Apache: Difference between revisions
Revision as of 09:39, 22 June 2015
References
- Apache Documentation (a bit fuzzy...)
- Apache HTTP Server Wiki (much clearer but incomplete)
Enabling .htaccess files
In case the .htaccess files are ignored (see [1]):
Stop! Don't use htaccess files for mod_rewrite unless you have no other choice. Doing so is slow and confusing.
- Put a nonsense line (such as Wooga) in your htaccess file and try the request again. If you don't see a 500 Internal Server Error message, your htaccess file is being ignored altogether. The solution is to set both AllowOverride FileInfo and Options FollowSymlinks in httpd.conf (on Ubuntu, check apache2/sites-enabled/000-default, or add your own config file in apache2/conf.d) for the directory in question.
- If you think your rules look ok but you still see a 500 Internal Server Error message, make sure mod_rewrite is loaded in the server.
- If you have ensured that mod_rewrite is loaded, and that RewriteRule is enabled for htaccess files, it could be that your rules are looping.
- If none of the above steps help, try a very simple rewrite to check if the module is enabled. For example:
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
# Must *NOT* be None (Apache does not accept comments on a directive line)
AllowOverride FileInfo
</Directory>
RewriteEngine On
# Redirect all requests to example.com
RewriteRule ^ http://example.com/
Basic Rewrite Rules
- References: [2], [3]
- Rewrite rules are either defined in the virtual host configuration (i.e. httpd.conf or similar) or in the .htaccess file, per directory (discouraged; I don't know why exactly, but it is slower...)
Frequent errors
- Make sure that all files in your /var/www (or any other relevant directory) are owned by www:www-data (if not, rule conditions like
RewriteCond %{REQUEST_FILENAME} -f
may fail!)
sudo chown -R www:www-data /var/www
- If you changed apache config, make sure that you restarted the server
sudo /etc/init.d/apache2 restart
- If you use mod_rewrite in .htaccess files, make sure that these files are indeed read by Apache (see section above).
- Enable the rewrite log to ease debugging (Apache 2.2 directives; in Apache 2.4 they were removed and replaced by LogLevel rewrite:trace1 up to rewrite:trace8). Add a file /etc/apache2/conf.d/rewritelog.conf:
RewriteLog "/var/log/apache2/rewrite.log"
# Max 9
RewriteLogLevel 8
Some examples of rewrite rules
See [4] for more examples, and what-not.
Rewrite URL for missing resource
From [5], rewrite URL for missing resource.
# For each web request (file or directory) that doesn't start with /en-US/,
# serve up the original resource if it exists, otherwise serve up the /en-US/ version.
RewriteCond $0 !^en-US/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .+ en-US/$0 [L]
Rewrite URL for missing resources (advanced)
# Try to replace query for non-existing images to white/black images
RewriteEngine On
# True if the requested file exists (comments must be on their own line in Apache config)
RewriteCond %{REQUEST_FILENAME} -f
# Applied if the condition above is true; "-" means no substitution, [L] means LAST rule
RewriteRule (.*) - [L]
# 10-0- up to 10-511-
RewriteCond %{REQUEST_URI} /10-[0-9]+-([0-9]|[1-9][0-9]|[1-4][0-9][0-9]|50[0-9]|51[0-1])\.png
RewriteRule (.*) white.png [L]
# 9-0- up to 9-255-
RewriteCond %{REQUEST_URI} /9-[0-9]+-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.png
RewriteRule (.*) white.png [L]
# 8-0- up to 8-127-
RewriteCond %{REQUEST_URI} /8-[0-9]+-([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.png
RewriteRule (.*) white.png [L]
# 7-0- up to 7-63-
RewriteCond %{REQUEST_URI} /7-[0-9]+-([0-9]|[0-5][0-9]|6[0123])\.png
RewriteRule (.*) white.png [L]
# 6-0- up to 6-31-
RewriteCond %{REQUEST_URI} /6-[0-9]+-([0-9]|[0-2][0-9]|3[01])\.png
RewriteRule (.*) white.png [L]
# 5-0- up to 5-15-
RewriteCond %{REQUEST_URI} /5-[0-9]+-([0-9]|1[0-5])\.png
RewriteRule (.*) white.png [L]
# 4-0- up to 4-7-
RewriteCond %{REQUEST_URI} /4-[0-9]+-([0-7])\.png
RewriteRule (.*) white.png [L]
# 3-0- up to 3-3-
RewriteCond %{REQUEST_URI} /3-[0-9]+-([0-3])\.png
RewriteRule (.*) white.png [L]
# 2-0- up to 2-1-
RewriteCond %{REQUEST_URI} /2-[0-9]+-([0-1])\.png
RewriteRule (.*) white.png [L]
# 1-0- only (a single tile at this level)
RewriteCond %{REQUEST_URI} /1-[0-9]+-0\.png
RewriteRule (.*) white.png [L]
RewriteRule (.*) black.png [L]
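As an added example (not code from the original page), the following Python emulates the rule chain above: every RewriteRule carries [L], so the first rule whose RewriteCond holds ends processing, and a set of paths stands in for the -f file test. check_bounds() also verifies that the pattern for zoom level z accepts exactly the rows y from 0 to 2^(z-1)-1.

```python
import re

# The RewriteCond patterns of the rule set above, copied as (zoom level, pattern).
TILE_PATTERNS = [
    (10, r"/10-[0-9]+-([0-9]|[1-9][0-9]|[1-4][0-9][0-9]|50[0-9]|51[0-1])\.png"),
    (9,  r"/9-[0-9]+-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.png"),
    (8,  r"/8-[0-9]+-([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.png"),
    (7,  r"/7-[0-9]+-([0-9]|[0-5][0-9]|6[0123])\.png"),
    (6,  r"/6-[0-9]+-([0-9]|[0-2][0-9]|3[01])\.png"),
    (5,  r"/5-[0-9]+-([0-9]|1[0-5])\.png"),
    (4,  r"/4-[0-9]+-([0-7])\.png"),
    (3,  r"/3-[0-9]+-([0-3])\.png"),
    (2,  r"/2-[0-9]+-([0-1])\.png"),
    (1,  r"/1-[0-9]+-0\.png"),
]
TILE_RULES = [(zoom, re.compile(pattern)) for zoom, pattern in TILE_PATTERNS]


def served_file(request_uri, existing_files):
    """Emulate the chain: each RewriteRule has [L], so the first rule whose
    RewriteCond holds ends processing. existing_files stands in for the -f test."""
    if request_uri in existing_files:
        return request_uri               # RewriteRule (.*) - [L]: serve the real file
    for _zoom, pattern in TILE_RULES:
        if pattern.search(request_uri):  # RewriteCond is an unanchored match
            return "white.png"           # a tile inside the grid, but missing on disk
    # The unconditional last rule catches everything else, tile request or not.
    return "black.png"


def check_bounds(max_y=1100):
    """Verify each pattern accepts exactly y in 0 .. 2**(zoom-1)-1 (x fixed to 0)."""
    for zoom, pattern in TILE_RULES:
        limit = 2 ** (zoom - 1) - 1
        for y in range(max_y + 1):
            matched = pattern.search(f"/tiles/{zoom}-0-{y}.png") is not None
            if matched != (y <= limit):
                return False
    return True
```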
Tags
DirectoryIndex
- Use DirectoryIndex to change the list of default index file names that are served when a directory is requested
# Will serve the php version first
DirectoryIndex index.php index.html
# To point to a specific file when browsing a directory (no directory listing)
DirectoryIndex mycustomindex.html
HTTPS
From [6]. Assumptions:
- Already a website present at /var/www
- Package ssl-cert installed (it creates the snakeoil, i.e. self-signed, key and certificate in /etc/ssl)
# Load and enable SSL module
sudo a2enmod ssl
sudo /etc/init.d/apache2 force-reload
# Edit file
sudo vim /etc/apache2/sites-available/default-ssl
# ... and change lines as follows (for key/cert we use the snakeoil ones):
# SSLEngine on
# SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
# Enable the default SSL site:
sudo a2ensite default-ssl
# Tell Apache to reload its configuration:
sudo /etc/init.d/apache2 reload
To also add user authentication, add the following lines to either:
- the .htaccess file in the website directory, or
- the section <Directory /> in /etc/apache2/sites-available/default-ssl:
AuthType Basic
AuthName "default"
AuthUserFile /var/www/nxl67002ux.ssl.passwd
Require valid-user
Then create the password file with the htpasswd command (keep it outside the DocumentRoot, or deny web access to it, so that it cannot be downloaded):
htpasswd -c -s filename.ssl.passwd username # set password, using SHA-1
sudo chown www-data:www-data filename.ssl.passwd # set permission (or get 500 - Internal server error)
Finally, reload apache2:
sudo /etc/init.d/apache2 reload
In case of problem, check log file /var/log/apache2/error.log.
Parse and generate new certificates
The server private key is located at /etc/ssl/private/ssl-cert-snakeoil.key and the self-signed certificate at /etc/ssl/certs/ssl-cert-snakeoil.pem.
To parse the current private key:
sudo openssl rsa -noout -text -in /etc/ssl/private/ssl-cert-snakeoil.key # Show all private key components (modulus, exponents, primes, CRT coefficient)
sudo openssl rsa -noout -modulus -in /etc/ssl/private/ssl-cert-snakeoil.key # Show private key modulus
To parse the current self-signed certificate:
openssl asn1parse -in /etc/ssl/certs/ssl-cert-snakeoil.pem # Show certificate fields
This produces for instance:
openssl asn1parse -in /etc/ssl/certs/ssl-cert-snakeoil.pem
0:d=0 hl=4 l= 698 cons: SEQUENCE
4:d=1 hl=4 l= 418 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 9 prim: INTEGER :C5E28AFC1DC8799C
24:d=2 hl=2 l= 13 cons: SEQUENCE
26:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
37:d=3 hl=2 l= 0 prim: NULL
39:d=2 hl=2 l= 21 cons: SEQUENCE
41:d=3 hl=2 l= 19 cons: SET
43:d=4 hl=2 l= 17 cons: SEQUENCE
45:d=5 hl=2 l= 3 prim: OBJECT :commonName
50:d=5 hl=2 l= 10 prim: PRINTABLESTRING :zavcxv0035
62:d=2 hl=2 l= 30 cons: SEQUENCE
64:d=3 hl=2 l= 13 prim: UTCTIME :150605232158Z
79:d=3 hl=2 l= 13 prim: UTCTIME :250602232158Z
94:d=2 hl=2 l= 21 cons: SEQUENCE
96:d=3 hl=2 l= 19 cons: SET
98:d=4 hl=2 l= 17 cons: SEQUENCE
100:d=5 hl=2 l= 3 prim: OBJECT :commonName
105:d=5 hl=2 l= 10 prim: PRINTABLESTRING :zavcxv0035
117:d=2 hl=4 l= 290 cons: SEQUENCE
121:d=3 hl=2 l= 13 cons: SEQUENCE
123:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
134:d=4 hl=2 l= 0 prim: NULL
136:d=3 hl=4 l= 271 prim: BIT STRING
411:d=2 hl=2 l= 13 cons: cont [ 3 ]
413:d=3 hl=2 l= 11 cons: SEQUENCE
415:d=4 hl=2 l= 9 cons: SEQUENCE
417:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
422:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
426:d=1 hl=2 l= 13 cons: SEQUENCE
428:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
439:d=2 hl=2 l= 0 prim: NULL
441:d=1 hl=4 l= 257 prim: BIT STRING
- The field UTCTIME is coded as YYMMDDHHmmssZ.
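As an added example (not part of the original page), a small Python parser for the asn1parse dump above: it decodes the UTCTIME fields with the RFC 5280 century rule (YY >= 50 means 19YY), pairs the two commonName values as issuer and subject, and derives the RSA key size from the length of the signature BIT STRING. The sample lines are the relevant lines of the dump above, with whitespace collapsed as the wiki renders it.

```python
import re
from datetime import datetime

# Constructed sample: the lines of the asn1parse dump shown above that carry the
# fields of interest (Debian snakeoil certificate), whitespace collapsed as rendered.
ASN1_DUMP = """\
13:d=2 hl=2 l= 9 prim: INTEGER :C5E28AFC1DC8799C
26:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
45:d=5 hl=2 l= 3 prim: OBJECT :commonName
50:d=5 hl=2 l= 10 prim: PRINTABLESTRING :zavcxv0035
64:d=3 hl=2 l= 13 prim: UTCTIME :150605232158Z
79:d=3 hl=2 l= 13 prim: UTCTIME :250602232158Z
100:d=5 hl=2 l= 3 prim: OBJECT :commonName
105:d=5 hl=2 l= 10 prim: PRINTABLESTRING :zavcxv0035
136:d=3 hl=4 l= 271 prim: BIT STRING
441:d=1 hl=4 l= 257 prim: BIT STRING
"""

# offset:d=depth hl=header-length l=length prim|cons: TYPE [:VALUE]
LINE_RE = re.compile(r"^\s*(\d+):d=(\d+)\s+hl=\d+\s+l=\s*(\d+)\s+(prim|cons):\s*(.*)$")

def parse_asn1_dump(text):
    """Turn each asn1parse line into a dict; lines that do not match (the echoed command) are skipped."""
    nodes = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        type_, _, value = m.group(5).partition(":")   # "OBJECT :commonName" -> type, value
        nodes.append({"depth": int(m.group(2)), "length": int(m.group(3)),
                      "type": type_.strip(), "value": value.strip() or None})
    return nodes

def utctime_to_datetime(value):
    """UTCTIME is YYMMDDHHmmssZ; per RFC 5280, YY >= 50 means 19YY, otherwise 20YY."""
    yy = int(value[:2])
    return datetime.strptime(str((1900 if yy >= 50 else 2000) + yy) + value[2:], "%Y%m%d%H%M%SZ")

def summarize_certificate(text):
    """Extract what an admin checks before installing: names, validity, algorithm, key size."""
    nodes = parse_asn1_dump(text)
    times = [utctime_to_datetime(n["value"]) for n in nodes if n["type"] == "UTCTIME"]
    # commonName attributes appear in TBSCertificate order: issuer first, then subject
    cns = [nodes[i + 1]["value"] for i, n in enumerate(nodes) if n["value"] == "commonName"]
    # the depth-1 BIT STRING is the signature: one unused-bits byte plus the RSA modulus size
    sig_len = [n for n in nodes if n["type"] == "BIT STRING" and n["depth"] == 1][-1]["length"]
    return {"serial": next(n["value"] for n in nodes if n["type"] == "INTEGER" and n["depth"] == 2),
            "signature_algorithm": next(n["value"] for n in nodes if n["type"] == "OBJECT"),
            "not_before": times[0], "not_after": times[1],
            "issuer_cn": cns[0], "subject_cn": cns[1],
            "self_issued": cns[0] == cns[1],   # same names; the signature itself is not verified here
            "key_bits": (sig_len - 1) * 8}
```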
To generate a new key and certificate:
openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -keyout ssl-cert-$HOSTNAME.key -out ssl-cert-$HOSTNAME.pem
Typically you can leave all request fields blank (enter '.'), except the Common Name, which should be set to some name or to the server FQDN:
Generating a 2048 bit RSA private key
..............................................................+++
..................................+++
unable to write 'random state'
writing new private key to 'ssl-cert-zavcxl0005.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:zavcxl0005.zav.st.com
Email Address []:.
Then install the key and certificate and update /etc/apache2/sites-available/default-ssl.conf:
sudo mv ssl-cert-$HOSTNAME.pem /etc/ssl/certs
sudo chmod 640 ssl-cert-$HOSTNAME.key
sudo chown root:ssl-cert ssl-cert-$HOSTNAME.key
sudo mv ssl-cert-$HOSTNAME.key /etc/ssl/private
Edit /etc/apache2/sites-available/default-ssl.conf:
- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
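Review bot: the two `+` lines are identical to the `-` lines they replace, so this edit leaves the configuration pointing at the snakeoil key and certificate instead of the files installed in the previous step. They should name the new files, e.g. `SSLCertificateFile /etc/ssl/certs/ssl-cert-<hostname>.pem` and `SSLCertificateKeyFile /etc/ssl/private/ssl-cert-<hostname>.key`, with the hostname written out literally, since Apache does not expand the shell variable $HOSTNAME in its configuration.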