Configuring Apache http
This chapter describes how you create the required certificates. You require certificates for:
- Using the https connection
- Configuring the Apache http as proxy for older SINUMERIK controls
- Connecting to the MindSphere V3 Livesystem in older SINUMERIK controls
A minimum configuration that suffices for the connection is described below. Only the required modules are loaded. Only TLS 1.2 is permitted for the SSL connection. Only those ciphers that MindSphere requires for the function are enabled.
Creating a certificate for the SSL connection
- Create the directory for the certificate:
mkdir /usr/local/apache2/ssl_cert
- Switch to the certificate directory:
cd /usr/local/apache2/ssl_cert
- Create the certificate and the associated key file with the following command (run it as a single command line):
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
- Follow the instructions and enter the required information:
Generating a 2048 bit RSA private key.............+++
..................+++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (e.g., city) []:Nuremberg
Organization Name (e.g., company) [Internet Widgits Pty Ltd]:Siemens
Organizational Unit Name (e.g., section) []:MindSphere
Common Name (e.g. server FQDN or YOUR name) []:IoT2040
Email Address []:
Editing Apache http configuration files
In the following configuration, the proxy is set up for connecting to the MindSphere systems named in httpd-vhosts.conf.
The following options are available for editing the configuration files:
- Via the connection with WinSCP
- Via the connection with PuTTY or some other SSH client, using the Linux command line editor "nano" that is integrated in the current image
- In any other desired manner
The following files are edited:
- /usr/local/apache2/conf/httpd.conf
- /usr/local/apache2/conf/extra/httpd-ssl.conf
- /usr/local/apache2/conf/extra/httpd-vhosts.conf
Editing httpd.conf
Enter the following lines:
Listen 8080
Listen 8081
Listen 8082
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule status_module modules/mod_status.so
#LoadModule autoindex_module modules/mod_autoindex.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule dir_module modules/mod_dir.so
#ServerAdmin you@example.com
ServerName localhost
Include conf/extra/httpd-vhosts.conf
Include conf/extra/httpd-ssl.conf
Inserting the supplement for the company proxy
If a company proxy is used in your company, you must insert an additional line in the configuration.
Example:
- Proxy: 123.124.125.126
- Proxy port: 4321
Add the following line at the end of the file httpd.conf:
ProxyRemote * http://123.124.125.126:4321
Proxy authorization in the remote proxy
NOTE
Proxy authorization is not supported in the remote proxy in the current Apache version. It could possibly be implemented by Apache in a future release.
If you require this function for your application, one possible solution concept can be found at the following link:
Editing extra\httpd-ssl.conf
Enter the following lines:
#Listen 443
#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
#SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLCipherSuite ECDHE-RSA-AES128-CBC-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA256
SSLProxyCipherSuite ECDHE-RSA-AES128-CBC-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA256
SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2
#ServerName www.example.com:443
#ServerAdmin you@example.com
ServerName IoT2040:443
SSLCertificateFile "/usr/local/apache2/ssl_cert/certificate.pem"
SSLCertificateKeyFile "/usr/local/apache2/ssl_cert/key.pem"
Editing extra\httpd-vhosts.conf
Enter the following lines:
#<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot "/usr/local/apache2/docs/dummy-host.example.com"
# ServerName dummy-host.example.com
# ServerAlias www.dummy-host.example.com
# ErrorLog "logs/dummy-host.example.com-error_log"
# CustomLog "logs/dummy-host.example.com-access_log" common
#</VirtualHost>
#<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host2.example.com
# DocumentRoot "/usr/local/apache2/docs/dummy-host2.example.com"
# ServerName dummy-host2.example.com
# ServerAlias www.dummy-host2.example.com
# ErrorLog "logs/dummy-host2.example.com-error_log"
# CustomLog "logs/dummy-host2.example.com-access_log" common
#</VirtualHost>
<VirtualHost *:8080>
ServerName sinac.apps.mindsphere.io/
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ProxyPass / https://sinac.apps.mindsphere.io/
ProxyPassReverse / https://sinac.apps.mindsphere.io/
</VirtualHost>
<VirtualHost *:8081>
ServerName sinumerikagentcom-dev.apps.mindsphere.io/
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ProxyPass / https://sinumerikagentcom-dev.apps.mindsphere.io/
ProxyPassReverse / https://sinumerikagentcom-dev.apps.mindsphere.io/
</VirtualHost>
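The directives entered into httpd-ssl.conf are the security-relevant part of this setup. The following script is an added check, not code from the Siemens manual: it reads the active directives from a constructed copy of the httpd-ssl.conf lines in this chapter and verifies that only TLS 1.2 is enabled for both the server and the proxy side, that neither cipher list enables a weak cipher, and whether SSLProxyVerify (an Apache directive this chapter does not set) is "require".

```python
# Constructed input: the active directives entered into extra/httpd-ssl.conf in this chapter.
SSL_CONF = """
SSLCipherSuite ECDHE-RSA-AES128-CBC-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA256
SSLProxyCipherSuite ECDHE-RSA-AES128-CBC-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA256
SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2
ServerName IoT2040:443
SSLCertificateFile "/usr/local/apache2/ssl_cert/certificate.pem"
SSLCertificateKeyFile "/usr/local/apache2/ssl_cert/key.pem"
"""

WEAK = ("RC4", "MD5", "3DES", "DES-CBC", "NULL", "EXP", "ADH", "AECDH")  # must not be enabled

def parse_directives(text):
    """Map directive name -> value for active (non-comment) lines; the last occurrence wins."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            out[name] = value.strip().strip('"')
    return out

def protocol_ok(value):
    """True only if all protocols are disabled and TLSv1.2 alone is re-enabled."""
    tokens = value.split()
    return "-all" in tokens and [t for t in tokens if t.startswith("+")] == ["+TLSv1.2"]

def weak_ciphers(value):
    """Enabled cipher names in an OpenSSL cipher list that contain a weak component."""
    return [c for c in value.split(":")
            if not c.startswith(("!", "-")) and any(w in c.upper() for w in WEAK)]

def check_ssl_conf(text):
    """Return findings against the chapter's hardening rules; an empty list means all pass."""
    d = parse_directives(text)
    findings = []
    for key in ("SSLProtocol", "SSLProxyProtocol"):
        if not protocol_ok(d.get(key, "")):
            findings.append(f"{key}: must be exactly '-all +TLSv1.2'")
    for key in ("SSLCipherSuite", "SSLProxyCipherSuite"):
        bad = weak_ciphers(d.get(key, ""))
        if key not in d or bad:
            findings.append(f"{key}: missing or contains weak ciphers {bad}")
    # Assumption: the chapter does not set SSLProxyVerify; Apache's default is 'none', so the
    # proxy does not verify the MindSphere server certificate ('require' also needs a CA file).
    if d.get("SSLProxyVerify") != "require":
        findings.append("SSLProxyVerify: not 'require', upstream certificate is not verified")
    return findings
```

Run check_ssl_conf() against the real file contents to confirm the edited configuration still matches the chapter after later changes.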
Configuration files - Export
httpd.conf
[exported file listing not reproduced in this extraction]
extra\httpd-ssl.conf
[exported file listing not reproduced in this extraction]
extra\httpd-vhosts.conf
[exported file listing not reproduced in this extraction]
NOTE
The certificate is valid for one year (365 days).
To extend the validity, adjust the value of the "-days 365" parameter.