Site Certificate (HTTPS)

Setting up a certificate for your site.

First some background:

An RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component, which you distribute (via your certificate file), that allows people to encrypt those messages to you.

A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA), who will convert it into a real Certificate, by signing it.

A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.

1) The first thing is to set the host name. The host name needs to be what you will use as the Common Name (see below) in the certificate.

$ sudo vi /etc/hostname

Once done, check the name with:

$ hostname

It should be the new value, in this case domain.com.

2) Now create your private key file. Change to the Apache ssl directory if you want, but do it as root:

$ sudo openssl genrsa -des3 -out domain.com.key 2048

Enter a passphrase to keep it safe.

3) Create a .csr (Certificate Signing Request) file. This is the request that will be sent to the CA (GoDaddy) to verify who you are.

$ sudo openssl req -new -key domain.com.key -out domain.com.csr

Fill in the details with whatever you want. The only important part is the Common Name. This HAS to be the domain name. If you are doing this for a single domain, use “domain.com”; if you are getting a wildcard certificate, use “*.domain.com”. Here is an example:

sudo openssl req -new -key www.domain.com.key -out www.domain.com.csr
Enter pass phrase for www.domain.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Domain
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:domain.com
Email Address []:support@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4) Next you need to get your certificate from your provider (GoDaddy in my case). GoDaddy will ask you for your CSR (Certificate Signing Request) details. This is the file you generated in step 3 above. Get the certificate request to them as follows:

sudo cat domain.com.csr

Go to the web site. Under certificates, click re-key and paste the contents inclusive of the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines.

5) Once issued, you can download your Certificate File (CRT) and their bundle file. They come in a zip file for the particular server you use, in my case Apache2. Download the file locally.

6) Next upload the GoDaddy-supplied cert zip file to your server. Put it in the /etc/apache2/ssl directory and unzip it.

7) Before starting the server, make sure the new certificate lines up with your key’s public identity. The “modulus” in each file needs to match. Check this by comparing the output of these two commands:

sudo openssl rsa -noout -modulus -in domain.com.key

sudo openssl x509 -noout -modulus -in domain.com.crt

The Modulus value output by the two commands needs to be identical!

8) Remove the passphrase from the private key. This is required so that the server can restart without you having to type in the passphrase each time.

sudo cp domain.com.key domain.com.pass.key

sudo openssl rsa -in domain.com.pass.key -out domain.com.key

9) Change the permissions on all these files now (in the /etc/apache2/ssl directory) to secure them:

sudo chmod 400 *
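Steps 1, 7 and 9 can be checked in one go before the server is started. The script below is an added example, not part of the original post; it assumes the passphrase has already been removed from the key (step 8, otherwise openssl prompts for it) and that the key file, certificate file and expected host name are passed on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): verify a key/certificate pair
# before Apache is started. Three checks from the steps above:
#   - the RSA modulus of key and certificate are identical (step 7),
#   - the certificate's Common Name is the host name (steps 1 and 3),
#   - the key file is readable by its owner only (step 9, chmod 400).
# Assumes the key has no passphrase (step 8); an encrypted key would prompt.
#
# Usage: check_cert_pair KEYFILE CERTFILE EXPECTED_CN   (exit 0 = all OK)
check_cert_pair() {
    key=$1; crt=$2; want_cn=$3; rc=0

    # Step 7: both moduli as "Modulus=<hex>"; an unreadable file yields "".
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || key_mod=
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || crt_mod=
    if [ -z "$key_mod" ] || [ "$key_mod" != "$crt_mod" ]; then
        echo "FAIL: modulus of $key and $crt differ; the key does not belong to this certificate"
        rc=1
    fi

    # Steps 1 and 3: pull the CN out of the subject (RFC2253 gives "CN=name,...").
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: certificate Common Name is '$cn', expected '$want_cn'"
        rc=1
    fi

    # Step 9: the group and other permission bits must all be clear.
    mode=$(ls -l "$key" 2>/dev/null | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $key is readable by group/other; run chmod 400 on it"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $key and $crt match and the CN is $want_cn"
    return "$rc"
}

# Run as a script: ./check_cert_pair.sh domain.com.key domain.com.crt domain.com
if [ $# -eq 3 ]; then
    check_cert_pair "$1" "$2" "$3"
fi
```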

10) Edit the /etc/apache2/sites-enabled/ssl file and change the following:

SSLEngine On
SSLCertificateKeyFile /etc/apache2/ssl/domain.com.key
SSLCertificateFile /etc/apache2/ssl/domain.com.crt
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt

11) Restart your server and check the error log files:

sudo /etc/init.d/apache2 restart; tail -20 /var/log/apache2/error.log

If all went well the server should start without any problems.

Apache2 Website and mod_proxy_ajp

Part 2 of the Apache2/mod_proxy_ajp is not about the ajp part at all...

configure a http

Apache2 Tomcat and mod_proxy_ajp

mod_jk is the old way of doing it, so now with Apache 2.2 mod_proxy_ajp and balancing is the way to go. A few things to configure:

Load the mod_proxy_ajp module and the balancer module:

sudo a2enmod proxy_ajp

sudo a2enmod proxy_balancer

Because we are dealing with a proxy, edit the /etc/apache2/mods-enabled/proxy.conf file. By default it is restrictive and denies everything. Change the <Proxy *> block so that clients from any host may reach the proxied paths:

<IfModule mod_proxy.c>
# turning ProxyRequests on and allowing proxying from all may allow
# spammers to use your proxy to send email.

ProxyRequests Off

<Proxy *>
AddDefaultCharset off
Order deny,allow
#Deny from all
#Allow from .example.com
Allow from all
</Proxy>

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block

ProxyVia On
</IfModule>

NB. Note the warning about ProxyRequests! Leave it Off. It is only used for forward proxies, not for reverse proxies such as this one.

Now configure /etc/apache2/httpd.conf. Here we want to set up a load balancer, even if we only have one server, because it lets us add more servers in the future. Specifically we want to set up the Tomcat server using the ajp protocol. The change is that instead of using mod_jk and communicating over http, we now talk ajp directly to Tomcat.

<Proxy balancer://backtcserver>
BalancerMember ajp://localhost:8009/some_app
</Proxy>
ProxyPass /some_app  balancer://backtcserver/

BalancerMember entries are the servers that make up the pool. If you have two servers, add the second one here and Apache will balance the requests between the two. There are lots of parameters controlling how this is done, so see the Apache site for details.

The config above sends all requests to “/some_app” to the balancer, which in turn sends them to localhost:8009/some_app.

GOTCHAs

Two errors I encountered while figuring this out:

403 Forbidden – you have not changed the permissions in the proxy.conf file.

404 Not found – the ajp:// URL is not set correctly to find the served file.

“some_app” needs to be on the URL and on the ProxyPass (this caused issues with Flex).

Simple as 😉

PS.

Apache uses this concept of “available” and “enabled”: if you check the /etc/apache2 directory you will see this for sites and for modules. It creates links in the enabled directory for what you use from the available directory. a2enmod creates a link and a2dismod removes it.

2010/08/18 Update: Don’t forget to enable the AJP connector on port 8009 in Tomcat’s server.xml file. It is commented out by default.

Apache 2.2

OK, a few things to get through here, so I will split this up into chunks.

Firstly I need to get my head around all the pieces that need to be configured.

/etc/apache2 has a few files and directories, where all the config is kept.

/etc/apache2# ls -l
total 76
-rw-r--r-- 1 root root 10105 2009-09-23 05:20 apache2.conf
drwxr-xr-x 2 root root  4096 2009-09-11 00:59 conf.d
-rw-r--r-- 1 root root   378 2009-08-18 14:24 envvars
-rw-r--r-- 1 root root   923 2009-09-23 05:20 httpd.conf
drwxr-xr-x 2 root root  4096 2009-09-11 06:44 mods-available
drwxr-xr-x 2 root root  4096 2009-09-11 06:44 mods-enabled
-rw-r--r-- 1 root root   513 2009-08-18 14:24 ports.conf
drwxr-xr-x 2 root root  4096 2009-09-17 06:24 sites-available
drwxr-xr-x 2 root root  4096 2009-09-17 06:24 sites-enabled
drwxr-xr-x 2 root root  4096 2009-09-17 06:37 ssl
-rw-r--r-- 1 root root   174 2009-09-11 07:48 workers.properties

The first thing to do is to always put your configs in httpd.conf and not directly into apache2.conf. The latter references httpd.conf anyway.

/etc/init.d/apache2 restart

is used to make the changes effective.

Rest to follow...

Setting up Apache

OK, so now to set up Apache with SSL.

Taken from https://help.ubuntu.com/community/forum/server/apache2/SSL

sudo apt-get install apache2

Create a Certificate

sudo apt-get install ssl-cert

sudo mkdir /etc/apache2/ssl

sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

(Answer questions)

Install Module

The mod_ssl module adds an important feature to the Apache2 server – the ability to encrypt communications. When your browser is communicating using SSL encryption, the https:// prefix appears at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.

sudo a2enmod ssl
sudo /etc/init.d/apache2 force-reload

Create virtualhost

Make a copy of the default virtualhost

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

Modify it so it looks something like this:

sudo nano -w /etc/apache2/sites-available/ssl

NameVirtualHost *:443
<virtualhost *:443>
ServerAdmin webmaster@localhost

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

DocumentRoot /var/www/
<directory />
Options FollowSymLinks
AllowOverride None
</directory>

<directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
# Commented out for Ubuntu
#RedirectMatch ^/$ /apache2-default/
</directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined
ServerSignature On

Alias /doc/ "/usr/share/doc/"
<directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</directory>

</virtualhost>

Enable SSL virtualhost

sudo a2ensite ssl
sudo /etc/init.d/apache2 reload

Don’t forget to modify:

sudo nano -w /etc/apache2/sites-available/default

NameVirtualHost *:80
<virtualhost *:80>

[2010-08-10] This is not required. NameVirtualHost is already set up in ports.conf. This kept giving an error when restarting the server:

[warn] NameVirtualHost *:80 has no VirtualHosts

Restart Apache server

sudo /etc/init.d/apache2 restart

Tried it and it kicks out a cert exception, so just accept that and you’re done. Now to set up Tomcat to work with this.