In this article:
Step 1. Adding a Private Key and Certificate
The Chromium-Gost browser supports GOST cryptographic algorithms.
NOTE. The web application can be set up to work in the Chromium-Gost browser only in Astra Linux SE 1.7.
To set up the web application to work in the Chromium-Gost browser, follow the steps below.
This example uses the CryptoPro test certification authority as the certification authority. First of all, install CryptoPro CSP.
The private key and certificate using GOST encryption algorithms are generated in the PEM and CER formats by means of special software, for example, OpenSSL. To install OpenSSL, execute the command:
sudo apt-get install openssl
By default, the libgost-astra library is installed and set up in the operating system to support GOST encryption algorithms.
To add a private key and certificate:
Create the ssl folder in the Apache2 installation folder /etc/apache2 and open it:
cd /etc/apache2/ssl
Generate the private key:
openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out seckey.pem
Create a request to issue the certificate:
openssl req -key seckey.pem -new -out domain.csr
Send the contents of the generated domain.csr request, without the headers, to the certification authority.
Save the obtained certificate in the base64 format.
After executing the operations, the /etc/apache2/ssl folder contains the following files:
seckey.pem. Private key.
certnew.cer. Certificate that uses GOST encryption algorithms.
To set up Apache2 using the certificate:
Specify the domain name in the /etc/apache2/apache2.conf file:
ServerName <domain name>
Delete all the files, except for default-ssl.conf, from the /etc/apache2/sites-enabled folder.
Open the /etc/apache2/sites-enabled/default-ssl.conf file and execute the following operations:
Specify the private key and certificate:
SSLCertificateFile "ssl/certnew.cer"
SSLCertificateKeyFile "ssl/seckey.pem"
Make sure that the string is present:
SSLEngine On
Add the string:
SSLProtocol TLSv1 +TLSv1.1 +TLSv1.2
Restart Apache2:
sudo systemctl restart apache2
After executing the operations, the Chromium-Gost browser contains the certificate that uses GOST encryption algorithms.
To set up the web application to work via the HTTPS protocol that supports encryption:
Stop the running web services of Foresight Analytics Platform:
sudo systemctl disable apache2-fp10.x
sudo systemctl disable apache2-fp10.x-web
Copy the BI server configuration files fp10.x-biserver.conf and fp10.x-biserver.load from the /etc/apache2-fp10.x/mods-available folder to the /etc/apache2/mods-available folder of the installed Apache2:
sudo cp /etc/apache2-fp10.x/mods-available/fp10.x-biserver.conf /etc/apache2/mods-available/fp10.x-biserver.conf
sudo cp /etc/apache2-fp10.x/mods-available/fp10.x-biserver.load /etc/apache2/mods-available/fp10.x-biserver.load
Create symbolic links to the configuration files fp10.x-biserver.conf and fp10.x-biserver.load in the /etc/apache2/mods-enabled folder:
sudo ln -s /etc/apache2/mods-available/fp10.x-biserver.conf /etc/apache2/mods-enabled/fp10.x-biserver.conf
sudo ln -s /etc/apache2/mods-available/fp10.x-biserver.load /etc/apache2/mods-enabled/fp10.x-biserver.load
Switch Apache2 to the worker mode:
Delete the files:
/etc/apache2/mods-enabled/mpm_prefork.load;
/etc/apache2/mods-enabled/mpm_prefork.conf.
Create symbolic links to the mpm_worker.conf and mpm_worker.load files in the /etc/apache2/mods-enabled folder:
sudo ln -s /etc/apache2/mods-available/mpm_worker.conf /etc/apache2/mods-enabled/mpm_worker.conf
sudo ln -s /etc/apache2/mods-available/mpm_worker.load /etc/apache2/mods-enabled/mpm_worker.load
Change the contents of the /etc/apache2/mods-enabled/mpm_worker.conf file:
<IfModule mpm_worker_module>
MaxSpareThreads 64
StartServers 1
ThreadsPerChild 64
MaxRequestWorkers 64
MinSpareThreads 32
MaxConnectionsPerChild 0
ServerLimit 1
</IfModule>
Set up the CORS mechanism to increase system security during data exchange between different domains:
Open the /etc/apache2/apache2.conf file.
Set the following headers: Origin, Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers:
In the substitutions:
<allowed domain>. Specify, as a regular expression, the domain from which requests will be allowed. For example, the regular expression for the example.com domain:
https?://(?:.+\.)?example\.com(?::\d{1,5})?
This setting enables the CORS mechanism for the parent and child domains, and it is set dynamically to the current protocol, domain and port without the use of overriding rules.
<HTTP request methods>. Specify additional methods to access the resource. The POST and OPTIONS methods are mandatory.
<HTTP request headers>. Specify the headers used by the resource. The headers get-ppbi-time, content-type, soapaction, accept-language, cache-control, Authorization are mandatory.
NOTE. Make sure that the specified parameters of the CORS mechanism meet the requirements of the resource in use.
Connect the headers and rewrite modules:
sudo a2enmod headers rewrite
Create the envvars file with the environment variables required for the web application to work in the /etc/opt/foresight folder:
DISPLAY=:987
PP_LOG=1
PP_RETMEM=1
MALLOC_MMAP_THRESHOLD_=8192
PP_RETMEM_CO=1
PATH_TO_WEB=/opt/foresight/fp10.x-webserver
PP_SOM=https://<BI server>/FPBI_App_v10.x/axis2/services/PP.SOM.Som
APACHE_LOG_DIR=logs
In the <BI server> substitution, specify the IP address or DNS name of the server on which the BI server is installed.
Specify the path to the /etc/opt/foresight/envvars file in the Apache2 service settings file /usr/lib/systemd/system/apache2.service after the Environment parameter:
EnvironmentFile=/etc/opt/foresight/envvars
Create the default-ssl.conf file with web server settings in the /etc/apache2/sites-enabled folder:
<VirtualHost *>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /fp10.x/app/ ${PATH_TO_WEB}/app/
Alias /fp10.x/build/ ${PATH_TO_WEB}/build/
Alias /fp10.x/dashboard/ ${PATH_TO_WEB}/dashboard/
Alias /fp10.x/resources/ ${PATH_TO_WEB}/resources/
Alias /fp10.x/index.html ${PATH_TO_WEB}/index.html
Alias /fp10.x/libs/ ${PATH_TO_WEB}/libs/
Alias /fp10.x/ ${PATH_TO_WEB}/
RewriteEngine On
RewriteCond %{QUERY_STRING} (.*(?:^|&))cache(=1)?((?:&|$).*)
RewriteRule .* - [env=CACHEABLE]
KeepAlive Off
<Directory "${PATH_TO_WEB}/">
Options Indexes
AllowOverride All
Require all granted
FileETag None
SetEnv no-gzip 1
SetEnv dont-vary 1
<FilesMatch "\.([^.]+)$">
Header set Cache-Control "public, max-age=31536000" env=CACHEABLE
Header unset Pragma
Header unset ETag
UnsetEnv CACHEABLE
</FilesMatch>
<FilesMatch "\.cache\.(js|html)$">
Header set Cache-Control "public, max-age=31536000"
</FilesMatch>
</Directory>
</VirtualHost>
Restart Apache2:
sudo systemctl restart apache2
After executing the operations, the web application works via HTTPS.
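The origin regular expression from the CORS step can be checked against sample Origin values before it goes into apache2.conf. The following Python script is an added example, not part of the original documentation or of Foresight Analytics Platform; it assumes the pattern is matched against the Origin header as an unanchored search (the way Apache regex directives such as SetEnvIf match), and STRICT_PATTERN and the sample origins are constructed for illustration.

```python
import re

# The page's example pattern for the example.com domain, copied verbatim.
PAGE_PATTERN = r"https?://(?:.+\.)?example\.com(?::\d{1,5})?"

# Tightened variant (an assumption of this example, not the product's setting):
# anchored at both ends, sub-domain labels limited to host-name characters.
STRICT_PATTERN = r"^https?://(?:[a-z0-9-]+\.)*example\.com(?::\d{1,5})?$"

# Constructed sample Origin values with the decision a reviewer expects.
SAMPLES = [
    ("https://example.com", True),
    ("https://bi.example.com:8443", True),
    ("http://a.b.example.com", True),
    ("https://example.com.untrusted.test", False),   # allowed name used as a prefix
    ("https://untrusted.test/.example.com", False),  # allowed name after a slash
    ("https://notexample.com", False),
]


def allowed_by_search(pattern, origin):
    """Unanchored, case-insensitive search over the Origin value."""
    return re.search(pattern, origin, re.IGNORECASE) is not None


def audit(pattern):
    """Return the sample origins whose decision differs from the expected one."""
    return [o for o, expected in SAMPLES if allowed_by_search(pattern, o) != expected]


if __name__ == "__main__":
    for name, pat in (("page pattern", PAGE_PATTERN),
                      ("anchored pattern", STRICT_PATTERN)):
        wrong = audit(pat)
        print(f"{name}: {len(wrong)} unexpected decision(s)")
        for origin in wrong:
            print("   ", origin)
```

Replace example.com with the deployment's domain and extend SAMPLES with the origins the resource must accept; any origin listed under a pattern is a decision that differs from the expected one.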