubleshooting
; debug = 7 for verbose logging, 1 for emergencies only
debug = 3
output = stunnel.log

; Service-level configuration
; Accept HTTPS on 443 and forward plaintext HTTP to the Trac server's second port (81)
[https]
accept = 443
connect = 192.168.0.1:81
TIMEOUTclose = 0

Trac System Prefs.ini File
Open the Prefs.ini file in the Trac application folder. Edit the following lines to match the sample values.

If a school is NOT using stunnel at all, set:

serverProcs=15
serverProcs2=0
redirect=None

If a school is using stunnel but redirect=None, set:

serverProcs=15
serverProcs2=2

If a school is using stunnel and redirect is set to a URL (for example redirect=https://whatever.site), set:

serverProcs=2
serverProcs2=15

Full example:

[Server]
serverPort=80
serverPort2=81
serverProcs=15
serverProcs2=2
serverSecure=NO
serverSecure2=NO

The Trac application is now listening for standard HTTP connections on port 80. Those connections come from users accessing the Trac application across the network. The Trac application is also listening for standard HTTP connections on port 81; those connections come from the Stunnel application, which is itself listening for HTTPS connections on port 443.

Force All Connections on Secure Port
After the server connections have been tested and confirmed on ports 80 and 443, you can now force all users to connect on the secure port 443. Open the Prefs.ini file in the Trac application folder and make the following change:
redirect=https://[Your URL]/tracweb40/default.html

The Trac application now listens for standard HTTP connections on port 80 and redirects all requests to the address entered in the redirect setting, which should be your secure HTTPS address. The connection is then made on the secure HTTPS port 443, where Stunnel receives the request. Stunnel makes the local HTTP connection to the Trac application on port 81 and responds back to the user's browser on the secure port 443. All network traffic on your Trac system is thus directed to the secure connection on port 443.
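The Stunnel config and the Prefs.ini settings above have to agree with each other (the connect port must match serverPort2, and the serverProcs values follow the redirect rules). The checker below is an added example, not Redrock's code; it parses both files with a minimal INI reader (stunnel allows repeated keys, so a plain dict is not enough) and reports mismatches. The sample pair at the bottom is constructed, with placeholder values, and the function names are made up for this example.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_ini(text):
    """Minimal reader for stunnel.conf / Prefs.ini: ';' comments, [section] headers,
    key = value lines; options before any header go under ''. Repeated keys are kept."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def option(sections, section, key):
    """Last value of a key in a section (keys compared case-insensitively)."""
    hits = [v for k, v in sections.get(section, []) if k.lower() == key.lower()]
    return hits[-1] if hits else ""

def check_deployment(stunnel_conf, prefs_ini):
    """Cross-check the two files; returns a list of findings (empty means consistent)."""
    st, pr = parse_ini(stunnel_conf), parse_ini(prefs_ini)
    findings = [f"stunnel: '{k}' is not set, TLS cannot start"
                for k in ("cert", "key") if not option(st, "", k)]
    if option(st, "https", "accept").rsplit(":", 1)[-1] != "443":
        findings.append("stunnel: [https] does not accept on port 443")
    host, _, port = option(st, "https", "connect").rpartition(":")
    if host and host not in LOOPBACK:   # the Stunnel->Trac leg is plaintext HTTP
        findings.append(f"stunnel: connect target {host} is not loopback; confirm the plaintext leg stays on the Trac host")
    if port != option(pr, "Server", "serverPort2"):
        findings.append(f"Prefs.ini: serverPort2 must equal stunnel connect port {port}")
    redirect = option(pr, "Server", "redirect")
    forced = redirect.lower() != "none"                # redirect set to a URL
    procs = (option(pr, "Server", "serverProcs"), option(pr, "Server", "serverProcs2"))
    expected = ("2", "15") if forced else ("15", "2")  # page's rules, Stunnel in use
    if procs != expected:
        findings.append(f"Prefs.ini: expected serverProcs/serverProcs2={expected}, got {procs}")
    if forced and not redirect.startswith("https://"):
        findings.append("Prefs.ini: redirect does not point at an https:// URL")
    return findings

# Constructed sample pair mirroring the page's example (placeholder values).
SAMPLE_STUNNEL = "cert = cert.pem\nkey = key.pem\n[https]\naccept = 443\nconnect = 192.168.0.1:81\n"
SAMPLE_PREFS = "[Server]\nserverPort=80\nserverPort2=81\nserverProcs=15\nserverProcs2=2\nredirect=None\n"
```

Running check_deployment(SAMPLE_STUNNEL, SAMPLE_PREFS) returns only the loopback note for 192.168.0.1; switching redirect to an https:// URL without swapping the serverProcs values produces a finding.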

Configure Stunnel as a Service
To set stunnel as a service, run the following command in a Command Prompt window.
stunnel.exe -install

You will receive a prompt informing you that the service was installed. You can now open Services from Administrative Tools and start Stunnel as a service.
