Old:4.0-Mona: Enable SSL: Difference between revisions
Revision as of 20:51, 18 February 2009
How to enable SSL on Uniform Server 4.0-Mona
Strange as this may sound, although Uniform Server 4.0-Mona has integrated SSL support, it is not enabled by default. Added to this, you will find no demo certificates or keys. The reason is quite simple and is one of security: you are forced to create your own personal server certificate and key.
So you are not a crypto expert? No problem: the whole process has been fully automated. This page covers how to enable SSL, produce a self-signed server certificate and enable password protection for the areas of the secure server you want protected.
Enable SSL
SSL is enabled in Apache's configuration file. There is no need to worry about this: it is enabled automatically after a new server certificate and key are created.
The following is provided for completeness and outlines the manual procedure. After creating a new certificate, the generation script uncomments a line in Apache's configuration file; this enables SSL.
File: \UniServer\udrive\usr\local\apache2\conf
Change this line:
From: #LoadModule ssl_module modules/mod_ssl.so
To: LoadModule ssl_module modules/mod_ssl.so
When Apache is restarted it loads the module mod_ssl.so. This has a knock-on effect: the following part of the configuration file becomes active.
<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>
This loads the configuration file for SSL and sets up Apache accordingly. Before Apache can start it needs to load the server certificate server.crt and the key server.key, found in these folders respectively:
\UniServer\udrive\usr\local\apache2\conf\ssl.crt\
\UniServer\udrive\usr\local\apache2\conf\ssl.key\
If either file, server.crt or server.key, does not exist, Apache will refuse to start; bear this in mind when manually editing the configuration files. Remember that SSL is enabled automatically once a new server certificate and key are created.
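The manual step above has a trap: once the LoadModule line is active, Apache includes ssl.conf and will not start unless server.crt and server.key are both in place. The following added example (it is not Uniform Server's own ssl_gen.pl script, and its function names and demo folder layout are this example's own) performs the uncomment only after that pre-flight check, and is a no-op when the module is already enabled.

```python
"""Pre-flight check before enabling mod_ssl in Apache's configuration file.

Added example for this page; it is not Uniform Server's own ssl_gen.pl.
It performs the manual step described above (uncomment the LoadModule line
for mod_ssl) but only after confirming that server.crt and server.key are in
the conf\\ssl.crt and conf\\ssl.key folders, because once the module loads,
ssl.conf is included and Apache refuses to start without those two files.
Function names and the demo layout are this example's own.
"""
import re
import tempfile
from pathlib import Path

# The directive exactly as it appears on this page, commented out and active.
COMMENTED_RE = re.compile(
    r"^[ \t]*#[ \t]*(LoadModule[ \t]+ssl_module[ \t]+modules/mod_ssl\.so)[ \t]*$",
    re.MULTILINE)
ACTIVE_RE = re.compile(
    r"^[ \t]*LoadModule[ \t]+ssl_module[ \t]+modules/mod_ssl\.so[ \t]*$",
    re.MULTILINE)


def ssl_files_present(conf_dir):
    """Return (crt_ok, key_ok) for the two files ssl.conf expects."""
    conf_dir = Path(conf_dir)
    crt_ok = (conf_dir / "ssl.crt" / "server.crt").is_file()
    key_ok = (conf_dir / "ssl.key" / "server.key").is_file()
    return crt_ok, key_ok


def enable_ssl_module(conf_text, conf_dir):
    """Return (new_conf_text, status) without writing any file.

    status is "enabled", "already-enabled", "missing-files" or "no-directive";
    the text comes back unchanged unless status is "enabled".
    """
    crt_ok, key_ok = ssl_files_present(conf_dir)
    if not (crt_ok and key_ok):
        return conf_text, "missing-files"
    if ACTIVE_RE.search(conf_text):
        return conf_text, "already-enabled"
    new_text, count = COMMENTED_RE.subn(r"\1", conf_text, count=1)
    if count == 0:
        return conf_text, "no-directive"
    return new_text, "enabled"


def run_demo():
    """Exercise the check against a constructed conf folder; returns the statuses."""
    sample_conf = (  # constructed fragment in the layout the page describes
        "LoadModule rewrite_module modules/mod_rewrite.so\n"
        "#LoadModule ssl_module modules/mod_ssl.so\n"
        "<IfModule mod_ssl.c>\n  Include conf/ssl.conf\n</IfModule>\n"
    )
    statuses = []
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp)
        (conf / "ssl.crt").mkdir()
        (conf / "ssl.key").mkdir()
        (conf / "ssl.crt" / "server.crt").write_text("constructed placeholder")
        # Key not generated yet: the check must refuse to enable the module.
        statuses.append(enable_ssl_module(sample_conf, conf)[1])
        (conf / "ssl.key" / "server.key").write_text("constructed placeholder")
        text, status = enable_ssl_module(sample_conf, conf)
        statuses.append(status)
        # Running it a second time is a no-op.
        statuses.append(enable_ssl_module(text, conf)[1])
    return statuses


if __name__ == "__main__":
    print(run_demo())  # ['missing-files', 'enabled', 'already-enabled']
```

The check deliberately returns the edited text instead of writing it, so it can be run against the real configuration file first and the result inspected before anything is saved.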
Creating a new server certificate and key
Uniform Server is very versatile and has several methods to do this; choose one from the following.
Note: Whichever method you choose, Apache needs restarting to allow it to pick up the new configuration.
Method 1 Apanel
- From the left menu, scroll down to Plugin Manager and click the link Server Key & Cert Gen.
- A new page opens, "Server Certificate and Key Generation"; click the link Generate.
- Enter the certificate information (see below).
- That's it; remember to restart the servers.
Method 2 Apanel
- From the left menu, click the link Server Security; a new page opens, Security Center.
- Scroll down to the section Server Certificate and Key (SSL). To the right a link Unsecure is displayed (only when a certificate has not already been created); click this link and it takes you to the page Server Certificate and Key Generation.
- Click the link Generate (OK, so it's the same page as above).
- Enter the certificate information (see below).
- Remember to restart the servers.
Method 3 Manually
- Navigate to the folder UniServer\udrive\plugins\key_cert_gen
- Double click on Run.bat (note: it is not necessary to have the servers running).
- Enter the certificate information (see below).
- Once complete, restart the servers.
Note 1: All methods use Run.bat. This batch file runs the Perl script ssl_gen.pl, which generates the server certificate and server key, copies these to their correct location and enables SSL in Apache's configuration file.
Note 2: The server key does not contain a pass phrase; this is not supported on Windows and would prevent Apache from starting.
Note 3: When run as a service, Methods 1 and 2 are unavailable; you must manually run the batch file located in the folder C:\UniServer\plugins\key_cert_gen.
Certificate information
When the Perl script runs you will be prompted for three pieces of information: CN, OU and O (see below).
Localhost
If you are running a local test server, just press Enter to accept the defaults. This will allow you to quickly produce a secure server. If you wish, change OU (organisation unit) and O (organisation) to something different; however, do not change the default CN (common name).
Note: If you have changed the SSL port 443 to, say, 444, you must change the common name from localhost to localhost:444
Real Domain
If you have a real domain name, for example www.fred.com, enter that at the CN (common name) prompt. The remaining two parameters, OU (organisation unit) and O (organisation), are not strictly required, hence feel free to enter something that meets your requirements.
Note: If you have changed the SSL port 443 to, say, 444, you must add this to your domain name, www.fred.com:444, otherwise the certificate will be rejected.
Running the secure server
At this stage it's worth pointing out that the secure and non-secure servers are completely separate; use the appropriate Web root folder:
Web root folders
The Web root folders are:
- UniServer\udrive\www -- Contains all your non-secure sites and pages
- UniServer\udrive\ssl -- Contains only the sites and pages that require encryption.
View secure pages
To view secure (encrypted) pages type the following into your browser:
https://localhost/
Or if you have a real domain name
https://www.mydomain.com/
Note: If you changed the SSL port to, say, 444, this needs to be included; hence you would type the following:
https://localhost:444/
Or if you have a real domain name
https://www.mydomain.com:444/
One drawback with self-signed certificates is that browsers rightly complain they cannot be trusted. The next section shows how to resolve this issue.
Browser issues and Problems
When using self-signed certificates your browser will issue error messages.
This section looks at two browsers, Firefox 3.0.5 and IE7, which provide examples of the type of error messages and how to resolve them.
Firefox 3.0.5
On viewing a secure page in Firefox you will be greeted with the warning icon and the following error message:
Secure Connection Failed
The solution is to import the certificate into your browser as follows:
- Click the link Or you can add an exception…
- Click the link Add Exception (opens a new pop-up)
- Click the link Get Certificate (top right)
- Check the box bottom left, Permanently store this exception
- Click the link Confirm Security Exception
This saves the Certificate and allows you to view the secure server unrestricted.
Note: Click the icon to the left of https://localhost in the address bar; the site information reports "Which is run by (unknown)". What about that?
A standard SSL certificate, even one signed by a CA, will not resolve the "Which is run by (unknown)" issue. What is required is something known as an Extended Validation (EV) SSL certificate; this raises the security level to green. You can purchase this type of signing, however it comes at a high price because both the site and the site owner require verification.
IE 7
On viewing a secure page in IE you will be greeted with a red shield and the following error message:
There is a problem with this website's security certificate
On the alert page click the link Continue to this website (not recommended).
This allows the page to be displayed; notice the navigation bar turns red.
Import the certificate:
A new pop-up is displayed: Certificate
Trusted CA
It is strongly recommended that you obtain a certificate signed by a trusted CA; check out this Wiki page for details.
You will need the certificate signing request file; this is located in the folder:
\UniServer\udrive\plugins\key_cert_gen\server.csr
How to put SSL server on-line
The server has been locked down, allowing only local access. You can develop sites while connected to the Internet knowing that external access has been restricted.
To enable external access, either on a local network or from the Internet, you need to edit the file:
UniServer\udrive\ssl\.htaccess
Locate the following lines:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
These lines restrict access to localhost (IP address 127.0.0.1). Comment the lines out by adding a hash "#" as shown:
#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1
There is no need to restart the server; your server is now externally accessible.
Note 1: All lines with a comment are disabled and ignored by Apache.
Note 2: There is a corresponding .htaccess file for the unencrypted server; this is located in the root folder www. Edit this file as above to put this part of the server on-line.
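Because commenting out three lines silently opens the server to every host, it is worth having a quick check that reports the state of a .htaccess file before the machine is connected to a network. The following added example (not Uniform Server's code; the function names and the two sample files are this example's own) parses the Apache 2.2-style mod_authz_host directives used on this page, ignoring commented lines exactly as Apache does, and reports whether the 127.0.0.1 lock-down is still active and whether the Basic-auth lines have been un-commented.

```python
"""Audit the access-control state of a Uniform Server .htaccess file.

Added example, not part of Uniform Server. It reads the .htaccess text
described on this page (the ssl one, or the www one from Note 2) and reports
whether the "Order Deny,Allow / Deny from all / Allow from 127.0.0.1"
lock-down is still active and whether the Basic-auth lines have been
un-commented. The directives are the Apache 2.2 mod_authz_host form used on
this page. The two sample files below are constructed for this example.
"""

# Constructed sample: the file as shipped (locked down, no login required).
LOCKED_DOWN = """\
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/ssl/.htpasswd
#Require valid-user
"""

# Constructed sample: put on-line as described above, with login enabled.
ON_LINE_WITH_AUTH = """\
#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user
"""


def parse_directives(text):
    """Return the active directives as (name, arguments) tuples.

    Blank lines and lines starting with '#' are skipped, exactly as Apache
    ignores them (Note 1 above), so a commented-out line disappears here too.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.append((name.lower(), args.strip()))
    return directives


def audit_htaccess(text):
    """Summarise who can reach the folder and whether a login is required."""
    directives = parse_directives(text)
    last = dict(directives)  # if a directive is repeated, the last one wins
    order = last.get("order", "").replace(" ", "").lower()
    deny_all = ("deny", "from all") in [(n, a.lower()) for n, a in directives]
    allowed = [a[len("from "):].strip() for n, a in directives
               if n == "allow" and a.lower().startswith("from ")]
    localhost_only = (order == "deny,allow" and deny_all
                      and allowed == ["127.0.0.1"])
    has_auth = all(k in last for k in ("authtype", "authuserfile", "require"))
    return {
        "localhost_only": localhost_only,
        "allowed_from": allowed if deny_all else ["everyone"],
        "basic_auth": has_auth and last["authtype"].lower() == "basic",
        "auth_user_file": last.get("authuserfile"),
    }


def findings(text):
    """Human-readable list of things to fix before going on-line; empty is good."""
    state = audit_htaccess(text)
    out = []
    if not state["localhost_only"]:
        out.append("reachable from hosts other than 127.0.0.1: "
                   + ", ".join(state["allowed_from"]))
    if not state["basic_auth"]:
        out.append("no name/password protection")
    return out


if __name__ == "__main__":
    for label, sample in (("shipped", LOCKED_DOWN), ("on-line", ON_LINE_WITH_AUTH)):
        print(label, audit_htaccess(sample), findings(sample))
```

A file that is both on-line and without the Auth lines produces both findings, which is the state to look for before exposing the www or ssl root. The same parser works on the per-folder .htaccess copies described in the password sections that follow.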
Name/Password protected server
The entire SSL server can be name/password protected as follows:
Edit the file UniServer\udrive\ssl\.htaccess
Locate the following lines:
#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/ssl/.htpasswd
#Require valid-user
To enable name/password protection, un-comment the lines by removing the hash "#" as shown:
AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user
There is no need to restart the servers; .htaccess files are automatically picked up.
Access a secure page on the server, e.g. type https://localhost into your browser. If you have a real domain name, use that.
You will be challenged for a name and password. The defaults are root and root.
Change name and password
You have two methods of changing the name and password: either using Apanel or manually, as follows.
Apanel
- Start Apanel either from UniController or by typing http://localhost/apanel into your browser.
- Using the left menu, navigate to the section Configurations and click the link Private Secure Server Config.
- This opens the Private Secure Server Configuration (SSL) page and displays the current name and password; change these and click the Change button.
Manually edit password file
- Edit the file UniServer\udrive\htpasswd\ssl\.htpasswd
- Change the current name and password (in that order) to your new values.
Note: Use a single colon ":" between name and password; do not enter any spaces or carriage returns at the end of the password.
Name/Password protected single folder
To protect a single folder rather than the entire SSL server, copy the .htaccess file to the folder you want protecting.
Edit the copied .htaccess file as explained above; the four lines look like this:
AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user
Make sure you have not changed the .htaccess file in ssl, otherwise the entire server will remain under name/password control. Hence the lines must be commented out as shown:
#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/ssl/.htpasswd
#Require valid-user
Note: The name and password are those used for the main SSL server; change these as described above.
Name/Password protected multi folders
It is possible to assign a user their own protected folder with a unique name/password pair. For example, take these three users: John, Mike and Ruth.
First create three new folders in UniServer\udrive\htpasswd\ssl:
- UniServer\udrive\htpasswd\ssl\john
- UniServer\udrive\htpasswd\ssl\mike
- UniServer\udrive\htpasswd\ssl\ruth
Copy the file UniServer\udrive\htpasswd\ssl\.htpasswd into each of the above folders.
Edit each copied .htpasswd file to have the new name/password pair you want to assign to each user.
Now create three new folders in UniServer\udrive\ssl:
- UniServer\udrive\ssl\john
- UniServer\udrive\ssl\mike
- UniServer\udrive\ssl\ruth
Copy the unmodified file UniServer\udrive\ssl\.htaccess to each of these new folders.
Edit each .htaccess file in turn: enable password protection and change the path to the new location of the corresponding .htpasswd file. I have shown an example for John:
AuthName "John please enter your name and password"
AuthType Basic
AuthUserFile /htpasswd/ssl/john/.htpasswd
Require valid-user
Note 1: All files and sub-folders in John's folder are protected by his name/password pair.
Note 2: John has decided to share the information in his protected area with Ruth but not with Mike. Hence John's .htpasswd file will look similar to this:
John:xxxxxxx
Ruth:yyyyyyy
Note 3: Do not enter any spaces after John's password; only a carriage return is allowed. After Ruth's password do not enter any spaces or carriage returns.
Note 4: You can add any number of name/password pairs to a .htpasswd file.
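The formatting rules for .htpasswd files given in the notes above (and in the "Manually edit password file" section) are easy to get wrong by hand, and a stray space or trailing line break is hard to see in an editor. The following added example, which is not Uniform Server's code (function names and the sample entries are this example's own, with placeholder passwords), writes a file that follows those rules and checks an existing file against them; it also flags the default root:root pair mentioned earlier on the page.

```python
"""Write and check the plain name:password .htpasswd files used on this page.

Added example, not Uniform Server's code. It encodes the rules stated above:
one name:password pair per line separated by a single colon, no spaces after
a password, a line break between pairs and no carriage return after the last
one. It also flags the default root:root pair mentioned earlier on the page.
The entries used in the demo are constructed placeholders.
"""

DEFAULT_PAIR = ("root", "root")  # the shipped default, as stated on this page


def write_htpasswd_text(pairs):
    """Build file contents from an ordered list of (name, password) pairs."""
    lines = []
    for name, password in pairs:
        if ":" in name or ":" in password:
            raise ValueError("':' is the separator; it cannot appear in a name or password")
        if not name or not password:
            raise ValueError("name and password must both be non-empty")
        if name != name.strip() or password != password.strip():
            raise ValueError("no leading or trailing spaces allowed")
        lines.append(f"{name}:{password}")
    return "\n".join(lines)  # deliberately no line break after the last pair


def check_htpasswd_text(text):
    """Return (pairs, problems); problems is empty when the file follows the rules."""
    problems = []
    if text.endswith(("\n", "\r")):
        problems.append("carriage return after the last password")
    pairs = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line:
            problems.append(f"line {number}: empty line")
            continue
        if line != line.rstrip(" \t"):
            problems.append(f"line {number}: space after the password")
            line = line.rstrip(" \t")
        if line.count(":") != 1:
            problems.append(f"line {number}: expected exactly one ':' between name and password")
            continue
        name, password = line.split(":")
        if not name or not password:
            problems.append(f"line {number}: empty name or password")
            continue
        pairs.append((name, password))
    if DEFAULT_PAIR in pairs:
        problems.append("default root:root pair still present; change it before going on-line")
    return pairs, problems


if __name__ == "__main__":
    # John's file from Note 2 above, with placeholder passwords.
    johns_file = write_htpasswd_text([("John", "xxxxxxx"), ("Ruth", "yyyyyyy")])
    print(repr(johns_file))
    print(check_htpasswd_text(johns_file))
    # Two hand-edited mistakes: a trailing space, and a colon inside a password.
    print(check_htpasswd_text("John:xxxxxxx \nRuth:yy:yy"))
    # The shipped default with a stray line break at the end.
    print(check_htpasswd_text("root:root\n"))
```

The page stores passwords in plain text, which Apache on Windows accepts; entries produced by Apache's htpasswd tool keep the same name:value layout, so the same layout checks apply to a hashed file, and the default-credential check simply will not fire on one.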
Related Information
SSL Part 2: Generate CSR -- How to obtain a free certificate
Stunnel: SSL Certificate -- Background information
SSL Part 1: Key & Certificate -- Background information
Summary
The above has shown how easy it is to enable SSL on Uniform Server 4.0-Mona and, should you wish, how to password protect folders.