A coworker created the following to secure the KIWI web server for HTTPS:
KIWI SYS-LOG SSL CONFIGURATION
1. Install Apache for Win32 x86 with OpenSSL. This usually comes as an MSI.
2. Modify the following files.
a. C:\Program Files\Apache Group\Apache 2\conf\httpd.conf
b. C:\Program Files\Apache Group\Apache 2\conf\ssl.conf
3. For the httpd.conf file you must add and change the following
Uncomment the following lines
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule ssl_module modules/mod_ssl.so
Add
ServerName 10.x.x.x:80
<VirtualHost 0.0.0.0:80>
ServerName slog01
ServerAlias slog01
ProxyPass / http://localhost:8088/
ProxyPassReverse / http://localhost:8088/
</VirtualHost>
4. For the ssl.conf file you must add and change the following
Comment out the following
#<IfDefine SSL> and #</IfDefine>
Ensure the following
Listen 0.0.0.0:443
Add the following
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from 10.x.x.x/24
Allow from 10.x.x.x/24
Allow from 10.x.x.x/24
Allow from 10.x.x.x/24
Allow from 10.x.x.x/24
</Proxy>
<VirtualHost 0.0.0.0:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl.crt/new.cert.cert
SSLCertificateKeyFile conf/ssl.key/new.cert.key
ServerName log01
ServerAlias nsochinslog01
ErrorLog logs/ssl_error_log.txt
TransferLog logs/ssl_access_log.txt
ProxyPass / http://localhost:8088/
ProxyPassReverse / http://localhost:8088/
</VirtualHost>
5. Creating the SSL Certificate
a. Location of the cert file c:\Program Files\Apache Group\Apache2\conf\ssl.crt
b. Location of the key file c:\Program Files\Apache Group\Apache2\conf\ssl.key
Procedures using UNIX to create the SSL Certificate:
Generate Server CA Signer
openssl genrsa -des3 -out server.key 2048
Generate Certificate Signing Request (CSR)
openssl req -new -key server.key -out server.csr
Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Generate Self Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
6. Once everything is set up, stop and start the Apache services. You should then be able to reach the Kiwi Syslog Server securely, with Apache acting as a reverse proxy to the Kiwi server.
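
The SSLCipherSuite string in step 4 turns on SSLv2, export-grade (EXP), LOW and unencrypted (eNULL) suites, and the port 80 virtual host in step 3 still proxies the Kiwi interface in clear text. The fragment below is an added example, not part of the original procedure, showing the weak line beside a tightened ssl.conf virtual host. It assumes mod_alias is loaded for the redirect and that clients reach the server as log01; which protocols remain after disabling SSLv2 and SSLv3 depends on the Apache and OpenSSL builds in use.

```apache
# Added example (not from the original procedure).

# Weak setting from step 4: the "+" terms add SSLv2, export-grade,
# low-strength and null-encryption suites back into the list.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Port 80: send browsers to HTTPS instead of proxying Kiwi in clear text.
# Assumption: clients use the name log01; adjust to the real host name.
<VirtualHost 0.0.0.0:80>
    ServerName slog01
    Redirect permanent / https://log01/
</VirtualHost>

# Port 443: same proxy target and certificate paths as step 4,
# with the protocol and cipher list restricted.
<VirtualHost 0.0.0.0:443>
    SSLEngine on

    # Refuse SSLv2 and SSLv3 handshakes outright.
    SSLProtocol all -SSLv2 -SSLv3

    # High-strength suites only: no anonymous key exchange, no null
    # encryption, no export or low-strength ciphers, no RC4, no MD5 MACs.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5

    SSLCertificateFile conf/ssl.crt/new.cert.cert
    SSLCertificateKeyFile conf/ssl.key/new.cert.key

    ServerName log01
    ServerAlias nsochinslog01
    ErrorLog logs/ssl_error_log.txt
    TransferLog logs/ssl_access_log.txt

    ProxyPass / http://localhost:8088/
    ProxyPassReverse / http://localhost:8088/
</VirtualHost>
```

After restarting Apache, `openssl s_client -connect log01:443` prints the protocol and cipher that were actually negotiated, which confirms the restriction took effect.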