Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 19 Next »

Derscripes howto setup a webserver for file exchange in a Bit Repository system.

Apache2

Install Apache2, mod_ssl and mod_dav if not pre-installed.

Debian based systems
$ a2enmod dav dav_fs dav_lock # Enable DAV
$ mkdir /path/to/www/dav      # Create directory for DAV
$ chown www-data:wwwdata /path/to/www/dav

$ a2enmod ssl                 # Enable SSL
$ a2ensite default-ssl        # Enable SSL site
RHEL
  1. yum install httpd mod_ssl
  2. mkdir -p /path/to/www/dav/
  3. chown apache:apche /path/to/www/dav/
  4. vim /etc/httpd/conf/httpd.conf (and change ServerName and enable WebDAV)
  5. mkdir /etc/httpd/ssl/
  6. generate self-signed key to /etc/httpd/ssl
  7. vim /etc/httpd/conf.d/ssl.conf
  8. service httpd start
  9. chkconfig httpd on
SSL Setup

Setup the SSL site (on debian /etc/apache2/sites-available/default-ssl, redhat: /etc/httpd/conf.d/ssl.conf) to use the relevant keys and certificates (see Create self signed certificate):

         SSLCertificateFile      /path/to/server.crt
         SSLCertificateKeyFile   /path/to/server.key
         SSLCACertificateFile    /path/to/trusted.crt
         SSLVerifyClient         require
         SSLVerifyDepth          0

SSLCACertificateFile is a concatenation of client certificates in PEM format (i.e. cat trusted_certs/*.crt > trusted.crt).

DAV Setup
        <Location /dav>
                Dav On
        </Location>

$ /etc/init.d/apache2 restart # Finally restart apache
or
$ service httpd restart
Redhat

As with Debian, except some things are done differently, see here.

References:
Apache SSL/TLS Encryption
Apache Module mod_dav

Lighttpd

Enabling upload (WebDAV):

Add "mod_webdav" to server.modules, and configure it:

webdav.activate = "enable"
webdav.is-readonly = "disable"
webdav.sqlite-db-name = "/var/run/lighttpd/lighttpd.webdav_lock.db"

Enabling SSL (HTTPS) on port 443:

$SERVER["socket"] == ":443" {
	ssl.engine = "enable"
	ssl.pemfile = "/path/to/server.pem" # a PEM file is a combination of a key and certificate
	ssl.ca-file = "/path/to/ca.crt"     # This is the CA file used to sign the above key (if needed, which it is for self-signed certificates)
}

To enable client authentication add the following to the configuration:

	ssl.verifyclient.activate = "enable"
	ssl.verifyclient.enforce = "enable"
	#ssl.verifyclient.depth = "1" # Should possibly be enabled in the future
	ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

References:
Configuring SSL
Redirecting HTTP to HTTPS

Create self signed certificate

# For HTTPS servers remember to put the
# server FQDN in the CN.

KEY="$CN.key"
CSR="$CN.csr"
CRT="$CN.crt"

# Generate key
openssl genrsa -out "$KEY" 1024 || exit 1

# Certificate Signing Request (Remember to modify the signing request subject)
openssl req -new -key "$KEY" -out "$CSR" -subj "/C=DK/O=TestOrganization/OU=TestDepartment/CN=$CN" || exit 1

# Self sign
openssl x509 -req -days 1000 -in "$CSR" -out "$CRT" -signkey "$KEY" || exit 1

Optionally this can be packaged into a web browser friendly pkcs-12 file along with the server certificate:

openssl pkcs12 -export -in browser.crt -inkey browser.key -out browser.p12 -certfile /path/to/server.crt

See also Using SSL in Java

Creating a certificate authority for test

$ mkdir /path/to/ca/                 # CA root
$ mkdir /path/to/ca/ca.db.certs      # Signed certificates
$ touch /path/to/ca/ca.db.index      # Index of signed certificates
$ echo 01 > /path/to/ca/ca.db.serial # Next (sequential) serial number
$ cp ca.conf /path/to/ca/            # Configuration file (see below)

$ cd /path/to/ca
$ openssl genrsa -out ca.key 1024    # Generate CA private key
$ openssl req -new -key ca.key \
                   -out ca.csr       # Create Certificate Signing Request
$ openssl x509 -req -days 10000 \
               -in ca.csr \
               -out ca.crt \
               -signkey ca.key       # Create self-signed certificate

ca.conf:

[ ca ]
default_ca = ca_default

[ ca_default ]
dir = ./ca
certs = $dir
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Creating and signing webserver certificate:

$ openssl genrsa -out server.key 1024 # Create private/public key pair for server
$ openssl req -new -key server.key \
                   -out server.csr    # Create certificate signing request
                                      # (Remember: Common name *MUST* match server address)
$ openssl ca -config ca.conf \
             -in server.csr \
             -cert ca.crt \
             -keyfile ca.key \
             -out server.crt          # Sign certificate request with CA certificate.

# Create PEM file with the server key and certificate for use with lightttpd
$ cat server.key server.crt > server.pem

Creating a client certificate for use with web browsers (remember it will also usually need the CA certificate used in signing):

# openssl genrsa -out client.key 1024 # Generate public/private key for client
# openssl req -new -key client.key \
                   -out client.csr    # Create certificate signing request
# openssl ca -config ca.conf \
             -in client.csr \
             -cert ca.crt \
             -keyfile ca.key \
             -out client.crt          # Sign certificate

# openssl pkcs12 -export -clcerts \
                 -in client.crt \
                 -inkey client.key \
                 -out client.p12      # Create PKCS12 keystore for use with web browsers

References:
Client certificates with apache

  • No labels