In this article:
Step 1. Adding a Private Key and Certificate
The Chromium-Gost browser supports GOST encryption algorithms.
NOTE. Setting up the web application to work in the Chromium-Gost browser is available only in Astra Linux SE 1.7.
To make the web application work in the Chromium-Gost browser, follow the steps below.
The certificate authority used in this example is the Crypto-Pro test certificate authority. To use it, first install CryptoPro CSP.
A private key and a certificate that use GOST encryption algorithms are generated in the PEM and CER formats using specific software tools, for example, OpenSSL. To install OpenSSL, execute the command:
sudo apt-get install openssl
By default, the operating system has the libgost-astra library installed and configured to support GOST encryption algorithms.
To add a private key and certificate:
Create the ssl directory in the Apache2 installation folder /etc/apache2 and open it:
cd /etc/apache2/ssl
Generate a private key:
openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out seckey.pem
Create a request to obtain a certificate:
openssl req -key seckey.pem -new -out domain.csr
Send the contents of domain.csr from the resulting request, without the title lines, to the certificate service.
Save the obtained certificate in the base64 format.
After executing the operations, the /etc/apache2/ssl directory contains the files:
seckey.pem. Private key.
certnew.cer. Certificate that uses GOST encryption algorithms.
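A check of the two files this procedure leaves behind, as an added example that is not part of the original page: it verifies that seckey.pem is not accessible to group or others and that certnew.cer really is in base64 (PEM) form rather than binary DER. The function names and the placeholder file contents in demo() are constructed for illustration.

```python
import base64, os, re, stat, tempfile

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)\s+-----END \1-----", re.S)

def pem_blocks(raw: bytes):
    """Return [(label, DER bytes)] for every PEM block found in raw."""
    text = raw.decode("ascii", errors="ignore")
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]

def audit_ssl_dir(path, key="seckey.pem", cert="certnew.cer"):
    """Check the key and certificate files in the ssl directory."""
    findings = []
    key_path, cert_path = os.path.join(path, key), os.path.join(path, cert)
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(f"{key}: mode {mode:04o} exposes the private key to group/others")
    with open(key_path, "rb") as f:
        labels = [label for label, _ in pem_blocks(f.read())]
    if "PRIVATE KEY" not in labels:  # label written by openssl genpkey
        findings.append(f"{key}: no PEM 'PRIVATE KEY' block found")
    with open(cert_path, "rb") as f:
        raw = f.read()
    certs = [der for label, der in pem_blocks(raw) if label == "CERTIFICATE"]
    if not certs:  # 0x30 is the DER SEQUENCE tag that starts a binary certificate
        kind = "binary DER" if raw[:1] == b"\x30" else "unrecognised data"
        findings.append(f"{cert}: {kind}, not the base64 form")
    return findings

def demo():
    """Run the audit on constructed placeholder files (not real key material)."""
    der = b"\x30\x03\x02\x01\x00"  # constructed stand-in for DER content
    b64 = base64.b64encode(der).decode()
    with tempfile.TemporaryDirectory() as d:
        key, cert = os.path.join(d, "seckey.pem"), os.path.join(d, "certnew.cer")
        with open(key, "w") as f:
            f.write(f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n")
        with open(cert, "wb") as f:
            f.write(der)  # certificate saved in DER form by mistake
        os.chmod(key, 0o644)
        before = audit_ssl_dir(d)
        with open(cert, "w") as f:
            f.write(f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n")
        os.chmod(key, 0o600)
        return before, audit_ssl_dir(d)

if __name__ == "__main__":
    print(demo())
```

On a real host, call audit_ssl_dir("/etc/apache2/ssl") after saving the certificate; an empty list means both checks passed.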
To set up Apache2 to use the certificate:
Specify the domain name in the /etc/apache2/apache2.conf file:
ServerName <domain name>
Delete all files except default-ssl.conf from the /etc/apache2/sites-enabled directory.
Open the file /etc/apache2/sites-enabled/default-ssl.conf and execute the following operations:
Specify the private key and the certificate:
SSLCertificateFile "ssl/certnew.cer"
SSLCertificateKeyFile "ssl/seckey.pem"
Make sure that the following line is present:
SSLEngine On
Add the line:
SSLProtocol TLSv1 +TLSv1.1 +TLSv1.2
Restart Apache2:
sudo systemctl restart apache2
After executing the operations, the Chromium-Gost browser will display the certificate that uses GOST encryption algorithms.
To set up the web application to work via the HTTPS protocol with encryption support:
Pause the web services of Foresight Analytics Platform:
sudo systemctl disable apache2-fp10.x
sudo systemctl disable apache2-fp10.x-web
Copy the BI server configuration files fp10.x-biserver.conf and fp10.x-biserver.load from the directory /etc/apache2-fp10.x/mods-available to the directory /etc/apache2/mods-available in the Apache2 installation folder:
sudo cp /etc/apache2-fp10.x/mods-available/fp10.x-biserver.conf /etc/apache2/mods-available/fp10.x-biserver.conf
sudo cp /etc/apache2-fp10.x/mods-available/fp10.x-biserver.load /etc/apache2/mods-available/fp10.x-biserver.load
Create symbolic links to the configuration files fp10.x-biserver.conf and fp10.x-biserver.load in the directory /etc/apache2/mods-enabled:
sudo ln -s /etc/apache2/mods-available/fp10.x-biserver.conf /etc/apache2/mods-enabled/fp10.x-biserver.conf
sudo ln -s /etc/apache2/mods-available/fp10.x-biserver.load /etc/apache2/mods-enabled/fp10.x-biserver.load
Switch Apache2 to the worker mode:
Delete the files:
/etc/apache2/mods-enabled/mpm_prefork.load;
/etc/apache2/mods-enabled/mpm_prefork.conf.
Create symbolic links to the files mpm_worker.conf and mpm_worker.load in the directory /etc/apache2/mods-enabled:
sudo ln -s /etc/apache2/mods-available/mpm_worker.conf /etc/apache2/mods-enabled/mpm_worker.conf
sudo ln -s /etc/apache2/mods-available/mpm_worker.load /etc/apache2/mods-enabled/mpm_worker.load
Change the contents of the file /etc/apache2/mods-enabled/mpm_worker.conf:
<IfModule mpm_worker_module>
MaxSpareThreads 64
StartServers 1
ThreadsPerChild 64
MaxRequestWorkers 64
MinSpareThreads 32
MaxConnectionsPerChild 0
ServerLimit 1
</IfModule>
Set up the CORS mechanism to increase system security during data exchange between different domains:
Open the file /etc/apache2/apache2.conf.
Set the following headers: Origin, Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers:
In the substitutions:
<allowed domain>. Specify, as a regular expression, the domain from which requests will be allowed. For example, the regular expression for the example.com domain:
https?://(?:.+\.)?example\.com(?::\d{1,5})?
This setting enables the use of the CORS mechanism on the parent and the child domains, and it is also applied dynamically to the current protocol, domain, and port without the use of overriding rules.
<HTTP request methods>. Specify additional methods to access the resource. The POST and OPTIONS methods are mandatory.
<HTTP request headers>. Specify the headers used by the resource. The headers get-ppbi-time, content-type, soapaction, accept-language, cache-control, Authorization are mandatory.
NOTE. Make sure that the specified parameters of the CORS mechanism meet the requirements of the resource in use.
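One way to carry out the check from the note for the <allowed domain> pattern, as an added example that is not part of the original page: it runs the page's regular expression over sample Origin values and shows which ones match fully, partially, or not at all. It assumes the pattern is applied as an unanchored match (as Apache's SetEnvIf does); ANCHORED_PATTERN and the sample origins are constructed for illustration.

```python
import re

# Pattern given on the page for the example.com domain.
PAGE_PATTERN = r"https?://(?:.+\.)?example\.com(?::\d{1,5})?"
# Tightened variant (an assumption of this example, not from the page):
# anchored at both ends, subdomain labels limited to hostname characters.
ANCHORED_PATTERN = r"^https?://(?:[a-z0-9-]+\.)*example\.com(?::\d{1,5})?$"

def match_origin(pattern, origin):
    """Unanchored search; returns the matched text (what $0 would hold) or None."""
    m = re.search(pattern, origin)
    return m.group(0) if m else None

def classify(pattern, origin):
    """Return 'exact', 'partial' or 'none' for one Origin value.

    exact   - the whole Origin matched, the intended case
    partial - only part matched; acceptable only if the matched text, never
              the raw Origin header, is written to Access-Control-Allow-Origin
    none    - no match, so no CORS headers are issued
    """
    hit = match_origin(pattern, origin)
    if hit is None:
        return "none"
    return "exact" if hit == origin else "partial"

# Constructed Origin values; other.test uses a reserved, non-routable TLD.
SAMPLES = [
    "https://example.com",
    "https://app.example.com:8443",
    "http://example.com",
    "https://example.com.other.test",  # must not be treated as example.com
    "https://notexample.com",
]

def report(pattern):
    """Map every sample Origin to its classification under the pattern."""
    return {origin: classify(pattern, origin) for origin in SAMPLES}

if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("anchored", ANCHORED_PATTERN)):
        for origin, verdict in report(pat).items():
            print(f"{name:9} {verdict:8} {origin}")
```

With the anchored variant no sample is classified as partial, so the result no longer depends on how the response header value is produced.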
Enable the headers and rewrite modules:
sudo a2enmod headers rewrite
Create the envvars file with the environment variables that the web application needs in the /etc/opt/foresight directory:
DISPLAY=:987
PP_LOG=1
PP_RETMEM=1
MALLOC_MMAP_THRESHOLD_=8192
PP_RETMEM_CO=1
PATH_TO_WEB=/opt/foresight/fp10.x-webserver
PP_SOM=https://<BI server>/fpBI_App_v10.x/axis2/services/PP.SOM.Som
APACHE_LOG_DIR=logs
In the <BI server> substitution, specify the IP address or DNS name of the server on which the BI server is installed.
Specify the path to the file /etc/opt/foresight/envvars in the Apache2 service settings file /usr/lib/systemd/system/apache2.service after the Environment parameter:
EnvironmentFile=/etc/opt/foresight/envvars
Create the default-ssl.conf file with web server settings in the /etc/apache2/sites-enabled directory:
<VirtualHost *>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /fp10.x/app/ ${PATH_TO_WEB}/app/
Alias /fp10.x/build/ ${PATH_TO_WEB}/build/
Alias /fp10.x/dashboard/ ${PATH_TO_WEB}/dashboard/
Alias /fp10.x/resources/ ${PATH_TO_WEB}/resources/
Alias /fp10.x/index.html ${PATH_TO_WEB}/index.html
Alias /fp10.x/libs/ ${PATH_TO_WEB}/libs/
Alias /fp10.x/ ${PATH_TO_WEB}/
RewriteEngine On
RewriteCond %{QUERY_STRING} (.*(?:^|&))cache(=1)?((?:&|$).*)
RewriteRule .* - [env=CACHEABLE]
KeepAlive Off
<Directory "${PATH_TO_WEB}/">
Options Indexes
AllowOverride All
Require all granted
FileETag None
SetEnv no-gzip 1
SetEnv dont-vary 1
<FilesMatch "\.([^.]+)$">
Header set Cache-Control "public, max-age=31536000" env=CACHEABLE
Header unset Pragma
Header unset ETag
UnsetEnv CACHEABLE
</FilesMatch>
<FilesMatch "\.cache\.(js|html)$">
Header set Cache-Control "public, max-age=31536000"
</FilesMatch>
</Directory>
</VirtualHost>
Restart Apache2:
sudo systemctl restart apache2
After executing the operations, the web application works via HTTPS.