A. Connect into your remote instance and install Apache
ssh -i Ubuntu_10_04_32.pem ubuntu@ec2-46-137-60-179.eu-west-1.compute.amazonaws.com
sudo apt-get update
sudo apt-get install apache2 apache2-utils apache2-threaded-dev
Belive it or not you just created and publish a web page on the Internet. Open your favorite web browser and paste on the url the identifier of your cloud instance (You can find it in your connector command, in my case ec2-46-137-60-179.eu-west-1.compute.amazonaws.com)
Fig.1 Our public page
B. Configure Apache for ssh connection and authentication
Ok, that was pretty impressive, but what happens if you want to transmit and receive all the information encrypted, and actually what if I do not want everybody accessing to my web page. All this can be achieved by configuring apache. We will explain here the steps needed on Ubuntu, but if you are seriously thinking on developing web applications you should get some background on Apache. Here http://www.apache.org/dist/httpd/docs/ you can find the official apache documentation.
On the Ubuntu Server 10.04 the version of apache installed by default is the 2.2
ubuntu@ip-10-48-98-200:~$ apache2ctl -v
Server version: Apache/2.2.14 (Ubuntu)
Server built: Nov 3 2011 03:31:27
Server version: Apache/2.2.14 (Ubuntu)
Server built: Nov 3 2011 03:31:27
So the file you are looking for is httpd-docs-2.2.14.en.pdf
That being said here you can find a set of commands that you will use in your daily life with Apache
sudo update-rc.d -f apache2 remove --> Prevent Apache autostart
sudo update-rc.d apache2 defaults --> Restore Apache autostart
sudo apache2ctl -k start --> Starts apache
sudo apache2ctl -k stops --> Stop apache
sudo apache2ctl restart --> Restart apache (Needed when you change a configuration file to be took into account)
a2dismod/a2enmod --> Disable/Enable module
a2dissite/a2ensite --> Disable/Enable site
B.1 Configure Apache for ssh connection
Enable the Apache ssl module, the default ssl site and restart Apache:
sudo a2enmod ssl
sudo a2ensite default-ssl
apache2ctl restart
By doing this you should be able to access to your web site via https. By default you are using a Non verified certificate so Firefox will warn you about this. Just add the exception and continue.
If you want to use your own certificates just follow these steps:
Create the directory where you want to store the certificate:
sudo mkdir /etc/apache2/ssl
Generate the certificate (You will have to enter several information that will be attached within the certificate):
sudo openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
Generating a 1024 bit RSA private key
..............................................................++++++
..++++++
writing new private key to '/etc/apache2/ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:PACA
Locality Name (eg, city) []:Antibes
Organization Name (eg, company) [Internet Widgits Pty Ltd]:N/A
Organizational Unit Name (eg, section) []:N/A
Common Name (eg, YOUR name) []:Javier
Email Address []:jbravoc27@hotmail.com
..............................................................++++++
..++++++
writing new private key to '/etc/apache2/ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:PACA
Locality Name (eg, city) []:Antibes
Organization Name (eg, company) [Internet Widgits Pty Ltd]:N/A
Organizational Unit Name (eg, section) []:N/A
Common Name (eg, YOUR name) []:Javier
Email Address []:jbravoc27@hotmail.com
Now you can find your own certificate under /etc/apache2/ssl:
ll /etc/apache2/ssl
drwxr-xr-x 2 root root 4096 2011-12-11 12:08 ./
drwxr-xr-x 8 root root 4096 2011-12-11 12:07 ../
-rw-r--r-- 1 root root 2136 2011-12-11 12:09 apache.pem
drwxr-xr-x 2 root root 4096 2011-12-11 12:08 ./
drwxr-xr-x 8 root root 4096 2011-12-11 12:07 ../
-rw-r--r-- 1 root root 2136 2011-12-11 12:09 apache.pem
Finally we have to modify the Apache config file to indicate that it has to use the certificate that we just generated. This is done by editing the file:
/etc/apache2/sites-available/default-ssl
Remove these two lines:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
And include this line indicating the path to your certificate (Our certificate include the key itself, so is not needed to include the equivalent second line):
SSLCertificateFile /etc/apache2/ssl/apache.pem
Once done restart apache:
sudo apache2ctl restart
You will have to add a new exception to Firefox:
If the button to accept is not enables (as it is my case) just clear all the recent history and try again:
The last thing we are going to do is to disable the 'Non-https' access, so everybody trying to access our site will have to do it using https. There is a more elegant solution that is redirecting the request from the 'Non-https' to 'https', again this can be done by manipulating the Apache config files, but this is out of the scope of this post.
To disable the 'Non-http' access just type:
Now if you try to access to your site without https, (ec2-46-137-60-179.eu-west-1.compute.amazonaws.com) you will receive a nice 'Not Found' mozilla error.
If you want to avoid apache warning when restarting the server, just comment or remove the following lines in the config file /etc/apache2/ports.conf:
B. Enabling Authentication
Now that we have set up a secure conversation by using ssl, we can ask our users for a password and control the access to our site.
The first thing we have to do is create a folder and a file where we are going to store all our users ans its associated password:
Now we create an user using the apache tool htpasswd
You will be asked to introduce your password:
If you have a look to the password file you will see that a new line with the user 'javier' and an encrypted password has been created:
Now we just need to configure apache to ask for a password when an user is trying to access to our site.
Open the configuration file:
And modify the following section:
by:
and restart Apache again:
Now when you try to access to your site you will be asked to introduce an user and a password (You might need to clear the Firefox history to avoid the browser cache):
And that's all folks!! You have configured (well you have mostly used the default configuration) a secure conversation plus authentication for your web site. This is the basic security access protection for an enormous amount of web sites out there on the Internet.
If the button to accept is not enables (as it is my case) just clear all the recent history and try again:
The last thing we are going to do is to disable the 'Non-https' access, so everybody trying to access our site will have to do it using https. There is a more elegant solution that is redirecting the request from the 'Non-https' to 'https', again this can be done by manipulating the Apache config files, but this is out of the scope of this post.
To disable the 'Non-http' access just type:
sudo a2dissite 000-default
sudo apache2ctl restart
Now if you try to access to your site without https, (ec2-46-137-60-179.eu-west-1.compute.amazonaws.com) you will receive a nice 'Not Found' mozilla error.
If you want to avoid apache warning when restarting the server, just comment or remove the following lines in the config file /etc/apache2/ports.conf:
NameVirtualHost *:80
Listen 80
Listen 80
B. Enabling Authentication
Now that we have set up a secure conversation by using ssl, we can ask our users for a password and control the access to our site.
The first thing we have to do is create a folder and a file where we are going to store all our users ans its associated password:
sudo mkdir /etc/apache2/passwd
sudo touch /etc/apache2/passwd/passwords
Now we create an user using the apache tool htpasswd
sudo htpasswd -c /etc/apache2/passwd/passwords javier
You will be asked to introduce your password:
New password:
Re-type new password:
Adding password for user javier
Re-type new password:
Adding password for user javier
If you have a look to the password file you will see that a new line with the user 'javier' and an encrypted password has been created:
cat /etc/apache2/passwd/passwords
javier:UIkS/YN9TzvSM
javier:UIkS/YN9TzvSM
Now we just need to configure apache to ask for a password when an user is trying to access to our site.
Open the configuration file:
/etc/apache2/sites-available/default-ssl default
And modify the following section:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
by:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/passwd/passwords
Require valid-user
</Directory>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/passwd/passwords
Require valid-user
</Directory>
and restart Apache again:
sudo apache2ctl restart
Now when you try to access to your site you will be asked to introduce an user and a password (You might need to clear the Firefox history to avoid the browser cache):
And that's all folks!! You have configured (well you have mostly used the default configuration) a secure conversation plus authentication for your web site. This is the basic security access protection for an enormous amount of web sites out there on the Internet.
No comments:
Post a Comment