-
Notifications
You must be signed in to change notification settings - Fork 19
Apache 2.2 Deployment
This page documents deploying YETI on an Apache 2.2. This page attempts to be complete and correct, but may have errors and omissions. If you see something that doesn't make sense, doesn't look right, or plain doesn't work, please feel free to send an email to [email protected] with a question or comment.
Please note that other deployment configurations may work. This is the one that we have verified.
This documentation assumes an operating system of RHEL 6.x, 64-bit (uname -a
returns 2.6.32-358.11.1.el6.x86_64
).
These are required for YETI to run correctly
- Python 2.6 or 2.7 (3.x is not supported)
- Apache 2.2.x and mod_wsgi
- Django 1.4 (https://www.djangoproject.com/download/)
- libtaxii 1.0.105 or later (https://github.com/TAXIIProject/libtaxii/releases)
- libxml2 2.9.0 or later (http://www.xmlsoft.org/downloads.html)
These are required for certain aspects of YETI to function properly.
- Apache mod_ssl
yum install mod_ssl
If you want YETI to use MySQL, you will need these software packages:
- MySQL-Server
yum install mysql-server
- MySQL-Python
yum install MySQL-python
- libtaxii 1.0.105 or higher (https://github.com/TAXIIProject/libtaxii/releases/)
- lxml latest version (http://lxml.de/index.html#download)
This section lists all the install commands. You may have to run these as sudo, depending on your environment. This aims to be a comprehensive list, but may not be.
Note: If you are behind a proxy, you may need to set the proxy by issuing one (or both) of these commands: export http_proxy=http://proxy.example.com:80
and export https_proxy=http://proxy.example.com:80
Note: If you need to run via sudo and you want your userspace environment variables (like http_proxy) to be used, use the -E flag for sudo (e.g., sudo -E yum install XYZ
)
Note: Some of these may be already installed on your system, depending on the distro.
easy_install pip
yum install git
yum install python-devel
yum install gcc
yum install gcc-devel
yum install libtool
yum install libtool
yum install libxml2
yum install libxml2-devel
yum install libxslt
yum install libxslt-devel
pip install libtaxii
yum install httpd
yum install mod_ssl
yum install mod_wsgi
yum install mysql-server
pip install Django
pip install lxml
yum install mysql-server
yum install MySQL-python
-
git clone https://github.com/TAXIIProject/yeti.git
(For the latest dev version)
Apache configuration items. It is recommended to create a yeti.conf
file in /etc/httpd/conf.d/
and place these values in it.
# Maximum size of the request body - set to the maximum limit you wish to allow. 0 allows any size.
LimitRequestBody 0
#WSGI Configs
WSGIApplicationGroup %{GLOBAL}
WSGISocketPrefix /var/run/wsgi
#Replace /data/yeti with the YETI path if it is different
WSGIDaemonProcess yeti python-path=/data/yeti
WSGIScriptAlias / /data/yeti/yeti/wsgi.py process-group=yeti application-group=%{GLOBAL}
Alias /static/ /data/yeti/yeti/static/
<Directory /data/yeti/yeti>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
<VirtualHost _default_:443>
ServerName yourServerName
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/public.crt
SSLCertificateKeyFile /etc/pki/tls/private/private_nopass.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
#Comment out these if YETI will not use client certificate validation
SSLVerifyClient require
SSLCACertificateFile /data/yeti/yeti/client_certs/all_certs.cer
SSLVerifyDepth 5
SSLOptions StdEnvVars
</VirtualHost>
#This is the recommended configuration for the admin interface
Listen 8443
<VirtualHost _default_:8443>
ServerName yourServerName
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/public.crt
SSLCertificateKeyFile /etc/pki/tls/private/private_nopass.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
</VirtualHost>
Depending on how you will deploy YETI, you may need to configure some aspects of YETI before Apache will start. Most notably, Apache will complain if the SSLCACertificateFile is empty, but you need to use YETI to make the file not empty. The way around this is to run YETI with Django's runserver, configure the items you need, then start Apache.
Follow these instructions if you get the following error: SSLCACertificateFile: file '/data/yeti/yeti/client_certs/all_certs.cer' does not exist or is empty
- Start YETI using Django's runserver:
python manage.py runserver 80
(orpython manage.py runserver 0.0.0.0:80
if you need to connect remotely). - Navigate to the
http://hostname/admin/yeti/certificate/
URL. - Enter a certificate.
- Done! You can stop Django's runserver and start Apache.