SecureHttp
David Anderson edited this page 2024-01-19 19:08:45 -08:00

Using Secure Socket Layer (SSL)

We encourage you to enable SSL on your project's web servers. If you do this, and follow the instructions below, the following communication will be encrypted and thus protected from man-in-the-middle attacks:

  • The web RPCs used for account creation, which carry volunteer email addresses.
  • HTTP requests that carry volunteer email addresses and passwords, such as the login form.
  • Scheduler requests, which carry account authenticators that can be used to log in to accounts.

To use SSL, you'll need to get an SSL certificate, e.g. from Let's Encrypt. Self-signed certificates can't be used. You'll then need to change some configuration files.

BOINC configuration

In your project directory, edit the files

config.xml
html/user/schedulers.txt

In each of these files, change all http:// to https://.
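
One way to carry out and verify this step, as an added example that is not part of BOINC's own tooling. The function names, the sample tags and the example.org URLs are assumptions made for illustration, and the sample project is constructed.

```shell
#!/bin/sh
# Added example (not BOINC project code): switch the two files named above
# to https:// and confirm that no plaintext URL is left behind.
BOINC_URL_FILES="config.xml html/user/schedulers.txt"

# List every line that still contains http:// as file:line:text.
# Case-insensitive, so a hand-typed HTTP:// is reported too.
# Returns 0 if none remain, 1 if some remain, 2 if a file is missing.
boinc_https_check() {
    proj=$1; status=0
    for f in $BOINC_URL_FILES; do
        [ -f "$proj/$f" ] || { echo "missing: $proj/$f" >&2; return 2; }
        if grep -in 'http://' "$proj/$f" /dev/null; then status=1; fi
    done
    return "$status"
}

# Rewrite http:// to https:// in both files, keeping a .bak copy of each,
# then run the check so leftovers fail loudly.
boinc_https_rewrite() {
    proj=$1
    for f in $BOINC_URL_FILES; do
        [ -f "$proj/$f" ] || { echo "missing: $proj/$f" >&2; return 2; }
        cp -p "$proj/$f" "$proj/$f.bak" || return 2
        sed 's|http://|https://|g' "$proj/$f.bak" > "$proj/$f" || return 2
    done
    boinc_https_check "$proj"
}

# Constructed sample project (example.org URLs are placeholders); prints the
# directory it created so the result can be inspected.
boinc_https_sample() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/html/user"
    cat > "$d/config.xml" <<'EOF'
<master_url>http://example.org/proj/</master_url>
<upload_url>http://example.org/proj_cgi/file_upload_handler</upload_url>
EOF
    echo '<!-- <scheduler>http://example.org/proj_cgi/cgi</scheduler> -->' \
        > "$d/html/user/schedulers.txt"
    echo "$d"
}
```

Call boinc_https_rewrite with the project directory as its argument; a non-zero return means a file was missing or an http:// URL remains and needs fixing by hand.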

Apache configuration

Edit the project's Apache config file (/etc/apache2/sites-enabled/<project-name>.conf) to contain

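<VirtualHost *:443>
...
# Enable TLS for this virtual host
SSLEngine on
# Disable all protocol versions, then enable TLS 1.2
SSLProtocol -all +TLSv1.2
Include /etc/letsencrypt/options-ssl-apache.conf
# Certificate chain and private key from Let's Encrypt (use your server's host name)
SSLCertificateFile /etc/letsencrypt/live/isaac.ssl.berkeley.edu/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/isaac.ssl.berkeley.edu/privkey.pem
</VirtualHost>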

Use the Linux "wget" program to test your HTTPS; it uses libcurl, same as the BOINC client.