Goal: to support HTTPS for learnexa subdomain sites and own domain sites.
HTTPS for learnexa subdomain sites is simpler and can be done with a single certificate, but for own domain sites we need to serve a different certificate for each domain. So the plan is to do this in one of the two ways below. Both are tested and work fine, except for the known issues noted.
As of now learnexa subdomain sites are served through one public IP and own domain sites through another. Using HAProxy's HTTPS (SSL termination) support, we can run two frontends: one for learnexa subdomain sites, served over https, and another for own domain sites, served over http.
The following changes are needed for this.
a) Changes to haproxy for prodapp role and Chat role (https://wiki.exphosted.com/doku.php/haproxy_changes).
b) Code changes to Chat configuration so that it works correctly for both own domain and learnexa subdomain sites. (Done on na3. An issue will be filed to check in the code when ready.)
c) Create and serve the certificates. (Done.)
1. HAProxy http to https redirects look similar to server down messages and need to be differentiated. (Done. For now the difference is that the BADRQ string is added to the server down responses, so we can key on that.)
2. Load test haproxy with the new changes. (ab testing looked fine, but Divya reported that the site is a bit slow. To be rechecked by Syed.)
Learnexa subdomain sites work as described above, but own domain sites that have an SSL certificate will be served through https. These certificates are uploaded by the customers following our instructions. An own domain site without a certificate continues to work over http.
The steps are:
1. Own domain sites continue to work with http.
2. The customer prepares an SSL certificate by following our instructions on the domain settings page of their site and uploads it. We validate the certificate.
3. If it is a valid certificate, this triggers an email to the learnexa admin and we configure apache / haproxy accordingly with predefined templates.
4. Once done, an email is sent to the site owner and the learnexa super admin that the site is SSL ready.
5. From then on the site works with SSL.
(Steps 3 and 4 can be automated without any admin intervention. If we want an extra check from our side, we can keep the scripts ready and run them ourselves.)
This is the obvious way, but it involves maintenance on each app server, so it is not preferred. NOTE - need to try out smooth http to https redirection for ongoing requests.
1. The customer uploads a .pem (crt + private key) file to our server.
2. The administrator adds the file to the certs directory.
3. The haproxy config is then edited and reloaded, which triggers an email to the user that SSL was enabled for the domain.
4. The customer is automatically redirected to the SSL site the next time they refresh the page (steps 2, 3 and 4 can be automated).
The steps are already automated through rlhaprox script.
a. Logic to handle ssl support for own domain sites. (Done)
b. UI for site owner to upload certificates. (Will be done after approval)
c. Templates and script to quickly add certificate and reload apache/haproxy. (Done)
1. The site owner can upload/generate their SSL certificate in one of the three ways below:
a. Uploading a .pem file.
b. Uploading the CRT and their private key.
c. Requesting Learnexa to generate the CSR and KEY files, downloading the CSR, getting it signed by a Certificate Authority and later uploading the .PEM file, or the .CRT and .KEY (private key) files, back to Learnexa.
What is a PEM file?
A. This applies if you have a .CRT (certificate signed by a Certificate Authority for your domain) and a .KEY (private key) concatenated in a single file. Open a notepad or any text editor and paste the content of the CRT file, followed on the next line by the content of the KEY file, exactly as is and without extra spaces. If you are not comfortable doing this, or you see a "verification failed" message on our site, you can upload the CRT + KEY files by choosing option B.
What is a Private key?
A. This is the secret key our server uses to enable HTTPS. It cannot be uploaded on its own, as it also requires a .CRT file.
What is a .CSR file?
A. This file is required by your Certificate Authority (CA) to verify your domain's (eg, example.com) legitimacy. Your CA uses it to create the .CRT file.
What is a .CRT file?
A. This is the file your Certificate Authority generates after successful verification of the .CSR file.
a) is chosen by customers who have a tech team / can manage certificates on their own.
b) is chosen by customers who already have a CRT file and use it on their sites.
c) is for customers who are not much into tech and wish to generate the necessary files through our site.
For c) -
1. The customer will be asked the following questions:
a. Country (2 letters) : eg, IN (for India)
b. State or Province Name : eg, Tamil Nadu
c. Locality Name (city) : eg, Chennai
d. Organization Name : eg, Expertus
e. Common Name : eg, example.com (Domain to subsite mapping)
f. Email Address : eg, admin@example.com
2. Once the details are collected, we create an openssl configuration file (.cnf; an example is already present on many Linux boxes at /etc/ssl/openssl.cnf).
3. Then we generate the key and CSR and give them to the customer.
4. Once the CSR is signed by a Certificate Authority (eg, GoDaddy, Comodo etc), the customer can upload the .key and .crt files through option c.
5. We concatenate .crt + .key and create the .pem file on our server.
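The key and CSR generation for option c), as an added example in Ruby (the app's language). This is not Learnexa's own code: it takes the questionnaire answers above, validates them, and returns the key and CSR as PEM text, using Ruby's standard openssl library instead of an openssl.cnf file so that it runs stand-alone. The questionnaire fields are from this page; the key size (2048-bit RSA), the SHA-256 digest, the sample answers and the function names are assumptions.

```ruby
require "openssl"

# Added example, not Learnexa's own code: build the private key and CSR for
# option (c) from the questionnaire answers on the page. Field names follow the
# questionnaire; key size and digest are assumptions.
CSR_FIELDS = {
  "C"            => "Country (2 letters)",
  "ST"           => "State or Province Name",
  "L"            => "Locality Name (city)",
  "O"            => "Organization Name",
  "CN"           => "Common Name",
  "emailAddress" => "Email Address",
}.freeze

# Validate the answers and turn them into an X.509 subject name.
def build_subject(answers)
  missing = CSR_FIELDS.keys.select { |k| answers[k].to_s.strip.empty? }
  raise ArgumentError, "missing: #{missing.map { |k| CSR_FIELDS[k] }.join(', ')}" unless missing.empty?
  raise ArgumentError, "Country must be a 2-letter code" unless answers["C"] =~ /\A[A-Z]{2}\z/
  # The CN must be a bare host name (no scheme or path); haproxy matches SNI on it.
  raise ArgumentError, "Common Name must be a domain name" unless answers["CN"] =~ /\A(\*\.)?[a-z0-9.-]+\z/i
  OpenSSL::X509::Name.new(CSR_FIELDS.keys.map { |k| [k, answers[k].strip] })
end

# Generate a fresh RSA key and a CSR signed with it. Both PEMs are returned: the
# CSR goes to the customer for the CA, the key is kept for the later .crt + .key
# concatenation into the haproxy .pem.
def generate_key_and_csr(answers, bits: 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = build_subject(answers)
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  { key_pem: key.to_pem, csr_pem: csr.to_pem }
end

# Sanity check before handing the CSR out: it parses and its self-signature
# verifies against the key we generated, i.e. the two really belong together.
def csr_matches_key?(csr_pem, key_pem)
  csr = OpenSSL::X509::Request.new(csr_pem)
  key = OpenSSL::PKey::RSA.new(key_pem)
  csr.verify(key)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample answers (the example values given on the page).
  answers = { "C" => "IN", "ST" => "Tamil Nadu", "L" => "Chennai", "O" => "Expertus",
              "CN" => "example.com", "emailAddress" => "admin@example.com" }
  out = generate_key_and_csr(answers)
  puts out[:csr_pem]
  puts "CSR and key consistent: #{csr_matches_key?(out[:csr_pem], out[:key_pem])}"
end
```

The customer receives only csr_pem to take to the CA; the returned key_pem is the secret that later gets concatenated with the signed .crt, so it has to be stored with the same care as the finished .pem.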
The idea here is to serve the certificates from the rails app as soon as the customer uploads a certificate and it is valid. This avoids the admin task and the notifications to the site owner. We do not prefer this, as the rails app won't scale and maintenance is hard.
All customers need to prepare their certificate following the instructions below. (As haproxy only understands .pem files, we need to concatenate crt and key to create the .pem file.)
a) If the customer has a certificate (either a .pem file OR key + CRT files), they can upload it. We concatenate key and CRT on the server to generate the .pem file.
b) Else the customer provides the details and gets a CSR file. They get it signed by a CA and upload the CRT file; we concatenate key and CRT on the server to generate the .pem file.
If the CA also supplied intermediate certificates, they go into the .pem after the site certificate and before the key, otherwise haproxy will serve an incomplete chain.
Once the file is uploaded, it should be placed under the /etc/haproxy/ssl/disable_certs/ folder on the haproxy server. The .pem contains the customer's private key, so it must be owner-only (mode 0600) and never written anywhere world-readable.
Then run the command "rlhaprox adddom <server URL>"; this automatically adds the domain, and after a few seconds the customer has to refresh the page.
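The validation and concatenation step above, as an added example in Ruby; it is not the rlhaprox script or Learnexa's own upload code. It accepts either a single .pem or separate CRT and KEY uploads in any order, finds the site certificate by matching it against the key, checks validity dates and that the certificate is issued for the site's domain, rejects passphrase-protected keys (haproxy cannot prompt for one on reload), and writes the .pem in the order haproxy expects (site certificate, any CA chain, key) into the disable_certs folder with owner-only permissions. The disable_certs path is from this page; the set of checks, the error messages, the <domain>.pem file name and the 0600/0700 modes are assumptions, and the self-signed fixture is constructed only so the example runs offline.

```ruby
require "openssl"
require "fileutils"
require "tmpdir"

# Added example, not the rlhaprox script or Learnexa's own upload code. The
# disable_certs path is from the page; checks, names and modes are assumptions.
DISABLE_CERTS_DIR = "/etc/haproxy/ssl/disable_certs"

# Split uploaded text into its PEM blocks: [[block_text, label], ...].
def pem_blocks(text)
  text.scan(/(-----BEGIN ([A-Z ]+)-----.*?-----END \2-----)/m)
end

# Accept one .pem (crt + key) or separate crt and key uploads, in any order.
# Raises ArgumentError with a message suitable for the upload form.
def parse_upload(crt_text, key_text = nil)
  blocks = pem_blocks([crt_text, key_text].compact.join("\n"))
  cert_blocks = blocks.select { |_, label| label == "CERTIFICATE" }.map(&:first)
  key_blocks  = blocks.select { |_, label| label.end_with?("PRIVATE KEY") }.map(&:first)
  raise ArgumentError, "verification failed: no certificate found" if cert_blocks.empty?
  raise ArgumentError, "verification failed: expected exactly one private key" if key_blocks.size != 1
  key_block = key_blocks.first
  # haproxy cannot enter a passphrase, so an encrypted key would break the reload.
  raise ArgumentError, "verification failed: private key is passphrase-protected" if key_block =~ /ENCRYPTED/
  key   = OpenSSL::PKey.read(key_block)
  certs = cert_blocks.map { |b| OpenSSL::X509::Certificate.new(b) }
  # The site certificate is the one the key belongs to; the rest are the CA chain.
  leaf_index = certs.index { |c| c.check_private_key(key) }
  raise ArgumentError, "verification failed: certificate does not match private key" if leaf_index.nil?
  { leaf: certs[leaf_index], leaf_block: cert_blocks[leaf_index],
    chain_blocks: cert_blocks.reject.with_index { |_, i| i == leaf_index },
    key_block: key_block }
rescue OpenSSL::OpenSSLError => e
  raise ArgumentError, "verification failed: #{e.message}"
end

# Problems better reported on the upload form than discovered in haproxy.
def certificate_errors(leaf, domain, now: Time.now)
  errors = []
  errors << "certificate expired on #{leaf.not_after}" if leaf.not_after < now
  errors << "certificate not valid before #{leaf.not_before}" if leaf.not_before > now
  errors << "certificate is not issued for #{domain}" unless OpenSSL::SSL.verify_certificate_identity(leaf, domain)
  errors
end

# haproxy reads one file per domain: site certificate, then any CA chain, then the
# key, each block on its own line with no stray whitespace (what the FAQ asks for).
def assemble_haproxy_pem(leaf_block, chain_blocks, key_block)
  ([leaf_block] + chain_blocks + [key_block]).map { |b| b.strip + "\n" }.join
end

# Write the .pem where rlhaprox picks it up. It holds the private key, so the file
# is owner-only (0600); the domain is also checked so it cannot become a path.
def stage_certificate(domain, pem, dir = DISABLE_CERTS_DIR)
  raise ArgumentError, "invalid domain name" unless domain =~ /\A[a-z0-9.-]+\z/i
  FileUtils.mkdir_p(dir, mode: 0o700)
  path = File.join(dir, "#{domain}.pem")
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(pem) }
  path
end

# Whole upload step: parse, validate, concatenate, stage. Returns the staged path.
def process_upload(domain, crt_text, key_text = nil, dir = DISABLE_CERTS_DIR)
  parsed = parse_upload(crt_text, key_text)
  errors = certificate_errors(parsed[:leaf], domain)
  raise ArgumentError, "verification failed: #{errors.join('; ')}" unless errors.empty?
  pem = assemble_haproxy_pem(parsed[:leaf_block], parsed[:chain_blocks], parsed[:key_block])
  stage_certificate(domain, pem, dir)
end

# Constructed fixture so this runs offline: a self-signed certificate standing in
# for a CA-issued .crt, plus its key. Not a real Learnexa or customer certificate.
def constructed_fixture(domain)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{domain}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{domain}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

if __FILE__ == $PROGRAM_NAME
  crt, key = constructed_fixture("example.com")
  Dir.mktmpdir { |d| puts "staged #{process_upload('example.com', crt, key, d)}" }
end
```

The identity check uses the certificate's subjectAltName (falling back to the CN only when no SAN is present), which is what browsers do, so a certificate that passes here will not produce a name mismatch once haproxy serves it.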
1. It requires users to force a refresh of the page once the changes are made (though only once).
ssl_settings.yml has the following config options:
enable_own_domain: true
auto_run_script: false
ssl_script_path: "/home/expdev/bin/cphaproxy.sh"
notify_admin: true
ssl_script_process_timeout: 150
If enable_own_domain is set true, the ssl certificate upload options are shown on the domain settings page.
If auto_run_script is set to true, once an ssl certificate is uploaded it is automatically processed by the haproxy script and https for the own domain is enabled. If set to false, the Learnexa admin can enable own domain ssl manually by running a rake task from ssl.rake.
ssl_script_path contains the haproxy script path.
If notify_admin is set true, the admin gets email notifications for the https own domain enable/disable/failure events of sub sites.
ssl_script_process_timeout sets the timeout for the haproxy script processing.
Learnexa admin can manually enable/disable own domain ssl in the following ways:
To process and enable ssl for a subsite that has uploaded its ssl certificate through the UI:
bundle exec rake ssl:enable[<company_id>]
To process and enable ssl for a subsite while also passing the ssl certificate path, if the certificate was not uploaded by the subsite admin:
bundle exec rake ssl:enable[<company_id>,<certificate_path>]
eg: bundle exec rake ssl:enable[1,"/ssl_files/test.pem"]
To disable ssl for a subsite:
bundle exec rake ssl:disable[<company_id>]
1. Change the environments/<environment>.rb file and add/modify the strings below:
APP_URL = "https://app-url.com"
API_URL = "https://app-url.com"
PUBLIC_URL = "https://app-url.com"
SSL_ENABLED = true
HTTP_ONLY_HEADER = "HTTP_X_HTTP_ONLY"
2. Update Google callback URL -
Go to Google developers console and change the redirect URL to “https”.
Choose your app > APIs & Auth > Choose the Web client > Update redirect URL and javascript origin(s) URL > Save.
3. Update Salesforce callback URL -
Go to Setup → Manage Apps → Connected Apps (click on the link which shows the name of the learnexa app you created)
Change the ACS URL to “https”
4. Update urls in the bigbluebutton config file -
File path: dev/bigbluebutton/bigbluebutton-client/src/conf/config.xml
siteBaseUrl="https://dev01.exphosted.com"
inviteUrl="https://dev01.exphosted.com/live_events/invite"
joinUrl="https://dev01.exphosted.com/meetings/join_from_mail"
autoCompleteUrl="https://dev01.exphosted.com/live_events/auto_complete"
5. Set secure false in the public/crossdomain.xml (symlink to /deploy/crossbow/shared/config/crossdomain.xml) file -
<allow-access-from domain="*" secure="false"/>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="*" secure="false" headers="*"/>
Note: domain="*" together with secure="false" lets Flash content loaded from any origin, including over plain http, make cross-domain requests to the https site with the user's cookies; treat it as a deliberate exception and keep it only while the Flash clients need it.
6. Steps to enable own domain ssl:
a) Change the environments/<environment>.rb file and add/modify the string below
OWN_DOMAIN_SSL_ENABLED = true
b) Move /deploy/crossbow/current/config/ssl_settings.yml to /deploy/crossbow/shared/config/ssl_settings.yml and create symlink for it.
ssl_settings.yml takes the options described above (enable_own_domain, auto_run_script, ssl_script_path, notify_admin, ssl_script_process_timeout).
The following changes apply only to the QA and Development environments:
1) Change the haproxy conf files:
cd /opt/haproxy/
cp haproxy.cfg.http_only haproxy.cfg
sudo su -
service haproxy restart
2) Change the config/environments/<environment>.rb file
APP_URL = "http://dev01.exphosted.com"
CHAT_SERVER_URL = "http://dev01.exphosted.com:8090"
PUBLIC_URL = "http://dev01.exphosted.com"
SSL_ENABLED = false
OWN_DOMAIN_SSL_ENABLED = false
3) Change config/juggernaut.yml file
<environment>:
juggernaut_protocol: http
4) Update urls in the bigbluebutton config file -
File path: dev/bigbluebutton/bigbluebutton-client/src/conf/config.xml
siteBaseUrl="http://dev01.exphosted.com"
inviteUrl="http://dev01.exphosted.com/live_events/invite"
joinUrl="http://dev01.exphosted.com/meetings/join_from_mail"
autoCompleteUrl="http://dev01.exphosted.com/live_events/auto_complete"
5) Update Salesforce callback URL -
Go to Setup → Manage Apps → Connected Apps (click on the link which shows the name of the learnexa app you created)
Change the ACS URL to “http”
6) Update Google callback URL -
Go to Google developers console and change the redirect URL to “http”.
Choose your app > APIs & Auth > Choose the Web client > Update redirect URL and javascript origin(s) URL > Save.