HTTPS for Distribution Point on macOS

KMak84
Contributor

Hi Everyone,

Just wanted to see if anyone had any success enabling HTTPS on macOS.
All my DPs are macOS, on-premise Jamf.

I can see enabling Apache on macOS is straightforward, but what exactly needs doing to the httpd-vhosts.conf & httpd-ssl.conf files, if that's correct?

I did add another into the DMZ for external facing devices, as the majority are WFH.
But the security team is questioning AFP or SMB through the firewall.

My company will not go down the Jamf Cloud route, as they are limiting cost expenditure. Right now, I'm telling users to connect VPN first before using Self Service etc.


TomDay
Release Candidate Programs Tester

I am working on this today, have an open case with Jamf for instruction, will update you later how I make out. If you're in a hurry I can share what I have so far. Trying this out so I can move away from our Distribution Point in AWS. We had a policy spin out of control and skyrocketed our data transfer costs last month.

sdagley
Esteemed Contributor II

@k84 I can't speak for configuring an HTTPS DP on macOS, but pretty much no security team is going to allow public facing AFP or SMB ports on a DMZ server, so HTTPS is definitely the way you want to go. There are other advantages to HTTPS DPs as well - resumable downloads, and faster downloads due to elimination of the mount/unmount of the server file system required with SMB.

Have you considered a non-macOS host for the DMZ DP? @Hugonaut wrote up a guide to configuring an HTTPS DP on a RHEL server: https://hugonaut.blog/configuring-rhel-7-x-server-as-a-jamf-https-distribution-point/

falabella_cst
New Contributor II

Here's how we do it internally...

HTTPD-SSL.CONF
1. Open /etc/apache2/extra/httpd-ssl.conf
2. Make sure it's listening on port 443 (uncomment)
3. Look for the term SSLProtocol and change it to SSLProtocol -all +TLSv1.2
4. Look for the line that starts with <VirtualHost _default_:443> and remove all lines between <VirtualHost _default_:443> and </VirtualHost>
5. Save the changes

CERTS
1. Create a certs folder in /etc/apache2/ (or any other place in your server)
2. Download and copy your certs (CA, Intermediate and Cert) into the certs folder
3. Make sure permissions for the certs are 755, o=administrator g=wheel (or tighter)

HTTPD CONFIGURATION FILES

# Add the following lines at the end of /etc/apache2/httpd.conf

# Disable Trace protocol
TraceEnable off

# Supplemental security options

# This directive controls whether Server response header field which is sent back to clients includes a description
# of the generic OS-type of the server as well as information about compiled-in modules.
ServerTokens Prod

# The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents
ServerSignature off

# The FileETag directive configures the file attributes that are used to create the ETag (entity tag)
# response header field when the document is based on a static file.
FileETag None

# Directive to mitigate XSS attacks 
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Directive to mitigate clickjacking attacks
Header always append X-Frame-Options SAMEORIGIN

# Legacy reflected-XSS filter header (current browsers ignore it; harmless to keep)
Header set X-XSS-Protection "1; mode=block"

# HTTP timeout sessions in seconds (increase as necessary)
# Note: httpd does not allow a trailing comment on a directive line, so keep it on its own line
Timeout 1200


# This file should be removed or disabled in Tomcat conf directives
# /Library/JSS/Tomcat/webapps/ROOT/robots.txt

# global robots.txt file for controlling those crawlers (good ones anyway)
<Location "/robots.txt">
   ProxyPass !
</Location>

Alias /robots.txt /Library/JSS/Tomcat/webapps/ROOT/robots.txt

HTTPD VIRTUAL HOST

# Add this code to /etc/apache2/extra/httpd-vhosts.conf

#
# HTTPS Host for File Distribution Point
#
<VirtualHost *:443>
ServerName https://your.cdn.tld:443
ServerAdmin admin@example.com

# Create a JAMF-CDN folder in a secure volume and create a symlink to the DocumentRoot path
DocumentRoot "/Library/WebServer/Documents/JAMF-CDN"

# Create an index.html file that displays some disclaimer if someone tries to reach the website directly
DirectoryIndex index.html index.php default.html

# Set Apache logging for the vhost
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log

# Set SSL for the vhost
SSLEngine On
SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
SSLProtocol -all +TLSv1.2
SSLProxyEngine Off

# Load the cert chain from the certs folder
SSLCertificateFile "/private/etc/apache2/cert/certificate.crt"
SSLCertificateKeyFile "/private/etc/apache2/cert/privatekey.key"
SSLCertificateChainFile "/private/etc/apache2/cert/certificate_bundle.crt"
SSLProxyProtocol -all +TLSv1.2
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

ErrorDocument 404 /error.html

<Directory "/Library/WebServer/Documents/JAMF-CDN">
# "All" cannot be mixed with +/- keywords (httpd rejects that at startup), so list the wanted options explicitly
Options FollowSymLinks MultiViews
AllowOverride None
</Directory>

</VirtualHost>

I am running https:// Apache web servers on my two on-prem distribution points on Catalina and Mojave severs. Many thanks for these configuration suggestions. I will use them to tighten up my configurations.


Cheryl

KMak84
Contributor

@TomDay if & when you have time to share notes, that would be great. What you said about AWS shook me to my core. My management would have a breakdown if that happened in our environment.

@falabella_cst thanks for sharing. Looks great.

@sdagley I did look at, and was keen to try, that option, but the server team stated this is not a free solution as RHEL charges, so I thought let's try CentOS as it's a derivative of RHEL, and again they said NO because that's something that is not allowed.

Problem is they want champagne for the price of lemonade. I can't win with these guys lol.

sdagley
Esteemed Contributor II

@k84 Your server team didn't give you any grief about a Mac in your DMZ? That's kind of surprising, but good as it looks like you've now got the info needed to configure it for https. I would strongly recommend you also configure that for your on-prem DPs as the performance difference is noticeable.

I'll also comment that I suspect @TomDay has a self-hosted AWS DP rather than a Jamf Cloud hosted environment. To my knowledge Jamf Cloud subscriptions do not charge for Cloud DP downloads (which is a nice "feature" of Jamf Cloud as you've got a fixed cost versus the cost volatility of a self-hosted Jamf Pro Installation in AWS).

TomDay
Release Candidate Programs Tester

@sdagley Thx for noting that, yes to confirm I do not have Jamf Cloud, it is a self hosted AWS DP.

TomDay
Release Candidate Programs Tester

@k84 Jamf support was great in helping me with this. They sent me an internal PDF as a guide for setting up and helped troubleshoot a few bits, as the formatting in the PDF was a bit odd. Below are the notes I just wrote up internally. It's a bit long, hope it helps you. A lot of my formatting was stripped in the paste, hope it doesn't make the info confusing.

Create an HTTP File Share Distribution Point on macOS
This guide walks you through enabling HTTP downloads for package deployment on a macOS server. This assumes we have an existing SMB file share distribution point already up and running on the existing server.

Create an HTTP Server

Start apache (built in to macOS)
sudo apachectl start

Create a symlink for the existing file share to the default DocumentRoot directory:
sudo ln -s /Users/Shared/jamfshare /Library/WebServer/Documents

Back up the existing Apache2 configuration file in the /private/etc/apache2 folder:
cd /private/etc/apache2 && sudo cp httpd.conf httpd.conf.bak

Edit the Apache2 configuration file using nano or vi:
sudo nano httpd.conf

Within the file, add the word ‘Indexes’ to the first line in the ‘Directory’ section.

Here is what that will look like in the file; 'Indexes' has been added to the end of the Options line:

DocumentRoot "/Library/WebServer/Documents"
<Directory "/Library/WebServer/Documents">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named explicitly --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options FollowSymLinks Multiviews Indexes

Restart the apache2 service
sudo apachectl restart

We should see the directory structure when navigating to http://localhost/JamfShare on the server, or http://<fqdn>/JamfShare from a remote machine.

Bring on HTTPS

After the share is up and running on port 80 and we can view the contents of the directory, we can enable HTTPS. To do this follow the below steps:

Create a directory within /etc/apache2/ using Terminal.app:
sudo mkdir /etc/apache2/ssl

Create a configuration file for openssl to reference when generating the private key and certificate signing request:
Create a new configuration file within the directory for the CSR
sudo nano /etc/apache2/ssl/certconfig.cnf

Copy and paste the below into our new 'certconfig.cnf' file. Replace only '<FQDN>' with the actual server's fully qualified domain name:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <FQDN>

Create a new private key and CSR for our SSL certificate using the new 'certconfig.cnf' file. Enter in the requested details. The email address and challenge password questions can be skipped by pressing Return.

openssl req -out /etc/apache2/ssl/server.csr -newkey rsa:2048 -nodes -keyout /etc/apache2/ssl/private.key -config /etc/apache2/ssl/certconfig.cnf

We can quickly list the contents of the CSR by running a “cat” command to be used for our next step:
cat /etc/apache2/ssl/server.csr

Copy the contents of the CSR to your clipboard, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Submit the CSR to the Jamf Pro PKI to obtain a certificate.
In Jamf Pro, navigate to Jamf Pro Settings > Global Management > PKI Certificates > Management Certificate Template
Select “Create Certificate from CSR"
Select “Web Server Certificate"
Paste our CSR contents into the text box and click “Create"

Rename the resulting certificate file to “server.pem” for simplicity and copy the file to our /etc/apache2/ssl directory.

Edit the Apache main configuration file at /etc/apache2/httpd.conf and uncomment the following lines (remove the # symbol)
1. LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
2. LoadModule ssl_module libexec/apache2/mod_ssl.so
3. Include /private/etc/apache2/extra/httpd-ssl.conf

Edit the SSL configuration file at /etc/apache2/extra/httpd-ssl.conf and update the paths to our SSL certificate and private key within the "# Server Certificate:" and "# Server Private Key:" sections:

  1. SSLCertificateFile "/private/etc/apache2/ssl/server.pem"
  2. SSLCertificateKeyFile "/private/etc/apache2/ssl/private.key"

Run the following command to confirm the configuration is correct, correct any errors presented as needed:
sudo apachectl configtest

Restart the Apache2 service:
sudo apachectl restart

We should see the directory structure when navigating to https://localhost/JamfShare on the server, or https://<fqdn>/JamfShare from a remote machine.

Setting up Basic Authentication
If we need to enable basic authentication for the file share in lieu of anonymous authentication, we will need to follow these steps:

Create our HTTP user for access:
sudo htpasswd -c /etc/apache2/passwords jamfread

Edit the "/etc/apache2/httpd.conf" file again. Comment out the line that reads "Require all granted" of the <Directory "/Library/WebServer/Documents"> section.

Underneath that line, also add the below syntax to the <Directory "/Library/WebServer/Documents"> section

AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /etc/apache2/passwords
Require user jamfread

Run another configuration test and restart the service. You should now be prompted for authentication when hitting the /jamfshare endpoint

Enable HTTPS on the Current SMB Share
Go to the Jamf Pro Server
Settings > Server Infrastructure > File Distribution Points > Select the server > HTTP/HTTPS
Enable HTTPS Downloads, Enable SSL with Port 443, add 'JamfShare' to Context field
Set Authentication type to 'Username and Password' enter credentials we created earlier.
Test a policy to assure it pulls the pkg from the HTTPS share.

*Cert is good for 1 year, be sure to renew!
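As an added check that is not part of either post above, the script below lints an httpd.conf/vhost fragment for the points raised in falabella_cst's hardening config and in the basic-authentication step of this guide: the TLS version restriction, TraceEnable, ServerTokens, the HSTS header, httpd's lack of trailing comments on directive lines, the invalid mixing of "Options All" with +/- keywords, and a "Require all granted" left in the same <Directory> block as "Require user", which keeps anonymous access open. The sample config is constructed for this example.

```python
# Constructed sample: the thread's directives with three of the problems discussed above left in.
SAMPLE_CONF = """\
ServerTokens Prod
TraceEnable off
Timeout 1200 # Increase as necessary
SSLProtocol -all +TLSv1.2
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
<Directory "/Library/WebServer/Documents">
Options All -Indexes -ExecCGI -Includes +MultiViews
Require all granted
AuthType Basic
Require user jamfread
</Directory>
"""

def directives(text):
    """Yield (lineno, name, args) for every non-blank, non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            yield n, name, args.strip()

def audit_apache_config(text):
    """Return findings for the hardening points raised in this thread (empty list = clean)."""
    findings, seen, requires = [], {}, None
    for n, name, args in directives(text):
        low = args.lower().split()
        seen[name] = low
        if " #" in args:  # httpd has no trailing comments: the directive fails to parse
            findings.append(f"line {n}: '{name}' line ends in a comment (syntax error)")
        if name == "SSLProtocol" and (low[:1] != ["-all"] or {"+sslv3", "+tlsv1", "+tlsv1.1"} & set(low)):
            findings.append(f"line {n}: SSLProtocol leaves legacy SSL/TLS versions enabled")
        if name == "Options" and any(t[0] in "+-" for t in low) and any(t[0] not in "+-" for t in low):
            findings.append(f"line {n}: Options mixes bare and +/- keywords (rejected at startup)")
        if name == "Header" and "strict-transport-security" in low:
            seen["Strict-Transport-Security"] = ["header"]
        if name.startswith("<Directory"):
            requires = set()
        elif name == "Require" and requires is not None:
            requires.add(args)
        elif name == "</Directory>" and requires is not None:
            # Require lines in one block are OR'ed: a leftover 'all granted' bypasses basic auth
            if "all granted" in requires and any(r.startswith(("user ", "valid-user")) for r in requires):
                findings.append(f"line {n}: 'Require all granted' still permits anonymous access")
            requires = None
    for directive, want in (("TraceEnable", "off"), ("ServerTokens", "prod"), ("Strict-Transport-Security", "header")):
        if seen.get(directive) != [want]:
            findings.append(f"{directive} {want} is missing")
    return findings
```

Run it against the fragment you are about to feed to apachectl configtest; an empty list means the points above are covered, while each finding names the offending line.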

sassy_p
New Contributor III

Tom, I've gotta say this worked perfectly to create a local distro at my org, thanks so much for posting! The only bit of syntax I had to change was adding a newline in the cert creation between..

[alt_names]
DNS.1 = <FQDN>

I combined this with the SMB article https://docs.jamf.com/technical-articles/Setting_Up_a_File_Share_Distribution_Point.html 

Everything worked a treat! Thanks again

KMak84
Contributor

@sdagley that looks great, thanks for sharing. Appreciate all the info guys

sdagley
Esteemed Contributor II

@k84 I think you meant to tag @TomDay on that thanks for the detailed process. I'm just eating popcorn on the sidelines rooting for you to replace all of your SMB servers with HTTPS :-)

KMak84
Contributor

whoops, @TomDay thanks pal

RushAdmin
New Contributor

I am currently trying to enable HTTPS on my DP in my DMZ and cannot get authentication to function when connecting to the SMB share. In addition, I am receiving a 1012 error when attempting to utilize any Self Service task.

user-tWCnftIROc
New Contributor

On computers with macOS 10.15 or later that do not have an MDM profile, you must use an HTTP, HTTPS, or cloud distribution point to install packages.