Derscripes howto setup a webserver for file exchange in a Bit Repository system.
Apache2
Install Apache2, mod_ssl and mod_dav if not pre-installed.
Debian based systems
$ a2enmod dav dav_fs dav_lock # Enable DAV $ mkdir /path/to/www/dav # Create directory for DAV $ chown www-data:wwwdata /path/to/www/dav $ a2enmod ssl # Enable SSL $ a2ensite default-ssl # Enable SSL site
RHEL
- yum install httpd mod_ssl
- mkdir -p /path/to/www/dav/
- chown apache:apche /path/to/www/dav/
- vim /etc/httpd/conf/httpd.conf (and change ServerName and enable WebDAV)
- mkdir /etc/httpd/ssl/
- generate self-signed key to /etc/httpd/ssl (and make sure it's only accessible by apache
chown apache:apache /path/to/server.key && chmod 600 /path/to/server.key
- vim /etc/httpd/conf.d/ssl.conf
- service httpd start
- chkconfig httpd on
SSL Setup
Setup the SSL site (on debian /etc/apache2/sites-available/default-ssl, redhat: /etc/httpd/conf.d/ssl.conf) to use the relevant keys and certificates (see Create self signed certificate):
SSLCertificateFile /path/to/server.crt SSLCertificateKeyFile /path/to/server.key SSLCACertificateFile /path/to/trusted.crt SSLVerifyClient require SSLVerifyDepth 0
SSLCACertificateFile is a concatenation of client certificates in PEM format (i.e. cat trusted_certs/*.crt > trusted.crt
).
DAV Setup
To enable DAV on a specific location (it's not enabled for any directory by default), edit either ssl.conf
(or default-ssl
for debian) and add the following:
Alias /dav/ /var/www/dav/ <Location /dav> Dav On </Location>
The alias is needed since the directory is outside of the document root.
If the DAV directory should be accessible over HTTP (NOT advisable) add a similar configuration fragment to httpd.conf
(or sites-enabled/000-default
for debian).
If the above doesn't work (or the DAV directory isn't placed in the document root, the following can be used instead:
Alias /dav/ /path/to/dav/ <Directory /path/to/dav> Dav On </Directory>
$ /etc/init.d/apache2 restart # Finally restart apache or $ service httpd restart
Testing
To verify that files can be uploaded to the dav directory, curl can be used:
curl -T <some_file_to_upload> <http://server/dav/>
And over https with client authentication (Note: it should only be possible to access the server over HTTPS if a valid key/certificate pair is presented):
curl --cacert <webserver.crt> --key <clientXX.key> --cert <clientXX.crt> -T <some_file_to_upload> <https://server/dav/>
References:
Apache default directory layuout
Apache SSL/TLS Encryption
Apache Module mod_dav
Lighttpd
Enabling upload (WebDAV):
Add "mod_webdav" to server.modules, and configure it:
webdav.activate = "enable" webdav.is-readonly = "disable" webdav.sqlite-db-name = "/var/run/lighttpd/lighttpd.webdav_lock.db"
Enabling SSL (HTTPS) on port 443:
$SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/path/to/server.pem" # a PEM file is a combination of a key and certificate ssl.ca-file = "/path/to/ca.crt" # This is the CA file used to sign the above key (if needed, which it is for self-signed certificates) }
To enable client authentication add the following to the configuration:
ssl.verifyclient.activate = "enable" ssl.verifyclient.enforce = "enable" #ssl.verifyclient.depth = "1" # Should possibly be enabled in the future ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
References:
Configuring SSL
Redirecting HTTP to HTTPS
Create self signed certificate
# For HTTPS servers remember to put the # server FQDN in the CN. KEY="$CN.key" CSR="$CN.csr" CRT="$CN.crt" # Generate key openssl genrsa -out "$KEY" 1024 || exit 1 # Certificate Signing Request (Remember to modify the signing request subject) openssl req -new -key "$KEY" -out "$CSR" -subj "/C=DK/O=TestOrganization/OU=TestDepartment/CN=$CN" || exit 1 # Self sign openssl x509 -req -days 1000 -in "$CSR" -out "$CRT" -signkey "$KEY" || exit 1
Optionally this can be packaged into a web browser friendly pkcs-12 file along with the server certificate:
openssl pkcs12 -export -in browser.crt -inkey browser.key -out browser.p12 -certfile /path/to/server.crt
See also Using SSL in Java
Creating a certificate authority for test
$ mkdir /path/to/ca/ # CA root $ mkdir /path/to/ca/ca.db.certs # Signed certificates $ touch /path/to/ca/ca.db.index # Index of signed certificates $ echo 01 > /path/to/ca/ca.db.serial # Next (sequential) serial number $ cp ca.conf /path/to/ca/ # Configuration file (see below) $ cd /path/to/ca $ openssl genrsa -out ca.key 1024 # Generate CA private key $ openssl req -new -key ca.key \ -out ca.csr # Create Certificate Signing Request $ openssl x509 -req -days 10000 \ -in ca.csr \ -out ca.crt \ -signkey ca.key # Create self-signed certificate
ca.conf:
[ ca ] default_ca = ca_default [ ca_default ] dir = ./ca certs = $dir new_certs_dir = $dir/ca.db.certs database = $dir/ca.db.index serial = $dir/ca.db.serial RANDFILE = $dir/ca.db.rand certificate = $dir/ca.crt private_key = $dir/ca.key default_days = 365 default_crl_days = 30 default_md = md5 preserve = no policy = generic_policy [ generic_policy ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional
Creating and signing webserver certificate:
$ openssl genrsa -out server.key 1024 # Create private/public key pair for server $ openssl req -new -key server.key \ -out server.csr # Create certificate signing request # (Remember: Common name *MUST* match server address) $ openssl ca -config ca.conf \ -in server.csr \ -cert ca.crt \ -keyfile ca.key \ -out server.crt # Sign certificate request with CA certificate. # Create PEM file with the server key and certificate for use with lightttpd $ cat server.key server.crt > server.pem
Creating a client certificate for use with web browsers (remember it will also usually need the CA certificate used in signing):
# openssl genrsa -out client.key 1024 # Generate public/private key for client # openssl req -new -key client.key \ -out client.csr # Create certificate signing request # openssl ca -config ca.conf \ -in client.csr \ -cert ca.crt \ -keyfile ca.key \ -out client.crt # Sign certificate # openssl pkcs12 -export -clcerts \ -in client.crt \ -inkey client.key \ -out client.p12 # Create PKCS12 keystore for use with web browsers
References:
Client certificates with apache