Difference between revisions of "HTTPS"

From LinuxMCE
(listen not in the ports.conf ?? so added remark)

Revision as of 14:36, 28 April 2011

Introduction

This wiki page will help you to set up secure outside HTTPS access WITHOUT having to enable "Outside Access" in web admin (which I believe is currently insecure). Before starting, I recommend registering a fully qualified domain name: for all intents and purposes it maps your external IP to an easy-to-remember address, which makes life a lot easier. In keeping with the example used in this guide, it will be something like "linuxmce.yourdomain.com".

I used http://www.dyndns.com/ to set up my fully qualified domain name, and it has worked very well, as it is free!

Once setup is complete, you will be able to access your LinuxMCE admin page externally by typing in https://linuxmce.yourdomain.com. The "linuxmce.yourdomain.com" essentially replaces the "192.168.80.1" part that you would normally type in when on the internal network. This means that you can access your web orbiter (https://linuxmce.yourdomain.com/lmce-admin/weborbiter.php), your MythTV admin page (https://linuxmce.yourdomain.com/mythweb) or ZoneMinder (https://linuxmce.yourdomain.com/zm), for example, if you have it installed.

Your fully qualified domain name can also be used for ssh-ing into your core, i.e.

ssh root@linuxmce.yourdomain.com

Just make sure you open port 22 in the firewall settings in web admin if you want to do this. If you do, use key-based authentication and turn off password logins for root in /etc/ssh/sshd_config (PasswordAuthentication no, PermitRootLogin without-password): a root login reachable from the whole Internet by password is a standing brute-force target.

Setting up HTTPS / SSL access on the outside

We start by creating a new password file (-c option) and adding a user (linuxmce) with a password (test, which is only an example; pick a real one) to the password file:

htpasswd -bc /etc/apache2/httpd.passwd linuxmce test

(Use the same line without the -c to add additional users; -c creates the file and would wipe any existing entries. Note that -b takes the password on the command line, where other users can see it with ps and where it stays in your shell history; running htpasswd without -b prompts for the password instead.)
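As an added example, not from the LinuxMCE page or project, here is the same password file maintained without -b, so the password is read from standard input and never appears in a command line, plus a check that verifies a password against the stored entry. It assumes a POSIX sh and openssl (which the certificate steps below need anyway), that the file uses htpasswd's default apr1 (MD5) scheme, and that user names contain no regex metacharacters; the file path and user name are the page's own.

```shell
#!/bin/sh
# Added example, not part of the LinuxMCE page: maintain the Apache basic-auth
# file without `htpasswd -b`, so the password comes from stdin instead of being
# left in shell history and `ps` output.  Hashes use htpasswd's default apr1
# (MD5) scheme, produced here by `openssl passwd -apr1`.
# Assumptions: POSIX sh, openssl on PATH, user names without regex characters.

# add_user FILE USER   -- password on stdin (one line); replaces an existing entry
add_user() {
    file=$1; user=$2
    hash=$(openssl passwd -apr1 -stdin) || return 1   # -stdin keeps it out of argv
    [ -n "$hash" ] || return 1                         # empty password: refuse
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" > "$file.tmp" || true  # drop any old entry for USER
    else
        : > "$file.tmp"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 640 "$file"   # root plus the web server's group; never world-readable
}

# check_user FILE USER -- password on stdin; exit 0 only if it matches the stored hash
check_user() {
    file=$1; user=$2
    stored=$(grep "^$user:" "$file" 2>/dev/null | head -n 1 | cut -d: -f2-)
    case $stored in
        '$apr1$'*) ;;          # only the apr1 scheme is handled here
        *) return 1 ;;         # unknown user, empty file, or another hash type
    esac
    # recompute with the stored salt (third $-separated field) and compare
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}
```

Run it as root, for example with stty -echo; read pw; stty echo; printf '%s\n' "$pw" | add_user /etc/apache2/httpd.passwd linuxmce, and afterwards give the file to the web server's group (www-data on Ubuntu-based LinuxMCE) so Apache can read it at request time while it stays unreadable to everyone else.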


mkdir /root/ssl
openssl genrsa -des3 -out /root/ssl/server.key 4096

(type a passphrase twice)

openssl req -new -key /root/ssl/server.key -out /root/ssl/server.csr 

(type your previous passphrase once and then fill in the fields)

Make sure that "Common Name (eg, YOUR name)" matches the registered fully qualified domain name of your box (or your IP address if you don't have one): browsers compare it with the host part of the URL you type, and a mismatch produces a warning on every connection.


openssl x509 -req -days 3650 -in /root/ssl/server.csr -signkey /root/ssl/server.key -out /root/ssl/server.crt 
openssl rsa -in /root/ssl/server.key -out /root/ssl/server.key.insecure
mv /root/ssl/server.key /root/ssl/server.key.secure
mv /root/ssl/server.key.insecure /root/ssl/server.key 

FYI, you now have the following files in /root/ssl:

  • server.crt: The self-signed server certificate.
  • server.csr: Server certificate signing request.
  • server.key: The private server key, does not require a passphrase when starting Apache. Keep it readable by root only (mode 600): anyone who can read it can impersonate your core.
  • server.key.secure: The private server key, it does require a passphrase when starting Apache.


mkdir /etc/apache2/ssl
cp /root/ssl/server.key /etc/apache2/ssl
cp /root/ssl/server.crt /etc/apache2/ssl
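The key, CSR and certificate steps above as one non-interactive script, followed by the checks worth running before the files are copied into /etc/apache2/ssl: that the certificate really belongs to the key, that its Common Name is the name clients will type, that it is currently valid, and that the passphrase-less key is not world-readable. This is an added example, not the page's or LinuxMCE's own code. It assumes the key passphrase is supplied in the environment variable KEY_PASS (openssl's env: source, so it never appears on a command line) and that the target directory, /root/ssl on the page, is readable by root only; the file names are the page's.

```shell
#!/bin/sh
# Added example, not part of the LinuxMCE page: the page's key/CSR/self-signed
# certificate steps run non-interactively, plus the checks worth doing before
# copying the result into /etc/apache2/ssl.
# Assumptions: KEY_PASS holds the key passphrase (read by openssl via
# env:KEY_PASS); DIR is readable by root only; openssl is on PATH.

# make_selfsigned DIR FQDN [BITS]
make_selfsigned() {
    dir=$1; fqdn=$2; bits=${3:-4096}
    [ -n "$KEY_PASS" ] || return 1
    export KEY_PASS                        # openssl reads it via env:KEY_PASS
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # passphrase-protected key, as the page's "genrsa -des3"
    openssl genrsa -des3 -passout env:KEY_PASS \
        -out "$dir/server.key.secure" "$bits" 2>/dev/null || return 1
    # CSR with the FQDN as Common Name; -subj replaces the interactive prompts
    openssl req -new -sha256 -key "$dir/server.key.secure" -passin env:KEY_PASS \
        -subj "/CN=$fqdn" -out "$dir/server.csr" 2>/dev/null || return 1
    # self-signed certificate, ten years as on the page; SHA-256 because
    # current browsers reject SHA-1 signatures
    openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" \
        -signkey "$dir/server.key.secure" -passin env:KEY_PASS \
        -out "$dir/server.crt" 2>/dev/null || return 1
    # passphrase-less copy so Apache can start unattended
    openssl rsa -in "$dir/server.key.secure" -passin env:KEY_PASS \
        -out "$dir/server.key" 2>/dev/null || return 1
    chmod 600 "$dir/server.key" "$dir/server.key.secure"
}

# verify_pair DIR FQDN: exit 0 only if the certificate fits this key and this name
verify_pair() {
    dir=$1; fqdn=$2
    # 1. key and certificate must share the same RSA modulus
    m_crt=$(openssl x509 -noout -modulus -in "$dir/server.crt" 2>/dev/null)
    m_key=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    [ -n "$m_crt" ] && [ "$m_crt" = "$m_key" ] || return 1
    # 2. the Common Name must be the name clients will type
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/server.crt")
    case $subj in
        *"CN=$fqdn"|*"CN=$fqdn,"*) ;;
        *) return 1 ;;
    esac
    # 3. the certificate must be valid right now
    openssl x509 -noout -checkend 0 -in "$dir/server.crt" >/dev/null || return 1
    # 4. the unencrypted key must be readable by its owner only
    [ "$(ls -l "$dir/server.key" | cut -c1-10)" = "-rw-------" ]
}
```

Run it as root with the passphrase exported first (stty -echo; read KEY_PASS; stty echo; export KEY_PASS), then copy server.crt and server.key as the page does. Browsers will still warn the first time because the certificate is self-signed; compare the fingerprint from openssl x509 -noout -fingerprint -sha256 -in /root/ssl/server.crt with the one the browser shows when you first connect from outside, and accept the certificate only if they match.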


Add the following in /etc/apache2/httpd.conf. One point to be aware of: Apache evaluates access control and Basic authentication before per-directory RewriteRules, so an outside client that can reach port 80 is challenged for its password over plain HTTP before the redirect to HTTPS fires. The firewall rule further down opens only port 443 to the outside, and that, not the rewrite, is what keeps credentials off cleartext; do not open port 80 to the Internet.

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

# "/*" matches every URL on the server
<LocationMatch "/*">
#   Inside the subarea any Intranet access is allowed
#   but from the Internet only HTTPS + Strong-Cipher + Password
#   or the alternative HTTPS + Strong-Cipher + Client-Certificate

#   If HTTPS is used, make sure a strong cipher is used.
#   Additionally allow client certs as alternative to basic auth.
SSLVerifyClient      optional
SSLVerifyDepth       1
SSLOptions           +FakeBasicAuth +StrictRequire
SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128

#   Force clients from the Internet to use HTTPS
#   (kept commented out; the mythweb-aware version below is the active one)
#RewriteEngine        on
#RewriteCond          %{REMOTE_ADDR} !^192\.168\.80\.[0-9]+$
#RewriteCond          %{HTTPS} !=on
#RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

#   Allow Network Access and/or Basic Auth
Satisfy              any

#   Network Access Control
Order                deny,allow
Deny                 from all
Allow                from 192.168.80.0/24 127.0.0.1

#   HTTP Basic Authentication
AuthType             basic
AuthName             "LinuxMCE"
AuthUserFile         /etc/apache2/httpd.passwd
Require              valid-user

</LocationMatch>

# Since mythweb has its own rewrites in a .htaccess file, HTTPS redirection is enabled only on other URLs
<LocationMatch "^/(?!mythweb).*">
#   Force clients from the Internet to use HTTPS
RewriteEngine        on
RewriteCond          %{REMOTE_ADDR} !^192\.168\.80\.[0-9]+$
RewriteCond          %{REMOTE_ADDR} !^127\.0\.0\.[0-9]+$
RewriteCond          %{HTTPS} !=on
#   $1 is the captured path; a backreference to a group that does not exist
#   expands to nothing and would redirect every request to the site root
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</LocationMatch>


At the top of /etc/apache2/httpd.conf add the fully qualified domain name of your box that you added by "Common Name (eg, YOUR name)" when creating the certificate:

ServerName linuxmce.yourdomain.com

We have to change the beginning of /etc/apache2/sites-available/pluto to:

# NameVirtualHost *
<VirtualHost _default_:80>

And then copy this file:

cp /etc/apache2/sites-available/pluto /etc/apache2/sites-available/pluto443

Then change the beginning of /etc/apache2/sites-available/pluto443 to:

# NameVirtualHost *
<VirtualHost _default_:443>
        SSLEngine On

Make a symbolic link:

ln -s /etc/apache2/sites-available/pluto443 /etc/apache2/sites-enabled/pluto443

Move the original ssl configuration out of the way (to your home dir):

mv /etc/apache2/sites-available/default-ssl ~/
rm /etc/apache2/sites-enabled/default-ssl

Make sure that apache is listening on port 443 and the following line is in /etc/apache2/ports.conf:

Listen 443

Go to pluto web admin and to Advanced>Network>Firewall and add a new rule:

tcp ipv4 443 443 core_input

Before restarting, check the configuration (apache2ctl configtest) and confirm that the ssl and rewrite modules are loaded (apache2ctl -M lists them; a2enmod ssl rewrite enables them on Ubuntu-based LinuxMCE), since SSLEngine and RewriteEngine are not recognised without them. Then run:

apache2ctl restart

...and that should be it.

Notes

  • I found that some devices had to be reset before they could connect to my core via https.
  • On my current installation (810 beta, snapshot 23796) I found that "/etc/apache2/sites-available/pluto" and "/etc/apache2/ports.conf" were being overwritten every time the core was restarted. To combat the problem I did...

chattr +i /etc/apache2/sites-available/pluto
chattr +i /etc/apache2/ports.conf

...which stops even root from being able to alter the files. FYI this can be reversed using "-i" instead of "+i". Bear in mind that the immutable flag also blocks package upgrades from updating those files, so remove it before upgrading Apache and put it back afterwards.