Server Settings
Introduction
This section describes the general settings of the WaTTS server, including options such as ports, hostname and SSL.
Typical values that should be changed during the initial setup are:
hostname: change it to an actual fully qualified hostname
port: can be removed if the incoming traffic arrives at port 80 for http or 443 for https
listen_port: it will be set to the internal port WaTTS is listening at
And for production use:
ssl: set to 'true'
cachain_file: set to the path to the file
dh_file: set to the path to the file
cert_file: set to the path to the file
key_file: set to the path to the file
Settings
Listen_Port, Redirection Explained
The idea is to run WaTTS as a dedicated non-root user for security reasons. The drawback of not being root is that ports 1-1024 are not available to WaTTS. To still be able to have WaTTS running at port 80 or 443, several settings are needed.
As an image tells more than a thousand words, some ASCII art:
In the picture above the client connects to the port `port`, and firewall rules redirect the packets arriving at `port` to the `listen_port` at which WaTTS is actually listening. The corresponding firewall rule is:
Redirection is needed when using SSL and http traffic should be forwarded to the https endpoint. The problem is that http and https work completely differently, so a pure redirection using the firewall does not work; instead, a valid http redirection message needs to be sent. Sending this valid http message is the task of the redirection, which needs to listen at a different port:
The redirection follows the same idea as the port and listen_port above. So WaTTS is listening at redirection.listen_port for incoming traffic and sending a valid http redirection message back, which tells the browser to go to the ssl endpoint: https://`hostname`:`port`.
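What such a redirection listener does can be sketched as follows. This is an added example, not WaTTS code: the hostname value, the listener port 8080 and the choice of status 301 are assumptions, and the target is built from the configured hostname and port rather than from the client's Host header.

```python
# Added illustration, not WaTTS code. HOSTNAME, PORT and the listener port
# are constructed values standing in for the settings described on this page.
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

HOSTNAME = "watts.example.org"  # assumed value of the `hostname` setting
PORT = 443                      # assumed value of the `port` setting (public https port)


def https_location(path, hostname=HOSTNAME, port=PORT):
    """Build the https target from configuration only, never from the Host header."""
    # Drop CR/LF so a crafted request target cannot inject response headers.
    path = path.replace("\r", "").replace("\n", "")
    # Force a single leading slash: a leading "//" would name a different host.
    path = "/" + path.lstrip("/")
    # The default https port does not need to appear in the URL.
    authority = hostname if port == 443 else f"{hostname}:{port}"
    return f"https://{authority}{path}"


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers plain http requests with a redirect to the https endpoint."""

    def _redirect(self):
        self.send_response(301)  # status code chosen for this example
        self.send_header("Location", https_location(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = _redirect

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def make_listener(listen_port, bind="127.0.0.1"):
    """Plain-http listener on an unprivileged port (stand-in for redirection.listen_port)."""
    return ThreadingHTTPServer((bind, listen_port), RedirectHandler)


if __name__ == "__main__":
    # 8080 is an assumed unprivileged port; a firewall rule would map port 80 to it.
    make_listener(8080).serve_forever()
```

Because the Location header never echoes the Host header, a request with a forged Host value still lands on the configured hostname.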
For the redirection another firewall rule is needed:
Example
The following example is the basic SSL setup.
and the firewall rules