Difference between revisions of "Access HDA over SSL"
Line 113: | Line 113: | ||
If all goes well and you get "'''Syntax OK'''" then you can start your Apache server again. | If all goes well and you get "'''Syntax OK'''" then you can start your Apache server again. | ||
systemctl restart httpd | systemctl restart httpd | ||
− | {{META_BOX_Green||AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf.d/00-init.conf:1 | + | |
+ | {{META_BOX_Green||AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf.d/00-init.conf:1<br> | ||
Syntax OK}} | Syntax OK}} | ||
is acceptable and will work. | is acceptable and will work. |
Revision as of 14:20, 27 March 2017
Here I will discuss accessing your Amahi HDA over SSL. This means that you will go to your home page http://hda and it will automatically convert to https://hda.
NOTE: Following this guidance is at your own risk and could break your HDA. This has been tested with Amahi 10, Fedora 25 which is still in development.
Contents
Why is this recommended?
Currently you access your Amahi HDA control panel unsecured. This means that anyone sniffing your network can get the password to your HDA. If your password is compromised then this means they can log in to possibly modify your shares or even access SSH (if you have it enabled). So I recommend anyone using SSH to at least have SSL access to their Amahi HDA.
Sag47 00:38, 15 June 2011 (PDT)
NOTE: This may interfere with Hosting a Website tutorial.
Prerequisites
I assume you already have Fedora 23 installed with Amahi up and running.
Instructions
All commands must be run as root user.
Back up apache configurations
Before doing anything be sure to back up your apache configurations!
(cd /etc/httpd/ && tar -czf apache-backup.tar.gz conf.d/)
This way if you accidentally screw something up we can start over.
Install mod_ssl
mod_ssl for Apache2 is required for this functionality. Luckily Fedora makes it easy.
dnf -y install mod_ssl
Generate your own certificates
NOTE: Leaving defaults will not make your server less secure. Make sure that you change "asecretpassword" in the commands below to something else. Otherwise any commands which don't have "asecretpassword" in it can be copied and pasted. This has to do with the challenge password for the private key. If you don't understand what I mean then you should read about public-key cryptography which is essentially what SSL uses.
1. Create a sub-folder of /etc/httpd/ called ssl.crt
mkdir /etc/httpd/ssl.crt
2. Generate a new Secure key file, called server.key.org, and output the file to /etc/httpd/ssl.crt (our newly created folder) **REMEMBER TO CHANGE "asecretpassword" TO A PASSWORD OF YOUR CHOICE**.
openssl genrsa -des3 -passout pass:asecretpassword -out /etc/httpd/ssl.crt/server.key.org 1024
The output should look something like:
3. Create server.crt and server.csr from our newly self-generated key (server.key.org):
openssl req -new -passin pass:asecretpassword -passout pass:asecretpassword -key /etc/httpd/ssl.crt/server.key.org -out /etc/httpd/ssl.crt/server.csr -days 3650 openssl req -x509 -passin pass:asecretpassword -passout pass:asecretpassword -key /etc/httpd/ssl.crt/server.key.org -in /etc/httpd/ssl.crt/server.csr -out /etc/httpd/ssl.crt/server.crt -days 3650
The output of these files will look something like:
You should make entries at each stage in the second section (after Country Name...).
4. Create a thrid file, server.key, from from our self-generated key (server.key.org):
openssl rsa -passin pass:asecretpassword -in /etc/httpd/ssl.crt/server.key.org -out /etc/httpd/ssl.crt/server.key
5. Create another sub-folder of /etc/httpd/ called ssl.key, and move our newly created server.key to this folder.
mkdir /etc/httpd/ssl.key mv /etc/httpd/ssl.crt/server.key /etc/httpd/ssl.key/server.key chmod 400 /etc/httpd/ssl.key/server.key
Modify apache initialization
Modify the apache initialization for allowing SSL virtual hosts. Just in case you decide you want more than one virtual host to be capable of SSL. (NOTE: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf.d/00-init.conf:1; this section can be ommited).
(cd /etc/httpd/conf.d/ && echo 'NameVirtualHost *:443' >> ./00-init.conf)
Create your HDA SSL virtual host
Now you need your HDA virtual host over SSL. The default configuration is pretty good so let's use that.
cd /etc/httpd/conf.d/ cp 01-platform.conf 01-platform-ssl.conf
You need to modify 01-platform-ssl.conf
<nowiki>nano 01-platfrom-ssl.conf
...replace the line "<VirtualHost *:80>" with the following lines...
<VirtualHost *:443> SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /etc/httpd/ssl.crt/server.crt SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
Leave the rest of the file intact as you found it. This way the server utilizes the SSL certificates you created for yourself.
Create a redirect from HDA to secured HDA
Modify /etc/httpd/conf.d/01-platform.conf
nano 01-platform.conf
Below the last rewrite rule, just above the <location /> section, add:
RewriteCond %{HTTPS} !=on RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
This will automatically redirect requests from http://hda ((http://192.168.1.10) to https://hda (https://192.168.1.10)...
Restart the Apache2 server
Restart your server to apply the changes you've made. If you did everything right you shouldn't receive any warnings when restarting the server.
systemctl restart httpd
Finished
Now that you're done go ahead and visit http://hda and watch it turn into https://hda! Understand that the certificates you generated have not been verified by a certificate authority so you'll need to confirm a security exception.
Troubleshooting
Apache error
If you get an error when you restart Apache (httpd) about a bad configuration then it is probably because you directly copied and pasted from this wiki. When you copy the code then sometimes a null character is also copied which is hidden to most text editors.
A way to solve this is to delete and retype the first an last character of each line which Apache is complaining about. You can then test your configuration again.
service httpd configtest
If all goes well and you get "Syntax OK" then you can start your Apache server again.
systemctl restart httpd
is acceptable and will work.
If all things end badly and you can't figure it out then it is possible to restart this tutorial from scratch. Just start it over.
How do I start over?
Run the following command sequence.
dnf -y erase mod_ssl rm -rf /etc/httpd/ssl.crt rm -rf /etc/httpd/ssl.key (cd /etc/httpd/conf.d/ && rm -f *-ssl.conf) (cd /etc/httpd/ && tar -xzf apache-backup.tar.gz) systemctl restart httpd
Then you can start the instructions again from step one.