5.0-Nano: Enable SSL

Revision as of 19:37, 11 September 2009 by Ric (talk | contribs)

How to enable SSL on Uniform Server 5.0-Nano

The server has been pre-configured to run SSL; place any pages/site you wish to be encrypted in the root folder ssl.

Uniform Server does not include a test server certificate/key pair, hence a default installation has SSL disabled. The reason is one of security: a certificate/key pair must be unique to that server. After you create a new server certificate/key pair, SSL is automatically enabled in Apache's configuration file.

Creating a new server certificate and key

To create a new server certificate and key use one of the following options:

Apanel option 1

  • In the left menu, scroll down to Plugin Manager
  • Click the link Server Key & Cert Gen
  • A new page opens: Server Certificate and Key Generation
  • Click the link Generate

Apanel option 2

  • In the left menu, click the link Server Security; a new page opens: Security Center
  • Scroll down to the section Server Certificate and Key (SSL)
  • To the right, the link will display Unsecure; click this link
  • It takes you to the page Server Certificate and Key Generation, as per Apanel option 1

Manual option

  • Navigate to the folder unicon\key_cert_gen
  • Double click Run.bat

UniTray option

  • Left or right mouse click on the UniTray icon
  • Mouse-over Advanced and click Server Certificate and key Generator

Common to all options

The certificate and key generation script will prompt for three pieces of information.

If you are running a local test server, just press Enter to accept the defaults.

If you have a real domain name, for example www.fred.com, enter that at the CN prompt.

The three pieces of information requested are:

  • CN (common name prompt): enter localhost or your real domain name
  • OU (organisation unit): not strictly required, hence enter something that meets your requirements
  • O (organisation): not strictly required, hence enter something that meets your requirements

General notes

Note 1:

Once the server certificate and key have been generated, restart the servers so that Apache picks up the new configuration.

Note 2:

View secure pages by typing https://localhost/ into your browser.

Or, if you have a real domain name: https://www.mydomain.com/

Note 3:

You can change the defaults for CN, OU and O by editing the file unicon\key_cert_gen\ssl_gen.php

Locate this section:

// Get user input
//********* Edit defaults *****************************************************

$str1 = &prompt_user("  CN Common Name. Your full domain name ", "localhost");
$str2 = &prompt_user("  OU Organization Unit (eg, section)  ", "Secure demo");
$str3 = &prompt_user("  O  Organization Name (eg, company)    ", "UniServer");
print "\n ";

//********* Do not Edit below this line ***************************************

If your site is accessed by typing mydomain.net into a browser, your company is Fred and it has a section Software, the lines are as follows:

// Get user input
//********* Edit defaults *****************************************************

$str1 = &prompt_user("  CN Common Name. Your full domain name ", "mydomain.net");
$str2 = &prompt_user("  OU Organization Unit (eg, section)  ", "Fred");
$str3 = &prompt_user("  O  Organization Name (eg, company)    ", "Software");
print "\n ";

//********* Do not Edit below this line ***************************************

Note 4:

It is strongly recommended that you obtain a certificate signed by a trusted CA; check out Uniform Server's Wiki for details:

SSL Part 2: CAcert Signing Process

You will require the certificate signing request; this is located in the folder

unicon\key_cert_gen, file name server.csr

Note 5:

If you need to create a new key and certificate repeat the above.

Browser issues and Problems

When using self-signed certificates your browser will issue error messages.

This section looks at two browsers, FireFox 3.0.5 and IE7, which provide examples of the type of error messages you will see and how to resolve them.

FireFox 3.0.11

On viewing a secure page in FireFox you will be greeted with this little chap and the following error message:

Secure Connection Failed
The certificate is not trusted because it is self signed.
(Error code: sec_error_ca_cert_invalid)

The solution is to import the certificate into your browser as follows:

  1. Click the link Or you can add an exception…
  2. Click the link Add Exception (opens a new pop-up)
  3. Click the link Get Certificate (top right)
  4. In the box bottom left, Permanently store this exception, check this box
  5. Click the link Confirm Security Exception

This saves the certificate and allows you to view the secure server unrestricted.

Note: to the left of https://localhost the symbol turns blue. Blue indicates a secure encrypted connection.

Click this icon. A drop down is displayed; the information shows the connection is secure.

What about "Which is run by unknown"?

A standard SSL certificate, even one signed by a CA, will not resolve the “Which is run by unknown” issue. What is required is an Extended Validation (EV) SSL certificate; this raises the security level to green. You can purchase this type of signing, however it comes at a high price because both the site and the site owner require verification.

IE 7

On viewing a secure page in IE you will be greeted with a red shield and the following error message:

There is a problem with this website's security certificate
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

On the alert page click the link Continue to this website (not recommended).
This allows the page to be displayed; notice the navigation bar turns "red".

Import the certificate:

  1. Click the icon Certificate error to the right of the navigation bar. A pop-up is displayed: Untrusted Certificate.
  2. At the bottom of this pop-up click View Certificates.

A new pop-up is displayed: Certificate

  1. Click Install Certificate and follow the instructions.
  2. Either refresh the page or restart IE. When the page is viewed, a normal secure navigation bar is displayed.

How to put SSL server on-line

The server has been locked down allowing only local access. You can develop sites while connected to the Internet knowing that external access has been restricted.

To enable external access either on a local network or from the Internet you need to edit file:

UniServer\ssl\.htaccess

Locate the following lines:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

These lines restrict access to localhost (the loopback address 127.0.0.1):

  • Order Deny,Allow
  • Deny from all
  • Allow from 127.0.0.1

Comment the lines out by adding a hash "#" as shown:

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

There is no need to restart the server; your server is now externally accessible.

Note 1: All lines starting with a hash are comments and are ignored by Apache.

Note 2: There is a corresponding .htaccess file for the unencrypted server; this is located in the root folder www. Edit this file as above to put this part of the server on-line.

Name/Password protected server

The entire SSL server can be name/password protected as follows:

Edit file UniServer\ssl\.htaccess

Locate the following lines:

#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/ssl/.htpasswd
#Require valid-user

To enable name/password protection, un-comment the lines by removing the hash "#" as shown:

AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user

There is no need to restart the servers; .htaccess files are automatically picked up.

Access a secure page on the server, e.g. type https://localhost into your browser. If you have a real domain name, use that.

You will be challenged for a name and password. The defaults are root and root.

Change name and password

You have two methods of changing the name and password: either using Apanel or manually, as follows.

Apanel

  1. Start Apanel either from Unicontroller or by typing http://localhost/apanel into your browser.
  2. Using the left menu, navigate to the section Configurations and click the link Private Secure Server Config.
  3. This opens the Private Secure Server Configuration (SSL) page and displays the current name and password; change these and click the Change button.

Manually edit password file

  1. Edit the file UniServer\htpasswd\ssl\.htpasswd
  2. Change the current name and password (in that order) to your new values

Note: Use a single colon ":" between name and password; do not enter any spaces or carriage returns at the end of the password.

Name/Password protected single folder

To protect a single folder rather than the entire SSL server, copy the .htaccess file to the folder you want protected.

Edit the copied .htaccess file as explained above; the four lines look like this:

AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user

Make sure you have not changed the .htaccess file in ssl, otherwise the entire server will remain under name/password control. Hence its lines must be commented out as shown:

#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/ssl/.htpasswd
#Require valid-user

Note: The name and password are those used for the main SSL server; change these as described above.
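The sections above describe two switches in UniServer\ssl\.htaccess: the Order/Deny/Allow lines that lock the server to localhost, and the four Auth lines that enable name/password protection. The following is an added example, not part of the original page or of Uniform Server, that reads an .htaccess text and reports which of the two are active, so you can confirm before going on-line that you have not left the server externally reachable without a password. The sample file contents are constructed from the lines shown on this page.

```python
# Constructed sample: the .htaccess as shipped (localhost only, auth commented out)
HTACCESS_LOCKED = """\
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/ssl/.htpasswd
#Require valid-user
"""

# Constructed sample: after following the page, on-line with Basic auth enabled
HTACCESS_ONLINE_AUTH = """\
#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user
"""


def active_directives(text):
    """Return the directives Apache will act on: blank and '#' lines are ignored."""
    lines = (raw.strip() for raw in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def audit_htaccess(text):
    """Classify an .htaccess as the page describes: localhost-only or externally
    reachable, and whether Basic auth is fully enabled (a half-edited auth block,
    e.g. Require uncommented but AuthUserFile still commented, counts as off)."""
    active = [d.lower() for d in active_directives(text)]
    deny_all = "deny from all" in active
    allow_local = any(d.startswith("allow from") and "127.0.0.1" in d for d in active)
    local_only = deny_all and allow_local
    auth_on = ("require valid-user" in active
               and any(d.startswith("authuserfile") for d in active)
               and "authtype basic" in active)
    if local_only:
        exposure = "localhost only"
    elif auth_on:
        exposure = "external, password protected"
    else:
        exposure = "external, unauthenticated"
    return {"local_only": local_only, "auth_enabled": auth_on, "exposure": exposure}


if __name__ == "__main__":
    for name, text in (("as shipped", HTACCESS_LOCKED), ("on-line", HTACCESS_ONLINE_AUTH)):
        print(name, audit_htaccess(text))
```

Run it against the real file with audit_htaccess(open(r"UniServer\ssl\.htaccess").read()); "external, unauthenticated" is the state to avoid before connecting the server to the Internet.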

Name/Password protected multi folders

It is possible to assign a user their own protected folder with a unique name/password pair. For example, take these three users: John, Mike and Ruth.

First create three new folders in UniServer\udrive\htpasswd\ssl

  • UniServer\htpasswd\ssl\john
  • UniServer\htpasswd\ssl\mike
  • UniServer\htpasswd\ssl\ruth

Copy file UniServer\htpasswd\ssl\.htpasswd into each of the above folders.

Edit each copied .htpasswd file to have the new name/password pair you want to assign to each user.

Now create three new folders in UniServer\ssl

  • UniServer\ssl\john
  • UniServer\ssl\mike
  • UniServer\ssl\ruth

Copy the unmodified file UniServer\udrive\ssl\.htaccess to each of these new folders.

Edit each .htaccess file in turn: enable password protection and change the path to the new location of the corresponding .htpasswd file. I have shown an example for john:

AuthName "John please enter your name and password"
AuthType Basic
AuthUserFile /htpasswd/ssl/john/.htpasswd
Require valid-user

Note 1: All files and sub-folders in John's folder are protected by his name/password pair.

Note 2: John has decided to share the information in his protected area with Ruth but not with Mike. Hence John's .htpasswd file will look similar to this:

John:xxxxxxx
Ruth:yyyyyyy

Note 3: Do not enter any spaces after John's password; only a carriage return is allowed. After Ruth's password do not enter any spaces or carriage returns.

Note 4: You can add any number of name/password pairs to a .htpasswd file.
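The notes above give the rules for a hand-edited .htpasswd file: one name:password pair per line, a single colon, no spaces, and no carriage return after the last password. As an added example (not part of the original page or of Uniform Server), the checker below applies those rules to a file's text and lists the users it grants access to, which is a quick way to confirm that John's folder is shared with Ruth and nobody else. The sample contents are constructed.

```python
# Constructed samples: the shared-folder file from Note 2, plus typical editing slips
GOOD = "John:xxxxxxx\nRuth:yyyyyyy"
TRAILING_SPACE = "John:xxxxxxx \nRuth:yyyyyyy"
EXTRA_COLON = "John:xx:xx\nRuth:yyyyyyy"
TRAILING_NEWLINE = "John:xxxxxxx\nRuth:yyyyyyy\n"


def check_htpasswd(text):
    """Return a list of problems found in the file text (empty list means it follows
    the rules on this page). Windows CRLF line endings between entries are accepted."""
    problems = []
    if text.endswith("\n"):
        problems.append("carriage return after the last password")
    seen = set()
    for n, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")
        if line == "":
            problems.append(f"line {n}: empty line")
            continue
        if line.count(":") != 1:
            problems.append(f"line {n}: expected exactly one ':' between name and password")
            continue
        name, password = line.split(":")
        if name != name.strip() or password != password.strip():
            problems.append(f"line {n}: spaces around the name or password")
        if not name or not password:
            problems.append(f"line {n}: empty name or password")
        if name in seen:
            problems.append(f"line {n}: duplicate user {name}")
        seen.add(name)
    return problems


def granted_users(text):
    """Names that will be accepted by 'Require valid-user' for this file."""
    return [line.split(":", 1)[0] for line in text.split("\n") if ":" in line]


if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("space", TRAILING_SPACE),
                          ("colon", EXTRA_COLON), ("newline", TRAILING_NEWLINE)):
        print(label, granted_users(sample), check_htpasswd(sample))
```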

Related Information

Authentication: Introduction -- How to restrict access to directories, files etc.

SSL Part 2: Generate CSR -- How to obtain a free certificate

Stunnel: SSL Certificate -- Background information

SSL Part 1: Key & Certificate -- Background information

Summary

The above has shown how easy it is to enable SSL on Uniform Server 5.0-Nano; a few mouse clicks is all it takes.

Likewise, it is easy to password protect the server, folders and files.

The next page covers running more than one server on the same PC.