ILIAS-Tricks not only for Schools

Tutorial: Run ILIAS completely under SSL/HTTPS for free

[wolfganghuebsch], [iliasadmin1] - 15. May 2017, 10:30

  • ILIAS 5.2 or greater
  • Tested with Debian 8 and Ubuntu 14.04 LTS
  • Status of the tutorial: Seems to work
  • Contact: wolfgang.huebsch@gmx.de
  • Version: 0.2a, last change 02.03.2018

  • This tutorial shows how to encrypt your entire ILIAS installation with HTTPS/SSL, using a valid SSL certificate, for free and without any warnings. That means:
    • Your entire site, like bbs-ilias.de, will be reachable only under https://bbs-ilias.de
    • This includes the ILIAS chat system
    • This also includes an optional Etherpad-Lite installation

I assume that you have already activated your chat system as described here: Tutorial: Installing ILIAS 5.2 @ Ubuntu LTS 16.04. Remember that in this older tutorial the chat server runs on port 8080, which is not the same as 443 (SSL). So before you start with HTTPS, install the chat and run your site successfully over http with port 8080! If everything works fine with http, start here; if not, go back.

Please check all paths and other specifications of my scripts to make them fit to your installation!

When SSL-setup is done, adjust the file ilias.ini.php in /var/www/html/ilias accordingly with your new https-settings. Example:

[server]
http_path = "https://bbs-ilias.de/info"

What we will do

  • We will get some SSL certificates for free from https://letsencrypt.org/
  • We will redirect everything from port 80 to 443, that means from http://bbs-ilias.de to https://bbs-ilias.de
  • We will redirect the chatport 8080 to https://chat.bbs-ilias.de @ port 443
  • We will redirect the Etherpad-Lite port 9001 to https://pad.bbs-ilias.de @ port 443

General server settings to activate SSL

Go to ILIAS->Administration->Privacy and Security->Security->General Settings->HTTPS-handling. Set it to disabled. If it is not disabled, a redirect-login error is possible (solution at the end of this tutorial).

  • Check, which sites are running under https: ls /etc/apache2/sites-enabled
  • Disable all SSL-confs (recommended). Example: a2dissite bbs-ilias-ssl.conf
  • Now we create all vhost-files that we need. In this case:
    • cd /etc/apache2/sites-available
    • For the whole site (I think this file already exists because you created it in the previous tutorial): touch bbs-ilias.conf
    • For Etherpad: touch pad.bbs-ilias.conf
    • For ILIAS-Chat-System: touch chat.bbs-ilias.conf
  • If you don't already use similar vhost files, you can use my examples. Just edit some lines so that they fit your installation:

Change the first 10 lines if necessary

<VirtualHost bbs-ilias.de:80>
ServerAdmin admin@bbs-ilias.de
ServerName www.bbs-ilias.de
ServerAlias bbs-ilias.de
 
DocumentRoot /var/www/
#Or its this path?
#DocumentRoot /var/www/html
 
KeepAlive on
XSendFilePath /var/www
XSendFilePath /opt
 
<Directory /var/www/>
<IfModule mod_php5.c>
php_flag register_globals off
</IfModule>
 
Options -Indexes +FollowSymlinks
 
DirectoryIndex index.php
DirectoryIndex index.html
DirectoryIndex index.htm
AllowOverride All
order deny,allow
allow from all
ExpiresActive On
ExpiresByType text/css "access plus 7 day"
ExpiresByType image/gif "access plus 7 day"
ExpiresByType image/jpg "access plus 7 day"
ExpiresByType image/jpeg "access plus 7 day"
ExpiresByType image/png "access plus 7 day"
 
</Directory>
 
</VirtualHost>

Change the first line and line 20, if necessary

<VirtualHost pad.bbs-ilias.de:80>
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
 
ProxyVia On
ProxyRequests Off
ProxyPass / http://localhost:9001/
ProxyPassReverse / http://localhost:9001/
ProxyPreserveHost on
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
 
RewriteEngine on
RewriteCond %{SERVER_NAME} =pad.bbs-ilias.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

Change the first line and line 21, if necessary

<VirtualHost chat.bbs-ilias.de:80>
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
 
ProxyVia On
ProxyRequests Off
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
ProxyPreserveHost on
 
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
 
RewriteEngine on
RewriteCond %{SERVER_NAME} =chat.bbs-ilias.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

Do not forget to enable these new vhost files, so that they are visible in /etc/apache2/sites-enabled

  • Now we create the certificates for all domains and subdomains:
    • Go to https://certbot.eff.org/
    • Choose your system, in my case Apache2@Debian8
    • Enable Backports as described
    • Choose the automated install as described and follow the menu
    • At the prompt "which names would you like to activate HTTPS for?", choose the names, like 1 2 3 4, give your e-mail and so on ...
    • Recommended: Choose 2: "Secure - Make all requests redirect to secure HTTPS access"
    • At the end, something like this should appear:
      • "Congratulations! You have successfully enabled https://bbs-ilias.de, https://chat.bbs-ilias.de, https://pad.bbs-ilias.de, and https://www.bbs-ilias.de"
    • Check, if everything works like expected: https://bbs-ilias.de

Special server settings: Let's activate the ILIAS-Chatsystem@SSL

We activated the subdomain https://chat.bbs-ilias.de, but if we call it, we will be redirected to https://bbs-ilias.de. That's because some settings are missing. Here we go :-)

Btw.: The original source for this part can be found here: http://www.ilias.de/docu/goto_docu_frm_1875_2242.html

  • I assume that you have already activated your chat system as described here: https://bbs-ilias.de/info/goto.php?target=blog_62_13&client_id=info
  • Reminder: SSL will only work if you have a real FQDN like bbs-ilias.de.
  • Go to ILIAS-Administration->Chat Room->Chatserver-Settings. Complete the form like this:
    • IP-Address/FQN of Chat Server: chat.bbs-ilias.de (of course you take your own FQDN...)
    • Port of Chat Server: 443
    • Protocol: https
    • Certificate: /opt/ilias/ilchatdummy
    • Key: /opt/ilias/ilchatdummy
    • Diffie-Hellman Parameter: /opt/ilias/ilchatdummy
    • Btw.: A file called /opt/ilias/ilchatdummy must not exist.
    • Now we have to edit the file server.cfg:
      • Go to the location where the chat config files are. You can find it in your data directory: cd /opt/iliasdata/clientname/chatroom
      • Open the file server.cfg: nano server.cfg
      • The file should look like this, but it will not ^^:

"protocol": "http",
"port": "8080",
"address": "127.0.0.1",
"cert": "\/opt\/iliasdata\/clientname\/chatroom\/ilchatdummy",
"key": "\/opt\/iliasdata\/clientname\/chatroom\/ilchatdummy",
"dhparam": "\/opt\/iliasdata\/clientname\/chatroom\/ilchatdummy",
"log": "",
"error_log": "",
"sub_directory": ""

  • That's because we made other settings in ILIAS before. Those settings are used for communication from outside to the server over SSL. Here, however, we need the settings for communication inside the server (without SSL).
  • So please change lines 2 and 3 of the file server.cfg to match the example above. This is necessary because, first, the chat server must run with the IP 127.0.0.1 on port 8080 and, second, a special rewrite will later point to https://pad.your.domain. That's the trick.
  • Because these settings can be overwritten from ILIAS, you have to prevent this with these permission settings:
    • chown root:root server.cfg
    • chmod 444 server.cfg
  • Now we check the vhost file that is responsible for the redirect:
    • cd /etc/apache2/sites-available
    • Have a look at the vhost file with this name: nano chat.bbs-ilias.de-le-ssl.conf
    • Check that the settings are the same as in server.cfg. It may look like this (line 2 has your own FQDN):

Edit the line 2 and the lines 21 etc. so that they fit to your installation

<IfModule mod_ssl.c>
<VirtualHost chat.bbs-ilias.de:443>
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
 
ProxyVia On
ProxyRequests Off
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
ProxyPreserveHost on
 
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
 
SSLCertificateFile /etc/letsencrypt/live/bbs-ilias.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bbs-ilias.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName chat.bbs-ilias.de
</VirtualHost>
</IfModule>

  • Check also, if this file is activated. It should appear here: ls /etc/apache2/sites-enabled
  • The last step is to adapt your start script, which may be located in /opt/scrips/ilchat or elsewhere:
    • nano /etc/init.d/ilchat
    • It should look like this (lines 3-7):

  • Edit the lines 28-35 so that they fit to your installation, but: 
    • Do not change IP url=127.0.0.1 !!!
    • Do not change chatport=8080 !!!
    • Do not change code="404" !!!

#!/bin/bash
### BEGIN INIT INFO
# Provides: ilchat3
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: ILIAS-Chatserver nodebased
# Description: This file should be used to construct scripts to be
# placed in /etc/init.d.
### END INIT INFO

# Author: Wolfgang Hubesch wolfgang.huebsch@gmx.de
#
# Please remove the "Author" lines above and replace them
# with your own name if you copy and modify this script.

# Do NOT "set -e"

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="ilchat"
NAME=ilchat
#DAEMON=/usr/sbin/$NAME
#DAEMON_ARGS="--options args"

SCRIPTNAME=/etc/init.d/$NAME
ilroot=/var/www/html/ilias
ildata=/opt/iliasdata
client=nurderhsv
url=127.0.0.1
chatport=8080
code="404"
USER=www-data
node_path=/usr/local/bin/node

#################################################
chown ${USER} ${ilroot}/Modules/Chatroom/chat/chat.js
status=$(curl -s --head ${url}:${chatport} | head -n 1)

case "$1" in
start)

if [[ $status == *${code}* ]];
then

echo "Chat-Server seems to be up"
else
echo "Chat-Server seems to be DOWN. Try to start..."
sudo -H -u $USER bash -c "${node_path} ${ilroot}/Modules/Chatroom/chat/chat.js ${ildata}/${client}/chatroom/server.cfg ${ildata}/${client}/chatroom/client.cfg" &
sleep 5
status=$(curl -s --head ${url}:${chatport} | head -n 1)
if [[ $status == *${code}* ]];
then
echo "Chatserver is up!"
exit

else
echo "Sorry, I was not able to start the Chatserver. Try user root instead of ${USER}"
exit
fi




fi

;;

stop)

if [[ $status == *${code}* ]];
then
echo "Chatserver is up...try to stop..."
# pkill -f matches the full command line and, unlike "ps | grep", never matches itself
pkill -f "Modules/Chatroom/chat/chat.js" > /dev/null 2>&1
exit

else
echo "Chatserver is already down..."
exit
fi

;;

status)

if [[ $status == *${code}* ]];
then
echo "Chatserver is up...exit now..."
exit

else
echo "Chatserver is down...exit now..."
exit

fi

;;

*)
echo "Usage: $0 {start|stop|status}"
exit 1
esac

exit 0

  • Try the script. The server should run as expected:
    • /etc/init.d/ilchat may give: Chat-Server seems to be running
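
To confirm that server.cfg and the chat SSL vhost described above still agree, the following added example (not part of the original tutorial) parses both files and reports mismatches or a writable server.cfg. The function names and the one-key-per-line layout of server.cfg are assumptions; the demo files are constructed.

```bash
#!/bin/bash
# Added example, not the tutorial's code: confirm that server.cfg still holds
# the internal (non-SSL) settings and matches the ProxyPass target in the vhost.

# Value of a '"key": "value"' line in server.cfg ($1 = file, $2 = key).
cfg_value() {
    sed -n 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# host:port of the first 'ProxyPass / http://host:port/' line ($1 = vhost file).
proxy_target() {
    sed -n 's|^[[:space:]]*ProxyPass[[:space:]]\{1,\}/[[:space:]]\{1,\}http://\([^/]*\)/.*|\1|p' "$1" | head -n 1
}

# Print one line per problem; return 0 if clean, 1 otherwise.
check_chat_proxy() {    # $1 = server.cfg, $2 = SSL vhost file
    local cfg="$1" vhost="$2" problems=0 proto port addr target mode
    proto=$(cfg_value "$cfg" protocol)
    port=$(cfg_value "$cfg" port)
    addr=$(cfg_value "$cfg" address)
    target=$(proxy_target "$vhost")
    mode=$(stat -c '%a' "$cfg")
    if [ "$proto" != "http" ]; then
        echo "server.cfg: protocol '$proto', expected http (TLS ends at Apache)"; problems=1
    fi
    if [ "$addr" != "127.0.0.1" ]; then
        echo "server.cfg: address '$addr', expected 127.0.0.1"; problems=1
    fi
    if [ "$target" != "$addr:$port" ]; then
        echo "vhost: ProxyPass goes to '$target', server.cfg says '$addr:$port'"; problems=1
    fi
    case "$mode" in             # any write bit means ILIAS may overwrite the file
        *[2367]*) echo "server.cfg: mode $mode is writable, expected 444"; problems=1 ;;
    esac
    return "$problems"
}

# Demo on constructed files: server.cfg after ILIAS has overwritten it with the
# external values from the admin form (assumed layout: one key per line).
demo=$(mktemp -d)
printf '"protocol": "https",\n"port": "443",\n"address": "chat.bbs-ilias.de",\n' > "$demo/server.cfg"
chmod 644 "$demo/server.cfg"
printf 'ProxyPass / http://127.0.0.1:8080/\n' > "$demo/vhost.conf"
check_chat_proxy "$demo/server.cfg" "$demo/vhost.conf" || echo "=> restore server.cfg and lock it"
rm -rf "$demo"
```

On a real system, call check_chat_proxy with your own server.cfg and the chat vhost file from /etc/apache2/sites-available.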

Special Settings: Etherpad-Lite@SSL

  • Normally, you run Etherpad-Lite on port 9001. That is no longer possible, because we put everything behind 443. The first step is to stop the Etherpad service. At BBS-ILIAS, this is done like this:
    • /etc/init.d/etherpad-lite stop
  • Now we check if the SSL-vhost-entry is correct:
    • nano /etc/apache2/sites-available/pad.bbs-ilias.de-le-ssl.conf
    • This should give something like this: (please check also, if you see the site in /etc/apache2/sites-enabled)

<IfModule mod_ssl.c>
<VirtualHost pad.bbs-ilias.de:443>
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
 
ProxyVia On
ProxyRequests Off
ProxyPass / http://localhost:9001/
ProxyPassReverse / http://localhost:9001/
ProxyPreserveHost on
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
 
SSLCertificateFile /etc/letsencrypt/live/bbs-ilias.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bbs-ilias.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName pad.bbs-ilias.de
</VirtualHost>
</IfModule>

  • Start etherpad-lite: /etc/init.d/etherpad-lite start
  • Wait a moment. It should be reachable under https://pad.bbs-ilias.de
  • Now we have to change some settings in the plugin-config from ILIAS (Administration->Plugins). Check it like this (right side):

                  HTTP                HTTPS
  Host            pad.bbs-ilias.de    pad.bbs-ilias.de
  Port            80                  443
  Domain          .bbs-ilias.de       .bbs-ilias.de
  Https           Unchecked           Checked
  Valid SSL-Cert                      Checked
  Path            Leave empty         Leave empty

Troubleshooting

If you forgot to disable https in ILIAS:

Deactivate in ILIAS->Administration->Privacy and Security->Security->General Settings->HTTPS-handling. This must be set to disabled. If not, there is a redirect-login-error possible. In that case you have to disable the permanent redirect to https in your vhost responsible for port 80 (bbs-ilias.conf).

  • Look for lines like below and put a # before them. Restart apache and deactivate HTTPS-handling in ILIAS.
  • Delete the # to have full SSL-encryption again.
RewriteCond %{SERVER_NAME} =www.bbs-ilias.de [OR]
RewriteCond %{SERVER_NAME} =bbs-ilias.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

If you get an error while calling pad.bbs-ilias.de

  • The server may not understand localhost, so try 127.0.0.1 instead. Example:

ProxyVia On
ProxyRequests Off
ProxyPass / http://127.0.0.1:9001/
ProxyPassReverse / http://127.0.0.1:9001/
ProxyPreserveHost on
<Proxy *>

Comments

  • [chabm]

    Hello,

    We are trying to get our chat working completely under SSL, following this guide under proxy configuration. Chat is functioning, but we encountered the following problems: emotes are not showing in the chat, some of the icons and images. Those images will display if I uncomment WAC rule in .htaccess.

    I hope anyone has some ideas about where I should look at?

    There is a thread in the ILIAS forums as well: https://docu.ilias.de/ilias.php?ref_id=1875&cmdClass=ilobjforumgui&thr_pk=5955&cmd=viewThread&cmdNode=uo:2w&baseClass=ilRepositoryGUI

    Created on 6. Aug 2019