Mini Servers: Apache 2.2.9 Portable - Authentication SSL Standalone

From The Uniform Server Wiki
Revision as of 13:01, 5 November 2011 by Ric (talk | contribs) (→‎Download)
Jump to navigation Jump to search

Mini Servers:  Introduction | Support | Server 1 - Portable | Server 2 - Service | Server 3 - Portable Authentication | Server 4 - Portable Authen. SSL | Server 5 - SSL Standalone | Browsers dislike self-signed certificates | Server 6 - PHP 5.2.6 Portable | Server 7 - PHP 5.2.6 Service | Server 8 - MySQL Support | Guest Book | Server 9 - Perl 5.2.6 Portable | Server 10 - Perl 5.2.6 Service | Server 11 - MySQL 5.0.67 Portable | Server 12 - MySQL 5.0.67 Service | Server 13 - MySQL 4.1.22 Portable | Server 14 - MySQL 4.1.22 Service | phpMyAdmin - Mini support | MySQL - General problems

Mini Servers:
Compact but fully functional.
Apache 2.2.9 Portable - Authentication SSL Standalone
Apache 2.2.9 Portable - Authentication SSL Standalone

Mini Server 5 using Apache 2.2.9 Core and SSL

This server shows how to create a standalone secure server. It is based on mini server 4 several changes have been made. The server no longer uses a virtual host to run SSL this is now part of the main sever configuration.

Protected folders are no longer protected using an htacces file these have been deleted and replaced by appropriate folder directives in the main configuration file. This is not a requirement for a standalone server I have seen numerous statements saying something like "you can use these htaccess commands the main httpd configuration file" and never show how it is done. Hence reason for removing htaccess files.

In a similar vain I have chosen not to use the standard secure port 443 instead I use a non standard port 8085.

Top

Changes made to server 4

The following changes have been made to server 4

  • Deleted root folder www
  • Renamed root folder wwws to www
  • Deleted the htaccess file from both folders secure1 and secure2
  • Deleted the configuration file ssl.conf
  • All Apache directive now reside in the main configuration file httpd.conf
  • Changed the secure port to 8085

Top

Complete configuration file

The following shows the new configuration file httpd.conf

# ================================================= 
# Modules 
# =================================================
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so

LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so

LoadModule rewrite_module modules/mod_rewrite.so

LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so

# ================================================= 
# Basic settings 
# ================================================= 
# Listen 443 
  Listen 8085 
  ServerName localhost
  ServerAdmin fred@www.somedomain.com 
  UseCanonicalName Off 
  ServerSignature Off 
  HostnameLookups Off 
  ServerTokens Prod 
  ServerRoot "/usr/local/apache2"
  DocumentRoot "/www" 
  PidFile /usr/local/apache2/logs/httpd.pid 
<IfModule mod_dir.c> 
   DirectoryIndex index.html index.htm
</IfModule> 

# ================================================= 
# HTTP and performance settings 
# ================================================= 
  Timeout 300 
  KeepAlive On 
  MaxKeepAliveRequests 100 
  KeepAliveTimeout 15 
<IfModule mpm_winnt.c>
   ThreadsPerChild 64
   MaxRequestsPerChild  0
</IfModule>

# ================================================= 
# Access control 
# ================================================= 
<Directory />
  Options None 
  AllowOverride None 
  Order deny,allow 
  Deny from all 
</Directory> 

<Directory "/www"> 
  AllowOverride all
  Order allow,deny 
  Allow from all 
</Directory> 

# ================================================= 
# MIME encoding 
# ================================================= 
DefaultType text/plain 
  TypesConfig /usr/local/apache2/conf/mime.types 

# ================================================= 
# Logs: debug, info, notice, warn, error, crit
# ================================================= 
  LogLevel warn 
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 
  LogFormat "%h %l %u %t \"%r\" %>s %b" common 
  LogFormat "%{Referer}i -> %U" referer 
  LogFormat "%{User-agent}i" agent 
  ErrorLog "logs/error_log" 
  CustomLog "logs/access.log" combined
# ================================================= 

#################### Global SSL ##########################

#== Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#== Pass Phrase Dialog:(`builtin' is a internal terminal dialog)
SSLPassPhraseDialog  builtin

#== Inter-Process Session Cache:
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

#== SSL engine uses internally for inter-process synchronization. 
SSLMutex default

#== Pseudo Random Number Generator (PRNG):
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

#== SSL Engine Switch:
SSLEngine on

#== SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2

#== Server Certificate:
SSLCertificateFile conf/ssl.crt/server.crt

#== Server Private Key:
SSLCertificateKeyFile conf/ssl.key/server.key

#== Most problems of broken clients are related to the HTTP
# keep-alive facility. Disable keep-alive for those clients.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# ================================================= 
# Directory specific - Personal pages
# ================================================= 
<Directory "/www/secure1"> 
AuthName "To give you a clue the following are the name:password pairs: John:21, Dave Smith:22 and Mike:23 these will take you to the private pages."
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Options +FollowSymLinks
#Options +Indexes
RewriteEngine On
RewriteBase /

RewriteCond $1 !^John\.html
RewriteCond %{REMOTE_user} ^John$
RewriteRule ^(.*) secure/John.html [R,L]

RewriteCond $1 !^Dave\.html
RewriteCond %{REMOTE_user} ^Dave\ Smith$
RewriteRule ^(.*) secure/Dave.html [R,L]

RewriteCond $1 !^Mike\.html
RewriteCond %{REMOTE_user} ^Mike$
RewriteRule ^(.*) secure/Mike.html [R,L]
</Directory> 

# ================================================= 
# Directory specific - Personal folders
# ================================================= 
<Directory "/www/secure2"> 
AuthName "To give you a clue the following are the name:password pairs: Jane:41, Dawn:42 and Ruth Smith:43 these will take you to the private folders."
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

RewriteEngine on
RewriteCond %{REMOTE_user} ^Jane$
#RewriteRule  ^(.*) www/secure2/mpg1/$1 [R,L]
RewriteRule  ^(.*) secure2/mpg1/$1 [R,L]

RewriteCond %{REMOTE_user} ^Dawn$
#RewriteRule  ^(.*) www/secure2/mpg2/$1 [R,L]
RewriteRule  ^(.*) secure2/mpg2/$1 [R,L]

RewriteCond %{REMOTE_user} ^Ruth\ Smith$
#RewriteRule  ^(.*) www/secure2/mpg3/$1 [R,L]
RewriteRule  ^(.*) secure2/mpg3/$1 [R,L]
</Directory> 
# ================================================= 

Top

Summary of changes

  • Modules: no change
  • Basic setting: Entire server listens on port 443
  • HTTP and performance settings: no change
  • Access control: no change
  • MIME encoding: no change
  • Logs: no change
  • Global SSL: New section, copied from ssl.conf removed virtual host
  • Directory specific - Personal pages: New section,
  • Targets this folder <Directory "/www/secure1">
  • Requires authentication
  • Enhanced by mod rewrite
  • Directory specific - Personal folders: New section,
  • Targets this folder <Directory "/www/secure2">
  • Requires authentication
  • Enhanced by mod rewrite

Top

Support files

Each mini server is complete and zipped into a single self-extracting archive file.

Download

Download this server from SourceForge Project Page save the file mini_server_5.exe to any folder of your choice.

Note: Check out the mini server's support and download page detailing how to obtain full binaries for Apache, PHP and Perl.

Top

Extract files

Double click on mini_server_5.exe, starts the extraction process. No need to change the folder destination, click extract, this creates a new folder mini_server_5 containing two files and one folder.

  1. server_start.bat - Double click to start the server
  2. server_stop.bat - Double click to stop server
  3. udrive - Folder containing server and your web site.

Top

Test

Testing is straight forward.

  1. Start the server by double clicking on server_start.bat (automatically detects free drive letter creates new virtual drive and runs the server.)
  2. Start a web browser.
  3. Type https://localhost:8085/ into the browser address bar.
  4. An index page is displayed, check out the secure areas by clicking links secure1 or secure2.
  5. Stop the server by double clicking on server_stop.bat

Note 1: Reason for changing the secure port was to demonstrate you still need to use https. This sets up the secure protocol, if you do not include a port it is assumed you are using the standard port (:443) which is silently added. Including a port (:8085) overrides this.

Note 2: At step 3 your browser will have a moan about incorrect certificate check out this page and train your browser to accept the certificate.

Top

Secure1

From the main index page click on the secure1 link. This takes you to a protected folder where you will be challenged for a name and password. Enter one of the name/password pairs shown, you will be able to view a single personal page. Each page contain cross links to other personal pages see what happens when you click one of these links.

Note 1: To re-log in you must restart your browser.

Note 2: Make sure to change the line AuthName to something like "Please login to your secure page" I included name/password pairs to make it easier to test.

Top

Secure2

From the main index page click on the secure2 link. This takes you to a protected folder where you will be challenged for a name and password. Enter one of the name/password pairs shown, you will be able to view the contents of a personal folder. Each personal index page contain cross links to other personal folders see what happens when you click one of these links.

Note 1: To re-log in you must restart your browser.

Note 2: Make sure to change the line AuthName to something like "Please login to your secure folder" I included name/password pairs to make it easier to test.

Top

Generate new server Certificate and key

The download includes a Server key and certificate you can use for testing however these are compromised (known to anyone that downloads the server) you need to create a new self-signed certificate.

The generation section includes ssl 0.9.8h again taken from the full Apache download. A single batch file z_complete.bat automates the Certificate and Key generation process.

To create a new certificate and key double click on z_complete.bat located in folder *\mini_server_5\udrive\key_cert_gen_ssl_098h\key_cert_gen and follow the instructions.

The file executes the following batch files in turn clean.bat, mpg1.bat, mpg2.bat, mpg3.bat and mpg4.bat for background information check our these pages Stunnel: SSL Certificate and SSL Part 1: Key & Certificate

The following shows a typical run:

1) Removing old files


2) Enter a pass phrase and certificate information

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...........................................++++++
....++++++
writing new private key to 'server.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name or County (full name) [Cambridgeshire]:
Locality Name (eg, city or town) [Cambridge]:
Organization Name (eg, company) [Unicenter]:
Organizational Unit Name (eg, section) [Demo Example: Uniform Server Development
 Team]:
Common Name (eg, your websites domain name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

3) This will remove the past phrase

Enter pass phrase for server.pem:
writing RSA key

4) Creating a self-signed certificate

Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=Cambridgeshire/L=Cambridge/O=Unicenter/OU=Demo Example: Uniform
 Server Development Team/CN=localhost
Getting Private key

5) Copying Key and certificate to server

        1 file(s) copied.
        1 file(s) copied.

If you made a mistake run this batch file again

Press any key to continue . . .

1) Removes all old files before starting a new certificate and key generation.

2) Enter PEM pass phrase: This can be anything you like, it is eventually removed so keep it short e.g fred

You are then asked to enter certificate information. With the exception of Common Name I have accepted defaults by pressing the enter key. You can enter your own personal information however for a self-signed certificate it really is insignificant.

Of prime importance is the Common Name you must enter your domain name for example www.fred.com if you do not have a domain enter localhost (this will keep IE happy, especially if you want to save the certificate)

Country Name (2 letter code) [GB]:
State or Province Name or County (full name) [Cambridgeshire]:
Locality Name (eg, city or town) [Cambridge]:
Organization Name (eg, company) [Unicenter]:
Organizational Unit Name (eg, section) [Demo Example: Uniform Server Development Team]:
Common Name (eg, your websites domain name) []:localhost
Email Address []:

Extra attributes: Just press enter, do not enter any values these are never used.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

3) This is where the pass phrase is removed. Enter fred or whatever you decided to use.

4) The self-signed certificate is automatically create.

5) Once created both certificate and key are copied to their server folders.

Note: If you make a mistake not to worry you can run this batch file as many times as you like. Run the server and view your certificate in a browser. If its not what you expected, just run the batch file again. Remember each certificate is unique (Loading 'screen' into random state - done) even if you use the same information.

Top

Change Virtual Drive

The server automatically detects the first free drive letter and uses that to run the server on. You can override this in one of two ways:

  1. Start the server using a drive parameter for example: server_start.bat z this forces the server to use drive z
  2. Edit server_start.bat, locate the following line:
      rem set Disk=w
    Remove the rem and replace w with the letter you want to use for example:
      set Disk=x  Forces the server to use drive letter x

Top

Change server default port

  • Open file: httpd.conf (Located in folder: \mini_server_5\udrive\usr\local\apache2\conf)
  • Locate the lines:
    Listen 8085
    ServerName localhost:8085
  • Change to:
    Listen 443
    ServerName localhost:443

This moves the server to the standard secure server port

Note: Type https://localhost into a browser to view the site. There is no need to include the port it gets silently added.

If port already in use try any value above 2000

Top

Multi Servers

If you wish to run several mini servers at the same time create a new folder for each server and copy the contents of mini_server_5 into each of these.

Change server port for each server to be unique and create a new server certificate and key. The servers may be started in any order.

Note: You can run the mini servers alongside Uniform Server 3.5-Apollo however you must start Uniform Server first.

Top

Conclusion

That concludes this part of the mini-server series. You can add these enhancements to servers 6-10 producing even more flexible servers.

These mini-servers allow you to experiment without all that bloat. Just because the servers are small they are not toys Apache is a battle hardened server continuously being developed and enhanced hence always check for the latest version.

A self-signed certificate offers a reasonable degree of protection however to prevent man in the middle attacks (interception) a signed certificate is required. These servers are for personal use hence the choice is yours. In addition I have shown you are not restricted to using the standard secure port 443.

The next mini server shows how to enable PHP allowing you to create dynamic web sites.

Top


Ric