5.0-Nano: Enable SSL: Difference between revisions
Latest revision as of 19:37, 11 September 2009
How to enable SSL on Uniform Server 5.0-Nano
The server has been pre-configured to run SSL: place any pages or site you wish to be served encrypted in the root folder ssl.
Uniform Server does not ship a test server certificate/key pair, hence a default installation has SSL disabled. The reason is security: a certificate/key pair must be unique to the server it protects, so one is never shared between installations. After you create a new server certificate/key pair, SSL is automatically enabled in Apache's configuration file.
Creating a new server certificate and key
To create a new server certificate and key use one of the following options:
Apanel option 1
- Left menu, scroll down to Plugin Manager
- Click link Server Key & Cert Gen
- A new page opens Server Certificate and Key Generation
- Click link Generate.
Apanel option 2
- Left menu, click link Server Security a new page opens Security Center.
- Scroll down to section Server Certificate and Key (SSL)
- To the right the link will display Unsecure click this link
- It takes you to page Server Certificate and Key Generation as per Apanel option 1
Manual option
- Navigate to folder unicon\key_cert_gen
- Double click on Run.bat
UniTray option
- Left or right mouse click on UniTray Icon
- Mouse-over Advanced and click Server Certificate and key Generator
Common to all options
The certificate and key generation script prompts for three pieces of information.
If you are running a local test server just press Enter to accept the defaults.
If you have a real domain name, for example www.fred.com, enter that at the CN prompt. Browsers compare the CN against the host name typed into the address bar, so a mismatch produces a certificate warning even when the certificate is CA-signed.
Three pieces of information are requested:
- CN (common name prompt): enter localhost or your real domain name
- OU (organisation unit): not strictly required, hence enter something that meets your requirements
- O (organisation): not strictly required, hence enter something that meets your requirements
General notes
Note 1: Once the server certificate and key have been generated, re-start the servers so that Apache picks up the new configuration.
Note 2: View secure pages by typing https://localhost/ into your browser, or, if you have a real domain name, https://www.mydomain.com/
Note 3: You can change the defaults for CN, OU and O by editing file unicon\key_cert_gen\ssl_gen.php. Locate this section:
<pre>
// Get user input
//********* Edit defaults *****************************************************
$str1 = &prompt_user(" CN Common Name. Your full domain name ", "localhost");
$str2 = &prompt_user(" OU Organization Unit (eg, section) ", "Secure demo");
$str3 = &prompt_user(" O Organization Name (eg, company) ", "UniServer");
print "\n ";
//********* Do not Edit below this line ***************************************
</pre>
If your site is accessed by typing mydomain.net into a browser, your company is Fred and the section is Software, the lines are as follows (OU is the section, O is the company):
<pre>
// Get user input
//********* Edit defaults *****************************************************
$str1 = &prompt_user(" CN Common Name. Your full domain name ", "mydomain.net");
$str2 = &prompt_user(" OU Organization Unit (eg, section) ", "Software");
$str3 = &prompt_user(" O Organization Name (eg, company) ", "Fred");
print "\n ";
//********* Do not Edit below this line ***************************************
</pre>
Note 4: It is strongly recommended to obtain a certificate signed by a trusted CA; check out Uniform Server's Wiki for details: SSL Part 2: CAcert Signing Process. You will need the certificate signing request, which is located in folder unicon\key_cert_gen with file name server.csr.
Note 5: If you need to create a new key and certificate, repeat the above and re-start the servers again.
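Doing by hand what the generator does, as an added example that is not Uniform Server's ssl_gen.php: the script below drives the openssl command line (assumed to be on PATH; on Windows point OPENSSL at the full path of openssl.exe) to produce server.key, the server.csr that Note 4 sends to a CA, and a self-signed server.crt carrying the CN/OU/O values from Note 3. It then reads the subject back out of the certificate and performs the same CN-versus-host comparison a browser makes, which is the check to run before wondering why the browser still complains. The function and file names are assumptions for this example.

```python
"""Generate a server key, CSR and self-signed certificate, then verify the CN.

Added example; NOT Uniform Server's ssl_gen.php. It assumes an `openssl`
binary on PATH (set OPENSSL to the full path of openssl.exe on Windows).
"""
import os
import subprocess
import tempfile

OPENSSL = "openssl"   # assumption: adjust to the full path if needed


def _run(args):
    """Run one openssl sub-command, raising (with stderr) on failure."""
    return subprocess.run([OPENSSL] + args, check=True,
                          capture_output=True, text=True)


def generate_server_files(outdir, cn, ou, o, days=365, bits=2048):
    """Write server.key, server.csr and server.crt into outdir.

    cn/ou/o are the three values the page's generator prompts for. The
    self-signed certificate is what a local test server uses; the CSR is
    what you send to a CA for a trusted certificate.
    """
    key = os.path.join(outdir, "server.key")
    csr = os.path.join(outdir, "server.csr")
    crt = os.path.join(outdir, "server.crt")
    subj = "/CN=%s/OU=%s/O=%s" % (cn, ou, o)
    # Unencrypted private key: Apache must load it at start-up with no
    # passphrase prompt, so protect it with file permissions instead.
    _run(["genrsa", "-out", key, str(bits)])
    # Certificate signing request: the subject, signed with the key.
    _run(["req", "-new", "-key", key, "-out", csr, "-subj", subj])
    # Self-signed certificate issued from that CSR.
    _run(["x509", "-req", "-in", csr, "-signkey", key, "-out", crt,
          "-days", str(days)])
    return {"key": key, "csr": csr, "crt": crt}


def certificate_subject(crt_path):
    """Return the subject of a PEM certificate as a dict, e.g. {'CN': ...}."""
    out = _run(["x509", "-in", crt_path, "-noout", "-subject",
                "-nameopt", "RFC2253"]).stdout.strip()
    # Output looks like: subject=CN=mydomain.net,OU=Software,O=Fred
    rdn = out.split("=", 1)[1].strip()
    return dict(part.split("=", 1) for part in rdn.split(","))


def cn_matches_host(crt_path, host):
    """The browser's check: does the CN equal the host typed in the URL?

    A mismatch produces a certificate error even for a CA-signed cert.
    """
    return certificate_subject(crt_path).get("CN", "").lower() == host.lower()


def demo():
    """Generate into a temporary folder with the page's example values."""
    with tempfile.TemporaryDirectory() as d:
        files = generate_server_files(d, "mydomain.net", "Software", "Fred",
                                      days=30)
        return {
            "subject": certificate_subject(files["crt"]),
            "match_ok": cn_matches_host(files["crt"], "mydomain.net"),
            "match_localhost": cn_matches_host(files["crt"], "localhost"),
        }


if __name__ == "__main__":
    print(demo())
```

The last two values in demo() are the point: the same certificate passes when the site is opened as https://mydomain.net/ and fails when it is opened as https://localhost/, because the CN is compared literally.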
Browser issues and Problems
With a self-signed certificate your browser will issue warning messages.
This section looks at two browsers, Firefox 3 and IE7, as examples of the type of message you will see and how to resolve it.
Firefox 3.0.11
On viewing a secure page in Firefox you will be greeted with a warning icon and the following error message:
Secure Connection Failed
The solution is to import the certificate into your browser as follows:
- Click link Or you can add an exception…
- Click link Add Exception (opens new pop-up)
- Click link Get Certificate (top right)
- Box bottom left Permanently store this exception Check this box
- Click link Confirm Security Exception
This saves the Certificate and allows you to view the secure server unrestricted.
Note: click the site icon to the left of https://localhost in the address bar. The pop-up reports "Which is run by (unknown)".
A standard SSL certificate, even one signed by a CA, will not resolve the "Which is run by (unknown)" message. What is required is an Extended Validation (EV) SSL certificate, which raises the indicator to green. This type of certificate can be purchased, but at a high price, because both the site and the site owner are verified.
IE 7
On viewing a secure page in IE you will be greeted with a red shield and the following error message:
There is a problem with this website's security certificate
On the alert page click the link Continue to this website (not recommended).
This allows the page to be displayed; notice the navigation bar turns red.
Import the certificate:
A new pop-up titled Certificate is displayed.
How to put SSL server on-line
The server has been locked down to allow only local access. You can develop sites while connected to the Internet knowing that external access is restricted.
To enable external access, either from a local network or from the Internet, you need to edit file:
UniServer\ssl\.htaccess
Locate the following lines:
<pre>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</pre>
These lines restrict access to localhost (IP address 127.0.0.1): Order Deny,Allow evaluates the Deny rules first and then the Allow rules, so every address is denied except the loopback address.
- Order Deny,Allow
- Deny from all
- Allow from 127.0.0.1
Comment the lines out by adding a hash "#" as shown:
<pre>
#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1
</pre>
There is no need to restart the server; .htaccess files are read on every request and your server is now accessible from any address that can reach it. If the content is not meant to be public, combine this with the name/password protection described below.
Note 1: Lines beginning with a hash "#" are comments and are ignored by Apache.
Note 2: There is a corresponding .htaccess file for the unencrypted server, located in root folder www; edit it as above to put that part of the server on-line.
Name/Password protected server
The entire SSL server can be name/password protected as follows:
Edit file UniServer\ssl\.htaccess
Locate the following lines:
<pre>
#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/ssl/.htpasswd
#Require valid-user
</pre>
To enable name/password protection un-comment the lines by removing the hash "#" as shown:
<pre>
AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user
</pre>
No need to restart the servers: .htaccess files are automatically picked up.
Access a secure page on the server, e.g. type https://localhost into your browser. If you have a real domain name use that.
You will be challenged for a name and password. The defaults are root and root; change them before putting the server on-line. Basic authentication sends the name and password with every request, only base64-encoded, which is why it belongs on the SSL side of the server.
Change name and password
You have two methods of changing the name and password: either using Apanel or manually, as follows.
Apanel
- Start Apanel either from Unicontroller or by typing http://localhost/apanel into your browser.
- Using the left menu navigate to section Configurations and click link Private Secure Server Config.
- This opens the Private Secure Server Configuration (SSL) page and displays the current name and password, change these and click the Change button.
Manually edit password file
- Edit file UniServer\htpasswd\ssl\.htpasswd
- Change the current name and password (in that order) to your new values
Note: Use a single colon ":" between name and password; do not enter any spaces or carriage returns at the end of the password.
Name/Password protected single folder
To protect a single folder rather than the entire SSL server, copy the .htaccess file to the folder you want protected.
Edit the copied .htaccess file as explained above; the four lines look like this:
<pre>
AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user
</pre>
Make sure you have not changed the .htaccess file in folder ssl, otherwise the entire server will remain under name/password control. Hence its lines must remain commented out as shown:
<pre>
#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/ssl/.htpasswd
#Require valid-user
</pre>
Note: The name and password are those used for the main SSL server, hence change them as described above.
Name/Password protected multi folders
It is possible to assign each user their own protected folder with a unique name/password pair. For example, take three users: John, Mike and Ruth.
First create three new folders in UniServer\htpasswd\ssl:
- UniServer\htpasswd\ssl\john
- UniServer\htpasswd\ssl\mike
- UniServer\htpasswd\ssl\ruth
Copy file UniServer\htpasswd\ssl\.htpasswd into each of the above folders.
Edit each copied .htpasswd file to hold the new name/password pair you want to assign to that user.
Now create three new folders in UniServer\ssl:
- UniServer\ssl\john
- UniServer\ssl\mike
- UniServer\ssl\ruth
Copy the unmodified file UniServer\ssl\.htaccess to each of these new folders.
Edit each .htaccess file in turn: enable password protection and change the path to the new location of the corresponding .htpasswd file. An example for john:
<pre>
AuthName "John please enter your name and password"
AuthType Basic
AuthUserFile /htpasswd/ssl/john/.htpasswd
Require valid-user
</pre>
Note 1: All files and sub-folders in John's folder are protected by his name/password pair.
Note 2: John has decided to share the information in his protected area with Ruth but not with Mike. Hence John's .htpasswd file will look similar to this:
<pre>
John:xxxxxxx
Ruth:yyyyyyy
</pre>
Note 3: Do not enter any spaces after John's password; only a carriage return is allowed there. After Ruth's password do not enter any spaces or carriage returns.
Note 4: You can add any number of name/password pairs to a .htpasswd file.
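An added example, not Uniform Server's code, covering the .htpasswd handling in "Change name and password" and in the notes just above: it audits the text of a .htpasswd file for the formatting mistakes those notes warn about (stray spaces, blank lines, a missing colon) and produces hashed entries in the two formats Apache's own htpasswd tool writes, $apr1$ MD5-crypt (transcribed from APR's apr_md5_encode) and {SHA}. The entries the page installs (root:root, John:xxxxxxx) are plaintext; Apache on Windows accepts that, but anyone who can read the file learns every password, whereas the hashed forms are accepted by Apache on every platform. The sample file contents are constructed for the example.

```python
"""Audit an Apache .htpasswd file and generate hashed entries.

Added example, not Uniform Server's code. Plaintext entries such as
root:root work with Apache on Windows but expose every password to
anyone who can read the file; $apr1$ and {SHA} entries are accepted
on every platform and are what `htpasswd -m` / `htpasswd -s` write.
"""
import base64
import hashlib
import os

# Constructed sample: John's shared file from the page plus the three
# mistakes the page warns about (trailing space, blank line, no colon).
SAMPLE_HTPASSWD = "John:xxxxxxx\nRuth:yyyyyyy \n\nMike\n"

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v, n):
    """APR's to64(): n crypt-alphabet chars of v, least significant first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return bytes(out)


def apr1_hash(password, salt):
    """Apache $apr1$ MD5-crypt, transcribed from APR's apr_md5_encode."""
    pw = password.encode("utf-8")
    salt = salt.encode("ascii")[:8]
    magic = b"$apr1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    pl = len(pw)
    while pl > 0:                       # mix in alt, len(pw) bytes in total
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                            # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # the stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (magic + salt + b"$" + enc).decode("ascii")


def sha1_hash(password):
    """The {SHA} form: base64 of the raw SHA-1 digest (unsalted)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def new_salt():
    """Eight random characters from the crypt alphabet."""
    return "".join(chr(ITOA64[b & 0x3F]) for b in os.urandom(8))


def verify(password, stored):
    """Check a password against a stored field in any of the three forms."""
    if stored.startswith("$apr1$"):
        salt = stored[6:].split("$", 1)[0]
        return apr1_hash(password, salt) == stored
    if stored.startswith("{SHA}"):
        return sha1_hash(password) == stored
    return stored == password           # plaintext entry, as the page uses


def audit_htpasswd(text):
    """Return ({name: stored}, [problems]) for the text of a .htpasswd file."""
    entries, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            problems.append("line %d: blank line" % n)
            continue
        if line != line.strip():        # a stray space becomes part of the password
            problems.append("line %d: leading or trailing whitespace" % n)
            line = line.strip()
        if ":" not in line:
            problems.append("line %d: no colon between name and password" % n)
            continue
        name, stored = line.split(":", 1)
        if not (stored.startswith("$apr1$") or stored.startswith("{SHA}")):
            problems.append("line %d: user %s has a plaintext password" % (n, name))
        entries[name] = stored
    return entries, problems


def hardened_lines(users):
    """Lines for a new .htpasswd, one $apr1$ entry per (name, password)."""
    return ["%s:%s" % (name, apr1_hash(pw, new_salt())) for name, pw in users]


if __name__ == "__main__":
    found, issues = audit_htpasswd(SAMPLE_HTPASSWD)
    print(found, *issues, sep="\n")
    print(*hardened_lines([("John", "xxxxxxx"), ("Ruth", "yyyyyyy")]), sep="\n")
```

Run against SAMPLE_HTPASSWD the audit reports five problems (two plaintext entries, the space after Ruth's password, the blank line and Mike's line without a colon) and hardened_lines() gives the two lines to paste into John's .htpasswd in place of the plaintext ones. The Apanel form and the page's own defaults keep writing plaintext, so a file edited by hand in this form is the only way to get hashed entries on this setup.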
Related Information
Authentication: Introduction -- How to restrict access directories files etc..
SSL Part 2: Generate CSR -- How to obtain a free certificate
Stunnel: SSL Certificate -- Background information
SSL Part 1: Key & Certificate -- Background information
Summary
The above has shown how easy it is to enable SSL on Uniform Server 5.0-Nano: a few mouse clicks is all it takes.
Likewise it is easy to password protect the server, folders and files.
Next page covers running more than one server on the same PC.