dibaliklayar

Wednesday, November 30, 2005

Apache2 with SSL in Suse 9.2

We assume that you just want an SSL-encrypted connection with an unofficial certificate, i.e. one signed by your own local CA rather than by a trusted authority (non-authoritative). Follow these steps:
  • Turn apache2 off first by executing: /etc/rc.d/apache2 stop
  • Generate a "fake" certificate using the following command: /usr/bin/gensslcert -c CA -s ON -l "Your_city" -o "Your_organization" -e your_name@your_isp.com -d -n FQDN
    Where:
    • -C Common name "$name"
    • -N comment "$comment"
    • -c country (two letters, e.g. DE) $C
    • -s state $ST
    • -l city $L
    • -o organisation "$O"
    • -u organisational unit "$U"
    • -n fully qualified domain name $CN ($FQHOSTNAME)
    • -e email address of webmaster webmaster@$CN
    • -y days server cert is valid for $srvdays
    • -Y days CA cert is valid for $CAdays
    • -d run in debug mode
    • -h show usage
  • This will generate the necessary certs in the right directories.
  • In /etc/sysconfig/apache2 make sure you have "ssl" under APACHE_MODULES (i.e. APACHE_MODULES="access actions alias auth auth_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif status suexec userdir ssl").
  • In the same file also add (or check) the SSL flag (i.e. APACHE_SERVER_FLAGS="-D SSL") and increase the timeout value (i.e. APACHE_START_TIMEOUT="5").
  • Save the file.
  • In the /etc/apache2/vhosts.d directory do the following:
    • cp vhost-ssl.template vhost-ssl.conf
  • Edit vhost-ssl.conf in /etc/apache2/vhosts.d and make sure the following are in place and uncommented:
    • ServerName FQDN (the FQDN has to match the certificate exactly).
    • ServerAdmin your@email.address (the email address has to match the certificate).
  • Do a dry test run to make sure everything is in place, using the following command:
    • httpd2 -D SSL -S
  • If you get no error and the syntax is okay, continue; if not, you did something wrong :-)
  • Restart the server with /etc/rc.d/apache2 start
If everything is okay (which it should be) you can now use https instead of http to get the secure version of your site.
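As an added example (not part of the original post), here is a POSIX shell preflight check for the two files the steps above edit: it confirms that an /etc/sysconfig/apache2-style file loads the ssl module, sets -D SSL and a start timeout of at least 5, and that a vhost-ssl.conf-style file has an uncommented ServerName equal to the FQDN you passed to gensslcert plus an uncommented ServerAdmin. The function names are mine, and the demo writes constructed sample files to a temporary directory; point the functions at the real paths to use them before running httpd2 -D SSL -S.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the SuSE
# apache2 SSL setup. Function names and sample file contents are constructed.

# check_sysconfig FILE
# Succeeds if FILE (an /etc/sysconfig/apache2-style file) lists "ssl" in
# APACHE_MODULES, has "-D SSL" in APACHE_SERVER_FLAGS and sets
# APACHE_START_TIMEOUT to at least 5. Prints what is missing otherwise.
check_sysconfig() {
    f="$1"; rc=0
    mods=$(sed -n 's/^APACHE_MODULES="\(.*\)"$/\1/p' "$f")
    flags=$(sed -n 's/^APACHE_SERVER_FLAGS="\(.*\)"$/\1/p' "$f")
    timeout=$(sed -n 's/^APACHE_START_TIMEOUT="\([0-9]*\)"$/\1/p' "$f")
    case " $mods " in
        *" ssl "*) ;;
        *) echo "missing: ssl in APACHE_MODULES"; rc=1 ;;
    esac
    case "$flags" in
        *"-D SSL"*) ;;
        *) echo "missing: -D SSL in APACHE_SERVER_FLAGS"; rc=1 ;;
    esac
    if [ -z "$timeout" ] || [ "$timeout" -lt 5 ]; then
        echo "APACHE_START_TIMEOUT should be at least 5 (found '${timeout:-unset}')"; rc=1
    fi
    return $rc
}

# check_vhost FILE FQDN
# Succeeds if FILE (a vhost-ssl.conf-style file) has an uncommented ServerName
# equal to FQDN (the -n value given to gensslcert) and an uncommented ServerAdmin.
# Lines starting with "#" never match, so a commented-out directive is reported.
check_vhost() {
    f="$1"; fqdn="$2"; rc=0
    name=$(sed -n 's/^[[:space:]]*ServerName[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f" | head -n 1)
    admin=$(sed -n 's/^[[:space:]]*ServerAdmin[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f" | head -n 1)
    if [ "$name" != "$fqdn" ]; then
        echo "ServerName '${name:-unset}' does not match certificate CN '$fqdn'"; rc=1
    fi
    if [ -z "$admin" ]; then
        echo "ServerAdmin is missing or commented out"; rc=1
    fi
    return $rc
}

# Demo on constructed files in a temporary directory (the real paths are
# /etc/sysconfig/apache2 and /etc/apache2/vhosts.d/vhost-ssl.conf).
d=$(mktemp -d)
cat > "$d/sysconfig" <<'EOF'
APACHE_MODULES="access actions alias auth auth_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif status suexec userdir ssl"
APACHE_SERVER_FLAGS="-D SSL"
APACHE_START_TIMEOUT="5"
EOF
cat > "$d/vhost-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    #ServerName www.example.com
    ServerName www.example.com
    ServerAdmin webmaster@example.com
</VirtualHost>
EOF
if check_sysconfig "$d/sysconfig" && check_vhost "$d/vhost-ssl.conf" www.example.com; then
    echo "preflight OK, now try: httpd2 -D SSL -S"
fi
rm -rf "$d"
```

Both functions print every problem they find rather than stopping at the first, so one run tells you everything to fix before the dry run with httpd2 -D SSL -S.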

Wednesday, November 16, 2005

Solitude is fleeting

alone...

lonely...

silent...

empty...

only words without substance

people forever lament...

weeping for themselves...

is it not so that in loneliness there is always something to keep him company...

kept company by silence...

kept company by stillness...

Wednesday, November 02, 2005

HTACCESS Protection... not a condom for the web, but similar

Target:
Create Apache authentication using an .htaccess file, the simplest password protection for the web.

Env:
Red Hat Enterprise 4, Apache 2.0

Do:
1. Create a .htaccess file in /my/web/directory/to/protect
.htaccess is a flat file (text file).
Here is what I put in the file (feel free to copy and paste this):
#--------------------------------------------------------------
AuthUserFile /my/user/file/info/.htpasswd
AuthGroupFile /my/group/file/info/.htgroup
AuthName "my protected server"
AuthType Basic

require group myself
#---------------------------------------------------------------

2. Create a user
Add the first user (-c creates the file; leave it out once the file exists, or the existing users are overwritten):
~xxx>htpasswd -c /my/user/file/info/.htpasswd user1

Next you will be asked for the password twice.

Add another user:
~xxx>htpasswd /my/user/file/info/.htpasswd user2

3. Add users to a group

Open the file /my/group/file/info/.htgroup using pico or any text editor. The format of this file is very simple (i.e. groupname: username username2),
so we are going to add this line to the file:

myself: user1 user2

4. Set the user file and group file so they are readable by others

~xxx>chmod 755 /my/group/file/info/
~xxx>chmod 755 /my/user/file/info/
~xxx>chmod 755 /my/group/file/info/.htgroup
~xxx>chmod 755 /my/user/file/info/.htpasswd

That's it. Now you can use the password-protected directory.
To remove a user, open the file /my/user/file/info/.htpasswd
and delete the line with that username in it.



Problems:
1. Cannot log in; the pop-up window asks for the user and password again and again.

Solution:
Check the apache error log.

1. Make sure the group file and the user file are readable by others by doing the chmod above.
2. Make sure you are referring to the correct user file and group file in .htaccess.
3. If you get the error below or similar:

[Tue Nov 01 17:48:14 2005] [error] [client 10.1.2.69] MySQL ERROR: Access denied for user 'apache'@'localhost' (using password: NO)
[Tue Nov 01 17:48:14 2005] [error] [client 10.1.2.69] MySQL user pujo not found: /finsum_reports

this happens because apache looks for the user in MySQL instead of in the password file we gave it. The current solution I have is to remove mod_auth_mysql from apache:

~xxx> rpm -e mod_auth_mysql

and try again.....

Tips:
1. Put the user file and group file outside the web folder but still under the apache folder, so they cannot be browsed from a browser (i.e. /usr/local/apache2/cgi-bin/.htpasswd).
2. Protect the password and group files themselves using .htaccess.
3. Using SSL adds more security, since with this type of authentication (Basic) the username and password travel only base64-encoded, i.e. wide open to anyone watching the traffic.
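An added example (not from the original post) that automates the checks behind the steps and the Problems list above: it reads AuthUserFile, AuthGroupFile and "require group" from an .htaccess file, verifies that the referenced files are readable and that every member of each required group actually exists in the user file, and removes a user by exact username match instead of hand-deleting a line (a substring delete would also drop user10 when you meant user1). The function names are mine, and the demo's sample files, written to a temporary directory with placeholder hash strings, are constructed. One caveat on step 4: the two files only need to be readable, so 644 is enough; 755 additionally marks them executable, which nothing requires.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the .htaccess,
# .htpasswd and .htgroup setup above, plus exact-match user removal.
# Function names and the demo's sample files are constructed.

# directive FILE NAME
# Prints the argument of the first uncommented NAME line in FILE.
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | head -n 1
}

# check_htaccess HTACCESS
# Succeeds if the AuthUserFile and AuthGroupFile named in HTACCESS are readable
# and every "require group" names a group whose members all exist in the user
# file. An unreadable file or a wrong path is what produces the endless
# password prompt described in the Problems section.
check_htaccess() {
    ht="$1"; rc=0
    userfile=$(directive "$ht" AuthUserFile)
    groupfile=$(directive "$ht" AuthGroupFile)
    groups=$(sed -n 's/^[[:space:]]*[Rr]equire[[:space:]]\{1,\}group[[:space:]]\{1,\}\(.*\)$/\1/p' "$ht")
    for f in "$userfile" "$groupfile"; do
        # Tests readability for this process only; the apache user must read it too.
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "cannot read '${f:-unset}' referenced from $ht"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return $rc
    for g in $groups; do
        members=$(sed -n "s/^$g:[[:space:]]*//p" "$groupfile")
        [ -n "$members" ] || { echo "group '$g' has no members in $groupfile"; rc=1; }
        for u in $members; do
            grep -q "^$u:" "$userfile" || { echo "user '$u' (group '$g') is not in $userfile"; rc=1; }
        done
    done
    return $rc
}

# htpasswd_remove_user FILE USER
# Deletes only the line whose first field is exactly USER, so removing
# "user1" leaves "user10" alone. The file is rewritten through a temp copy.
htpasswd_remove_user() {
    awk -F: -v u="$2" '$1 != u' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on constructed files (the hashes are placeholders, not real htpasswd output).
d=$(mktemp -d)
printf 'user1:PLACEHOLDER_HASH_1\nuser10:PLACEHOLDER_HASH_10\nuser2:PLACEHOLDER_HASH_2\n' > "$d/.htpasswd"
printf 'myself: user1 user2\n' > "$d/.htgroup"
cat > "$d/.htaccess" <<EOF
AuthUserFile $d/.htpasswd
AuthGroupFile $d/.htgroup
AuthName "my protected server"
AuthType Basic
require group myself
EOF
if check_htaccess "$d/.htaccess"; then echo "auth setup looks consistent"; fi
htpasswd_remove_user "$d/.htpasswd" user1
# user1 is still listed in the group, so the check now reports it.
if check_htaccess "$d/.htaccess"; then :; else echo "fix .htgroup after removing a user"; fi
rm -rf "$d"
```

Run check_htaccess against the real .htaccess whenever the browser keeps re-prompting; it reports every bad path and every stale group member in one pass, and htpasswd_remove_user replaces the "delete the line" step with one that cannot take a similarly named account with it.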


have fun trying