Setting up secure HTTP with AMP
There are a number of methods that can be used to set up secure HTTP (HTTPS) within AMP depending on your use case.
Note that with AMP Enterprise, use of HTTPS is mandatory.
If you use the default GetAMP.sh setup script, this is handled for you automatically if you select the option to set up HTTPS when running that script. If you need to do this after the fact, simply run the following as root:

```sh
ampinstmgr setupnginx my.domain.com 8080
```

Where 8080 is the port that ADS is currently bound to. This will automatically configure nginx and run certbot to secure the domain.
Before running the command ensure that the required dependencies are installed:

- for distros that use APT as the package manager, you need nginx, certbot and python-certbot-nginx. In the case of Ubuntu 20.04, swap python-certbot-nginx for python3-certbot-nginx.
- for distros that use YUM as the package manager, you need epel-release and nginx. You also need to manually install certbot-auto by running as root:

```sh
wget -P /usr/local/bin https://dl.eff.org/certbot-auto
chmod +x /usr/local/bin/certbot-auto
```
Also, you need port 80 forwarded and allowed through any firewall for certbot to be able to install the certificate. And of course port 443 must be forwarded and allowed through any firewall to access AMP externally via HTTPS, when this method is used.
If possible, it's highly desirable to let AMP set up the nginx reverse proxy for you. However, if your use case does not support that, see the manual setup instructions below.
AMP has built-in support for HTTPS with its internal application server. AMP requires a certificate in PFX format with a passphrase. You can use ampinstmgr convertcertificate to convert a standard .cert + .key file pair into a PFX on Linux systems.
The main advantage is that no additional software is required; however, it's not suitable for use with LetsEncrypt, as AMP has to be restarted to swap out the certificate.
This method is optimal if you already have your certificate in use with another webserver.
On Linux, open /home/amp/.ampdata/instances/ADS01/AMPConfig.conf while ADS is stopped and edit the following lines:

```ini
Webserver.CertificatePath=/path/to/your/certificate.pfx
Webserver.CertificatePassword=y0urc0mplexpa5$word
```

On Windows, install the certificate into the local machine certificate store, then view the certificate to get its serial number. Once you've done this, edit the following line in the AMPConfig.conf file for ADS:

```ini
Webserver.CertificateSerial=CERTIFICATESERIALNUMBERGOESHERE
```
When using AMP's built-in HTTPS support, all existing instances other than ADS01 will need their authentication server updated to your ADS installation's new URL.
The Login section of AMPConfig.conf for each instance should look like this; make sure to change ads.somedomain.com to your chosen domain:

```ini
################################
# Login
################################
Login.UseAuthServer=True
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=https://ads.somedomain.com:8080/
Login.LDAPAllowAuthOnAnyDomain=False
Login.LDAPAuthDomain=
```

Where 8080 is the port that ADS is currently bound to. Also in ADS, under Configuration -> New Instance Defaults, you need to update the Default Auth Server URL to be the new URL of your ADS installation.
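As an added check (not part of the AMP project or this wiki), the following Python script parses an AMPConfig.conf and flags the mistakes that most often break the built-in HTTPS method above: a non-PFX or missing certificate path, an empty passphrase, and an instance whose Login.AuthServerURL still points at the old plain-HTTP ADS address. The file paths and sample fragments are constructed.

```python
from pathlib import Path
from urllib.parse import urlsplit

def parse_ampconfig(text):
    """Parse AMPConfig.conf: '#' lines are comments, the rest are Key=Value."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def check_builtin_https(cfg, pfx_exists=None):
    """Problems with an ADS config using AMP's internal HTTPS (Linux PFX variant).
    pfx_exists overrides the filesystem check so the logic can be exercised offline."""
    problems = []
    path = cfg.get("Webserver.CertificatePath", "")
    if not path:
        problems.append("Webserver.CertificatePath is not set")
    elif not path.lower().endswith(".pfx"):
        problems.append(f"{path} is not a PFX; convert it with ampinstmgr convertcertificate")
    elif pfx_exists is False or (pfx_exists is None and not Path(path).is_file()):
        problems.append(f"certificate file {path} not found")
    if not cfg.get("Webserver.CertificatePassword"):
        problems.append("Webserver.CertificatePassword is empty; AMP needs a passphrase")
    return problems

def check_instance_login(cfg, ads_host, ads_port):
    """Problems with a non-ADS instance's Login section after ADS moved to HTTPS."""
    problems = []
    if cfg.get("Login.UseAuthServer", "").lower() != "true":
        problems.append("Login.UseAuthServer must be True")
    url = urlsplit(cfg.get("Login.AuthServerURL", ""))
    if url.scheme != "https":
        problems.append("Login.AuthServerURL must use https once ADS serves HTTPS")
    if url.hostname != ads_host or url.port != ads_port:
        problems.append(f"Login.AuthServerURL should be https://{ads_host}:{ads_port}/")
    return problems

# Constructed samples mirroring the AMPConfig.conf fragments on this page.
ADS_SAMPLE = """
Webserver.CertificatePath=/home/amp/certs/ads.pfx
Webserver.CertificatePassword=y0urc0mplexpa5$word
"""
INSTANCE_SAMPLE = """
# Login
Login.UseAuthServer=True
Login.AuthServerURL=https://ads.somedomain.com:8080/
"""
```

Run check_builtin_https on the ADS config and check_instance_login on every other instance's config before starting them back up.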
You may have a use case where you want to use an nginx reverse proxy but would prefer that AMP not set it up for you - for example, where you already have a certificate for your domain (such as a wildcard), or you prefer to use a tool other than certbot (such as acme.sh) to manage your certificates. In that case, you can configure things manually.
The following nginx virtual host configuration is based on what AMP and certbot would generate. It can be included as /etc/nginx/conf.d/EXAMPLE.DOMAIN.COM.conf, or alternatively (on Debian and Ubuntu hosts) in /etc/nginx/sites-available and symlinked to /etc/nginx/sites-enabled. Either way, ensure that the relevant directory has an include directive in /etc/nginx/nginx.conf.
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name EXAMPLE.DOMAIN.COM;

    if ($host = EXAMPLE.DOMAIN.COM) {
        return 301 https://$host$request_uri;
    }

    return 404;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name EXAMPLE.DOMAIN.COM;

    # Replace the below as appropriate according to certificate locations and
    # whatever SSL settings you want. The below reflects a standard certbot
    # configuration
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.DOMAIN.COM/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.DOMAIN.COM/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:8080; # Or whatever local IP and port ADS is listening on
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-AMP-Scheme $scheme;
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_buffering off;
        client_max_body_size 10240M;

        # The error_page and /shared/ blocks below will only work if nginx and AMP are on the same host
        error_page 502 /NotRunning.html;
        location = /NotRunning.html {
            root /opt/cubecoders/amp/shared/WebRoot;
            internal;
        }
        location /shared/ {
            alias /opt/cubecoders/amp/shared/WebRoot/;
        }
    }
}
```
The ADS must be stopped before making the following changes.
First (as the amp user):

```sh
ampinstmgr reconfigure ADS01 +Core.Webserver.UsingReverseProxy True
```

Then, if the nginx reverse proxy is not on the same host as the ADS, set the right IP (e.g. 10.1.1.10):

```sh
ampinstmgr reconfigure ADS01 +Core.Webserver.ReverseProxyHost INSERT_IP
```
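Added example, not from the AMP wiki or project: a small Python lint for a hand-written vhost that checks the directives the configuration above relies on (the HTTPS listener and HTTP-to-HTTPS redirect, the certificate directives, the Upgrade/Connection/X-AMP-Scheme headers, HTTP/1.1 and a proxy_pass aimed at the port ADS is bound to). The domain amp.example.test and the reduced sample vhost are constructed.

```python
import re

# Headers the page's vhost sets; without them WebSocket upgrades and
# scheme detection behind the proxy break.
REQUIRED_HEADERS = {"Host": "$host", "Upgrade": "$http_upgrade",
                    "Connection": '"Upgrade"', "X-AMP-Scheme": "$scheme"}

def directives(conf):
    """Yield (name, args) for each directive. Comments are stripped and
    braces treated as separators; nesting is irrelevant for these checks."""
    text = "\n".join(l.split("#", 1)[0] for l in conf.splitlines())
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split(None, 1)
        if parts:
            yield parts[0], parts[1].strip() if len(parts) > 1 else ""

def check_vhost(conf, ads_port):
    """Return problems found; [] means the vhost has what ADS on ads_port needs."""
    ds = list(directives(conf))
    problems = []
    if not any(n == "listen" and "443" in a and "ssl" in a for n, a in ds):
        problems.append("no 'listen 443 ssl' directive")
    if not any(n == "return" and a.startswith("301 https://") for n, a in ds):
        problems.append("plain-HTTP server block does not redirect to https")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if not any(n == name for n, _ in ds):
            problems.append(f"{name} is missing")
    headers = dict(a.split(None, 1) for n, a in ds
                   if n == "proxy_set_header" and len(a.split()) == 2)
    for h, v in REQUIRED_HEADERS.items():
        if headers.get(h) != v:
            problems.append(f"proxy_set_header {h} {v}; is missing")
    if ("proxy_http_version", "1.1") not in ds:
        problems.append("proxy_http_version 1.1 is required for WebSockets")
    if not any(n == "proxy_pass" and a.endswith(f":{ads_port}") for n, a in ds):
        problems.append(f"proxy_pass does not target port {ads_port} (ADS)")
    return problems

# Constructed sample: the page's vhost reduced to the directives checked above.
SAMPLE = """
server { listen 80; server_name amp.example.test;
         return 301 https://$host$request_uri; }
server { listen 443 ssl http2; server_name amp.example.test;
  ssl_certificate /etc/letsencrypt/live/amp.example.test/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/amp.example.test/privkey.pem;
  location / { proxy_pass http://localhost:8080;  # ADS bind port
    proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade"; proxy_set_header X-AMP-Scheme $scheme;
    proxy_http_version 1.1; } }
"""
```

Feed it the real file (open("/etc/nginx/conf.d/EXAMPLE.DOMAIN.COM.conf").read()) alongside the port from the reconfigure step; it complements rather than replaces nginx -t, which only checks syntax.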