Version 5.0

AdvertPro - SSL Integration

Considerations

Securing the Control Panel

Serving the control panel over HTTPS protects the administrator login and session cookies from being read or replayed by anyone on the network path, provided that only current protocols are enabled. The configurations in this guide offer TLS 1.2 and later only: SSLv2 and SSLv3 are broken, and TLS 1.0 and 1.1 are deprecated and rejected by modern browsers. Note that HTTPS is transport protection, not access control; it does not replace strong passwords or restricting which addresses may reach the control panel.

Serving Ads in Secure Pages

The ad server does support serving ads into HTTPS pages; the code wizard has a Secure option that generates an HTTPS ad code. This only works for ads whose entire content (including any GIF, JPG or SWF files) is hosted on the ad server. Third-party ad servers generally do not support HTTPS, and browsers refuse to load scripts or frames fetched over plain HTTP into an HTTPS page (mixed content), so such ads will not render there. This may limit the types of ads you can run on secure pages.

Web Servers

These instructions assume that Tomcat is either running standalone on port 443 or is proxied behind a web server such as Apache or Nginx. The certificate itself is an ordinary X.509 certificate in every case; what differs is how each server stores it:

  1. Apache uses OpenSSL and reads PEM files (private key, certificate, CA bundle). Such certificates are available from any provider.
  2. Nginx also uses OpenSSL and reads the same PEM files.
  3. Tomcat uses Java's JSSE and reads the key and certificate chain from a Java keystore, which is where most installations go wrong.

We mention the last point because countless people have tried and failed to get certificates from various providers working with Tomcat. The cause is almost never the provider but the keystore: the CA's reply was imported under a different alias from the private key (keytool then stores it as a trusted certificate and Tomcat keeps serving the self-signed placeholder), or an intermediate was skipped, so browsers cannot build the chain. GoDaddy's Tomcat download ships the intermediates with an import order that works, so to keep things simple we use GoDaddy certificates and file names as the reference for all web servers; a certificate from any other CA works the same way once the chain is complete.

Certificate Request

Run the appropriate commands for your chosen web server to generate a private key and a certificate signing request. You will be prompted for some information about your company. When asked for the Common Name (keytool phrases this as "What is your first and last name?"), enter the exact host name you wish to secure, e.g. ads.yourcompany.com; the certificate only matches that name, so www.yourcompany.com would need a certificate of its own. The openssl commands also prompt for a challenge password, which you can leave blank. The -nodes option writes the key unencrypted so the web server can start without a passphrase, so keep the key file readable by its owner only (mode 600).

Apache


cd /etc/httpd/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Nginx


cd /etc/nginx
mkdir ssl
cd ssl
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Tomcat


cd /usr/local/tomcat
mkdir ssl
cd ssl
keytool -genkeypair -keysize 2048 -alias tomcat -keyalg RSA -ext SAN=dns:yourdomain.com -keystore tomcat.keystore
keytool -certreq -keyalg RSA -alias tomcat -ext SAN=dns:yourdomain.com -file yourdomain.csr -keystore tomcat.keystore

At this point, you will need to provide the yourdomain.csr file to GoDaddy after you've purchased an SSL certificate. Currently GoDaddy charges $69.99/yr for them. It is possible to get discounts by paying for multiple years in advance as well.

Warning

When keytool asks "Enter key password for <tomcat> (RETURN if same as keystore password)", press RETURN: the key and the keystore must share one password. The connector configuration in this guide passes only keystorePass to Tomcat, which then uses it for the key as well; a different key password makes the connector fail to start with a "Cannot recover key" error. (Tomcat does have a separate keyPass attribute, but one password is simpler and is what the instructions below assume.)
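The openssl commands above put the domain in the Common Name only. Public CAs and browsers match a certificate on its Subject Alternative Name, so the request should carry the domain there too. The script below is an added example, not part of the AdvertPro documentation: it generates the key and CSR for Apache or Nginx with a SAN, then runs the checks worth doing before the request goes to the CA: that the request is intact, that it embeds the public half of the key you are about to deploy, that the names on it are what you expect, and that the key file is readable by its owner only. The domain ads.yourcompany.example and the output directory are assumptions. For Tomcat, the -ext SAN option on keytool -certreq achieves the same result, or you can generate with openssl and package the answer as a PKCS#12 keystore.

```shell
#!/bin/sh
# Added example, not from the AdvertPro documentation. Generates the private key
# and CSR for Apache/Nginx with a subjectAltName, then checks the request before
# it is sent to the CA. DOMAIN and OUT are assumptions for the demo.
set -u
DOMAIN="ads.yourcompany.example"
OUT=$(mktemp -d)

# 2048-bit RSA key without a passphrase (the web server must read it at boot),
# created with umask 077 so the file is owner-readable only, plus a CSR whose
# CN and SAN both carry the domain.
make_csr() {
  umask 077
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Your Company/CN=$DOMAIN" \
    -addext "subjectAltName=DNS:$DOMAIN" \
    -keyout "$OUT/$DOMAIN.key" -out "$OUT/$DOMAIN.csr" 2>/dev/null
}

# The CSR is self-signed with the new key; a truncated or edited request fails here.
csr_is_valid() {
  openssl req -in "$OUT/$DOMAIN.csr" -noout -verify >/dev/null 2>&1
}

# The CSR must embed the public half of the key that will be deployed.
csr_matches_key() {
  [ "$(openssl req -in "$OUT/$DOMAIN.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$OUT/$DOMAIN.key" -pubout)" ]
}

# The names the CA will certify: the subject line and every DNS SAN.
csr_names() {
  openssl req -in "$OUT/$DOMAIN.csr" -noout -subject
  openssl req -in "$OUT/$DOMAIN.csr" -noout -text | grep -o 'DNS:[^, ]*'
}

# Anything wider than owner-only on the private key is a finding.
key_is_private() {
  mode=$(stat -c %a "$OUT/$DOMAIN.key" 2>/dev/null || stat -f %Lp "$OUT/$DOMAIN.key")
  [ "$mode" = "600" ]
}

make_csr
csr_names
```

Run it once and send the .csr it prints the names of; the .key never leaves the server.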

Intermediate Certificates

GoDaddy will provide you with a bundle of intermediate certificates. These certificates are ultimately combined with your domain certificate to form a chain of certificates. Every web server has its own different way of accomplishing this task.

Apache

Apache can directly use the provided bundle through the SSLCertificateChainFile directive shown in the configuration below, so you can skip this step if you're using Apache. On Apache 2.4.8 and later that directive is deprecated: there, append the bundle to yourdomain.crt (domain certificate first, then the bundle, as in the Nginx step) and point SSLCertificateFile at the combined file.

Nginx

Nginx requires the bundle to be appended to the domain certificate to form a combined file. The order matters: the domain certificate must come first, followed by the intermediates, and the root is not needed. Nginx treats the first certificate in the file as the server certificate, so a file with the bundle first fails to start with a "key values mismatch" error.


cat yourdomain.crt bundle.crt > yourdomain_combined.crt

Tomcat

Tomcat requires the certificates to be imported into its keystore one at a time, and keytool checks each import against what is already trusted (the keystore itself plus, with -trustcacerts, the JVM's cacerts). Import from the top of the chain down: the cross-signing certificate first if you received a gd_cross_intermediate.crt file (skip the first command otherwise), then gd_intermediate.crt, then the domain certificate. The domain certificate must be imported under the same alias as the private key (tomcat): keytool then treats it as the CA's reply, replaces the self-signed placeholder and stores the full chain. Imported under any other alias it becomes a mere trusted certificate, Tomcat keeps serving the self-signed one, and you get the "does not work with Tomcat" symptom described in the Web Servers section. Verify afterwards with keytool -list -v -keystore tomcat.keystore: the tomcat entry should read "Entry type: PrivateKeyEntry" with a certificate chain length greater than 1.


keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file certres.crt
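The three server-specific chain procedures above come down to the same two questions: does the file you are about to deploy let a client walk from your certificate to a trusted root, and does the key on disk belong to that certificate? The script below is an added example, not AdvertPro's tooling. It builds a throw-away root, intermediate and server certificate offline as a stand-in for the GoDaddy files (all names are constructed), assembles the combined file in the order Nginx expects, and then runs the checks you would run on the real yourdomain.crt, bundle.crt and yourdomain.key: it verifies the chain with and without the intermediate, so you can see what a browser sees when the bundle is missing, confirms the key matches, and packages key, certificate and intermediate into a PKCS#12 file that Tomcat can load directly (keystoreType="PKCS12"), which sidesteps the alias and import-order pitfalls of keytool entirely.

```shell
#!/bin/sh
# Added example; not AdvertPro's own tooling. Builds a throw-away
# root -> intermediate -> leaf chain offline (a stand-in for GoDaddy's files),
# assembles it in the order nginx expects, and runs the checks to perform on the
# real yourdomain.crt / bundle.crt / yourdomain.key before reloading the server.
# Every name below (Demo Root, ads.yourcompany.example, ...) is constructed.
set -u
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# --- fixture: a private CA hierarchy ------------------------------------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ads.yourcompany.example\n' > leaf.ext

openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.crt 2>/dev/null

openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.crt 2>/dev/null

# The server's CSR (as in the Certificate Request section) signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ads.yourcompany.example" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.crt 2>/dev/null

# --- the checks ---------------------------------------------------------------
# nginx order: server certificate first, then the intermediates, never the root.
build_combined() { cat leaf.crt int.crt > combined.crt; }

# Subjects of every certificate in a PEM file, in file order; line 1 must be your domain.
chain_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | sed -n 's/^subject=//p'
}

# 0 only if a path from the leaf to the trusted root can be built. Pass the
# intermediate as $2, or "" to see what a browser sees when the bundle is missing.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
  fi
}

# The private key on disk must be the one the certificate was issued for.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Tomcat without the keytool import sequence: one PKCS#12 file holding the key,
# the leaf and the intermediate under alias "tomcat". Point the connector at it
# with keystoreFile="/usr/local/tomcat/ssl/tomcat.p12" keystoreType="PKCS12".
# Older Java releases cannot read the AES/PBKDF2 encryption OpenSSL 3 writes by
# default; if Tomcat fails to load the file, regenerate it with -legacy.
build_pkcs12() {
  openssl pkcs12 -export -in leaf.crt -inkey leaf.key -certfile int.crt \
    -name tomcat -passout pass:changeit -out tomcat.p12 2>/dev/null
}

# Certificates stored in the PKCS#12 file; 2 means leaf plus intermediate.
pkcs12_cert_count() {
  openssl pkcs12 -in tomcat.p12 -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

build_combined
chain_subjects combined.crt
verify_leaf leaf.crt int.crt && echo "chain OK with the intermediate"
verify_leaf leaf.crt "" || echo "chain FAILS without the intermediate (what a browser sees)"
key_matches_cert leaf.crt leaf.key && echo "key matches certificate"
build_pkcs12 && echo "tomcat.p12 holds $(pkcs12_cert_count) certificates"
```

On a real deployment, replace root.crt with the CA's root (or drop -CAfile and rely on the system store), int.crt with gd_bundle.crt, and leaf.crt/leaf.key with your own files; the functions are otherwise unchanged.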

Server Configuration

Now that your certificates are ready to go you can proceed with configuring your web server to use them.

Apache

Apache requires you to set up a separate virtual host to handle HTTPS connections. You can add the following configuration snippet to your Apache httpd.conf file (the -TLSv1.1 keyword needs Apache 2.4; on 2.2 drop it). It will need changes to the IP address and domain name, but otherwise these settings allow only TLS 1.2 and later with forward-secret AEAD cipher suites. Two points to note: the proxy directive is deliberately not wrapped in an IfModule guard, because if mod_proxy_ajp were missing Apache would silently serve the Tomcat webapp directory, including WEB-INF, as static files; and Tomcat 8.5.51/9.0.31 and later only accept AJP connections that carry a shared secret (secret="..." on the Tomcat AJP connector and in the ProxyPass URL) unless secretRequired="false" is set, and they bind AJP to the loopback address by default.


<VirtualHost 127.0.0.1:443>
  ServerAdmin admin@yourdomain.com
  ServerName ads.yourdomain.com
  # Not served while the proxy below is active; kept so Apache has a sane root.
  DocumentRoot /usr/local/tomcat/webapps/ROOT

  SSLEngine On
  # TLS 1.2 and later only: SSLv2/SSLv3 are broken, TLS 1.0/1.1 are deprecated.
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder on
  # Forward-secret AEAD suites only; RC4, 3DES and MD5 are explicitly excluded.
  SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EDH+aRSA+AESGCM !aNULL !eNULL !LOW !3DES !MD5 !RC4 !EXP !PSK !SRP !DSS"
  SSLCertificateFile /etc/httpd/ssl/yourdomain.crt
  SSLCertificateKeyFile /etc/httpd/ssl/yourdomain.key
  # GoDaddy's intermediate bundle. Deprecated from Apache 2.4.8: there, append
  # the bundle to yourdomain.crt and remove this line.
  SSLCertificateChainFile /etc/httpd/ssl/yourdomain.bundle

  # Everything goes to Tomcat over AJP. No <IfModule> guard: if mod_proxy_ajp is
  # missing, Apache must refuse to start rather than serve WEB-INF as files.
  ProxyPass / ajp://localhost:8009/
  ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>

Nginx

Nginx allows you to serve both HTTP and HTTPS connections from the same virtual host, so your combined configuration will look something like the following. Two things the snippet relies on are not shown: the proxy_cache shared references require a proxy_cache_path directive with keys_zone=shared:... in the http block, and the max_connections directives in the upstream block come from a third-party upstream module, not stock nginx (stock nginx 1.11.5 and later offers the max_conns parameter on the server line instead). Because TLS terminates here, Tomcat sees every request as plain HTTP from 127.0.0.1; add Tomcat's RemoteIpValve (remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto") to server.xml so the application sees the real client address and knows which requests arrived over HTTPS. The rewrite condition below sends control-panel requests (other than the API) that arrive over HTTP to HTTPS with a permanent redirect, while ad requests continue to be served on both schemes.


ssl_certificate /etc/nginx/ssl/yourdomain_combined.crt;
ssl_certificate_key /etc/nginx/ssl/yourdomain.key;

# TLS 1.2 and later only. TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+;
# drop it on older builds, which reject the unknown value at startup.
ssl_protocols TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only; RC4, 3DES and MD5 are never offered. Names the
# local OpenSSL does not know (e.g. CHACHA20 on 1.0.2) are ignored.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!MD5:!RC4:!3DES;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

upstream tomcat {
  server 127.0.0.1:8080;
  # Connection capping from a third-party upstream module, not stock nginx.
  # On stock nginx 1.11.5+ write: server 127.0.0.1:8080 max_conns=256;
  max_connections 256;    # set to (tomcat_max_threads / nginx_worker_processes)
  max_connections_queue_timeout 30000;
}

server {
  server_name _;

  listen 80;
  listen *:443 ssl;

  set $force_ssl "$scheme://$http_host$request_uri";

  if ($force_ssl ~ "^http://(.*)/servlet/control(?!/api)(.*)") {
    return 301 https://$http_host$request_uri;
  }

  location / {
    proxy_pass http://tomcat;

    proxy_connect_timeout 30;

    proxy_set_header Host $http_host;

    proxy_set_header Accept-Encoding "";
    proxy_set_header User-Agent $http_user_agent;
    proxy_set_header Referer $http_referer;

    proxy_set_header X-Real-IP $remote_addr;
    # Append the client address instead of forwarding the header verbatim, so a
    # client cannot spoof its own IP into Tomcat's logs and access controls.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_redirect http://$http_host $scheme://$http_host;
  }

  location /servlet/files {
    proxy_pass http://tomcat;
    proxy_set_header Host $http_host;
    proxy_cache shared;
    proxy_cache_key "$scheme$http_host$request_uri";
  }

  location ~* \.(css|html|js|txt|xml)$ {
    proxy_pass http://tomcat;
    proxy_set_header Host $http_host;
    proxy_set_header Accept-Encoding "";
    proxy_cache shared;
    proxy_cache_key "$scheme$http_accept_encoding$http_host$request_uri";
  }

  location ~* \.(gif|jpg|png|jar)$ {
    proxy_pass http://tomcat;
    proxy_cache shared;
    proxy_cache_key "$scheme$http_host$request_uri";
  }
}

Tomcat

The following configuration snippet should be added after the existing <Connector> for HTTP port 80 in your /usr/local/tomcat/conf/server.xml file. Set keystorePass to the password you chose when creating the keystore ("changeit" is only a placeholder). sslProtocol="TLS" on its own still lets the JVM offer TLS 1.0 and 1.1 (and SSLv3 on old JVMs), so sslEnabledProtocols pins the connector to TLS 1.2 (add TLSv1.3 on Java 11 or later) and ciphers limits it to forward-secret AEAD suites, which are available on Java 8 and later. The blocking Http11Protocol connector was removed in Tomcat 8.5; use org.apache.coyote.http11.Http11NioProtocol there. Binding port 443 requires root or the CAP_NET_BIND_SERVICE capability; if Tomcat sits behind Apache or Nginx, leave this connector out altogether and keep Tomcat's HTTP and AJP connectors bound to 127.0.0.1.


<Connector protocol="org.apache.coyote.http11.Http11Protocol"
  acceptCount="128"
  connectionTimeout="15000"
  disableUploadTimeout="false"
  enableLookups="false"
  maxKeepAliveRequests="100"
  maxThreads="256"
  maxSpareThreads="48"
  minSpareThreads="16"
  port="443"
  scheme="https"
  secure="true"
  SSLEnabled="true"
  clientAuth="false"
  sslProtocol="TLS"
  sslEnabledProtocols="TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  keystoreFile="/usr/local/tomcat/ssl/tomcat.keystore"
  keystorePass="changeit"
  URIEncoding="UTF-8"/>

Server Reloading

Check the configuration before restarting (apachectl configtest for Apache, nginx -t for Nginx; Tomcat reports keystore and password problems in catalina.out on startup). The commands below are for SysV init scripts; on systemd hosts use systemctl restart httpd, nginx or tomcat instead.

Apache


/etc/rc.d/init.d/httpd restart

Nginx


/etc/rc.d/init.d/nginx restart

Tomcat


/etc/rc.d/init.d/tomcat restart

Troubleshooting

Remember to open port 443 in your server firewall! HTTPS can't work without an open port :) Also confirm that the right process is actually listening on 443 (ss -ltnp or netstat -ltnp) and, after a Tomcat restart, check catalina.out for keystore or "Cannot recover key" errors.
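Once the port is open, the remaining failures are invisible from the server's own logs: a legacy protocol still enabled, an intermediate that was never deployed, or a certificate about to expire. The script below is an added example, not part of the AdvertPro documentation. It probes a deployed endpoint with openssl s_client the way a reviewer would after the reload and applies the policy this guide aims for: TLS 1.2 offered, SSLv3 and TLS 1.0/1.1 refused, the full chain served, and at least 30 days of validity left. The demo server at the bottom is a constructed fixture (a self-signed certificate on loopback with the legacy protocols disabled) so the checks can be exercised offline; host names and ports are assumptions.

```shell
#!/bin/sh
# Added example; this is not AdvertPro's tooling. Probes an HTTPS endpoint for
# the protocol versions it negotiates, the chain it sends and the leaf's expiry.
# The demo server at the bottom is a constructed fixture for offline use.
set -u

# One TLS handshake against host:port; prints the s_client transcript. "$3" is an
# optional client option (-tls1, -tls1_2, -showcerts, ...). SNI is sent only for
# DNS names, since RFC 6066 forbids IP literals in the extension.
probe() {
  case $1 in
    *[a-zA-Z]*) sni="-servername $1" ;;
    *) sni="" ;;
  esac
  openssl s_client -connect "$1:$2" $sni ${3:-} </dev/null 2>&1
}

# 0 when a session was actually established under the given option. On failure
# s_client reports "Cipher is (NONE)"; a client build that lacks the legacy
# protocol altogether also counts as "not accepted".
accepts() {
  probe "$1" "$2" "$3" | grep -q '^New, .*Cipher is [A-Z]'
}

# Number of certificates the server presented. A public CA issues through an
# intermediate, so 1 means the bundle from the previous sections was not deployed.
chain_depth() {
  probe "$1" "$2" -showcerts | grep -c 'BEGIN CERTIFICATE'
}

# 0 when the leaf certificate is still valid $3 seconds from now.
valid_for() {
  probe "$1" "$2" | openssl x509 -noout -checkend "$3" >/dev/null 2>&1
}

# Policy for the control panel host: TLS 1.2 on, SSLv3/TLS 1.0/1.1 off, full
# chain served, at least 30 days of validity left. Prints the first finding, or "ok".
tls_audit() {
  accepts "$1" "$2" -tls1_2 || { echo "TLS 1.2 not offered"; return 1; }
  for legacy in -ssl3 -tls1 -tls1_1; do
    if accepts "$1" "$2" "$legacy"; then
      echo "legacy protocol $legacy accepted"; return 1
    fi
  done
  [ "$(chain_depth "$1" "$2")" -ge 2 ] || { echo "intermediate missing"; return 1; }
  valid_for "$1" "$2" 2592000 || { echo "certificate expires within 30 days"; return 1; }
  echo "ok"
}

# Constructed fixture: a throw-away self-signed server on loopback with the
# legacy protocols disabled. Prints its PID so the caller can kill it.
start_demo_server() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=localhost" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  openssl s_server -4 -accept "$1" -cert "$d/cert.pem" -key "$d/key.pem" \
    -www -no_ssl3 -no_tls1 -no_tls1_1 >/dev/null 2>&1 &
  echo $!
  sleep 1
}

PID=$(start_demo_server 44371)
tls_audit 127.0.0.1 44371   # prints "intermediate missing": the self-signed demo sends one certificate
kill "$PID"
```

Against a real host, call tls_audit ads.yourcompany.com 443; the self-signed fixture is expected to fail the chain check, which is exactly the finding a missing bundle produces in production.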