Sunday, December 11, 2011

Apache on the Cloud

I will explain step by step how to configure Apache on an Ubuntu server running in the Cloud. In my previous post I explained how to configure Amazon Web Services in order to have an Ubuntu Server running 7x24. At the end of this tutorial we will have a public HTML page visible to everybody.

A. Connect into your remote instance and install Apache

ssh -i Ubuntu_10_04_32.pem ubuntu@ec2-46-137-60-179.eu-west-1.compute.amazonaws.com

sudo apt-get update

sudo apt-get install apache2 apache2-utils apache2-threaded-dev

Believe it or not, you just created and published a web page on the Internet. Open your favorite web browser and paste the identifier of your cloud instance into the URL bar (you can find it in your connection command; in my case ec2-46-137-60-179.eu-west-1.compute.amazonaws.com).

Fig.1 Our public page


B. Configure Apache for SSL connection and authentication

OK, that was pretty impressive, but what if you want all the information transmitted and received to be encrypted, and what if you do not want everybody to have access to your web page? All of this can be achieved by configuring Apache. We will explain here the steps needed on Ubuntu, but if you are seriously thinking of developing web applications you should get some background on Apache. You can find the official Apache documentation at http://www.apache.org/dist/httpd/docs/.

On the Ubuntu Server 10.04 the version of apache installed by default is the 2.2

ubuntu@ip-10-48-98-200:~$ apache2ctl -v
Server version: Apache/2.2.14 (Ubuntu)
Server built:   Nov  3 2011 03:31:27

So the file you are looking for is httpd-docs-2.2.14.en.pdf


That being said, here is a set of commands that you will use in your daily life with Apache:

sudo update-rc.d -f apache2 remove --> Prevent Apache autostart
sudo update-rc.d apache2 defaults   -->  Restore Apache autostart

sudo apache2ctl -k start --> Start Apache
sudo apache2ctl -k stop --> Stop Apache
sudo apache2ctl restart --> Restart Apache (needed for a change in a configuration file to be taken into account)

a2dismod/a2enmod --> Disable/Enable module

a2dissite/a2ensite --> Disable/Enable site


B.1 Configure Apache for SSL connection

Enable the Apache ssl module, the default ssl site and restart Apache:

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo apache2ctl restart



By doing this you should be able to access your web site via https. By default you are using a non-verified certificate, so Firefox will warn you about it. Just add the exception and continue.



If you want to use your own certificates just follow these steps:

Create the directory where you want to store the certificate:

sudo mkdir /etc/apache2/ssl

Generate the certificate (you will have to enter several pieces of information that will be included in the certificate):

sudo openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem

Generating a 1024 bit RSA private key
..............................................................++++++
..++++++
writing new private key to '/etc/apache2/ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:PACA
Locality Name (eg, city) []:Antibes
Organization Name (eg, company) [Internet Widgits Pty Ltd]:N/A
Organizational Unit Name (eg, section) []:N/A
Common Name (eg, YOUR name) []:Javier
Email Address []:jbravoc27@hotmail.com

Now you can find your own certificate under /etc/apache2/ssl:

ll  /etc/apache2/ssl
drwxr-xr-x 2 root root 4096 2011-12-11 12:08 ./
drwxr-xr-x 8 root root 4096 2011-12-11 12:07 ../
-rw-r--r-- 1 root root 2136 2011-12-11 12:09 apache.pem 


Finally we have to modify the Apache config file to indicate that it has to use the certificate that we just generated. This is done by editing the file:

/etc/apache2/sites-available/default-ssl

Remove these two lines:

SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

And add this line with the path to your certificate (our certificate file includes the key itself, so the equivalent second line is not needed):

SSLCertificateFile /etc/apache2/ssl/apache.pem 

Once done restart apache:

sudo apache2ctl restart
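
The listing above shows apache.pem, which holds the private key as well as the certificate, with mode -rw-r--r--, so every local user can read the key. The check below is an added example, not part of the original post; the function names and the sample file are constructed for illustration, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post): flag PEM files that contain a
# private key and are accessible to group or others, like the mode 644 listing.

# pem_has_key FILE: true if FILE holds any PEM private-key block.
pem_has_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# audit_pem FILE: prints a verdict and returns
#   0 = no private key inside, or key file closed to group/others
#   1 = private key accessible to group or others
#   2 = file missing
audit_pem() {
    f=$1
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    if ! pem_has_key "$f"; then
        echo "OK      $f (no private key inside)"
        return 0
    fi
    mode=$(stat -c '%a' "$f")    # GNU stat: octal mode, e.g. 644
    case $mode in
        0|*00) echo "OK      $f (private key, mode $mode)"; return 0 ;;
        *)     echo "EXPOSED $f (private key, mode $mode)"; return 1 ;;
    esac
}

# make_sample_pem FILE: constructed stand-in for a combined key+certificate
# file. The body lines are placeholders, not real key material.
make_sample_pem() {
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1"
}

tmp=$(mktemp -d)
make_sample_pem "$tmp/apache.pem"
chmod 644 "$tmp/apache.pem"; audit_pem "$tmp/apache.pem" || true
chmod 600 "$tmp/apache.pem"; audit_pem "$tmp/apache.pem" || true
rm -rf "$tmp"
```

On the server, sudo chmod 600 /etc/apache2/ssl/apache.pem closes the file to other users; Apache still starts because it reads the key as root before handing requests to its unprivileged workers.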

You will have to add a new exception to Firefox:


If the button to accept is not enabled (as in my case), just clear all the recent history and try again:


The last thing we are going to do is disable 'Non-https' access, so everybody trying to reach our site will have to use https. A more elegant solution is to redirect requests from 'Non-https' to 'https'; again, this can be done by editing the Apache config files, but it is out of the scope of this post.

To disable the 'Non-https' access just type:

sudo a2dissite 000-default
sudo apache2ctl restart

Now if you try to access your site without https (ec2-46-137-60-179.eu-west-1.compute.amazonaws.com), you will receive a nice 'Not Found' Mozilla error.

If you want to avoid the Apache warning when restarting the server, just comment out or remove the following lines in the config file /etc/apache2/ports.conf:

NameVirtualHost *:80
Listen 80


B.2 Enabling Authentication


Now that we have set up a secure conversation by using ssl, we can ask our users for a password and control the access to our site.

The first thing we have to do is create a folder and a file where we are going to store all our users and their associated passwords:

sudo mkdir /etc/apache2/passwd
sudo touch /etc/apache2/passwd/passwords

Now we create a user with the Apache tool htpasswd:

sudo htpasswd -c /etc/apache2/passwd/passwords javier 

You will be asked to enter your password:

New password:
Re-type new password:
Adding password for user javier

If you have a look at the password file you will see that a new line with the user 'javier' and an encrypted password has been created:

cat /etc/apache2/passwd/passwords
javier:UIkS/YN9TzvSM

Now we just need to configure Apache to ask for a password when a user tries to access our site.

Open the configuration file:

/etc/apache2/sites-available/default-ssl default

And modify the following section:

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

by:

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                AuthType Basic
                AuthName "Password Required"
                AuthUserFile /etc/apache2/passwd/passwords
                Require valid-user
        </Directory>

and restart Apache again:

sudo apache2ctl restart
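
The 13-character value stored for 'javier' in the password file above is a traditional crypt() hash, which according to the htpasswd documentation uses only the first 8 characters of the password. The script below is an added example, not part of the original post, that reports the scheme behind each entry of such a file; the function names and the 'alice' and 'bob' entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report the hash scheme behind
# each entry of an htpasswd file and flag the weak ones.

# classify_hash HASH: print the scheme name for one htpasswd hash field.
classify_hash() {
    case $1 in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        '$'*)                    echo other-crypt ;;
        *[!./0-9A-Za-z]*)        echo unknown ;;     # not a crypt alphabet
        ?????????????)           echo des-crypt ;;   # 2 salt + 11 hash chars
        *)                       echo unknown ;;     # possibly plaintext
    esac
}

# audit_htpasswd FILE: print "user scheme verdict" per entry;
# returns 1 if any entry uses des-crypt, unsalted SHA-1 or an unknown format.
audit_htpasswd() {
    weak=0
    while IFS=: read -r user hash; do
        case $user in ''|'#'*) continue ;; esac
        scheme=$(classify_hash "$hash")
        case $scheme in
            des-crypt|sha1-unsalted|unknown) verdict=WEAK; weak=1 ;;
            *)                               verdict=ok ;;
        esac
        echo "$user $scheme $verdict"
    done < "$1"
    return "$weak"
}

# make_sample_htpasswd FILE: the entry shown in the post plus two
# constructed entries (placeholder hashes, not real credentials).
make_sample_htpasswd() {
    printf '%s\n' \
        'javier:UIkS/YN9TzvSM' \
        'alice:$apr1$CONSTRUC$ConstructedPlaceholder' \
        'bob:{SHA}ConstructedPlaceholder=' > "$1"
}

tmp=$(mktemp -d)
make_sample_htpasswd "$tmp/passwords"
audit_htpasswd "$tmp/passwords" || true
rm -rf "$tmp"
```

htpasswd in Apache 2.2 accepts -m to store an MD5-based ($apr1$) hash instead of crypt(). Leave out -c when adding further users, because -c rewrites the password file.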

Now when you try to access your site you will be asked to enter a user and a password (you might need to clear the Firefox history to avoid the browser cache):


And that's all folks!! You have configured (well you have mostly used the default configuration) a secure conversation plus authentication for your web site. This is the basic security access protection for an enormous amount of web sites out there on the Internet.
