Stunnel: Single Vhost - Revision history (wiki.uniformserver.com, MediaWiki feed)<br />
Revision by [[User:Ric|Ric]], 4 June 2008, 19:42: New page; protected "Stunnel: Single Vhost" [edit=sysop:move=sysop].<br />
<div><span id="top"></span><br />
<div style="padding:0;margin:0; border-bottom:3px inset #000000"><br />
{| <br />
| [[Image:uc_small_logo.gif | MPG UniCenter]] ||<br />
Stunnel: <br />
[[Stunnel: Home | Home]] | <br />
[[Stunnel: Upgrade 4.24 | Upgrade 4.24]] | <br />
[[Stunnel: Install 4.24 | Install]] | <br />
[[Stunnel: SSL Certificate | SSL Certificate]] |<br />
[[Stunnel: Single Vhost | Single Vhost]] | <br />
[[Stunnel: Resolved | Resolved]] | <br />
[[Stunnel: Basics | Basics]] | <br />
[[Stunnel: Cost | Cost]] | <br />
[[Stunnel: Original | Original]]<br />
|}<br />
</div><br />
{| cellpadding="2"<br />
|<br />
__TOC__<br />
||<br />
'''Stunnel securing a single virtual host<br>''' '''Uniform Server 3.5-Apollo'''<br />
|}<br />
Uniform Server’s default Stunnel installation secures the entire server, or does it? I have had several emails stating that Stunnel does not secure the server, because the server contents are accessible over both http (port 80) and https (port 443).<br />
<br />
That is true. However, over https any data entered into a form is encrypted before being sent over the Internet, which is the whole point of a secure link, and the page content is encrypted as well. What the encryption cannot do is stop a user (or a link) reaching the very same pages over plain http, and that is the situation the rest of this page addresses.<br />
<br />
'''''Problem'''''<br />
<br />
After several emails I finally discovered what was required. They were running several virtual hosts and wanted a single host to be secure. Further, they wanted to switch freely between secure and non-secure content while the same domain name is displayed.<br />
<br />
'''''Solution'''''<br />
<br />
Stunnel, like Apache's mod_ssl, can present only one certificate per listening port, so in practice it secures one virtual host per port; that part is relatively easy to implement. Splitting a single domain name into secure and non-secure parts is the main problem area. The solution is port-based virtual hosting, which lets the port act as the selector that separates the two. The following explains the proposed solution; it is not intended for a production server, but for a personal server it should be more than adequate.<br />
<br />
'''''[[#top | Top]]'''''<br />
== Stunnel and Headers ==<br />
Stunnel connects one port to another, effectively acting as a port translator: one side of Stunnel is encrypted and the other is plaintext. More importantly for this solution, it '''does not mangle header information'''; it forwards the bytes of the HTTP request unchanged, so the Host header the browser sent arrives at Apache intact. The flip side is that Apache sees only a plaintext connection from localhost and has no way of telling that a request on port 8080 started life as https, which is why the port number itself has to carry that meaning.<br />
<br />
The significance of this is that Apache can separate out any domain name on any port using virtual hosts. The standard (non-secure) listening port is 80, but Apache can listen on as many ports as we like, and we use that to our advantage. This solution uses port '''8080''' (only because it is an easy number to remember); you may need to change this if it clashes with another application you are running.<br />
<br />
'''''[[#top | Top]]'''''<br />
== Stunnel Config ==<br />
Open '''stunnel.conf''', located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin''', and change the default '''connect''' port to '''8080''' (or an alternative of your choice):<br />
<br />
{|cellpadding="4"<br />
|-<br />
!style="background:#e4e4e4"|Default<br />
!style="background:#e4e4e4"|New<br />
!style="background:#e4e4e4"|Comments<br />
|-<br />
|style="background:#f3f3f3"|<br />
<nowiki>[uniform35]</nowiki><br><br />
accept = 443<br><br />
connect = localhost:80<br />
|style="background:#f3f3f3"|<br />
<nowiki>[uniform35]</nowiki><br><br />
'''accept = 443'''<br><br />
'''connect = localhost:8080''' <br />
|style="background:#f3f3f3"|<br />
Port 443 is the standard secure port for https.<br><br />
We are translating it to port 8080 on the local machine. Writing connect = 8080 on its own means the same thing, since Stunnel defaults to localhost, but naming the host makes it obvious that the decrypted side never leaves the machine.<br />
|}<br />
<br />
=== Firewall ===<br />
Open your firewall and/or router configuration and make sure external access to port '''8080''' is denied. Otherwise anyone could read the secure part of your site over a plain <nowiki>http://</nowiki> connection simply by appending ''':8080''' to the address, bypassing Stunnel altogether. A stronger option is to make Apache listen for the decrypted traffic on the loopback interface only ('''Listen 127.0.0.1:8080''' instead of a plain Listen 8080), so the port is never exposed in the first place and the firewall rule becomes a second line of defence. See previous page for [[Stunnel: SSL Certificate#Fully secure server |details]].<br />
<br />
== Stunnel PEM file ==<br />
If this is a new installation of Stunnel, create a new PEM (self-signed certificate) for your site. You can use the one included in the download for testing, but remember to create a new one afterwards: the PEM file contains your private key, and the default key is useless as a secret because anyone can download the same files and retrieve it.<br />
<br />
To create a new key see previous page for [[Stunnel: SSL Certificate#Generating a certificate | details]].<br />
<br />
If it is not a new installation and you have already created your PEM, continue to use it; it is unique to you.<br />
<br />
'''''[[#top | Top]]'''''<br />
== Virtual host errors ==<br />
Before looking at the Apache configuration I should confess to a lack of understanding of virtual hosts. This was brought home to me when I noticed these warnings and errors in the Apache error log:<br />
<br />
<pre><br />
[warn] default VirtualHost overlap on port 8080, the first has precedence<br />
[error] mixing * ports and non-* ports with a NameVirtualHost address is not supported<br />
</pre><br />
<br />
I like to group common elements together, and my first attempt placed these two lines at the top, followed by all the virtual host sections, most of which had been generated by the admin panel as <nowiki><VirtualHost *></nowiki> with no port:<br />
<br />
<pre><br />
NameVirtualHost *:80<br />
NameVirtualHost *:8080<br />
</pre><br />
<br />
At first I thought the problem was the grouping, but NameVirtualHost is a declaration rather than a block: Apache does not care where it sits relative to the <nowiki><VirtualHost></nowiki> sections. What actually triggers the "mixing" error is having port-less <nowiki><VirtualHost *></nowiki> sections alongside NameVirtualHost addresses that name a specific port; the port-less sections match every port, 8080 included, which is where the overlap warning comes from. Once every section carries an explicit port, <nowiki>*:80</nowiki> or <nowiki>*:8080</nowiki>, both messages go away. Keeping each port's hosts together under its NameVirtualHost line is still worth doing, because it makes the configuration far easier to read.<br />
<br />
'''''[[#top | Top]]'''''<br />
== Correct Virtual Host sequence ==<br />
To show you what I mean, here is a cut-down version of the virtual host section, with the Listen statements added.<br />
<br />
{|cellspacing="1" cellpadding="2" style="background:#000000;"<br />
|-style="background:#cccccc"<br />
!Commands<br />
!Comments<br />
|-style="background:#dadada"<br />
|<br />
Listen 80<br><br />
Listen 8080<br />
|<br />
These can be grouped, so add '''Listen 8080''' below '''Listen 80''' in the config file, around line '''125'''. Use '''Listen 127.0.0.1:8080''' instead if you want the decrypted port bound to loopback only; the <nowiki>*:8080</nowiki> virtual hosts below still match it.<br />
|-style="background:#cccccc"<br />
|<br />
'''NameVirtualHost *:80'''<br />
|<br />
Declares that name-based virtual hosting is in use for '''port 80'''. The * means any address, so the sections for this port are selected by their ServerName.<br />
|-style="background:#dadada"<br />
|<br />
<VirtualHost '''_default_''':80><br><br />
&nbsp;&nbsp;DocumentRoot /www/default_notsecure<br><br />
</VirtualHost> <br />
|<br />
If Apache cannot find a site matching the name a user requested on port 80, it serves this one. The default is always the first one in the list for that port; normally a single page will do. Make the page content general and nondescript, remembering that any user can reach it by mistyping an address, or because we have screwed up badly.<br />
<br />
'''''Note''''': Apache handles '''_default_''' like *, so this is simply the first name-based host on port 80, which makes it the fallback. No ServerName directive is needed, and having this fallback also stops Apache serving pages from the main server's DocumentRoot.<br />
|-style="background:#dadada"<br />
|<br />
<VirtualHost *:80><br><br />
&nbsp;&nbsp;'''ServerName fred.gotdns.com'''<br><br />
&nbsp;&nbsp;'''DocumentRoot&nbsp;/www/site1_unsecure'''<br><br />
</VirtualHost> <br />
|<br />
This is the first real virtual site. Coincidentally it is the one we wish to partially secure, but this section is the unsecured part. It can be placed anywhere in the port 80 list as long as it comes after the default.<br />
|-style="background:#dadada"<br />
|<br />
<VirtualHost *:80><br><br />
&nbsp;&nbsp;ServerName cars.dyndns2.com<br><br />
&nbsp;&nbsp;DocumentRoot /www/cars<br><br />
</VirtualHost> <br />
|<br />
A second virtual site, again public and not secured. Add to this section as many sites as you will be hosting.<br />
<br />
'''''Note 1''''': Using the admin panel to add virtual sites saves a little typing, but you will need to edit the resulting config file.<br><br />
'''''Note 2''''': Each site that is not your secured site needs to be moved under this section and its <nowiki><VirtualHost *></nowiki> changed to <nowiki><VirtualHost *:80></nowiki>; otherwise you get the virtual host errors described above.<br />
|-style="background:#cccccc"<br />
|<br />
'''NameVirtualHost *:8080'''<br />
|<br />
Declares name-based virtual hosting for port 8080 as well; again the * means any address. This group '''must contain only two virtual hosts''', the default and the one secured site, because Stunnel presents a single certificate.<br />
|-style="background:#dadada"<br />
|<br />
<VirtualHost _default_:8080><br><br />
&nbsp;&nbsp;DocumentRoot /www/default_secure<br><br />
</VirtualHost> <br />
|<br />
If Apache cannot find a site matching the name a user requested on port 8080 (the secure port 443, remapped by Stunnel), it serves this one. The default is always the first one in the list for that port; normally a single page will do. Make the page content general and nondescript, remembering that any user can reach it by mistyping an address, or because we have screwed up badly.<br />
<br />
'''''Note 1''''': As on port 80, _default_ here is simply the first host in the group, so no ServerName directive is needed and the main server's pages are never served on this port.<br><br />
'''''Note 2''''': One minor irritation: a user who reaches this default page typed a name other than the one in the certificate, so the browser warns about a certificate name mismatch (on top of the usual self-signed warning) before the page is displayed. The warning comes from the TLS handshake, not from Apache, so nothing in the virtual host can remove it.<br />
|-style="background:#dadada"<br />
|<br />
<VirtualHost *:8080><br><br />
&nbsp;&nbsp;'''ServerName fred.gotdns.com'''<br><br />
&nbsp;&nbsp;'''DocumentRoot /www/site1_secure'''<br><br />
</VirtualHost><br />
|<br />
This is the last virtual site in this section (port 8080). It is the secured counterpart of the port 80 site above: Stunnel terminates TLS on 443 and hands the decrypted requests to this host, so a browser asking for <nowiki>https://fred.gotdns.com</nowiki> ends up here.<br />
|}<br />
<br />
I admit the above was conservative with the truth: it is the full solution, not a cut-down version. Now is a good time to go back and read it again to see what you missed. The following provides a few more details.<br />
<br />
'''''[[#top | Top]]'''''<br />
<br />
== Sites ==<br />
The main root folder www contains the following site root folders.<br />
<br />
{|cellspacing="1" cellpadding="2" style="background:#000000;"<br />
|-style="background:#cccccc"<br />
!Main Root Folder www<br />
!Comments<br />
|-style="background:#dadada"<br />
|<br />
default_notsecure<br />
|<br />
Contains a single index.html page that is generic for all the non-secured sites hosted. A user who mistypes an address may reach this page by mistake.<br />
|-style="background:#cccccc"<br />
|<br />
default_secure<br />
|<br />
Contains a single index.html page that is generic for the secured site. There is only one such site, but a user who mistypes an address may still reach this page by mistake.<br />
|-style="background:#dadada"<br />
|<br />
site1_unsecure<br />
|<br />
This is the unsecured part of the site; it shares the common host name '''fred.gotdns.com''' and is served on port 80.<br />
|-style="background:#dadada"<br />
|<br />
site2<br />
site3<br />
site4<br />
siten<br />
|<br />
More virtualhost sites.<br />
|-style="background:#cccccc"<br />
|<br />
site1_secure<br />
|<br />
This is the secured part of the site; it shares the host name '''fred.gotdns.com''' but is served only on port 8080, which browsers reach through Stunnel on port 443.<br />
|}<br />
<br />
There are no restrictions on folder names; choose whatever you like. I avoid names with spaces, as some FTP programs fall over when they come across them. You can, if you wish, use the main root folder www as a default, but my personal preference is to have separate folders and never serve from the main root.<br />
<br />
=== Browser Access ===<br />
To access the non secure portion of your site a user would type '''<nowiki>http://fred.gotdns.com</nowiki>'''<br />
<br />
To access the secure portion of your site a user would type '''<nowiki>https://fred.gotdns.com</nowiki>'''<br />
<br />
(Obviously substitute your real domain name for fred.gotdns.com.)<br />
<br />
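Everything above, the Host header passing through Stunnel, the port-based split and the firewall rule on 8080, can be checked from a machine outside your network. The following is an added example written for this page, not code from Uniform Server or Stunnel. It assumes the names and ports used above (fred.gotdns.com, 80, 443 and 8080) and a self-signed certificate, which is why certificate verification is switched off for the routing test. The request builder and response parser are kept separate from the network calls so they can be exercised offline.

```python
"""Probe the port-based secure/non-secure split described on this page.

Added example, not part of Uniform Server or Stunnel.  Assumptions: the
host name and ports used on the page (fred.gotdns.com, 80, 443, 8080) and
a self-signed PEM.  Run it from a machine outside your firewall.
"""
import socket
import ssl

HOST = "fred.gotdns.com"   # assumption: the example name used on this page
PLAIN_PORT = 80            # Apache, unsecured virtual host
TLS_PORT = 443             # Stunnel accept port
DECRYPTED_PORT = 8080      # Apache behind Stunnel; must NOT be reachable
TIMEOUT = 5


def http_request_bytes(server_name, path="/"):
    """Build a minimal HTTP/1.0 request.  The Host header is what Apache's
    name-based virtual hosts select on; Stunnel forwards it untouched."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {server_name}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_http_response(raw):
    """Return (status_code, headers, body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fetch(host, port, server_name, use_tls, path="/"):
    """Send one request over TCP or TLS and return the parsed reply.
    Verification is disabled because the page uses a self-signed PEM; this
    probe tests routing, not the certificate.  Do not copy that setting
    into anything that handles real data."""
    sock = socket.create_connection((host, port), timeout=TIMEOUT)
    if use_tls:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=server_name)
    with sock:
        sock.sendall(http_request_bytes(server_name, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_http_response(b"".join(chunks))


def port_is_closed(host, port):
    """True when a plaintext TCP connect fails (refused or filtered)."""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT):
            return False
    except OSError:
        return True


def same_document(resp_a, resp_b):
    """Crude check that two parsed responses delivered the same body."""
    return resp_a[2].strip() == resp_b[2].strip()


if __name__ == "__main__":
    plain = fetch(HOST, PLAIN_PORT, HOST, use_tls=False)
    secure = fetch(HOST, TLS_PORT, HOST, use_tls=True)
    unknown = fetch(HOST, TLS_PORT, "nosuch.invalid", use_tls=True)
    print("http status:", plain[0], " https status:", secure[0])
    print("http and https serve different pages:",
          not same_document(plain, secure))
    print("unknown Host over https gets the default_secure page:",
          not same_document(secure, unknown))
    print("port 8080 closed from outside:", port_is_closed(HOST, DECRYPTED_PORT),
          "(must be True, or the secure site is readable in clear)")
```

Run it as a script from outside the firewall. Expect different bodies over http and https (different DocumentRoots), a different page again for an unknown Host over https (the default_secure page, proving the Host header survived the tunnel), and port 8080 reported closed. If 8080 is open, the secure DocumentRoot can be read in clear and Stunnel is only cosmetic.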
'''''[[#top | Top]]'''''<br />
== Password protection ==<br />
In this document I have been using the term secure to mean that data sent over the Internet is encrypted. The server remains open to public access; you may also wish to authenticate access with a name and password.<br />
<br />
You can use Apache's basic authentication to password protect access to the secure area. From a user's point of view it may appear that both name and password are sent in plain text, because the lock icon still shows open when the browser prompts for them. In fact the TLS handshake has completed and the connection is encrypted before the browser sends the Authorization header; the padlock only toggles to the locked position when the first part of the web page data arrives. Basic authentication therefore only makes sense on the secure part of the site: on port 80 the same header would cross the wire in the clear, since base64 is an encoding, not encryption. If you are happy with this you can use the existing Uniform Server password file, or create a new one.<br />
<br />
Note: Windows XP will not allow you to copy and rename the file '''.htpasswd''', which is located in folder '''*\Uniform Server\udrive\htpasswd\www'''. To Windows the file looks like a bare file extension (because of the leading full stop); if you try to rename it, Windows insists you add a filename! <br />
<br />
Instead, open the file in a text editor, add the new name and password, and save the file as, say, '''.newpass1'''. The file looks similar to this; substitute the real name and password you want to use. Note that an entry like the one below stores the password in plain text, which Apache on Windows accepts but which hands the password to anyone who can read the file. Apache's '''htpasswd.exe''' (in Apache's bin folder, if your distribution includes it) can generate a hashed entry instead, for example '''htpasswd -nbm john doe123''' prints an MD5-based line you can paste in.<br />
<br />
'''.newpass1'''<br />
<pre><br />
john:doe123<br />
</pre><br />
Now copy an existing '''.htaccess''' file (just saves a little typing) to folder '''site1_secure''' and change it to this:<br />
<br />
{| cellpadding="8" cellspacing="1" style="background:#000000;"<br />
|style="background:#f5f5f5;"|<br />
<nowiki>#</nowiki> This file provides security to the server limiting access to the localhost only.<br><br />
<nowiki>#</nowiki> Comment to deactivate.<br><br />
<br />
<nowiki>#</nowiki>Order Deny,Allow<br><br />
<nowiki>#</nowiki>Deny from all<br><br />
<nowiki>#</nowiki>Allow from 127.0.0.1<br />
<br />
<nowiki>#</nowiki> To allow execution of cgi scripts in this directory uncomment next two lines.<br />
<br />
AddHandler cgi-script .pl .cgi<br><br />
Options +ExecCGI<br />
<br />
<nowiki>#</nowiki>--<br><br />
<nowiki>#</nowiki> Activate this to use the Private Server Feature!<br><br />
<nowiki>#</nowiki>--<br><br />
<nowiki>#</nowiki> To lock server, uncomment the next 4 lines.<br><br />
<nowiki>#</nowiki> Defaults: Username - root; Password - root<br />
<br />
'''AuthName "Uniform Server - Server Access"'''<br><br />
'''AuthType Basic'''<br><br />
'''AuthUserFile /htpasswd/www/.newpass1'''<br><br />
'''Require valid-user'''<br />
|}<br />
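The password files on this page ('''.htpasswd''', '''.newpass1''') are worth a quick audit, because an entry such as john:doe123 keeps the password readable to anyone who can read the file. The following is an added example, not Uniform Server code: it recognises the hash formats Apache's htpasswd can write, lists the users stored in plain text, and produces a '''{SHA}''' replacement line of the kind htpasswd -s generates (chosen only because it needs nothing beyond the standard library; prefer apr1 or bcrypt lines from htpasswd itself when you have the tool). The sample file content and user names are constructed for the example.

```python
"""Audit an Apache password file (the .htpasswd / .newpass1 files on this
page) and produce hashed replacement lines.

Added example, not Uniform Server code.  SAMPLE_FILE and the user names
are constructed for the example; the format names are this example's own.
"""
import base64
import hashlib
import re

# Hash formats Apache's htpasswd can write.  The last one is ambiguous:
# 13 characters from the crypt alphabet is treated as crypt(3) by Apache
# on Unix, but a 13-character plain password would look identical.
_FORMATS = (
    ("apr1-md5", re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
)


def classify_entry(stored):
    """Name the hash format of one password field, or 'plain' if none match.
    Apache on Windows accepts plain entries (which is why john:doe123 works),
    but a plain entry gives the password to anyone who can read the file."""
    for name, pattern in _FORMATS:
        if pattern.match(stored):
            return name
    return "plain"


def parse_htpasswd(text):
    """Return [(user, stored_field)] for each 'user:field' line, skipping
    blank lines.  Lines without a colon are rejected rather than guessed at."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:password")
        user, _, stored = line.partition(":")
        entries.append((user, stored))
    return entries


def plaintext_users(text):
    """Users whose password is stored unhashed: the entries to fix first."""
    return [user for user, stored in parse_htpasswd(text)
            if classify_entry(stored) == "plain"]


def sha_entry(user, password):
    """Build a line in the {SHA} format written by 'htpasswd -s'.
    Unsalted SHA-1 is the weakest hashed form Apache accepts; it is used
    here only because it needs nothing outside the standard library.
    Prefer 'htpasswd -m' (apr1) or 'htpasswd -B' (bcrypt) when available."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify(stored, password):
    """Check a password against a plain or {SHA} field, the two formats
    this example handles without extra libraries."""
    kind = classify_entry(stored)
    if kind == "plain":
        return stored == password
    if kind == "sha1":
        return stored == sha_entry("x", password).partition(":")[2]
    raise NotImplementedError(f"{kind} verification is not implemented here")


# Constructed sample: the page's .newpass1 entry plus one hashed line
# (mike's password is 'abc').
SAMPLE_FILE = """\
john:doe123
mike:{SHA}qZk+NkcGgWq6PiVxeFDCbJzQ2J0=
"""

if __name__ == "__main__":
    for user, stored in parse_htpasswd(SAMPLE_FILE):
        print(f"{user:8} {classify_entry(stored)}")
    print("fix first:", plaintext_users(SAMPLE_FILE))
    print("replacement line for john:", sha_entry("john", "doe123"))
```

Point it at the real file by reading it into a string and calling plaintext_users; any user it lists should have the plain entry replaced by a hashed one. Whatever format you choose, keep the file where the page keeps it, under the htpasswd folder outside every DocumentRoot, so it can never be fetched through the web server.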
<br />
'''''[[#top | Top]]'''''<br />
== Paranoid - Protect each page ==<br />
As mentioned above, Apache's basic authentication gives the user the impression that name and password are sent unencrypted, because the padlock only closes on receiving the first part of a web page.<br />
<br />
An alternative to basic authentication is a script that password protects pages; there are hundreds of such PHP scripts on the Internet. Because the protected folder is served only through Stunnel, whatever names and passwords such a script exchanges, including its login form submission, travel encrypted along with the page.<br />
<br />
To save you some legwork I found this script Page Password Protect 2.13<br />
<br />
* '''Download:''' [http://wiki.uniformserver.com/exeload/stunnel/ucPasswordProtect.exe ucPasswordProtect.exe] <br><br />
* '''MD5:''' fcb653ae954c3daca338f263e025787e<br />
<br />
<br />
Alternatively go to [http://www.zubrag.com/ http://www.zubrag.com/] and download the latest version of [http://www.zubrag.com/scripts/password-protect.php Web Page Password Protect]. Please note my write-up is for version 2.13 hence there may be small differences.<br />
<br />
It really is an easy script to use, ideal for demonstrating the concept of page authentication over Stunnel, which serves my purpose admirably.<br />
<br />
# Save the file '''ucPasswordProtect.exe''' to any location.<br />
# Double click on this file to run the self-extracting utility.<br />
# In the folder extracted password_protect you will find a file named '''password_protect.php''' copy this file to folder '''site1_secure''' (your secure folder).<br />
<br />
'''''[[#top | Top]]'''''<br />
=== Setup ===<br />
Open the file '''password_protect.php''' and add the names and passwords you are going to use. I have shown the relevant section below:<br />
<br />
{| cellpadding="8" cellspacing="1" style="background:#000000;"<br />
|style="background:#f5f5f5;"|<br />
<nowiki>#</nowiki> SETTINGS START<br><br />
<nowiki>##################################################################</nowiki><br />
<br />
// Add login/password pairs below, like described above<br><br />
// NOTE: all rows except last must have comma "," at the end of line<br><br />
$LOGIN_INFORMATION = array(<br><br />
''''root' => 'root','''<br><br />
''''mike' => 'fred123''''<br><br />
);<br />
<br />
// request login? true - show login and password boxes, false - password box only<br><br />
define('USE_USERNAME', true);<br />
|}<br />
<br />
The file is self-documenting, so read the comments; you can change the page if you wish to match your web site. I have not butchered the page in any way; it remains as downloaded. Remove the 'root' => 'root' pair that ships with the script rather than leaving it next to your own entries, since that default is known to anyone who has read the script's documentation. After setting up your names and passwords, save the page.<br />
<br />
Each page you are going to protect (it must have the file extension '''.php''') needs one line of code added at the top.<br />
<br />
To obtain this line, run '''password_protect.php?help''' on your server (with both Apache and Stunnel running), for example:<br />
<br />
<nowiki>https://</nowiki>'''fred.gotdns.com/password_protect.php?help'''<br />
<br />
You will see a line similar to this displayed which you add to each page:<br />
<br />
'''<nowiki><?php include("W:\\www\\site1_secure\\password_protect.php"); ?></nowiki>'''<br />
<br />
=== One small mod to the line ===<br />
The script is general purpose, hence its method of obtaining a path to the file. Since we are running our own server there is no real need to use it: the file is an include file, we know where we placed it, and we know where to start looking (the top of the drive Apache runs from), so there is no need to specify a drive letter. The line effectively becomes the following; use your real folder names where appropriate. (A path relative to the including page, such as <nowiki>dirname(__FILE__) . '/password_protect.php'</nowiki>, avoids depending on the drive letter or the current directory altogether.)<br />
<br />
'''<nowiki><?php include("\\www\\site1_secure\\password_protect.php"); ?></nowiki>''' <br />
<br />
'''''[[#top | Top]]'''''<br />
<br />
== Prevent Folder (Directory) listing ==<br />
You may want to prevent directory listings for folders that do not contain an index file. Modify the .htaccess file in site1_secure to look like this:<br />
<br />
{| cellpadding="8" cellspacing="1" style="background:#000000;"<br />
|style="background:#f5f5f5;"|<br />
<nowiki>#</nowiki> This file provides security to the server limiting access to the localhost only.<br><br />
<nowiki>#</nowiki> Comment to deactivate.<br><br />
<br />
<nowiki>#</nowiki>Order Deny,Allow<br><br />
<nowiki>#</nowiki>Deny from all<br><br />
<nowiki>#</nowiki>Allow from 127.0.0.1<br />
<br />
<nowiki>#</nowiki> To allow execution of cgi scripts in this directory uncomment next two lines.<br />
<br />
AddHandler cgi-script .pl .cgi<br><br />
Options +ExecCGI<br />
<br />
<nowiki>#</nowiki>--<br><br />
<nowiki>#</nowiki> Activate this to use the Private Server Feature!<br><br />
<nowiki>#</nowiki>--<br><br />
<nowiki>#</nowiki> To lock server, uncomment the next 4 lines.<br><br />
<nowiki>#</nowiki> Defaults: Username - root; Password - root<br />
<br />
<nowiki>#</nowiki> AuthName "Uniform Server - Server Access"<br><br />
<nowiki>#</nowiki> AuthType Basic<br><br />
<nowiki>#</nowiki> AuthUserFile /htpasswd/www/.newpass1<br><br />
<nowiki>#</nowiki> Require valid-user<br />
<br />
'''<nowiki>IndexIgnore *</nowiki>'''<br />
|}<br />
<br />
It is not absolutely necessary, but adding the line IndexIgnore * prevents directory listings (an empty listing is shown instead). The stricter alternative is '''Options -Indexes''', which makes Apache return 403 Forbidden for a folder without an index file; since this .htaccess already uses an Options line successfully, the required AllowOverride is in place.<br />
<br />
I have shown one script you can use for name/password protection; try some others, it is always worth looking at new code.<br />
<br />
== One final point ==<br />
Once you have set up the servers, remember to do a bit of port bashing as explained on the previous page; in particular confirm from outside that port 8080 does not answer while 80 and 443 do. Enjoy.<br />
<br />
== Conclusion ==<br />
I once asked myself the question “why do I support Uniform Server?” If you have read this article one thing is clear: it is easy to tailor and change to meet a specific requirement. Overall I find it logically constructed and extremely accessible; its perceived simplicity is a real credit to the design team.<br />
<br />
Back to Stunnel: don’t be intimidated by the techno stuff, go in and have a play. If you break it, load up another copy and hack it some more.<br />
<br />
'''''[[#top | Top]]'''''<br />
<br />
----<br />
<br />
{| <br />
| [[Image:uc_small_logo.gif]] || [[User:Ric|Ric]]<br />
|}<br />
<br />
[[Category: UniCenter]]<br />
[[Category: Support]]<br />
[[Category: Installation]]<br />
[[Category: Application]]<br />
[[Category: Development]]<br />
[[Category: Plugins]]</div>