Xibo 1.8.1 config to force https with own cert


#1

Great guide to setup Ubuntu 16.04, using Docker container for v1.8.x at Xibo 1.8.0 with Docker on Ubuntu 16.04.

I ran into one issue, I didn’t want to use LetsEncrypt because we already have a wildcard certificate that we purchase. LetsEncrypt is a great thing if you need a cert, I just didn’t need it in this case. Below is what I did to make it work with my purchased certificates.


Adding SSL Support
There are several ways you could add SSL support to this configuration.

The simplest will be to install Apache on the host Ubuntu server, and have it proxy the SSL requests in to our container.

First, we need to stop the running CMS since we’ll need port 80 for our Apache server.

cd /opt/xibo
docker-compose down

Lets now move Xibo on to a different port number.

We’ll be following the instructions in the manual here under the “using different ports” heading:
http://xibo.org.uk/manual-tempel/en/install_cms.html30

cp cms_custom-ports.yml.template cms_custom-ports.yml
vi cms_custom-ports.yml

Edit the “ports” section of the cms-xmr and cms-web services so they read as follows:

version: "2.1"
 
services:
    cms-db:
        image: mysql:5.6
        volumes:
            - "./shared/db:/var/lib/mysql"
        restart: always
        environment:
            - MYSQL_DATABASE=cms
            - MYSQL_USER=cms
            - MYSQL_RANDOM_ROOT_PASSWORD=yes
        mem_limit: 1g
        env_file: config.env
    cms-xmr:
        image: xibosignage/xibo-xmr:release_1.8.0
        ports:
            - "9505:9505"
        restart: always
        mem_limit: 256m
        env_file: config.env
    cms-web:
        image: xibosignage/xibo-cms:release_1.8.0
        volumes:
            - "./shared/cms/custom:/var/www/cms/custom"
            - "./shared/backup:/var/www/backup"
            - "./shared/cms/web/theme/custom:/var/www/cms/web/theme/custom"
            - "./shared/cms/library:/var/www/cms/library"
            - "./shared/cms/web/userscripts:/var/www/cms/web/userscripts"
        restart: always
        links:
            - cms-db:mysql
            - cms-xmr:50001
        environment:
            - XMR_HOST=cms-xmr
        env_file: config.env
        ports:
            - "127.0.0.1:8080:80"
        mem_limit: 1g

So specifically, we changed the line:

    ports:
         - "65500:9505"

to

        ports:
             - "9505:9505"

and

        ports:
             - "65501:80"

to

        ports:
             - "127.0.0.1:8080:80"

Save your changes. That will ensure that XMR runs on port 9505 as before, and the web service runs on port 8080 only on the loopback interface.

Bring the containers back up with those changes:

docker-compose -f cms_custom-ports.yml up -d

Now let’s protect that Container with an Apache server and an SSL certificate:

apt-get install apache2
a2enmod proxy
a2enmod proxy_http
a2enmod ssl

Now edit the default apache config file to create a reverse proxy to our container:

vi /etc/apache2/sites-available/000-default.conf
It should contain

<VirtualHost *:80>

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        RedirectMatch permanent /(.*) https://your-domain.url/$1
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        ProxyPreserveHost On

        ProxyPass / http://127.0.0.1:8080/
        ProxyPassReverse / http://127.0.0.1:8080/

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/your-domain.url-wildcard.crt
        SSLCertificateKeyFile /etc/ssl/private/your-domain.url-wildcard.key
        SSLCertificateChainFile /etc/ssl/certs/GlobalSign_Intermediate_-_SHA256-G2.pem

</VirtualHost>

Save your changes. Upload your certificate files and copy them to their respective locations.

We will now need to make a few changes to the SSL engine in Apache. At a minimum you will need to make sure that you disable SSLv3 to prevent the POODLE vulnerability, disable the RC4 cipher, and enable Forward Secrecy.

To make these changes, we will need to edit the following file

vi /etc/apache2/mods-available/ssl.conf

First we change the following line:

 SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

to:

 SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4

Second we will un-comment the following line:

#SSLHonorCipherOrder on

to:

SSLHonorCipherOrder on

Last we will change the following line:

 SSLProtocol all

to:

 SSLProtocol all -SSLv3 -SSLv2

Save your changes. Then restart Apache.

service apache2 restart

Xibo CMS should now be available on port 443 with port 80 redirecting to 443.

If you’re using ufw, lets put a rule in for https traffic now

ufw allow 443/tcp

Custom SSL on docker - Player wont work
Xibo for android & Xibo-cms over HTTPS
CMS 1.8.1 Content will not be downloaded by Windows Player