Setting Up Web Application to Work in Chromium-Gost Browser

The Chromium-Gost browser supports GOST cryptographic encryption algorithms.

NOTE. Setting up the web application to work in the Chromium-Gost browser is available only in Astra Linux SE 1.7.

To make the web application work in the Chromium-Gost browser, follow the steps below.

The use of a certificate authority is shown on the example of the Crypto-Pro test certificate authority. To use it, first install CryptoPro CSP.

Step 1. Adding a Private Key and Certificate

A private key and a certificate that use GOST encryption algorithms are generated in the PEM and CER formats using specific software tools, for example, OpenSSL. To install OpenSSL, execute the command:

sudo apt-get install openssl

By default, the operating system has the libgost-astra library installed and configured to support GOST encryption algorithms.

To add a private key and certificate:

  1. Create the ssl directory in the folder with installed Apache2: /etc/apache2 and open it:

cd /etc/apache2/ssl

  2. Generate the private key:

openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out seckey.pem

  3. Create a certificate request:

openssl req -key seckey.pem -new -out domain.csr

  4. Send the contents of the resulting domain.csr request, without its header lines, to the certificate service.

  5. Save the obtained certificate in the base64 format.

After executing the operations the /etc/apache2/ssl directory contains the files:

Step 2. Setting Up Apache2 with Certificate Use

To set up Apache2 with certificate use:

  1. Specify domain name in the /etc/apache2/apache2.conf file:

ServerName <domain name>

  2. Delete all files except default-ssl.conf from the /etc/apache2/sites-enabled directory.

  3. Open the file /etc/apache2/sites-enabled/default-ssl.conf and execute the following operations:

SSLCertificateFile "ssl/certnew.cer"
SSLCertificateKeyFile "ssl/seckey.pem"

SSLEngine On

SSLProtocol TLSv1 +TLSv1.1 +TLSv1.2

  4. Restart Apache2:

sudo systemctl restart apache2

After executing the operations, Chromium-Gost browser will display the certificate that uses GOST encryption algorithms.

Step 3. Setting Up Web Application Work via HTTPS Protocol

To set up web application work via HTTPS protocol with encryption support:

  1. Pause web services of Foresight Analytics Platform:

sudo systemctl disable apache2-fp10.x
sudo systemctl disable apache2-fp10.x-web

  2. Copy the BI server configuration files fp10.x-biserver.conf, fp10.x-biserver.load from the directory /etc/apache2-fp10.x/mods-available to the folder with installed Apache2: /etc/apache2/mods-available:

sudo cp /etc/apache2-fp10.x/mods-available/fp10.x-biserver.conf /etc/apache2/mods-available/fp10.x-biserver.conf
sudo cp /etc/apache2-fp10.x/mods-available/fp10.x-biserver.load /etc/apache2/mods-available/fp10.x-biserver.load

  3. Create symbolic links to the configuration files fp10.x-biserver.conf, fp10.x-biserver.load in the directory /etc/apache2/mods-enabled:

sudo ln -s /etc/apache2/mods-available/fp10.x-biserver.conf /etc/apache2/mods-enabled/fp10.x-biserver.conf
sudo ln -s /etc/apache2/mods-available/fp10.x-biserver.load /etc/apache2/mods-enabled/fp10.x-biserver.load

  4. Switch Apache2 to the worker mode:

    1. Delete the files:

      • /etc/apache2/mods-enabled/mpm_prefork.load;

      • /etc/apache2/mods-enabled/mpm_prefork.conf.

    2. Create symbolic links to the files mpm_worker.conf, mpm_worker.load in the directory /etc/apache2/mods-enabled:

sudo ln -s /etc/apache2/mods-available/mpm_worker.conf /etc/apache2/mods-enabled/mpm_worker.conf
sudo ln -s /etc/apache2/mods-available/mpm_worker.load /etc/apache2/mods-enabled/mpm_worker.load

    3. Change the contents of the file /etc/apache2/mods-enabled/mpm_worker.conf:

<IfModule mpm_worker_module>
   MaxSpareThreads 64
   StartServers 1
   ThreadsPerChild 64
   MaxRequestWorkers 64
   MinSpareThreads 32
   MaxConnectionsPerChild 0
   ServerLimit 1
</IfModule>

  5. Set up the CORS mechanism to increase system security during data exchange between different domains:

    1. Open the file /etc/apache2/apache2.conf.

    2. Set the following headers: Origin, Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers:

<IfModule mod_headers.c>
    SetEnvIf Origin ^(<allowed domain>)$ CORS_ALLOW_ORIGIN=$1
    Header always set Access-Control-Allow-Origin %{CORS_ALLOW_ORIGIN}e env=CORS_ALLOW_ORIGIN
    Header merge Vary "Origin"
    Header always set Access-Control-Allow-Methods "POST, OPTIONS, <HTTP request methods>"
    Header always set Access-Control-Allow-Headers "get-ppbi-time, content-type, soapaction, accept-language, cache-control, Authorization, <HTTP request headers>"
</IfModule>

RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

In the substitutions:

https?://(?:.+\.)?example\.com(?::\d{1,5})?

This setting enables the CORS mechanism for the parent domain and its child domains. The allowed origin is also set dynamically to the current protocol, domain and port without the use of overriding rules.

NOTE. Make sure that the specified parameters of the CORS mechanism meet the requirements of the resource in use.

    3. Enable the headers and rewrite modules:

sudo a2enmod headers rewrite

  6. Create the envvars file with environment variables in the /etc/opt/foresight directory to provide web application work:

DISPLAY=:987
PP_LOG=1
PP_RETMEM=1
MALLOC_MMAP_THRESHOLD_=8192
PP_RETMEM_CO=1
PATH_TO_WEB=/opt/foresight/fp10.x-webserver
PP_SOM=https://<BI server>/fpBI_App_v10.x/axis2/services/PP.SOM.Som
APACHE_LOG_DIR=logs

In the <BI server> substitution, specify the IP address or DNS name of the server on which the BI server is installed.

  7. Specify the path to the file /etc/opt/foresight/envvars in the Apache2 service settings file /usr/lib/systemd/system/apache2.service after the Environment parameter:

EnvironmentFile=/etc/opt/foresight/envvars

  8. Create the default-ssl.conf file with web server settings in the /etc/apache2/sites-enabled directory:

<VirtualHost *>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Alias /fp10.x/app/ ${PATH_TO_WEB}/app/
    Alias /fp10.x/build/ ${PATH_TO_WEB}/build/
    Alias /fp10.x/dashboard/ ${PATH_TO_WEB}/dashboard/
    Alias /fp10.x/resources/ ${PATH_TO_WEB}/resources/
    Alias /fp10.x/index.html ${PATH_TO_WEB}/index.html
    Alias /fp10.x/libs/ ${PATH_TO_WEB}/libs/
    Alias /fp10.x/ ${PATH_TO_WEB}/
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (.*(?:^|&))cache(=1)?((?:&|$).*)
    RewriteRule .* - [env=CACHEABLE]
    KeepAlive Off
    <Directory "${PATH_TO_WEB}/">
        Options Indexes
        AllowOverride All
        Require all granted
        FileETag None
        SetEnv no-gzip 1
        SetEnv dont-vary 1
        <FilesMatch "\.([^.]+)$">
            Header set Cache-Control "public, max-age=31536000" env=CACHEABLE
            Header unset Pragma
            Header unset ETag
            UnsetEnv CACHEABLE
        </FilesMatch>
        <FilesMatch "\.cache\.(js|html)$">
            Header set Cache-Control "public, max-age=31536000"
        </FilesMatch>
    </Directory>
</VirtualHost>

  9. Restart Apache2:

sudo systemctl restart apache2

After executing the operations the web application works via HTTPS.
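
The Origin allow-list from the CORS step can be checked before it goes into apache2.conf. The sketch below is an added example, not part of the original procedure: it applies the page's example.com pattern, anchored as in the SetEnvIf line, to constructed Origin values and shows what would be echoed in Access-Control-Allow-Origin. It assumes Python's re module behaves like Apache's regex engine for this pattern; STRICT_PATTERN is a hypothetical tighter variant.

```python
import re

# Allow-list pattern from the page (parent domain example.com and its subdomains).
PAGE_PATTERN = r"https?://(?:.+\.)?example\.com(?::\d{1,5})?"
# Hypothetical tighter variant (an assumption, not from the page): the subdomain
# part is limited to DNS label characters instead of ".+".
STRICT_PATTERN = r"https?://(?:[A-Za-z0-9-]+\.)*example\.com(?::\d{1,5})?"


def allowed_origin(origin, pattern=PAGE_PATTERN):
    """Mimic `SetEnvIf Origin ^(<pattern>)$ CORS_ALLOW_ORIGIN=$1`.

    Returns the value that would be echoed in Access-Control-Allow-Origin,
    or None when the variable stays unset and that header is not sent.
    """
    match = re.search(f"^({pattern})$", origin)
    return match.group(1) if match else None


# Constructed sample Origin values (not taken from real traffic).
SAMPLES = [
    "https://example.com",
    "http://app.example.com",
    "https://bi.dev.example.com:8443",
    "https://example.com.other.test",   # allowed name used as a prefix
    "https://notexample.com",           # allowed name used as a suffix
    "https://example.com:123456",       # port longer than five digits
    "null",                             # opaque origin
    "https://a/b.example.com",          # malformed: not a hostname
]


def report(pattern=PAGE_PATTERN):
    """Map every sample Origin to the header value it would receive."""
    return {origin: allowed_origin(origin, pattern) for origin in SAMPLES}


if __name__ == "__main__":
    for name, pattern in (("page", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"--- {name} pattern ---")
        for origin, echoed in report(pattern).items():
            print(f"{origin:36} -> {echoed or 'no Access-Control-Allow-Origin'}")
```

Both patterns accept the parent domain, its subdomains and an optional port, and reject the prefix and suffix lookalikes because of the ^ and $ anchors. They differ only on the malformed value, which the ".+" in the page's pattern matches.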
