# Configuring Web Suite

# System Prerequisites

In order to authenticate the user in the web interface, the following must be true:

  • User has a password (can be set with the passwd command or through other user management software that is set up on the system)
  • Ports 80 & 443 on the gateway must be accessible (allowed through both the system firewall and cloud security group)
  • SSH password authentication must be enabled (can be set in /etc/ssh/sshd_config in CentOS or through other access management software that is set up on the system)

# Setting domain name

The domain name is the address through which the Web Suite will be accessed, either a hostname or an IP address. It is also used for certificate generation, so a publicly accessible value should be used if you intend to use Let's Encrypt certificates.

Set the domain name:

flight web-suite set-domain chead1.mycluster1.example.com

Restart the web-suite to apply changes:

flight web-suite restart

# Certificate Preparation

To secure the server connections, it is recommended to generate a certificate to be used by the web suite. The Flight Web Suite comes with tools that can generate either a “self-signed” or Let's Encrypt certificate. Alternatively, a certificate that has been created outside of the web suite can be used to secure the server.

A self-signed certificate, whilst not usually trusted by browsers, still provides extra security for the web server compared with plain HTTP communication. A self-signed certificate is automatically created when setting the domain name. To generate and install the self-signed certificate manually, run:

flight www cert-gen --cert-type self-signed --domain $(flight web-suite get-domain)

After this has run, changes are applied on a service restart:

flight web-suite restart

To generate and install a Let's Encrypt certificate, run the following (replacing the domain and email with appropriate values):

flight www cert-gen --cert-type lets-encrypt --domain <chead1.mycluster1.example.com> --email <user@example.com>

The Let's Encrypt certificate is only valid for a limited time. Depending on how long a cluster is intended to live, it may be useful to install a cron job that automates renewing the certificate:

flight www cron-renewal

The cron job can be removed by running:

flight www cron-renewal --disable

After this has run, changes are applied on a service restart:

flight web-suite restart

Externally generated certificates can be used by placing them in /opt/flight/etc/www/ssl/. The files that should be in there are:

  • fullchain.pem: The full certificate (recommended permissions are 644 root:root)
  • key.pem: The private key for the certificate (recommended permissions are 644 root:root)

After placing the certificates in place, the HTTPS server can be enabled with:

flight web-suite restart
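
Before restarting with externally generated certificates, it helps to confirm that fullchain.pem and key.pem belong together and cover the configured domain. The following is an added example, not part of the Flight Web Suite tooling: check_flight_ssl is a hypothetical helper name, and it assumes openssl is installed and that the domain is a hostname rather than an IP address.

```bash
#!/usr/bin/env bash
# Added example: pre-restart check for externally generated certificates.
# check_flight_ssl is a hypothetical helper, not a flight subcommand.
# Usage: check_flight_ssl <ssl-dir> <hostname> [min-days-left]
check_flight_ssl() {
    local dir="$1" host="$2" days="${3:-7}"
    local cert="$dir/fullchain.pem" key="$dir/key.pem" rc=0 f

    # Both files named on the page must be present and readable.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done

    # The leaf certificate (first in fullchain.pem) must carry the public
    # half of key.pem; comparing public keys works for RSA and EC alike.
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: key.pem does not match fullchain.pem" >&2; rc=1
    fi

    # The certificate must cover the name given to 'set-domain'
    # (hostnames only; an IP address would need -checkip instead).
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: certificate does not cover $host" >&2; rc=1
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: certificate expires within $days days" >&2; rc=1
    fi

    # Informational only: mode 644 on key.pem lets every local user read it.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "NOTE: $key is world-readable" >&2
    fi
    return $rc
}

# Example call with the directory from the page:
# check_flight_ssl /opt/flight/etc/www/ssl "$(flight web-suite get-domain)"
```

The function returns 0 only when every check passes; the world-readable note does not affect the return value.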