Setting Up HTTPS for Request Tracker on AWS AMI

From Request Tracker Wiki

Setting Up HTTPS for Request Tracker on Amazon AMI

Request Tracker (RT) and Request Tracker for Incident Response (RTIR) can be easily deployed on Amazon AWS EC2 servers with the AMIs provided by Best Practical Solutions.

We ship it with RT listening on HTTP (port 80) through the Apache web server.

We recommend that you upgrade the connection protocol to HTTPS to secure the network traffic to and from your RT.

Here are the steps needed for setting up your Apache SSL with Best Practical RT AMIs:

Step 1: Prepare your SSL Certificates

When accessing RT over HTTPS (port 443), Apache needs to be configured with an SSL certificate. There are a few options for obtaining a certificate:

  1. Self-signed certificate: This option generates a certificate without involving a Certificate Authority (CA). Apache also ships one, called the Snake Oil Certificate. However, self-signed certificates may result in an "invalid certificate" error for users. This option is recommended for testing or internal use.
  2. Let's Encrypt certificate: Let's Encrypt is a Certificate Authority that provides free SSL certificates. They offer a tool called Certbot, which simplifies the process of obtaining and deploying a certificate for Apache. However, it requires internet access to generate and validate the certificate.
  3. Commercial certificate: You can purchase a certificate from a Certificate Authority or use one provided by your company.

Choose the appropriate option for your use case. If you already have a certificate, make sure you have the certificate file (*.cer) and the private key file (*.key) available.

Step 2: Configure Apache for HTTPS

Assuming you have the certificate and key files ready, follow these steps:

  1. Copy the certificate file (*.cer or *.pem) to /etc/ssl/certs/ and the private key file (*.key) to /etc/ssl/private/.
  2. Update the Apache configuration file /etc/apache2/sites-available/rt.conf with the following changes:
    1. Replace the existing content with the configuration provided below, adjusting ServerAdmin and replacing certificate details if you are not going to use the Snake Oil Certificate:
# Allow bigger attachments
FcgidMaxRequestLen 1073741824
# Set to 3 mins from default of 40
FcgidIOTimeout 180
# Also 3 mins from default of 60
TimeOut 180
<VirtualHost *:443>
    ServerAdmin youremail@example.com

    AddDefaultCharset UTF-8
    ScriptAlias / /opt/rt5/sbin/rt-server.fcgi/
    DocumentRoot "/opt/rt5/share/html"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    <Location />
        Require all granted
        Options +ExecCGI
        AddHandler fcgid-script fcgi
    </Location>
</VirtualHost>
    2. Save the changes to the file.

Enable SSL module

Next, you need to enable the mod_ssl module in Apache and restart the web server. Run the following commands:

sudo a2enmod ssl
sudo systemctl restart apache2

You should now be able to access your RT installation through HTTPS :)

Redirect HTTP to HTTPS

Open the /etc/apache2/sites-available/rt.conf file and add the following section to the top of the file:

<VirtualHost *:80>
    RewriteEngine on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</VirtualHost>

Enable the Rewrite module and restart Apache:

sudo a2enmod rewrite
sudo systemctl restart apache2
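
One way to check the result of the steps above (an added example, not part of the original wiki page or of Best Practical's tooling): a shell function that reads a site file such as rt.conf and reports whether the port 443 virtual host has SSL enabled with a certificate and key, whether it still uses the Snake Oil certificate, and whether the port 80 virtual host redirects to HTTPS instead of serving RT in clear text. The names audit_rt_vhosts and sample_conf are hypothetical, and the sample configuration is constructed.

```shell
# Added example: audit an Apache site file for the HTTPS setup described above.
audit_rt_vhosts() {
    awk '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    function close_vhost() {
        if (port == "443") {
            seen443 = 1
            if (!ssl) fail("port 443 vhost lacks SSLEngine on")
            if (!cert || !key) fail("port 443 vhost lacks certificate or key directive")
            if (snake) print "WARN: snakeoil (self-signed) certificate in use"
        } else if (port == "80") {
            seen80 = 1
            if (!redirect) fail(serves ? "port 80 vhost serves RT over plain HTTP" : "port 80 vhost does not redirect to https")
        }
        port = ""
    }
    /^[ \t]*#/ { next }                      # skip comment lines
    { d = tolower($1) }                      # Apache directives are case-insensitive
    d == "<virtualhost" {                    # "*:443>" becomes "443"
        port = $2; sub(/>.*/, "", port); sub(/^.*:/, "", port)
        ssl = cert = key = snake = serves = redirect = 0
    }
    d == "</virtualhost>" { close_vhost(); next }
    port == "" { next }                      # ignore lines outside a vhost
    d == "sslengine" && tolower($2) == "on" { ssl = 1 }
    d == "sslcertificatefile"    { cert = 1; if ($2 ~ /snakeoil/) snake = 1 }
    d == "sslcertificatekeyfile" { key = 1 }
    d == "scriptalias"           { serves = 1 }
    (d == "rewriterule" || d == "redirect") && $0 ~ /https:\/\// { redirect = 1 }
    END {
        if (!seen443) fail("no port 443 vhost found")
        if (!seen80)  print "WARN: no port 80 vhost, so HTTP clients get no redirect"
        exit bad + 0                         # status 1 if any FAIL was reported
    }' "$@"
}
# Constructed sample: a port 80 vhost serving RT left beside the new 443 vhost.
sample_conf() {
cat <<'EOF'
<VirtualHost *:80>
    ScriptAlias / /opt/rt5/sbin/rt-server.fcgi/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
EOF
}
sample_conf | audit_rt_vhosts || true
```

To audit a real deployment, pass the file as an argument, for example `audit_rt_vhosts /etc/apache2/sites-available/rt.conf`, before restarting Apache.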

By following these steps, you can ensure that your Request Tracker instance is securely accessible over HTTPS, providing encrypted communication and protecting sensitive information.