
= Installation and setup

include::./_macros.adoc[]

== Pre-requisites

Our recommended setup uses:

* CentOS/RedHat 7.0 for the operating system
* Nginx as the webserver in front of {tc}
* firewalld as the firewall software
* openssl

NOTE: All the commands in this section need to be executed as root

If Nginx is not installed, you can:

[source,bash]
----
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install epel-release-latest-7.noarch.rpm
yum -y update
yum -y install nginx
----

then make sure it is enabled and started:

[source,bash]
----
systemctl start nginx
systemctl enable nginx
----

We now need to set up the firewall to allow Nginx access from outside. If firewalld is not installed and enabled, you can first do:

[source,bash]
----
yum -y install firewalld
systemctl enable firewalld
----

Make sure openssl is installed as well:

[source,bash]
----
yum -y install openssl
----

== Installing {tc} from RPMs

The {tc} backend is made available in the form of RPMs for CentOS/RedHat 7.0. The latest version is available as a .tgz archive from link:https://storage.googleapis.com/ticrypt/ticrypt-backend/ticrypt-{tc-ver}-1.tgz[]

The first step is to download and install these RPMs:

[source,bash,subs="attributes+"]
----
# Grab the archive
wget https://storage.googleapis.com/ticrypt/ticrypt-backend/ticrypt-{tc-ver}-1.tgz

# Unpack the archive
tar -xzvf ticrypt-{tc-ver}-1.tgz

# Install the RPMs
cd ticrypt-{tc-ver}-1
yum -y install *.rpm
----

Since {tc} has 10 services, dealing with them one by one with systemctl is tedious. A small script that performs the same service operation on all of them helps a lot. Using an editor, create the file ticrypt-services.sh with the content:

[source,bash]
----
#!/bin/bash
# Run the systemctl operation given as the first argument (enable, start,
# stop, restart, status, ...) on every tiCrypt service unit.
for s in auth file-manager maintenance proxy stats vm logger notifications rest storage; do
    systemctl "$1" "ticrypt-$s"
done
----

Make sure you make it executable:

[source,bash]
----
chmod a+x ticrypt-services.sh
----

Using this script we can now enable all {tc} services:

[source,bash]
----
./ticrypt-services.sh enable
----

== Setting up firewall rules for {tc}

[source,bash]
----
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --runtime-to-permanent # save anything you're currently working on
firewall-cmd --permanent --new-service=ticrypt-proxy
firewall-cmd --permanent --service=ticrypt-proxy --set-short='tiCrypt Proxy'
firewall-cmd --permanent --service=ticrypt-proxy --set-description='Encrypted tunnels for tiCrypt VM traffic'
firewall-cmd --permanent --service=ticrypt-proxy --add-port=6000-6010/tcp
firewall-cmd --reload
firewall-cmd --zone=public --add-service=ticrypt-proxy
firewall-cmd --runtime-to-permanent
----

In the above, we assumed that we will use the port range 6000-6010 for the {tc} proxy. If that is not the case, this rule needs to be changed accordingly.
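To confirm that the rules above actually took effect (and that only the intended proxy range is open), the following script can be run after the reload. It is an added example and not part of the {tc} documentation: it parses the text printed by `firewall-cmd --list-all` and `firewall-cmd --permanent --info-service=ticrypt-proxy`, which are real firewalld commands, while the function names and the `check_ticrypt_firewall` wrapper are this example's own. The expected port range defaults to the documented 6000-6010/tcp; pass a different range as the first argument if you changed it.

```bash
#!/bin/bash
# Added example (not from the tiCrypt docs): verify the firewalld state that the
# documented firewall-cmd sequence is supposed to produce. The parsing functions
# read their input from stdin so they can be exercised on captured output.

# Succeed if the zone listing on stdin (format of `firewall-cmd --list-all`)
# has every service named in the arguments on its "services:" line.
fw_zone_has_services() {
  local have s
  have=$(sed -n 's/^ *services: *//p')
  for s in "$@"; do
    case " $have " in
      *" $s "*) ;;
      *) echo "service not enabled in zone: $s" >&2; return 1 ;;
    esac
  done
}

# Succeed if the service definition on stdin (format of
# `firewall-cmd --permanent --info-service=NAME`) opens exactly the given
# port range and nothing else.
fw_service_has_only_port() {
  local expected="$1" ports
  ports=$(sed -n 's/^ *ports: *//p' | tr -s ' ')
  ports="${ports% }"
  if [ "$ports" = "$expected" ]; then
    return 0
  fi
  echo "ticrypt-proxy opens '$ports', expected '$expected'" >&2
  return 1
}

# Run both checks against the live firewalld configuration (assumed wrapper).
check_ticrypt_firewall() {
  local range="${1:-6000-6010/tcp}"
  firewall-cmd --list-all | fw_zone_has_services https ticrypt-proxy &&
    firewall-cmd --permanent --info-service=ticrypt-proxy | fw_service_has_only_port "$range"
}
```

Run `check_ticrypt_firewall` as root after the `firewall-cmd --reload`; a non-zero exit status with a message on stderr tells you which of the two expectations (zone services, proxy port range) does not hold.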

== Setting up Nginx config files for {tc}

The {tc} REST API will be set up using the file /etc/nginx/conf.d/rest.ticrypt.conf.

The following configuration file is based on Mozilla's https://ssl-config.mozilla.org[SSL Configuration Generator].

Assuming that:

* The {tc} server is available at ticrypt.example.com
* The {tc} REST API runs on port 8080
* The TLS/SSL combined certificate and chain is stored in /etc/pki/tls/certs/example-stacked.crt
* The TLS/SSL trust chain is stored in /etc/pki/tls/certs/example-chain.crt
* The TLS/SSL key is stored in /etc/pki/tls/private/example.key

the configuration file can look like:

[source,nginxconf]
----
# Used to properly map HTTP headers for WebSocket connections
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream tc-backend {
    server 127.0.0.1:8080;
}

server {
    ### Configuration based on Mozilla Configuration Tool
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate /etc/pki/tls/certs/example-stacked.crt;
    ssl_certificate_key /etc/pki/tls/private/example.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/pki/tls/dhparam.pem
    # OR
    # openssl dhparam -outform pem -out /etc/pki/tls/dhparam.pem 2048
    ssl_dhparam /etc/pki/tls/dhparam.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/pki/tls/certs/example-chain.crt;

    # replace with the IP address of your resolver
    resolver 127.0.0.1;

    ### Begin Custom Rules ###

    server_name ticrypt.example.com;
    root /var/www/ticrypt-rest;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://code.getmdl.io; frame-ancestors 'self' http://127.0.0.1:*";

    #### This is critical for tiCrypt ####
    client_max_body_size 16M;

    location / {
        try_files $uri @proxy;
    }

    location /static {
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        if ($request_method = 'GET') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            add_header 'Access-Control-Expose-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        }
    }

    location @proxy {
        proxy_pass http://tc-backend;
        proxy_redirect off;
        proxy_buffering off;
        proxy_cache off;
        proxy_http_version 1.1;
        proxy_read_timeout 900s;
        proxy_connect_timeout 360s;
        proxy_send_timeout 360s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
----

You need to customize the values for your situation.
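Before reloading Nginx with this file, it is worth checking that the certificate, key and trust chain it points at are consistent with each other and with the server name; a mismatch only surfaces as a failed TLS handshake for clients. The script below is an added example, not part of the {tc} documentation. It relies only on the `openssl` prerequisite installed above and on `nginx -t`; the default paths are the ones assumed in the list above, the function names and the `check_ticrypt_tls` wrapper are this example's own, and the self-signed material in its test is constructed.

```bash
#!/bin/bash
# Added example (not from the tiCrypt docs): sanity-check the TLS material that
# rest.ticrypt.conf references before asking Nginx to load it.

# The certificate's public key must belong to the configured private key.
# Comparing the exported public keys works for both RSA and EC keys.
tls_cert_matches_key() {
  local cert="$1" key="$2" from_cert from_key
  from_cert=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
  from_key=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# The leaf certificate must chain to the configured trust chain (the same file
# ssl_trusted_certificate uses for OCSP stapling) and be valid for the host name
# clients will connect to.
tls_cert_verifies() {
  local cert="$1" chain="$2" host="$3"
  openssl verify -CAfile "$chain" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# The certificate must stay valid for at least the given number of days, so an
# imminent expiry is caught at deployment time rather than by users.
tls_cert_valid_for_days() {
  local cert="$1" days="$2"
  openssl x509 -noout -checkend $(( days * 86400 )) -in "$cert" >/dev/null 2>&1
}

# Run all checks with the paths assumed in this section, then let Nginx parse
# the configuration (assumed wrapper; override the defaults for your setup).
check_ticrypt_tls() {
  local cert="${1:-/etc/pki/tls/certs/example-stacked.crt}"
  local key="${2:-/etc/pki/tls/private/example.key}"
  local chain="${3:-/etc/pki/tls/certs/example-chain.crt}"
  local host="${4:-ticrypt.example.com}"
  local rc=0
  tls_cert_matches_key "$cert" "$key" || { echo "certificate and key do not match" >&2; rc=1; }
  tls_cert_verifies "$cert" "$chain" "$host" || { echo "certificate does not verify for $host" >&2; rc=1; }
  tls_cert_valid_for_days "$cert" 14 || { echo "certificate expires within 14 days" >&2; rc=1; }
  [ "$rc" -eq 0 ] && nginx -t
}
```

Call `check_ticrypt_tls` with no arguments to use the documented paths, or pass certificate, key, chain and host name in that order. Only when every check passes does it run `nginx -t`, so a reload is never attempted on a configuration whose TLS material is already known to be wrong.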

We first do:

[source,bash]
----
# Create the static directory for tiCrypt REST
mkdir -p /var/www/ticrypt-rest
----

include::../common/nginx_critical.adoc[]