Use HTTPS

You can use a secured HTTPS connection on SquashTM either by setting up a reverse proxy or by changing parameters in SquashTM. Henix recommends that you set up a reverse proxy.

Reverse Proxy

If you want to use an HTTPS connection, Henix recommends that you use an Apache HTTPd reverse proxy installed on the server hosting SquashTM. Henix recommends the Apache 2.4 branch, with mod_proxy and mod_rewrite configured to force an HTTPS connection.

Here is an example to adapt:

<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    ServerName myhost.mydomain.com
    ErrorLog ${APACHE_LOG_DIR}/myhost_error.log
    DocumentRoot /var/www
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/myhost_access.log combined
    SSLCertificateFile    /etc/ssl/my-certificate-server.crt
    SSLCertificateKeyFile /etc/ssl/private/my-private-key.key

    <IfModule mod_proxy_http.c>
        ProxyPreserveHost On
        ProxyPass /SquashTM http://localhost:8080/squash
        ProxyPassReverse /SquashTM http://localhost:8080/squash
    </IfModule>
</VirtualHost>

If some SquashTM URLs are still in HTTP afterwards (Requirement Workspace, URLs in APIs or in description fields in Issues), you must force their rewriting, as in the following example:

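<IfModule mod_rewrite.c>
    # RewriteLog and RewriteLogLevel were removed in Apache 2.4.
    # To debug rewriting, use for example: LogLevel warn rewrite:trace3
    <IfModule mod_ssl.c>
        # <Location> requires a path; "/" is assumed here, adjust as needed.
        <Location "/">
            RewriteEngine on
            # Redirect any request that did not arrive over HTTPS
            RewriteCond %{HTTPS} !^on$ [NC]
            RewriteCond %{HTTP_HOST} (^.*)$ [NC]
            RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
        </Location>
    </IfModule>
</IfModule>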

Info

If a plugin installed in SquashTM connects to a tool configured in HTTPS, you must authorize HTTPS connections between the SquashTM server and the third-party tool's server. To do so, save the third-party certificate in the truststore of SquashTM's JVM. To learn more, see the page Connect to a third-party tool in HTTPS.

Activate HTTPS in SquashTM without Reverse Proxy

To activate HTTPS directly in SquashTM's embedded Tomcat, you must add the following information to the file conf/squash.tm.cfg.properties:

  • SSL keys

server.ssl.key-store=<keystore path>
server.ssl.key-store-password=<keystore password>
server.ssl.key-password=<certificate server password>
server.ssl.key-alias=<certificate alias>

  • Port

You need to set the server.port variable as follows:

server.port=8443

Focus

Once this parameter is set up, the app only works in HTTPS. In other words, if the user enters http://…, the URL will not be automatically redirected.

Warning

You must create a keystore beforehand. To generate/manipulate a keystore in JKS format (Java KeyStore), you can find Java Keytool commands here.

Connect SquashTM to a PostgreSQL in SSL Mode

To enable an SSL connection between SquashTM and a PostgreSQL database, you must append the query parameter ?sslmode=require to the spring.datasource.url configuration value.

spring.datasource.url = jdbc:postgresql://localhost:5432/squashtm?sslmode=require
spring.profiles.active = postgresql
spring.datasource.username = squash-tm
spring.datasource.password = password
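
The following check is an added example, not part of the SquashTM documentation or Henix's code: it audits the server.ssl.* keys from the embedded Tomcat section and the sslmode value of spring.datasource.url in a squash.tm.cfg.properties file. With the PostgreSQL JDBC driver, sslmode=require encrypts the connection without validating the server certificate, while verify-ca and verify-full add that validation. The function names and the sample values are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

SSL_KEYS = ("server.ssl.key-store", "server.ssl.key-store-password",
            "server.ssl.key-password", "server.ssl.key-alias", "server.port")
# PostgreSQL JDBC driver modes that validate the server certificate.
VERIFYING_MODES = {"verify-ca", "verify-full"}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' / '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (key, message) findings for the HTTPS and PostgreSQL SSL settings."""
    props, findings = parse_properties(text), []
    for key in SSL_KEYS:
        value = props.get(key, "")
        if not value:
            findings.append((key, "not set"))
        elif value.startswith("<") and value.endswith(">"):
            findings.append((key, "placeholder left unreplaced"))
    key = "spring.datasource.url"
    url = props.get(key, "")
    if url.startswith("jdbc:postgresql:"):
        # Drop the "jdbc:" prefix so the rest parses as an ordinary URL.
        query = urlsplit(url[len("jdbc:"):]).query
        mode = parse_qs(query).get("sslmode", ["unset"])[-1]
        if mode == "require":
            findings.append((key, "sslmode=require: server certificate is not verified"))
        elif mode not in VERIFYING_MODES:
            findings.append((key, f"sslmode={mode}: TLS to the database is not enforced"))
    return findings

# Constructed sample input (path, alias and passwords are made up).
SAMPLE = """\
server.ssl.key-store=/opt/squash-tm/conf/keystore.jks
server.ssl.key-store-password=<keystore password>
server.ssl.key-password=changeit
server.ssl.key-alias=squashtm
server.port=8443
spring.datasource.url = jdbc:postgresql://localhost:5432/squashtm?sslmode=require
"""

if __name__ == "__main__":
    print(*(f"{k}: {m}" for k, m in audit(SAMPLE)), sep="\n")
```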