Difference between revisions of "HTTPS"
Latest revision as of 10:35, 18 July 2011
Purps, 18/07/11: This now appears to be set up by default. Just make sure you forward port 443 in web admin though (add tcp ipv4 443 443 core_input in Advanced -> Network -> Firewall).
Introduction
This wiki page will help you to set up secure outside https access WITHOUT having to enable "Outside Access" in web admin (currently insecure I believe). Before starting, I would recommend registering a fully qualified domain name. This maps your external IP address to an easy-to-remember name, which makes life a lot easier; the same name also goes into the certificate and the Apache configuration later in this guide. Keeping in line with the example used here, it will be something similar to "linuxmce.yourdomain.com".
I used http://www.dyndns.com/ to set up my fully qualified domain name, and it has worked very well, as it is free!
Once the steps in this guide have been carried out, you should be able to reach your LinuxMCE admin page externally by typing https://linuxmce.yourdomain.com into a browser. The "linuxmce.yourdomain.com" part replaces the "192.168.80.1" that you would normally type when on the internal network. This means you can reach your web orbiter (https://linuxmce.yourdomain.com/lmce-admin/weborbiter.php), your MythTV admin page (https://linuxmce.yourdomain.com/mythweb) or ZoneMinder (https://linuxmce.yourdomain.com/zm), if you have it installed. Because the certificate created below is self-signed, every browser will warn about it on first contact; compare the fingerprint it shows with the one on your core before accepting it, rather than clicking through the warning blindly.
Your fully qualified domain name can also be used for ssh-ing into your core, for example:
ssh root@linuxmce.yourdomain.com
Just make sure you open port 22 in the firewall settings in web admin if you want to do this. A root login reachable from the Internet will be hammered by password guessing, so prefer key-based authentication and disable password logins for root in sshd if you open this port.
Setting up HTTPS / SSL access on the outside
We start by creating a new password file (the -c option) and adding a user (linuxmce) with a password (test) to it:
htpasswd -bc /etc/apache2/httpd.passwd linuxmce test
(Use the same line without -c to add further users.) Two caveats: "test" is only a placeholder and must be replaced by a strong password, because this file is all that stands between the Internet and your web admin; and -b takes the password on the command line, where it ends up in your shell history and is briefly visible to other local users via ps, so in practice omit -b and let htpasswd prompt for the password instead.
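As an added example (not code from the LinuxMCE wiki or project), the following Python builds and checks entries for the password file the step above creates. It implements the APR1 MD5-crypt scheme that htpasswd uses on Linux, so entries can be generated without ever putting the password on a command line; the user name, password and file path are illustrative, and the "$1$" variant is included only so the algorithm can be checked against the traditional Unix crypt(3) output.

```python
# Added example, not part of the LinuxMCE wiki page: generate and verify
# Apache htpasswd entries in the APR1 scheme ("$apr1$salt$hash"), which is
# what "htpasswd -c" writes on Linux. Doing this in code avoids "-b", which
# would expose the password in shell history and in the process list.
import hashlib
import hmac
import os
import secrets

# The 64-character alphabet crypt(3)-style hashes use for salt and output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode `count` six-bit groups of `value`, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt, magic="$apr1$"):
    """MD5-crypt (Poul-Henning Kamp's algorithm). magic "$apr1$" is the
    Apache htpasswd variant, "$1$" the traditional Unix crypt(3) one."""
    pw = password.encode()
    sb = salt[:8].encode()            # at most 8 salt characters are used
    mg = magic.encode()
    ctx = hashlib.md5(pw + mg + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):  # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                          # bit pattern of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # fixed 1000 rounds of key stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = []                          # crypt's peculiar byte ordering
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out.append(_to64((final[a] << 16) | (final[b] << 8) | final[c_], 4))
    out.append(_to64(final[11], 2))
    return magic + sb.decode() + "$" + "".join(out)


def htpasswd_entry(user, password):
    """One 'user:$apr1$salt$hash' line with a fresh random 8-character salt."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{md5_crypt(password, salt)}"


def check_password(entry_line, user, password):
    """Verify a password against one htpasswd line (APR1 entries only)."""
    name, _, stored = entry_line.strip().partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(md5_crypt(password, salt), stored)


def write_htpasswd(path, users):
    """Write (user, password) pairs to `path`, readable by root and its group
    only, since the file guards the whole web admin. Returns the entry count."""
    lines = [htpasswd_entry(u, p) for u, p in users]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    # Example user and password (assumed, not from the page).
    line = htpasswd_entry("linuxmce", "change-me-please")
    print(line)
    print(check_password(line, "linuxmce", "change-me-please"))  # True
    print(check_password(line, "linuxmce", "test"))              # False
```

Entries produced this way are accepted by the AuthUserFile directive used later in the guide exactly like those from htpasswd; the check_password function is what a small audit script would use to confirm that the placeholder password "test" is no longer valid for any user in the file.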
mkdir /root/ssl
openssl genrsa -des3 -out /root/ssl/server.key 4096
(type a passphrase twice)
openssl req -new -key /root/ssl/server.key -out /root/ssl/server.csr
(type your previous passphrase once and then fill in the fields)
Make sure that "Common Name (eg, YOUR name)" matches the registered fully qualified domain name of your box (or your IP address if you don't have one). Browsers compare it with the host part of the URL, so a mismatch produces a warning on every visit, even after you have trusted the certificate.
openssl x509 -req -days 3650 -in /root/ssl/server.csr -signkey /root/ssl/server.key -out /root/ssl/server.crt
This signs the request with the same key it was made for, so the result is a self-signed certificate valid for ten years; nothing vouches for it except the fingerprint you check by hand.
openssl rsa -in /root/ssl/server.key -out /root/ssl/server.key.insecure
mv /root/ssl/server.key /root/ssl/server.key.secure
mv /root/ssl/server.key.insecure /root/ssl/server.key
The first of these writes a copy of the private key without the passphrase so that Apache can start unattended (after a reboot, for instance). Anyone who can read that file can impersonate your server, so keep it readable by root only.
FYI, you now have the following files in /root/ssl:
- server.crt: The self-signed server certificate (public; this is what browsers are shown).
- server.csr: The certificate signing request; only needed again if you later want a CA-signed certificate.
- server.key: The private server key without a passphrase; Apache can start with it unattended.
- server.key.secure: The passphrase-protected private key; Apache would prompt for the passphrase at every start.
Copy the unprotected key and the certificate to where Apache will read them:
mkdir /etc/apache2/ssl
cp /root/ssl/server.key /etc/apache2/ssl
cp /root/ssl/server.crt /etc/apache2/ssl
Add the following to /etc/apache2/httpd.conf:
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

<LocationMatch "/*">
    # Inside the subarea any Intranet access is allowed
    # but from the Internet only HTTPS + Strong-Cipher + Password
    # or the alternative HTTPS + Strong-Cipher + Client-Certificate
    # If HTTPS is used, make sure a strong cipher is used.
    # Additionally allow client certs as alternative to basic auth.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +FakeBasicAuth +StrictRequire
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

    # Force clients from the Internet to use HTTPS
    #RewriteEngine on
    #RewriteCond %{REMOTE_ADDR} !^192\.168\.80\.[0-9]+$
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

    # Allow Network Access and/or Basic Auth
    Satisfy any

    # Network Access Control
    Order deny,allow
    Deny from all
    Allow from 192.168.80.0/24 127.0.0.1

    # HTTP Basic Authentication
    AuthType basic
    AuthName "LinuxMCE"
    AuthUserFile /etc/apache2/httpd.passwd
    Require valid-user
</LocationMatch>

# Since mythweb has its own rewrites in a .htaccess file, https redirection is enabled only on other urls
<LocationMatch "^/(?!mythweb).*">
    # Force clients from the Internet to use HTTPS
    RewriteEngine on
    RewriteCond %{REMOTE_ADDR} !^192\.168\.80\.[0-9]+$
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.[0-9]+$
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</LocationMatch>
What this gives you: clients on the internal network (192.168.80.0/24) and on the core itself pass the network check and are never asked for a password, because "Satisfy any" accepts either a permitted address or valid credentials. Everyone else must present a valid user from httpd.passwd, and over HTTPS the SSLRequire line additionally rejects ciphers with keys shorter than 128 bits. Three caveats. First, the RewriteRule uses $1, the single capture group of the pattern; the widely copied version of this snippet says $2, which expands to nothing, so every external plain-HTTP request was redirected to the site root instead of the page that was asked for. Second, the client-certificate alternative mentioned in the comments is not active as written: mod_ssl has no CA to verify client certificates against (no SSLCACertificateFile is set), and FakeBasicAuth also needs each certificate's subject DN listed in the password file; external users therefore authenticate with the htpasswd password. Third, keep port 80 closed on the firewall (the rule further down only opens 443): the access and authentication checks in the first block run before per-directory rewrite rules, so an external plain-HTTP client would be asked for its password in the clear before being redirected.
At the top of /etc/apache2/httpd.conf add the fully qualified domain name of your box, i.e. the name you entered as "Common Name (eg, YOUR name)" when creating the certificate. The redirect above builds its target from this value (%{SERVER_NAME}), so a mismatch sends browsers to a name the certificate does not cover:
ServerName linuxmce.yourdomain.com
Change the beginning of /etc/apache2/sites-available/pluto to:
# NameVirtualHost *
<VirtualHost _default_:80>
And then copy this file:
cp /etc/apache2/sites-available/pluto /etc/apache2/sites-available/pluto443
Then change the beginning of /etc/apache2/sites-available/pluto443 to:
# NameVirtualHost *
<VirtualHost _default_:443>
SSLEngine On
Make a symbolic link:
ln -s /etc/apache2/sites-available/pluto443 /etc/apache2/sites-enabled/pluto443
Move the original ssl configuration out of the way (to your home dir), so that the stock default-ssl site does not compete with pluto443 for port 443:
mv /etc/apache2/sites-available/default-ssl ~/
rm /etc/apache2/sites-enabled/default-ssl
Make sure that Apache is listening on port 443, i.e. that the following line is present in /etc/apache2/ports.conf:
Listen 443
Go to the pluto web admin, Advanced > Network > Firewall, and add a new rule (this is the only port you need to open for outside access):
tcp ipv4 443 443 core_input
Then run:
apache2ctl restart
...and that should be it.
Notes
- I found that some devices had to be reset before they could connect to my core via https.