ILIAS Tipps for school environments
  • Anmelden

Funktionen

[wolfganghuebsch], [iliasadmin1] - 15. Mai 2017, 10:30

Tutorial: Run ILIAS completely under SSL/HTTPS for free

  • ILIAS 5.2 or greater
  • Tested with Debian 8 and Ubuntu 14.04 LTS
  • Status of the tutorial: Seems to work
  • Contact: wolfgang.huebsch@gmx.de
  • Version: 0.2a, last change 02.03.2018
  • This tutorial shows how to encrypt your entire ILIAS installation with https/SSL with a valid SSL certificate for free and without any warnings. That means:
    • Your entire site, like bbs-ilias.de will be reachable only under https://bbs-ilias.de
    • This includes the ILIAS chatsystem
    • This includes also a optional Etherpad-Lite installation
I assume that you allready activated your chatsystem like described here: Tutorial: Installing ILIAS 5.2 @ Ubuntu LTS 16.04. Remember that in this older tutorial the chatserver runs @ port 8080 and that`s not the same like 443 (SSL). So before you start with https, install the chat running your site successfully  @http and port 8080! If everything works fine with http, start here - if not, go back
Please check all paths and other specifications of my scripts to make them fit to your installation!
When SSL-setup is done, adjust the file ilias.ini.php in /var/www/html/ilias accordingly with your new https-settings. Example:

[server]
http_path = "https://bbs-ilias.de/info"

What we will do

  • We will get some SSL certificates for free from https://letsencrypt.org/
  • We will redirect everything from port 80 to 443, that means from http://bbs-ilias.de to https://bbs-ilias.de
  • We will redirect the chatport 8080 to https://chat.bbs-ilias.de @ port 443
  • We will redirect the Etherpad-Lite port 9001 to https://pad.bbs-ilias.de @ port 443

General server settings to activate SSL

Go to  ILIAS->Administration->Privacy and Security->Security->General Settings->HTTPS-handling. Set it to disabled. If not, there is a redirect-login-error possible (solution at the end of this tutorial).
  • Check, which sites are running under https: ls /etc/apache2/sites-enabled
  • Disable all SSL-confs (recommended). Example: a2dissite bbs-ilias-ssl.conf
  • Now we create all vhost-files that we need. In this case:
    • cd /etc/apache2/sites-available
    • For the whole site (I think this file allready exists because you created it in the tutorial before): touch bbs-ilias.conf
    • For Etherpad: touch pad.bbs-ilias.conf
    • For ILIAS-Chat-System: touch chat.bbs-ilias.conf
  • If you don`t use similar vhost files allready, you can choose my examples. Just edit some lines so it will fit to your installation:
Change the first 10 lines if necessary
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<VirtualHost bbs-ilias.de:80>
ServerAdmin admin@bbs-ilias.de
ServerName www.bbs-ilias.de
ServerAlias bbs-ilias.de
 
DocumentRoot /var/www/
#Or its this path?
#DocumentRoot /var/www/html
 
KeepAlive on
XSendFilePath /var/www
XSendFilePath /opt
 
<Directory /var/www/>
<IfModule mod_php5.c>
php_flag register_globals off
</IfModule>
 
Options -Indexes +FollowSymlinks
 
DirectoryIndex index.php
DirectoryIndex index.html
DirectoryIndex index.htm
AllowOverride All
order deny,allow
allow from all
ExpiresActive On
ExpiresByType text/css "access plus 7 day"
ExpiresByType image/gif "access plus 7 day"
ExpiresByType image/jpg "access plus 7 day"
ExpiresByType image/jpeg "access plus 7 day"
ExpiresByType image/png "access plus 7 day"
 
</Directory>
 
</VirtualHost>
Change the first line and line 20, if necessary
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<VirtualHost pad.bbs-ilias.de:80>
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
 
ProxyVia On
ProxyRequests Off
ProxyPass / http://localhost:9001/
ProxyPassReverse / http://localhost:9001/
ProxyPreserveHost on
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
 
RewriteEngine on
RewriteCond %{SERVER_NAME} =pad.bbs-ilias.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
Change the first line and line 21, if necessary
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<VirtualHost chat.bbs-ilias.de:80>
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
 
ProxyVia On
ProxyRequests Off
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
ProxyPreserveHost on
 
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
 
RewriteEngine on
RewriteCond %{SERVER_NAME} =chat.bbs-ilias.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
Do not forget to enable these new Vhost files, so that there are visible in /etc/apache2/sites-enabled
  • No we create the Certificates for all domains and subdomains: 
    • Got to https://certbot.eff.org/
    • Choose your system, in my case Apache2@Debian8
    • Enable Backports like described
    • Choose automated install like described and follow the menu
    • After the prompt "which names would you like to activate HTTPS for?" , choose the names, like 1 2 3 4, give your e-mail and so on ...
    • Recommended: Choose 2: "Secure - Make all requests redirect to secure HTTPS access"
    • After all, there should appear something like this:
      • "Congratulations! You have successfully enabled https://bbs-ilias.de,https://chat.bbs-ilias.de, https://pad.bbs-ilias.de, andhttps://www.bbs-ilias.de"
    • Check, if everything works like expected: https://bbs-ilias.de

Special server settings: Let`s activate the ILIAS-Chatsystem@SSL

We activated the subdomain https://chat.bbs-ilias.de, but if we call it, we will be redirected to https://bbs-ilias.de. That`s because some settings are missing. Here we go :-)

Btw.: The mother of this part can be found here: http://www.ilias.de/docu/goto_docu_frm_1875_2242.html
  • I assume that you allready activated your chatsystem like described here: https://bbs-ilias.de/info/goto.php?target=blog_62_13&client_id=info
  • Remind: SSL will only work if you have a real FQDN like bbs-ilias.de.
  • Go to ILIAS-Administration->Chat Room->Chatserver-Settings. Complete the form like this:
    • IP-Address/FQN of Chat Server: chat.bbs-ilias.de (of course you take your own FQDN...)
    • Port of Chat Server: 443
    • Protocol: https
    • Certificat: /opt/ilias/ilchatdummy
    • Key: /opt/ilias/ilchatdummy
    • Diffie-Hellman Parameter: /opt/ilias/ilchatdummy
    • Btw.: A file called /opt/ilias/ilchatdummymust not exist.
    • Now we have to edit the file server.cfg:
      • Go to the location where the chatconfig files exist. You can find it in your datadirectory:  cd /opt/iliasdata/clientname/chatroom
      • Open the file server.cfg: nano server.cfg
      • The file should look like this, but it will not ^^:
1
2
3
4
5
6
7
8
9
10
11
{
"protocol": "http",
"port": "8080",
"address": "127.0.0.1",
"cert": "\/opt\/ilias\/ilchatdummy",
"key": "\/opt\/ilias\/ilchatdummy",
"dhparam": "\/opt\/ilias\/ilchatdummy",
"log": "",
"error_log": "",
"sub_directory": ""
}
  • That`s because we did other settings in ILIAS before. These settings are used to have a communication from outside to the server@SSL. However, here we need settings that are necessary for the communication inside the server (without SSL) .
  • So please change lines 2 and 3 of the file server.cfg accordingly like the example above. This is necessarry because the chatserver must run with the ip 127.0.0.1 at port 8080 and second a special rewrite will later point to https://pad.your.domain. That`s the trick.
  • Because it`s possible to overwrite these settings in ILIAS, you have to prevent this with this rightsettings:
    • chown root:root server.cfg
    • chmod 444 server.cfg
  • Now we check the vhost file that is responsible for the redirect:
    • cd /etc/apache2/sites-available
    • Have a look at the vhost-file thats called like this: nano chat.bbs-ilias.de-le-ssl.conf
    • Check if the settings are the same like in server.cfg. It may look like this (line 2 has your own FQDN):
Edit the line 2 and the lines 21 etc. so that they fit to your installation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<IfModule mod_ssl.c>
<VirtualHost chat.bbs-ilias.de:443>
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
 
ProxyVia On
ProxyRequests Off
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
ProxyPreserveHost on
 
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
 
SSLCertificateFile /etc/letsencrypt/live/bbs-ilias.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bbs-ilias.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName chat.bbs-ilias.de
</VirtualHost>
</IfModule>
  • Check also, if this file is activated. It should appear here: ls /etc/apache2/sites-enabled
  • The last step is to fit your startscript which may be located in /opt/scrips/ilchat or whatever:
    • nano /etc/init.d/ilchat 
    • It should look like this (lines 3-7):
  • Edit the lines 28-35 so that they fit to your installation, but: 
    • Do not change  IP url=127.0.0.1 !!!
    • Do not change chatport=8080 !!!
    • Do not change code="404" !!!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#!/bin/bash
## BEGIN INIT INFO
# Provides: ilchat3
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: ILIAS-Chatserver nodebased
# Description: This file should be used to construct scripts to be
# placed in /etc/init.d.
### END INIT INFO

# Author: Wolfgang Hubesch wolfgang.huebsch@gmx.de
#
# Please remove the "Author" lines above and replace them
# with your own name if you copy and modify this script.

# Do NOT "set -e"

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="ilchat"
NAME=ilchat
#DAEMON=/usr/sbin/$NAME
#DAEMON_ARGS="--options args"

SCRIPTNAME=/etc/init.d/$NAME
ilroot=/var/www/html/ilias
ildata=/opt/iliasdata
client=nurderhsv
url=127.0.0.1
chatport=8080
code="404"
USER=www-data
node_path=/usr/local/bin/node

#################################################
chown ${USER} ${ilroot}/Modules/Chatroom/chat/chat.js
status=$(curl -s --head ${url}:${chatport} | head -n 1)

case "$1" in
start)

if [[ $status == *${code}* ]];
then

echo "Chat-Server seems to be up"
else
echo "Chat-Server seems to be DOWN. Try to start..."
sudo -H -u $USER bash -c "${node_path} ${ilroot}/Modules/Chatroom/chat/chat.js ${ildata}/${client}/chatroom/server.cfg ${ildata}/${client}/chatroom/client.cfg" &
sleep 5
status=$(curl -s --head ${url}:${chatport} | head -n 1)
if [[ $status == *${code}* ]];
then
echo "Chatserver is up!"
exit

else
echo "Sorry, I was not able to start the Chatserver. Try user root instead of ${USER}"
exit
fi




fi

;;

stop)

if [[ $status == *${code}* ]];
then
echo "Chatserver is up...try to stop..."
kill $(ps aux | grep chat.js | awk '{print $2}') > /dev/null 2>&1
exit

else
echo "Chatserver is already down..."
exit
fi

;;

status)

if [[ $status == *${code}* ]];
then
echo "Chatserver is up...exit now..."
exit

else
echo "Chatserver is down...exit now..."
exit

fi

;;

*)
echo "Usage: $0 {start|stop|status}"
exit 1
esac

exit 0
  • Try the script. The server should run like expected:
    • /etc/init.d/ilchat may give: Chat-Server seems to be running

Special Settings: Etherpad-Lite@SSL

  • Normally, you run Etherpad-Lite with port 9001. Thats not longer possible, because we put everthing behind 443. The first step is to stop Etherpad-Service. @BBS-ILIAS, this is done like this:
    • /etc/init.d/etherpad-lite stop
  • Now we check if the SSL-vhost-entry is correct:
    • nano /etc/apache2/sites-available/pad.bbs-ilias.de-le-ssl.conf
    • This should give something like this: (please check also, if you see the site in /etc/apache2/sites-enabled)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<IfModule mod_ssl.c>
<VirtualHost pad.bbs-ilias.de:443>
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
 
ProxyVia On
ProxyRequests Off
ProxyPass / http://localhost:9001/
ProxyPassReverse / http://localhost:9001/
ProxyPreserveHost on
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
 
SSLCertificateFile /etc/letsencrypt/live/bbs-ilias.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bbs-ilias.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName pad.bbs-ilias.de
</VirtualHost>
</IfModule>
  • Start etherpad-lite: /etc/init.d/etherpad-lite start
  • Wait a moment. It should be reachable under https://pad.bbs-ilias.de
  • Now we have to change some settings in the plugin-config from ILIAS (Administration->Plugins). Check it like this (right side):
HTTP
HTTPS
Host
pad.bbs-ilias.de
pad.bbs-ilias.de
Port
80
443
Domain
.bbs-ilias.de
.bbs-ilias.de
Https
Unchecked
Checked
Valid SSL-Cert:
Checked
Path
Leave empty
Leave empty

Troubleshooting

If you forgot to disable https in ILIAS:

Deactivate in ILIAS->Administration->Privacy and Security->Security->General Settings->HTTPS-handling. This must be set to disabled. If not, there is a redirect-login-error possible. In that case you have to disable the permanent redirect to https in your vhost responsible for port 80 (bbs-ilias.conf).
  • Look for lines like below and put a # before them. Restart apache and deactivate HTTPS-handling in ILIAS.
  • Delete the # to have full SSL-encryption again.
RewriteCond %{SERVER_NAME} =www.bbs-ilias.de [OR]
RewriteCond %{SERVER_NAME} =bbs-ilias.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

If you get an error while calling pad.bbs-ilias.de

  • The server may not understand localhost, so try 127.0.0.1 instead. Example:
1
2
3
4
5
6
ProxyVia On
ProxyRequests Off
ProxyPass / http://127.0.0.1:9001/
ProxyPassReverse / http://127.0.0.1:9001/
ProxyPreserveHost on
<Proxy *>

Funktionen

Benutzerbild: chabm
[chabm] - 06. Aug 2019

Hello,

We are trying to get our chat working completely under SSL, following this guide under proxy configuration. Chat is functioning, but we encountered the following problems: emotes are not showing in the chat, some of the icons and images. Those images will display if I uncomment WAC rule in .htaccess.

I hope anyone has some ideas about where I should look at?

There is a thread in the ILIAS forums as well: https://docu.ilias.de/ilias.php?ref_id=1875&cmdClass=ilobjforumgui&thr_pk=5955&cmd=viewThread&cmdNode=uo:2w&baseClass=ilRepositoryGUI