Mini Servers: Apache 2.2.9 Portable - Authentication SSL

From The Uniform Server Wiki
Revision as of 18:28, 5 October 2008 by Ric



Mini Server 4 using Apache 2.2.9 Core and SSL

You can enable SSL on any of the mini servers. This write-up uses Mini Server 3 as a starting point: it already has basic authentication enabled, enhanced with mod_rewrite, which makes it useful for demonstrating a secure log-in server.

This mini server uses a self-signed certificate, which is ideal for a private server. Non-standard ports 8084 and 444 are used for the main and secure servers respectively. The following details how to enable SSL and create a self-signed certificate.

Folder structure

SSL serves pages from a virtual host. I have mapped this to root folder wwws; the main server will continue to serve unencrypted pages from folder www.

I have chosen to store the server certificate and key in separate folders, ssl.crt and ssl.key respectively. Create these folders in folder *\udrive\usr\local\apache2\conf.

This folder structure is a personal preference; you are free to choose whatever structure you like. Make sure not to store either the server key or the certificate inside a document root folder (www or wwws), otherwise they could be served to web clients.

Configuration file structure

You can place all Apache SSL directives in the main configuration file httpd.conf; however, I prefer to use a separate configuration file, ssl.conf. This makes it easier to test and fault-find. Again, your choice.


How to add SSL

SSL depends on two modules. Add the following directives to the modules section of httpd.conf:

LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so

From the full Apache package you downloaded, copy the two modules (mod_setenvif.so and mod_ssl.so) to folder *\udrive\usr\local\apache2\modules. Check out the download page for details on how to obtain a full copy of Apache.

I have chosen to use a separate configuration file for SSL directives. This is effectively an extension of the main configuration file. Apache needs to know where to find this file, so add the following to the end of httpd.conf:

# Bring in additional module-specific configurations
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

This says: if the SSL module has been enabled, pull in the configuration file ssl.conf.

Note: Strictly speaking, mod_setenvif.so is not required to enable SSL; it is used to work around deficiencies in some browsers (see the SetEnvIf directive in ssl.conf).


ssl.conf

This configuration file is based on the example included with the full Apache download. It has been stripped down removing directives not required for a mini server.

A virtual host inherits settings from the main server. I use per-directory settings and need to include the following section to enable .htaccess overriding:

#== Server Root folder:
<Directory "/wwws"> 
  AllowOverride All
  Order allow,deny 
  Allow from all 
</Directory> 


Complete configuration files

Enabling SSL on Apache requires few changes to the main configuration; add a separate SSL config and you are ready to go. I have assumed a server certificate and key are in place. The finished configuration files are shown below.


httpd.conf

# ================================================= 
# Modules 
# =================================================
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so

LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so

LoadModule rewrite_module modules/mod_rewrite.so

LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so

# ================================================= 
# Basic settings 
# ================================================= 
  Listen 8084 
  ServerName localhost:8084
  ServerAdmin fred@www.somedomain.com 
  UseCanonicalName Off 
  ServerSignature Off 
  HostnameLookups Off 
  ServerTokens Prod 
  ServerRoot "/usr/local/apache2"
  DocumentRoot "/www" 
  PidFile /usr/local/apache2/logs/httpd.pid 
<IfModule mod_dir.c> 
   DirectoryIndex index.html index.htm
</IfModule> 

# ================================================= 
# HTTP and performance settings 
# ================================================= 
  Timeout 300 
  KeepAlive On 
  MaxKeepAliveRequests 100 
  KeepAliveTimeout 15 
<IfModule mpm_winnt.c>
   ThreadsPerChild 64
   MaxRequestsPerChild  0
</IfModule>

# ================================================= 
# Access control 
# ================================================= 
<Directory />
  Options None 
  AllowOverride None 
  Order deny,allow 
  Deny from all 
</Directory> 

<Directory "/www"> 
  AllowOverride All
  Order allow,deny 
  Allow from all 
</Directory> 

AccessFileName .htaccess
# The following lines prevent .htaccess and .htpasswd
# files from being viewed by Web clients.

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
# ================================================= 
# MIME encoding 
# ================================================= 
DefaultType text/plain 
  TypesConfig /usr/local/apache2/conf/mime.types 

# ================================================= 
# Logs: debug, info, notice, warn, error, crit
# ================================================= 
  LogLevel warn 
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 
  LogFormat "%h %l %u %t \"%r\" %>s %b" common 
  LogFormat "%{Referer}i -> %U" referer 
  LogFormat "%{User-agent}i" agent 
  ErrorLog "logs/error_log" 
  CustomLog "logs/access.log" combined
# ================================================= 
# Bring in additional module-specific configurations

<IfModule mod_ssl.c>
  Include conf/ssl.conf
</IfModule>


ssl.conf

#################### Global SSL ##########################
Listen 444
#== Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#== Pass Phrase Dialog: (`builtin' is an internal terminal dialog)
SSLPassPhraseDialog  builtin

#== Inter-Process Session Cache:
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

#== Mutex the SSL engine uses internally for inter-process synchronization.
SSLMutex default

#== Pseudo Random Number Generator (PRNG):
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

########### SSL Virtual Host ############################

NameVirtualHost *:444
<VirtualHost _default_:444>

ServerName localhost
DocumentRoot /wwws
ServerAdmin you@example.com

ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log

#== SSL Engine Switch:
SSLEngine on

#== SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2

#== Server Certificate:
SSLCertificateFile conf/ssl.crt/server.crt

#== Server Private Key:
SSLCertificateKeyFile conf/ssl.key/server.key

#== Server Root folder:
<Directory "/wwws"> 
  AllowOverride All
  Order allow,deny 
  Allow from all 
</Directory> 

#== Most problems of broken clients are related to the HTTP
# keep-alive facility. Disable keep-alive for those clients.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

</VirtualHost>                  
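As an added check, not part of the mini server or its configuration files, this Python audits the ssl.conf above (transcribed here as a constructed string, with the ServerRoot taken from httpd.conf) for two points raised on this page: that the key must not live under a document root, and what the SSLCipherSuite string actually leaves enabled. The cipher evaluation is a class-level approximation of OpenSSL's cipher-string grammar, an assumption of this example.

```python
import posixpath
import re

# Constructed excerpt of the ssl.conf shown above, plus the ServerRoot that
# httpd.conf supplies; this is not the file shipped with the mini server.
SSL_CONF = """\
ServerRoot "/usr/local/apache2"
DocumentRoot /wwws
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2
SSLCertificateKeyFile conf/ssl.key/server.key
"""

# Class-level approximation of OpenSSL's cipher-string grammar (real OpenSSL
# works on individual suites, many of which belong to several classes).
WEAK = {"LOW", "EXPORT40", "EXPORT56", "ADH", "RC4", "MD5", "SSLv2", "eNULL"}
ALL = {"HIGH", "MEDIUM", "LOW", "EXPORT40", "EXPORT56", "ADH", "RC4", "MD5", "SSLv2"}
ALIAS = {"ALL": ALL, "EXP": {"EXPORT40", "EXPORT56"}, "aNULL": {"ADH"},
         "NULL": {"eNULL"}, "COMPLEMENTOFALL": {"eNULL"}}

def classes(name):
    return set(ALIAS.get(name, {name}))

def enabled_weak_classes(cipher_string):
    """Weak classes still enabled once the SSLCipherSuite value is evaluated.
    '!' removes a class for good, '-' removes it until re-added, '+' only
    reorders ('+eNULL' does not switch null encryption on, and '+LOW' does not
    switch LOW off), and 'A+B' selects suites that are in both A and B."""
    enabled, killed = set(), set()
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            killed |= classes(token[1:])
        elif token.startswith("-"):
            enabled -= classes(token[1:])
        elif token.startswith("+"):
            continue
        else:
            for part in token.split("+"):
                enabled |= classes(part)
    return sorted((enabled - killed) & WEAK)

def directives(text):
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2).strip('"')
    return found

def audit(text):
    d = directives(text)
    key = posixpath.normpath(posixpath.join(d["ServerRoot"], d["SSLCertificateKeyFile"]))
    docroot = posixpath.normpath(d["DocumentRoot"])
    protocol = d["SSLProtocol"].split()
    return {
        "weak_ciphers": enabled_weak_classes(d["SSLCipherSuite"]),
        "sslv2_disabled": "-SSLv2" in protocol or not {"all", "SSLv2"} & set(protocol),
        "key_in_docroot": key == docroot or key.startswith(docroot + "/"),
    }
```

On the string above it reports EXPORT40, LOW, MD5, RC4 and SSLv2 suites still enabled: ALL brings them in, the '+' tokens only reorder, and '!EXPORT56' removes just the 56-bit export suites. The key check passes for the layout this page recommends and fails once the key is moved under /wwws.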


Move sites

This server includes the example sites from Mini Server 3; I have moved these from folder www to the secure folder wwws.

For testing I added a new index page to the non-secure server (www) and included a few links to cross-connect the two.


Support files

Each mini server is complete and zipped into a single self-extracting archive file.

Download

Download this server from the SourceForge Project Page and save the file mini_server_4.exe to any folder of your choice.

Note: Check out the mini server's support and download page detailing how to obtain full binaries for Apache.


Extract files

Double click on mini_server_4.exe to start the extraction process. There is no need to change the destination folder; click Extract. This creates a new folder mini_server_4 containing two files and one folder.

  1. server_start.bat - Double click to start the server
  2. server_stop.bat - Double click to stop server
  3. udrive - Folder containing server and your web site.


Test

Testing is straightforward.

  1. Start the server by double clicking on server_start.bat (this automatically detects a free drive letter, creates a new virtual drive and runs the server).
  2. Start a web browser.
  3. Type http://localhost:8084/ into the browser address bar.
  4. An index page is displayed; check out the secure areas by clicking the links secure1 or secure2.
  5. Stop the server by double clicking on server_stop.bat.

Note: At step 4 your browser will have a moan about the certificate; check out this page and train your browser to accept the certificate.


Authentication

I have added two examples to demonstrate the use of .htaccess files to protect folders using basic authentication, enhanced in turn by mod_rewrite. A full write-up of this concept can be found on the page Basic authentication and redirection.


Secure1

From the main index page click on the secure link. This takes you to a protected folder where you will be challenged for a name and password. Enter one of the name/password pairs shown and you will be able to view a single personal page. Each page contains cross links to other personal pages; see what happens when you click one of these links.

Note: To log in again you must restart your browser.

Folder secure is protected by the following .htaccess file:

AuthName "To give you a clue the following are the name:password pairs: John:21, Dave Smith:22 and Mike:23 these will take you to the private pages."
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Options +FollowSymLinks
#Options +Indexes
RewriteEngine On
RewriteBase /

RewriteCond $1 !^John\.html
RewriteCond %{REMOTE_USER} ^John$
RewriteRule (.*) /secure/John.html [R,L]

RewriteCond $1 !^Dave\.html
RewriteCond %{REMOTE_USER} ^Dave\ Smith$
RewriteRule (.*) /secure/Dave.html [R,L]

RewriteCond $1 !^Mike\.html
RewriteCond %{REMOTE_USER} ^Mike$
RewriteRule (.*) /secure/Mike.html [R,L]

Note: Make sure to change the AuthName line to something like "Please login to your secure page". I included the name/password pairs only to make testing easier.


Secure2

From the main index page click on the secure2 link. This takes you to a protected folder where you will be challenged for a name and password. Enter one of the name/password pairs shown and you will be able to view the contents of a personal folder. Each personal index page contains cross links to other personal folders; see what happens when you click one of these links.

Note: To log in again you must restart your browser.

Folder secure2 is protected by the following .htaccess file:

AuthName "To give you a clue the following are the name:password pairs: Jane:41, Dawn:42 and Ruth Smith:43 these will take you to the private folders."
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

RewriteCond $1 !^mpg1/
RewriteCond %{REMOTE_USER} ^Jane$
RewriteRule ^(.*) secure2/mpg1/$1 [R,L]

RewriteCond $1 !^mpg2/
RewriteCond %{REMOTE_USER} ^Dawn$
RewriteRule ^(.*) secure2/mpg2/$1 [R,L]

RewriteCond $1 !^mpg3/
RewriteCond %{REMOTE_USER} ^Ruth\ Smith$
RewriteRule ^(.*) secure2/mpg3/$1 [R,L]

Note: Make sure to change the AuthName line to something like "Please login to your secure folder". I included the name/password pairs only to make testing easier.
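To see where the rules in the secure and secure2 .htaccess files above send each user, here is an added Python simulation (not part of the mini server; the rule tables are transcribed from the two files, and the REMOTE_USER check and the negated $1 guard are modelled as mod_rewrite evaluates them in per-directory context):

```python
import re

# Rule tables transcribed from the two .htaccess files above (constructed for
# this simulation; the server itself evaluates the real files with mod_rewrite).
# Each entry: (pattern $1 must NOT match, pattern REMOTE_USER must match, target).
SECURE1_RULES = [
    (r"^John\.html", r"^John$", "/secure/John.html"),
    (r"^Dave\.html", r"^Dave Smith$", "/secure/Dave.html"),
    (r"^Mike\.html", r"^Mike$", "/secure/Mike.html"),
]
SECURE2_RULES = [
    (r"^mpg1/", r"^Jane$", "/secure2/mpg1/$1"),   # RewriteBase / is prepended
    (r"^mpg2/", r"^Dawn$", "/secure2/mpg2/$1"),
    (r"^mpg3/", r"^Ruth Smith$", "/secure2/mpg3/$1"),
]

def rewrite(remote_user, rel_path, rules):
    """One pass over the rule set for a single request.

    rel_path is what 'RewriteRule (.*)' captures as $1: the request path with
    the protected folder's prefix stripped ('' for the folder itself).
    Returns the [R,L] redirect target, or None when the request is served
    as-is. A valid user that no rule names therefore gets whatever was asked
    for; only 'Require valid-user' restricts access.
    """
    for guard, user_pattern, target in rules:
        if re.search(guard, rel_path):            # 'RewriteCond $1 !guard' fails
            continue
        if not re.search(user_pattern, remote_user):
            continue                               # not this user's rule
        return target.replace("$1", rel_path)      # first match wins: [R,L]
    return None

def follow(remote_user, rel_path, rules, folder, limit=5):
    """Replay the browser's view: follow redirects until a request is served.

    Returns the list of redirect targets; raises if the rules loop, which is
    what the negated $1 guards exist to prevent.
    """
    hops, path = [], rel_path
    for _ in range(limit):
        target = rewrite(remote_user, path, rules)
        if target is None:
            return hops
        hops.append(target)
        path = target[len(folder):]                # the next request's $1
    raise RuntimeError("rewrite loop for %s" % remote_user)

if __name__ == "__main__":
    for user, path, rules, folder in [
        ("John", "Dave.html", SECURE1_RULES, "/secure/"),
        ("Eve", "Dave.html", SECURE1_RULES, "/secure/"),   # valid user, no rule
        ("Jane", "mpg2/index.html", SECURE2_RULES, "/secure2/"),
    ]:
        print(user, folder + path, "->", follow(user, path, rules, folder))
```

Note the secure2 case: the substitution prefixes $1 rather than replacing it, so Jane's click on a link into mpg2/ is redirected to /secure2/mpg1/mpg2/index.html, a nested path under her own folder.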


Generate new server Certificate and key

The download includes a server key and certificate you can use for testing; however, these are compromised (known to anyone who downloads the server), so you need to create a new self-signed certificate.

The generation section includes OpenSSL 0.9.8h, again taken from the full Apache download. A single batch file, z_complete.bat, automates the certificate and key generation process.

To create a new certificate and key, double click on z_complete.bat, located in folder *\mini_server_4\udrive\key_cert_gen_ssl_098h\key_cert_gen, and follow the instructions.

The file executes the following batch files in turn: clean.bat, mpg1.bat, mpg2.bat, mpg3.bat and mpg4.bat. For background information check out these pages: Stunnel: SSL Certificate and SSL Part 1: Key & Certificate.

The following shows a typical run:

1) Removing old files


2) Enter a pass phrase and certificate information

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...........................................++++++
....++++++
writing new private key to 'server.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name or County (full name) [Cambridgeshire]:
Locality Name (eg, city or town) [Cambridge]:
Organization Name (eg, company) [Unicenter]:
Organizational Unit Name (eg, section) [Demo Example: Uniform Server Development
 Team]:
Common Name (eg, your websites domain name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

3) This will remove the past phrase

Enter pass phrase for server.pem:
writing RSA key

4) Creating a self-signed certificate

Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=Cambridgeshire/L=Cambridge/O=Unicenter/OU=Demo Example: Uniform
 Server Development Team/CN=localhost
Getting Private key

5) Copying Key and certificate to server

        1 file(s) copied.
        1 file(s) copied.

If you made a mistake run this batch file again

Press any key to continue . . .

1) Removes all old files before starting a new certificate and key generation.

2) Enter PEM pass phrase: this can be anything you like; it is eventually removed, so keep it short, e.g. fred.

You are then asked to enter certificate information. With the exception of Common Name, I have accepted the defaults by pressing the enter key. You can enter your own personal information; however, for a self-signed certificate it really is insignificant.

Of prime importance is the Common Name: you must enter your domain name, for example www.fred.com. If you do not have a domain, enter localhost (this will keep IE happy, especially if you want to save the certificate).

Country Name (2 letter code) [GB]:
State or Province Name or County (full name) [Cambridgeshire]:
Locality Name (eg, city or town) [Cambridge]:
Organization Name (eg, company) [Unicenter]:
Organizational Unit Name (eg, section) [Demo Example: Uniform Server Development Team]:
Common Name (eg, your websites domain name) []:localhost
Email Address []:

Extra attributes: just press enter; do not enter any values, as these are never used.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

3) This is where the pass phrase is removed. Enter fred, or whatever you decided to use.

4) The self-signed certificate is created automatically.

5) Once created, both the certificate and key are copied to their server folders.

Note: If you make a mistake, not to worry; you can run this batch file as many times as you like. Run the server and view your certificate in a browser. If it is not what you expected, just run the batch file again. Remember each certificate is unique (Loading 'screen' into random state - done) even if you use the same information.


Change Virtual Drive

The server automatically detects the first free drive letter and runs on that drive. You can override this in one of two ways:

  1. Start the server with a drive parameter, for example: server_start.bat z. This forces the server to use drive z.
  2. Edit server_start.bat and locate the following line:
      rem set Disk=w
    Remove the rem and replace w with the letter you want to use, for example:
      set Disk=x
    This forces the server to use drive letter x.


Change server default port

Main Server

  • Open file: httpd.conf (Located in folder: \mini_server_4\udrive\usr\local\apache2\conf)
  • Locate the lines:
    Listen 8084
    ServerName localhost:8084
  • Change to:
    Listen 8080
    ServerName localhost:8080

This moves the server to the standard secondary web server port.

Note: To view the site type http://localhost:8080 into a browser.

If the port is already in use, try any value above 2000.

Secure Server

  • Open file: ssl.conf (Located in folder: \mini_server_4\udrive\usr\local\apache2\conf)
  • Locate the lines:
    Listen 444
    NameVirtualHost *:444
    <VirtualHost _default_:444>
  • Change to:
    Listen 443
    NameVirtualHost *:443
    <VirtualHost _default_:443>

This moves the server to the standard web server secure port.

Note: To view the site type https://localhost into a browser.


Multi Servers

If you wish to run several mini servers at the same time, create a new folder for each server and copy the contents of mini_server_4 into each of these.

Change the server port for each server so that it is unique, including the secure port 444. The servers may be started in any order.

Note: You can run the mini servers alongside Uniform Server 3.5-Apollo; however, you must start Uniform Server first.


Summary

These mini-servers are intended to show you how to build in functionality as and when required, primarily to remove bloat and increase security. You now have a basic server with the capability of mod_rewrite and basic authentication to protect individual folders. With encryption (SSL), passwords and data are secured in transit.

The next server is a dedicated (standalone) server using SSL; there is no main insecure server.



Ric