Configuring Apache2 with SSL (creating your own SSL certificate)
Here's the scenario:
You have set up your web server using apache2, but now you want to serve some content off a secure site. The easiest way to achieve this is to configure Apache with your SSL certificate. This way Apache takes care of encrypting the channel of communication between the browser and the server.
Things you'll need:
- apache2
- openssl library
- SSL certificate
For the purposes of this tutorial, I'm using Ubuntu 7.10 as my Linux installation.
Installing OpenSSL library
Installing this should be a piece of cake on any Linux installation, as this is a very widely used library. On Ubuntu you can simply do
sudo apt-get install openssl
For Red Hat-based systems you should be able to simply use "yum install openssl".
Generating self signed SSL certificate
You can easily generate an SSL certificate using the openssl library. Before we generate the certificate we will create the directory to hold the files. Then we will generate a private key whose file is encrypted. This key will be used to create our certificate.
UPDATED !!
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo openssl genrsa -des3 -out keyname.key 4096
This will prompt for your password now, and also whenever you (re)start your web server. This can be an issue, as your web server will halt at the password prompt at boot time. To avoid that, I prefer to create a copy of the key without file encryption. Anyone who can read that copy can impersonate your site, so keep it readable by root only:
sudo openssl rsa -in keyname.key -out keyname.insecure.key
Now we can use this key to generate our certificate:
sudo openssl req -new -x509 -days 365 -key keyname.key -out cert_name.crt
We should have the following files at the end:
- keyname.key
- keyname.insecure.key
- cert_name.crt (valid for 365 days)
What we have done is create ourselves a digital certificate, signed with our own private key. If you want to be thorough and proper, you can supply this certificate along with your credentials to a company like VeriSign to sign your certificate and make it official. But the certificate is good as it is for running a secure site.
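A quick check of the files created above before pointing Apache at them (an added example, not part of the original tutorial). It verifies that the key file is not accessible to group or other, that the certificate was made from that key, and that the certificate is not about to expire; the function names and the throwaway demo pair in a temp directory are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight checks for a certificate/key pair.
# Return codes: 0 ok, 1 key permissions, 2 key/cert mismatch, 3 expiry.
# On the tutorial's files (as root):
#   check_tls_pair /etc/apache2/ssl/cert_name.crt /etc/apache2/ssl/keyname.insecure.key
check_tls_pair() {
    cert=$1; key=$2; days=${3:-30}

    # 1. The passphrase-less key must be accessible to its owner only.
    #    Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $key is accessible to group/other (chmod 600 it)" >&2
        return 1
    fi

    # 2. The public key in the certificate must equal the one derived from
    #    the private key. "-passin pass:" makes an encrypted key fail
    #    instead of blocking on a prompt.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert was not made from $key" >&2
        return 2
    fi

    # 3. -checkend exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $days days" >&2
        return 3
    fi
    echo "OK: $cert matches $key"
}

# Constructed demo input: a throwaway 2048-bit pair (smaller than the
# tutorial's 4096 bits only to keep the demo fast).
make_demo_pair() {
    openssl genrsa -out "$1/demo.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$1/demo.key" \
        -subj "/CN=demo.invalid" -out "$1/demo.crt" 2>/dev/null &&
    chmod 600 "$1/demo.key"
}

demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" && check_tls_pair "$demo_dir/demo.crt" "$demo_dir/demo.key"
rm -rf "$demo_dir"
```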
Configuring Apache
First of all we need to enable ssl module in apache. It is included by default, but not enabled.
sudo a2enmod ssl
should do the trick for us.
Also we need to make a separate document root for the secure site.
sudo mkdir /var/www-ssl
Second, we have to configure our secure site. We'll use the configuration defined for the default http site as a template and modify it to serve a secure site on https.
cd /etc/apache2
sudo cp sites-available/default sites-available/secure
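sudo ln -s ../sites-available/secure sites-enabled/secure
Making a link to our secure conf in sites-enabled will cause Apache to load the secure configuration as well. The link target is written relative to the sites-enabled directory, which is why it starts with "../".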
Third, we have to modify default and secure configurations
default configuration
change
NameVirtualHost *
<VirtualHost *>
To
NameVirtualHost *:80
<VirtualHost *:80>
make sure you fix all your VirtualHost directives.
secure configuration
Change
NameVirtualHost *
<VirtualHost *>
To
NameVirtualHost *:443
<VirtualHost *:443>
and add the following lines in your virtual host declaration block
DocumentRoot /var/www-ssl/
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/cert_name.crt
SSLCertificateKeyFile /etc/apache2/ssl/keyname.insecure.key
That's All Folks!!!!
In case you are wondering what happened to the port configuration and SSL configuration: the apache2 installation on Ubuntu is all set up for running a secure site. The magic happens when you execute the a2enmod ssl command. That command makes links to ssl-mod and ssl-conf in the mods-enabled dir of the apache2 setup. This way Apache will pick up the ssl-mod and the default configuration that our mates at Apache have graciously done for us.
Server Restart
sudo /etc/init.d/apache2 restart
OR (if you want zero downtime)
sudo /etc/init.d/apache2 reload
Now go to the https://
Happy Days :)
The following links were a great help in getting me up and running with my secure site and in compiling this tutorial
SIOCDELRT: No such process , when adding route
This error is obvious when you try to delete a non-existing route; but what if you get this error when adding a route ??
In my case the broadcast address set on the interface while configuring was wrong. Double check the broadcast address on your interface with this command:
ifconfig eth0   # or your interface name
eth0 Link encap:Ethernet HWaddr 00:13:D3:3A:81:E5
inet addr:192.168.0.125 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::213:d3ff:fe3a:81e5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:351065 errors:0 dropped:0 overruns:0 frame:0
TX packets:123809 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:149491407 (142.5 MB) TX bytes:20983510 (20.0 MB)
Base address:0xcf00 Memory:fdde0000-fde00000
As you can see, my broadcast address is set to 192.168.0.255.
You can use the ifconfig command again to set the configuration on any network interface. See the man page for ifconfig.
Hope this helps you.
How i did it ...... setting up my own webserver at home (running blog, subversion, ssh and torrent et.al.) PART1
Finally I’m running my own web server at home on a static IP I got as a bonus from my ISP.
After my 3 day lazy ordeal to get everything I wanted for a basic setup up and running, I thought I’d share my experience with everybody. For starters, I love Ubuntu server edition (gutsy). Although I’m saying it was an ordeal, in fact the whole setup was a breeze :)
During OS installation (which lasted for 3 hours, as I started to vacuum my old unused box …) I opted for a LAMP (Linux, Apache, MySQL, PHP) setup along with SSH, Samba and print server to be installed. Now this takes at least a couple of hours to get perfect on a good day….. we all agree on that, don’t we??
So when I finally reboot after installation is over, I log in to find that everything is up and running!!
- apache2
- mod_php
- cupsd (print server)
- samba ( for ease with mounting windows shares .. can’t ignore the hated sibling)
- ssh (for logging in remotely )
Note the IP address of the newborn server and check from another system whether you can ssh into it. To check this, get onto a different machine and type:
ssh user@IP
You should be prompted to save the secure key fingerprint; say yes, and put in the password. If you can still remember the password for the user you set up while installing the OS, you are good to go. Unplug the monitor from your box and chuck the new server in a dingy (dark areas are cooler) but breezy part of your house, or as far as your network cable reaches :)
Now that we are done with getting a basic server up and running, we need to forward the internet traffic to it somehow. I have an ADSL2+ modem/router, which lets me configure port-forwarding very easily. Simply forward port 80 to this new machine. Now we want to check if our local setup works!!! In my case, before I went ahead and bought myself a sexy domain name (with my own name…. lame), I used a dynamic DNS server like dyndsn.com . Just go there and register for a dynamic domain name and point it to your Static/Dynamic IP. Allow 5 minutes and enter the newly registered domain into your web browser. You should get your default Apache web page. Horrayyyyyyy
In the next post I’ll tell you how I tweaked my Apache to get a decent landing page, plus configuring a front-end to run/manage my torrents remotely.