Difference between revisions of "HTTPS"

From LinuxMCE
m (changes because ssl is enabled by default)

Line 43:

Removed in this revision (these steps no longer appear in the text below):

  add to /etc/apache2/ports.conf:

  <IfModule mod_ssl.c>
      Listen 443
  </IfModule>

  ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load
  ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf

Unchanged:

  add the following in /etc/apache2/httpd.conf

Line 115 (old) / Line 104 (new):

  Old:
  # NameVirtualHost *
  <VirtualHost *:80>

  New:
  # NameVirtualHost *
  <VirtualHost _default_:80>

Line 124 (old) / Line 113 (new):

  Old:
  # NameVirtualHost *
  <VirtualHost *:443>
          SSLEngine On

  New:
  # NameVirtualHost *
  <VirtualHost _default_:443>
          SSLEngine On

Line 130 (old) / Line 119 (new):

  Unchanged:
  make a symbolic link:
  ln -s /etc/apache2/sites-available/pluto443 /etc/apache2/sites-enabled/pluto443

  Added:
  move the original ssl configuration out of the way (to your home dir):
  mv /etc/apache2/sites-available/default-ssl ~/
  rm /etc/apache2/sites-enabled/default-ssl

  Unchanged:
  go to pluto web admin and to Advanced>Network>Firewall and add a new rule:
Revision as of 18:38, 12 March 2011

HTTPS / SSL access on the outside

I am trying to set up HTTPS on the outside so LinuxMCE can be used safely. Below is my setup.

We start by creating a new password file (-c option) and adding a user (linuxmce) with a password (test) to the password file:

htpasswd -bc /etc/apache2/httpd.passwd linuxmce test

(Use the same line without the -c to add additional users)


mkdir /root/ssl
openssl genrsa -des3 -out /root/ssl/server.key 4096

(type a passphrase twice)

openssl req -new -key /root/ssl/server.key -out /root/ssl/server.csr 

(type your previous passphrase once, then fill in the fields)

Make sure that "Common Name (eg, YOUR name)" matches the registered fully qualified domain name of your box (or your IP address if you don't have one).


openssl x509 -req -days 3650 -in /root/ssl/server.csr -signkey /root/ssl/server.key -out /root/ssl/server.crt 
openssl rsa -in /root/ssl/server.key -out /root/ssl/server.key.insecure
mv /root/ssl/server.key /root/ssl/server.key.secure
mv /root/ssl/server.key.insecure /root/ssl/server.key 

You now have the following files in /root/ssl:

server.crt: the self-signed server certificate.
server.csr: the server certificate signing request.
server.key: the private server key; does not require a password when starting Apache.
server.key.secure: the private server key; does require a password when starting Apache.


mkdir /etc/apache2/ssl
cp /root/ssl/server.key /etc/apache2/ssl
cp /root/ssl/server.crt /etc/apache2/ssl


add the following in /etc/apache2/httpd.conf

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

<LocationMatch "/*">
#   Inside the subarea any Intranet access is allowed
#   but from the Internet only HTTPS + Strong-Cipher + Password
#   or the alternative HTTPS + Strong-Cipher + Client-Certificate

#   If HTTPS is used, make sure a strong cipher is used.
#   Additionally allow client certs as alternative to basic auth.
SSLVerifyClient      optional
SSLVerifyDepth       1
SSLOptions           +FakeBasicAuth +StrictRequire
SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128

#   Force clients from the Internet to use HTTPS
#RewriteEngine        on
#RewriteCond          %{REMOTE_ADDR} !^192\.168\.80\.[0-9]+$
#RewriteCond          %{HTTPS} !=on
#RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

#   Allow Network Access and/or Basic Auth
Satisfy              any

#   Network Access Control
Order                deny,allow
Deny                 from all
Allow                from 192.168.80.0/24 127.0.0.1

#   HTTP Basic Authentication
AuthType             basic
AuthName             "LinuxMCE"
AuthUserFile         /etc/apache2/httpd.passwd
Require              valid-user

</LocationMatch>

# Since mythweb has its own rewrites in a .htaccess file, HTTPS redirection is enabled only on other URLs
<LocationMatch "^/(?!mythweb).*">
#   Force clients from the Internet to use HTTPS
RewriteEngine        on
RewriteCond          %{REMOTE_ADDR} !^192\.168\.80\.[0-9]+$
RewriteCond          %{REMOTE_ADDR} !^127\.0\.0\.[0-9]+$
RewriteCond          %{HTTPS} !=on
#   The pattern has a single capture group, so the target must use $1 ($2 would expand to nothing)
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</LocationMatch>
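To make the behaviour of the configuration above concrete, here is an added Python model of how Apache evaluates it; it is not part of the original page or of LinuxMCE. It follows Apache's request phases: mod_ssl's SSLRequire check (made a hard 403 by +StrictRequire) and the `Satisfy any` network-or-password step run during access control, while a RewriteRule placed inside LocationMatch is per-directory context and only runs afterwards, in the fixup phase. The client addresses, paths and credentials are constructed test data, the password file is a plain dictionary instead of htpasswd hashes, and the server name is the placeholder used on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Values taken from the httpd.conf fragment on this page.
LAN_NETWORK = ipaddress.ip_network("192.168.80.0/24")      # Allow from 192.168.80.0/24
LOOPBACK = ipaddress.ip_address("127.0.0.1")               # Allow from 127.0.0.1
MIN_CIPHER_KEYSIZE = 128                                   # SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
REDIRECT_SCOPE = re.compile(r"^/(?!mythweb).*")           # <LocationMatch "^/(?!mythweb).*">
LAN_ADDR_RE = re.compile(r"^192\.168\.80\.[0-9]+$")        # RewriteCond %{REMOTE_ADDR} !^192\.168\.80\.[0-9]+$
LOOPBACK_ADDR_RE = re.compile(r"^127\.0\.0\.[0-9]+$")      # RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.[0-9]+$
REWRITE_RULE = re.compile(r"^/(.*)")                       # RewriteRule ^/(.*) https://%{SERVER_NAME}/$1

# Constructed stand-in for /etc/apache2/httpd.passwd (Apache stores hashes, not plain text).
PASSWD_FILE = {"linuxmce": "test"}


@dataclass
class Request:
    remote_addr: str
    path: str
    https: bool
    cipher_keysize: int = 0                 # only meaningful when https is True
    user: Optional[str] = None              # HTTP Basic credentials, if the client sent any
    password: Optional[str] = None
    server_name: str = "linuxmce.yourdomain.com"   # ServerName placeholder from the page


def network_allowed(remote_addr: str) -> bool:
    """Order deny,allow / Deny from all / Allow from <LAN> 127.0.0.1"""
    ip = ipaddress.ip_address(remote_addr)
    return ip in LAN_NETWORK or ip == LOOPBACK


def basic_auth_ok(req: Request) -> bool:
    """AuthType basic + Require valid-user checked against the password file."""
    return req.user is not None and PASSWD_FILE.get(req.user) == req.password


def decide(req: Request) -> Tuple[str, object]:
    """Return ("redirect", url), ("allow", reason) or ("deny", http_status)."""
    # Access-control phase, part 1: SSLRequire is only evaluated on TLS connections.
    # With +StrictRequire a weak cipher is a 403 that Satisfy any cannot override.
    if req.https and req.cipher_keysize < MIN_CIPHER_KEYSIZE:
        return ("deny", 403)

    # Access-control phase, part 2: Satisfy any = pass the network ACL OR valid Basic auth.
    from_lan = network_allowed(req.remote_addr)
    if not from_lan and not basic_auth_ok(req):
        return ("deny", 401)            # Basic-auth challenge goes back to the client

    # Fixup phase: per-directory mod_rewrite. Only paths outside /mythweb, only plain
    # HTTP, and only addresses that match neither exclusion regex are redirected.
    if (REDIRECT_SCOPE.match(req.path) and not req.https
            and not LAN_ADDR_RE.match(req.remote_addr)
            and not LOOPBACK_ADDR_RE.match(req.remote_addr)):
        captured = REWRITE_RULE.match(req.path).group(1)   # the $1 back-reference
        return ("redirect", f"https://{req.server_name}/{captured}")

    return ("allow", "lan" if from_lan else "basic-auth")


if __name__ == "__main__":
    # 203.0.113.7 is a documentation (TEST-NET-3) address standing in for an Internet client.
    for r in (Request("192.168.80.5", "/pluto-admin/", https=False),
              Request("203.0.113.7", "/pluto-admin/", https=False),
              Request("203.0.113.7", "/pluto-admin/index.php", https=False,
                      user="linuxmce", password="test"),
              Request("203.0.113.7", "/mythweb/", https=False,
                      user="linuxmce", password="test"),
              Request("203.0.113.7", "/pluto-admin/", https=True, cipher_keysize=56,
                      user="linuxmce", password="test")):
        print(r.remote_addr, r.path, "https" if r.https else "http", "->", decide(r))
```

Two outcomes of the model are worth noticing. An outside client arriving over plain HTTP without credentials gets the 401 challenge before the redirect can fire, because a RewriteRule in per-directory context runs after access control; the redirect only happens once the client has already sent its Basic-auth credentials in the clear. Placing the RewriteRule in the port-80 virtual host instead (server context, evaluated before access control), or not forwarding port 80 from the outside at all (the firewall rule later on this page only opens 443), closes that gap. The second point is that /mythweb is never redirected, so that path stays reachable over plain HTTP from anywhere with valid credentials.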


At the top of httpd.conf, add the fully qualified domain name of your box that you entered as "Common Name (eg, YOUR name)" when creating the certificate:

ServerName linuxmce.yourdomain.com

We have to change the beginning of /etc/apache2/sites-available/pluto (edit it with vi or another editor) to:

# NameVirtualHost *
<VirtualHost _default_:80>

and then copy this file:

cp /etc/apache2/sites-available/pluto /etc/apache2/sites-available/pluto443

then change the beginning to:

# NameVirtualHost *
<VirtualHost _default_:443>
        SSLEngine On

make a symbolic link:

ln -s /etc/apache2/sites-available/pluto443 /etc/apache2/sites-enabled/pluto443

move the original ssl configuration out of the way (to your home dir):

mv /etc/apache2/sites-available/default-ssl ~/
rm /etc/apache2/sites-enabled/default-ssl

go to pluto web admin and to Advanced>Network>Firewall and add a new rule:

tcp 443 443 core_input

then run:

apache2ctl restart