LinuxQuestions.org
Old 06-05-2006, 04:01 AM   #1
Ameii83
Member
 
Registered: Dec 2004
Location: malaysia
Posts: 56

Rep: Reputation: 15
https service


How to add https service in Linux through ssh client?? Is it https and the http is the same protocol??

Last edited by Ameii83; 06-05-2006 at 04:07 AM.
 
Old 06-05-2006, 04:13 AM   #2
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hi ameii83,


Https is http-secure; it does not need ssh to tunnel through or anything of that sort.

Have your apache server installed and you get https and http working automatically. The folder containing html files is httpdocs and folder https contains html files for https protocol.


Have fun
 
Old 06-05-2006, 04:20 AM   #3
Ameii83
Member
 
Registered: Dec 2004
Location: malaysia
Posts: 56

Original Poster
Rep: Reputation: 15
Let me go through my problem. I have successfully installed the Apache server; the http is working well but the https has a problem. The problem is, if I try to surf my website that is using https, it replies "the connection was refused". What should I do?

thanks for reply
 
Old 06-05-2006, 06:00 AM   #4
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
Just some questions to answer your question.

Firewall settings on your server?
Did you generate keys and certificates, sign them and place them in the correct directories?
Is mod_ssl.conf correctly configured?
Do you start apache with SSL support? Check apache log file
 
Old 06-06-2006, 12:20 AM   #5
Ameii83
Member
 
Registered: Dec 2004
Location: malaysia
Posts: 56

Original Poster
Rep: Reputation: 15
Hi again,

Before this, I detected that my firewall had blocked the https port 433, so I have opened it so it can get through. The problem is, it comes up with the Apache test page, not exactly the website. What should I do?
Is there any problem with https??
 
Old 06-06-2006, 03:58 AM   #6
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hi ameii83,

No, there is no problem with apache https. Have you copied all content from httpdocs to httpsdocs?

If so it should show your web site.

Tell me what happens
 
Old 06-06-2006, 11:35 PM   #7
Ameii83
Member
 
Registered: Dec 2004
Location: malaysia
Posts: 56

Original Poster
Rep: Reputation: 15
I have copied all the files to the var/www, but the website never comes up!! Is there any problem with the httpd.conf configuration??
 
Old 06-07-2006, 02:34 AM   #8
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
Please post the whole path (/var/www.. is not enough in this case). Is the problem with https? If so, there's a DocumentRoot in the file mod_ssl.conf. Does it indicate the correct directory?
 
Old 06-07-2006, 09:29 PM   #9
Ameii83
Member
 
Registered: Dec 2004
Location: malaysia
Posts: 56

Original Poster
Rep: Reputation: 15
Thanks all guys, I have fixed them all. Don't worry, if I have the time I will describe the whole process.

Thanks to all

Last edited by Ameii83; 06-07-2006 at 11:38 PM.
 
Old 06-07-2006, 10:59 PM   #10
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hello Ameii83,

If you really have got rid of your problem, please post how. This will be helpful for the people who may get into the same problem in future.

I hope you'll understand.
 
Old 06-07-2006, 11:32 PM   #11
ganesh343
LQ Newbie
 
Registered: Jun 2006
Posts: 8

Rep: Reputation: 0
Hi Ameii83,

Why don't you post the step by step process of "how to enable https on apache"??
That could be helpful to the others.

thanks in advance.
-Ganesh
 
Old 06-13-2006, 11:22 PM   #12
Ameii83
Member
 
Registered: Dec 2004
Location: malaysia
Posts: 56

Original Poster
Rep: Reputation: 15
The https solution

The solution is in the httpd.conf in the virtual host section. Please see the sample configuration of httpd.conf below
-------------------------------------------------------------------
NameVirtualHost *:443
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

<VirtualHost *:443>
ServerAdmin xxxx@xxx.xxx
DocumentRoot /var/www/html/example
ServerName xxxxx.xxxxx.xxx.xx
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

-----------------------------------------------------------------------

Just change the http= "80" to https ="443" port.

Last edited by Ameii83; 06-13-2006 at 11:23 PM.
 
Old 06-14-2006, 01:22 AM   #13
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
As I did the same exercise a couple of weeks ago, I feel that some info is missing (like the location of keys and certificates). Are you sure that that was all that you did to get it working?

Below the story for a Slackware 10.1 box. It's not said that I did it in a better way, but the instructions might be more complete.
It's based on information in Julie C. Meloni's book 'Teach yourself PHP, MySQL and Apache All in One' (ISBN 0-672-32620-5).

Generating certificate

Step 1 Generate (private) key

Code:
root@btd-techweb01:~# /usr/bin/openssl genrsa -rand /dev/urandom -out btd-techweb01.key 1024
2048 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)

I did not add the option -des3 after genrsa as it will require a password every time the Apache webserver is restarted. This will prevent automatic restarts (e.g. after power down). Although less secure as the key is not encrypted and a breach in security on the server might reveal the key, this risk is considered acceptable. Just secure the server properly.

Step 2 Generate certificate signing request

Once a key file is generated, a Certificate Signing Request (CSR) can be generated.
Code:
root@btd-techweb01:~# /usr/bin/openssl req -new -key btd-techweb01.key -out btd-techweb01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:mycity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany
Organizational Unit Name (eg, section) []:BTD
Common Name (eg, YOUR name) []:btd-techweb01
Email Address []:wsturkenboom@mycompany.co.za

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:************
An optional company name []:mycompany

Step 3 Signing certificate

The request can now be sent to a Certificate Authority (CA) to be signed. Examples of CAs are Thawte and Verisign.
As this is a server on the intranet, we will sign it ourselves.
Code:
root@btd-techweb01:~# /usr/bin/openssl x509 -req -days 30 -in btd-techweb01.csr -signkey btd-techweb01.key -out btd-techweb01.cert
Signature ok
subject=/C=ZA/L=mycity/O=mycompany/OU=BTD/CN=btd-techweb01/emailAddress=wsturkenboom@mycompany.co.za
Getting Private key

Configuration

Step 1 Copy files

We now have a certificate. It needs to be copied to the directory /etc/apache/ssl.crt and for security we will make it readable for root only.
Code:
root@btd-techweb01:~# cp btd-techweb01.cert /etc/apache/ssl.crt
root@btd-techweb01:~# chmod 400 /etc/apache/ssl.crt/btd-techweb01.cert

We also need to copy the key to /etc/apache/ssl.key
Code:
root@btd-techweb01:~# cp btd-techweb01.key /etc/apache/ssl.key

To make the story complete, we will copy the csr to /etc/apache/ssl.csr; this step is not necessary.
Code:
root@btd-techweb01:~# cp btd-techweb01.csr /etc/apache/ssl.csr

Step 2 Modify mod_ssl.conf

Code:
#WimS; we have cert extension, not crt
AddType application/x-x509-ca-cert .cert
#AddType application/x-x509-ca-cert .crt

#WimS; our certificate
SSLCertificateFile /etc/apache/ssl.crt/btd-techweb01.cert
#SSLCertificateFile /etc/apache/ssl.crt/server.crt

#WimS; our private key
SSLCertificateKeyFile /etc/apache/ssl.key/btd-techweb01.key

We also have to modify some additional info (like the documentroot as I use a non-standard one).
Code:
#  General setup for the virtual host
#WimS; new location
DocumentRoot "/server/www/htdocs/btd/web"
#DocumentRoot "/var/www/htdocs"
#WimS; new server name
ServerName btd-techweb01
#ServerName new.host.name
#WimS
ServerAdmin wsturkenboom@mycompany.co.za
#ServerAdmin you@your.address

As we use the same directories (I did not feel like bothering about it), we will block port 80 as well so no normal http can be done.
Code:
<IfDefine SSL>
#Listen 80
Listen 443
</IfDefine>

So we have a server now that will only accept https requests.

Step 3 Modify httpd.conf

Last step before we can restart the server is to modify httpd.conf and include mod_ssl.conf.
Code:
# ==> mod_ssl configuration settings <==
#
# PACKAGES REQUIRED:  apache (N series) and openssl (N series)
#
#WimS
Include /etc/apache/mod_ssl.conf
#Include /etc/apache/mod_ssl.conf

Restart httpd with ssl support and test

Apache can be compiled with or without SSL support. In the Slackware 10.1 distro, both versions are available and by default the correct one will be started.
With a default Slackware 10.1 installation, the httpd is started from /etc/rc.d/rc.httpd.
To make sure that it starts with ssl, the start option needs to be modified.
Code:
   'start')
#      /usr/sbin/apachectl start ;;
      /usr/sbin/apachectl startssl ;;

To test, use your favorite browser and call up a page on the server. A popup will appear with info about the certificate.

Last edited by Wim Sturkenboom; 06-14-2006 at 01:27 AM.
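
The key, CSR and self-signing steps from post #13, followed by three checks worth running before pointing mod_ssl.conf at the files: certificate and key belong together, the key is readable by its owner only, and the certificate is not about to expire (the post signs for 30 days). This is an added example, not part of the thread; the function names and the "demo" host name are hypothetical, and it generates a 2048-bit key instead of the 1024-bit key shown in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the "demo" host
# are hypothetical; a 2048-bit key replaces the thread's 1024-bit one.

# make_cert DIR CN DAYS: key, CSR and self-signed certificate (post #13 steps).
make_cert() {
    dir=$1; cn=$2; days=$3
    # umask 077 so the private key is never readable by group or others
    ( umask 077; openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" \
        -out "$dir/$cn.csr" || return 1
    openssl x509 -req -days "$days" -in "$dir/$cn.csr" \
        -signkey "$dir/$cn.key" -out "$dir/$cn.cert" 2>/dev/null
}

# check_pair CERT KEY: succeed only if the certificate carries this key's
# public half (catches an SSLCertificateKeyFile pointing at the wrong file).
check_pair() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_is_private KEY: succeed only if group and others have no access at all.
key_is_private() {
    case $(ls -ld "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# expires_within CERT DAYS: succeed if the certificate expires in that window.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Demo on a throwaway directory (constructed input, nothing under /etc touched).
tmp=$(mktemp -d) && make_cert "$tmp" demo 30 && {
    check_pair "$tmp/demo.cert" "$tmp/demo.key" && echo "certificate matches key"
    key_is_private "$tmp/demo.key" && echo "key is owner-only"
    expires_within "$tmp/demo.cert" 45 && echo "expires within 45 days"
    rm -rf "$tmp"
}
```

The same three functions can be pointed at the files copied to /etc/apache/ssl.crt and /etc/apache/ssl.key; note that the post sets mode 400 on the certificate only, so key_is_private reports whatever mode the copied key ended up with.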
 
Old 06-14-2006, 01:37 AM   #14
Ameii83
Member
 
Registered: Dec 2004
Location: malaysia
Posts: 56

Original Poster
Rep: Reputation: 15
Please correct me if I was mistaken.

You can apply the SSL certificate if you want to, so it can match with your domain (to have better security), I think. But in my case,
I only used the default SSL certificate.
 
Old 06-14-2006, 02:22 AM   #15
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
Did not say that you were mistaken; neither did I want to imply that you were wrong. If it works, you basically did not do anything wrong.
I only felt that some stuff was missing (because, as said, I went through the same exercise recently and did different things).
i.e. I did not see a reference to the certificate in your httpd.conf, and that surprised me.

Only thing with regards to standard certificate that you use might be that anybody who uses your distro as well and uses the same standard certificate, will have the same certificate. In a home situation not an issue, but on the web it is.
 
  


All times are GMT -5. The time now is 11:26 AM.
