Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols that provide secure communications on the Internet. There are slight differences between SSL and TLS, but they essentially provide the same protection.
HTTPS Encryption and Web Certificate
There are several options for implementing TLS encryption for your Trac server. A preferred method is to use a web server for HTTPS proxying, such as Apache or Nginx. Another option is a dedicated proxying application such as HAProxy. Either of these could be running on a separate physical server; only the internal traffic between the proxy and the TutorTrac/AdvisorTrac server would then be plaintext. As an alternative, a third-party application (such as Stunnel) may be installed on your TutorTrac/AdvisorTrac server itself.
What is Stunnel?
Stunnel is a program that encrypts all data connections to your Trac server. It does this by acting as a proxy between users' browsers and the Trac application. A user opens a web browser and enters your server address, e.g. https://trac.go-redrock.com/. Stunnel receives the encrypted request, decrypts it, and forwards it to the Trac application. The Trac application issues a response back to Stunnel, which encrypts the response and forwards it to the user's browser. With this method, all network traffic between the server and the client is encrypted, while the Trac application communicates with Stunnel in an unencrypted format.
Download the latest version of stunnel (stunnel-5.41-win32-installer.exe), found at www.Stunnel.org/download. Once downloaded, install Stunnel using the default options.
Secure Certificate Files
The necessary SSL files are a certificate (typically cert.pem) and a key file (typically key.pem). Redrock Software can provide you with these and an additional file (req.pem) without charge; however, these files are self-signed by Redrock and will produce a warning in your web browser. Because Redrock Software Corporation is not a "Trusted" Certificate Authority to the major browser vendors, you will always receive the warning with our free SSL certificate. The req.pem is the equivalent of a Certificate Signing Request (CSR) and is used to obtain your SSL certificate. You have the option of obtaining your own Apache X509-compatible certificate from a "Trusted" source, such as VeriSign, DigiCert, Thawte, Entrust, GeoTrust, and GoDaddy. These are just a few of the options available to you; in all, the mainstream browsers (IE, Firefox, Safari, etc.) only trust about 20 of the major Certificate Authorities (CAs).
If you choose to obtain your own certificate, be sure to retrieve an Apache-compatible certificate so it will work with the SSL module. Some CAs will provide you with a chained certificate, whose intermediate certificates will have to be appended to your certificate file in order to make the file compatible. Place the certificate files (key, cert and any intermediate files) in your Stunnel 'config' directory (C:\Program Files\stunnel\config). Keep a copy of your req.pem (CSR) file so you can request a new certificate when the current one expires.
Stunnel Config File
The Stunnel configuration file (Stunnel.conf) is located in the C:\Program Files\stunnel\ directory. You will need to edit this file to secure your Trac site. Below is a good default config file. Simply replace the contents of Stunnel.conf with this, and edit the IP address on line 17. Also, make sure the name of your cert file replaces 'cert.pem' and the name of your key file replaces 'key.pem'.
; Sample stunnel configuration file by Redrock Software
; identify the private key and public certificate files
cert = cert.pem
key = key.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting
; debug = 7 for verbose logging, 1 for emerg only
debug = 3
output = stunnel.log
; Service-level configuration (stunnel 5.x reads accept/connect only inside a named [service] section)
[https]
accept = 443
; the Trac application's plaintext HTTP listener on port 81; replace the IP address with your server's
connect = 192.168.0.1:81
TIMEOUTclose = 0
Trac System Prefs.ini File
Open the Prefs.ini file in the Trac application folder. Edit the following lines to match the sample values.
The Trac application is now listening for standard HTTP connections on port 80. Those connections will come from users accessing the Trac application across the network. The Trac application is also listening for standard HTTP connections on port 81. The HTTP connections on port 81 are coming from the Stunnel application, which is listening for HTTPS connections on port 443.
Force All Connections on Secure Port
After the server connections have been tested and confirmed on ports 80 and 443, you can now force all users to connect on the secure port 443. Open the Prefs.ini file in the Trac application folder and make the following change:
The Trac application now listens for standard HTTP connections on port 80 and redirects all requests to the address entered in the redirect setting, which should be your secure HTTPS address. The connection is then made on the secure HTTPS port 443, where Stunnel receives the request. Stunnel makes the local HTTP connection to the Trac application on port 81 and responds to the user's browser on the secure port 443. All network traffic to your Trac system is thus directed to the secure connection on port 443.
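As an added check (example code, not part of Redrock's guide or of stunnel), the script below parses a stunnel.conf of the shape shown above and flags the points this setup depends on (cert and key present, a service accepting on 443, the plaintext connect target kept on a private address and inside a named section), then verifies that a raw response captured from port 80 redirects to the HTTPS site as the "force all connections" step requires. The sample config and response are constructed inline.

```python
# Added example (not Redrock's or stunnel's code): audit a stunnel.conf and a port-80 reply for the properties the guide relies on.
import ipaddress
def parse_stunnel_conf(text):
    """Return [(section, key, value)]; entries before any [section] are global defaults."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' begins a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            entries.append((section, key, value))
    return entries

def audit_stunnel_conf(text):
    """Return findings; an empty list means the config matches the guide's shape."""
    entries = parse_stunnel_conf(text)
    findings = []
    if not {"cert", "key"} <= {k for _, k, _ in entries}:
        findings.append("missing cert= or key=")
    if not any(k == "accept" and v.rsplit(":", 1)[-1] == "443" for _, k, v in entries):
        findings.append("no service accepts on port 443")
    for section, k, v in entries:
        if k != "connect":
            continue
        if not section:  # stunnel 5 reads accept/connect only inside a named [service] section
            findings.append("connect= outside a [service] section")
        host = v.rpartition(":")[0] or "127.0.0.1"  # a bare port means loopback
        try:
            public = ipaddress.ip_address(host).is_global
        except ValueError:  # a hostname rather than a literal address
            public = False
        if public:  # the Stunnel-to-Trac hop is plaintext; keep it on the host or a private network
            findings.append(f"[{section}] connect={v} sends plaintext Trac traffic to a public address")
    return findings

def is_https_redirect(raw_response, https_origin):
    """True if a raw port-80 HTTP response redirects to the HTTPS site (the 'force' step)."""
    status, *header_lines = raw_response.partition("\r\n\r\n")[0].split("\r\n")
    code = (status.split() + [""])[1]  # status code, or "" for a malformed status line
    headers = {n.strip().lower(): val.strip() for n, _, val in (h.partition(":") for h in header_lines)}
    return code in {"301", "302", "307", "308"} and headers.get("location", "").lower().startswith(https_origin.lower())
SAMPLE_CONF = """; constructed sample mirroring the guide's config
cert = cert.pem
key = key.pem
[https]
accept = 443
connect = 192.168.0.1:81
"""
SAMPLE_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: https://trac.go-redrock.com/\r\n\r\n"  # constructed
```

Run it against your real Stunnel.conf (read the file and pass its text) and against a response captured from port 80 after the Prefs.ini redirect is in place; an empty findings list and a True redirect result mean the deployment matches the guide.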
Configure Stunnel as a Service
To install Stunnel as a Windows service, run the following command in a Command Prompt window.
You will receive a prompt informing you that the service was installed. You can now open Services from Administrative Tools and start Stunnel as a service.