# Configuring Web Suite
## System Prerequisites
In order to authenticate the user in the web interface, the following must be true:
- The user has a password (can be set with the `passwd` command or through other user management software that is set up on the system)
- Ports 80 & 443 on the gateway must be accessible (allowed through both the system firewall and cloud security group)
- SSH password authentication must be enabled (can be set in `/etc/ssh/sshd_config` in CentOS or through other access management software that is set up on the system)
## Setting domain name
The domain name is the address the Web Suite will be accessed through, either a hostname or an IP address. It is also used for certificate generation, so a publicly accessible value should be used if you intend to use Let's Encrypt certificates.
Set the domain name:
```bash
flight web-suite set-domain chead1.mycluster1.example.com
```
Restart the web-suite to apply changes:
```bash
flight web-suite restart
```
## Certificate Preparation
To secure the server connections, it is recommended to generate a certificate to be used by the web suite. The Flight Web Suite comes with tools that can generate either a "self-signed" or Let's Encrypt certificate. Alternatively, a certificate that has been created outside of the web suite can be used to secure the server.

A self-signed certificate, whilst not usually trusted by browsers, does still provide extra security to the web server compared with plain HTTP communication. A self-signed certificate is automatically created when setting the domain name. To generate and install the self-signed certificate, run:
```bash
flight www cert-gen --cert-type self-signed --domain $(flight web-suite get-domain)
```
If `--domain` is omitted, a sensible default is selected. The default is taken from either the last `--domain` value given to `flight www cert-gen` or the last value given to `flight web-suite set-domain`. If neither of those has been given, the command will complain, and the domain will need to be specified.

If `--cert-type` is omitted, a sensible default is selected. The default is taken from the last `--cert-type` value given to `flight www cert-gen`, or `self-signed` if none has been given before.

After this has run, changes are applied on a service restart:
```bash
flight web-suite restart
```
To generate and install a Let's Encrypt certificate, run the following (replacing the domain and email with appropriate values):
```bash
flight www cert-gen --cert-type lets-encrypt --domain <chead1.mycluster1.example.com> --email <user@example.com>
```
If `--domain` is omitted, a sensible default is selected. The default is taken from either the last `--domain` value given to `flight www cert-gen` or the last value given to `flight web-suite set-domain`. If neither of those has been given, the command will complain, and the domain will need to be specified.

Ensure that the domain/IP is publicly accessible in order for certificate generation to work.

The Let's Encrypt certificate is only valid for a limited time. Depending on how long a cluster is intended to live for, it may be useful to install a cron job to automate renewing the certificate:
```bash
flight www cron-renewal
```
The cron job can be removed by running:
```bash
flight www cron-renewal --disable
```
After this has run, changes are applied on a service restart:
```bash
flight web-suite restart
```
Externally generated certificates can be used by placing them in `/opt/flight/etc/www/ssl/`. The files that should be in there are:
- `fullchain.pem`: The full certificate (recommended permissions are `644 root:root`)
- `key.pem`: The private key for the certificate (recommended permissions are `644 root:root`)

Once the certificates are in place, the HTTPS server can be enabled with:
```bash
flight web-suite restart
```
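
Before restarting with externally generated files, it is worth confirming that `key.pem` belongs to `fullchain.pem`, that the certificate has not expired, and that it covers the configured domain. The script below is an added example, not part of Flight Web Suite; it assumes `openssl` and GNU `stat` are installed, and the function names `pubkey_pem` and `check_cert_pair` are its own.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for externally generated certificate files.
# Only the directory and file names come from the page; function names are hypothetical.
SSL_DIR="${SSL_DIR:-/opt/flight/etc/www/ssl}"

# Print the public key (PEM) held in a certificate or private key; non-zero on parse error.
pubkey_pem() {  # $1 = cert|key, $2 = path
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;  # first cert in file = leaf
    key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
  esac
}

# Return 0 only if fullchain.pem and key.pem in $1 form a usable pair for domain $2.
check_cert_pair() {
  local dir="$1" domain="$2" cert key cert_pub key_pub f rc=0
  cert="$dir/fullchain.pem"; key="$dir/key.pem"
  for f in "$cert" "$key"; do
    [ -r "$f" ] || { echo "FAIL: missing or unreadable: $f"; return 1; }
  done
  cert_pub=$(pubkey_pem cert "$cert") || { echo "FAIL: not a PEM certificate: $cert"; return 1; }
  key_pub=$(pubkey_pem key "$key") || { echo "FAIL: not a PEM private key: $key"; return 1; }
  # The server can only present the certificate if the private key matches it.
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: key.pem does not match fullchain.pem"; rc=1; }
  # -checkend 0 exits non-zero when the certificate's notAfter is already in the past.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "FAIL: certificate has expired"; rc=1; }
  # -checkhost compares the name against the SAN entries (or the CN when there are none).
  openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null \
    | grep -q 'does match certificate' \
    || { echo "FAIL: certificate does not cover $domain"; rc=1; }
  # Show mode and owner for review: any mode with the "other" read bit set
  # leaves key.pem readable by every local account.
  for f in "$cert" "$key"; do
    echo "INFO: $(stat -c '%a %U:%G' "$f" 2>/dev/null) $f"
  done
  [ "$rc" -eq 0 ] && echo "OK: certificate and key are consistent for $domain"
  return "$rc"
}

# Run only when a domain is passed on the command line.
if [ "$#" -gt 0 ]; then check_cert_pair "$SSL_DIR" "$1"; fi
```

Saved under a hypothetical name such as `check_cert.sh`, it can be run as `bash check_cert.sh "$(flight web-suite get-domain)"` before `flight web-suite restart`.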