Access HDA over SSL

From Amahi Wiki
Latest revision as of 14:33, 17 July 2019

Here I will discuss accessing your Amahi HDA over SSL. This means that when you go to your home page http://hda, it will automatically be redirected to https://hda.

NOTE: Following this guidance is at your own risk and could break your HDA. This has been tested with Amahi 10, Fedora 25.

Why is this recommended?

Currently you access your Amahi HDA control panel over plain, unencrypted HTTP. This means that anyone sniffing your network can capture the password to your HDA. If your password is compromised, whoever has it can log in to modify your shares or even access SSH (if you have it enabled). So I recommend anyone using SSH to at least have SSL access to their Amahi HDA.

Sag47 00:38, 15 June 2011 (PDT). Updates and clarifications spaceman 15:23, 27 March 2017 (BST). Tamorgen 09:15, 31 Oct 2018 (EST). Made changes for Subject Alternative Name.

NOTE: This may interfere with the Hosting a Website tutorial.

Prerequisites

I assume you already have Fedora 25 installed with Amahi up and running.

Instructions

All commands must be run as the root user.

Back up apache configurations

Before doing anything, be sure to back up your Apache configuration!

(cd /etc/httpd/ && tar -czf apache-backup.tar.gz conf.d/)

This way, if you accidentally screw something up, you can restore the backup and start over.

Install mod_ssl

mod_ssl for Apache2 is required for this functionality. Luckily Fedora makes it easy.

dnf -y install mod_ssl

Generate your own certificates

NOTE: Leaving the defaults for the certificate details (country, organization and so on) will not make your server less secure. If you don't understand what I mean then you should read about public-key cryptography, which is essentially what SSL uses.

As of Chrome version 58, the Chrome browser requires SSL certificates to carry the hostname in a SAN (Subject Alternative Name) and no longer matches it against the Common Name (CN). A certificate with only a CN produces an error within the Security Overview section of the certificate, telling the user that the SAN is missing. A new method of creating the certificate is therefore required.

1. Change directory to /etc/httpd/ and switch to the root user.

cd /etc/httpd/
sudo -s

2. Create a new file createRootCA.sh using vi, nano, or your favorite text editor.

#!/usr/bin/env bash
# Create a private root CA; its certificate is what you will later import into your browsers.
mkdir ~/ssl/
# CA private key. -des3 encrypts it, so you will be prompted to choose a passphrase.
openssl genrsa -des3 -out ~/ssl/rootCA.key 2048
# Self-signed CA certificate, valid for 1024 days. You will be asked for the passphrase and the subject fields.
openssl req -x509 -new -nodes -key ~/ssl/rootCA.key -sha256 -days 1024 -out ~/ssl/rootCA.pem

3. Now create another file createselfsignedcertificate.sh:

#!/usr/bin/env bash
mkdir /etc/httpd/ssl.crt
mkdir /etc/httpd/ssl.key
# Server private key and CSR. The subject comes from server.csr.cnf (step 4), so there are no prompts.
openssl req -new -sha256 -nodes -out /etc/httpd/ssl.crt/server.csr -newkey rsa:2048 -keyout /etc/httpd/ssl.crt/server.key -config /etc/httpd/server.csr.cnf
# Sign the CSR with the root CA, adding the SAN extensions from v3.ext (step 5). Absolute path so the script works from any directory.
openssl x509 -req -in /etc/httpd/ssl.crt/server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out /etc/httpd/ssl.crt/server.crt -days 3650 -sha256 -extfile /etc/httpd/v3.ext

4. Create the configuration file server.csr.cnf.

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=US
ST=Maryland
L=Annapolis
O=Home Administrator
OU=HDA Domain
emailAddress=your-address@your-domain.com
CN = localhost

5. Now create a file called v3.ext holding the X.509 v3 extensions for the server certificate.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
# Every name you will type into the browser must be listed here, each with its own number.
# Replace hostname.yourdomain and yourdomain with your own values.
DNS.1 = localhost
DNS.2 = hostname.yourdomain
DNS.3 = hda
DNS.4 = hda.yourdomain
DNS.5 = cockpit.yourdomain

6. Now it's time to create your certificates. Run createRootCA.sh and follow the prompts.

bash ./createRootCA.sh

Then createselfsignedcertificate.sh

bash ./createselfsignedcertificate.sh

7. Copy your newly created server.key to the ssl.key directory and restrict it so that only root can read it. The copy left behind in ssl.crt is the same private key, so protect or remove it as well.

cp /etc/httpd/ssl.crt/server.key /etc/httpd/ssl.key/server.key
chmod 400 /etc/httpd/ssl.key/server.key

8. Copy your rootCA.pem certificate to a network share so that you can import it into your favorite browser, which eliminates the untrusted-certificate warning.

cd ~/ssl/
cp rootCA.pem /var/hda/files/docs/.

9. Import rootCA.pem into your browser. In Chrome: Settings --> Advanced --> Manage Certificates --> Authorities --> Import. Select your root certificate from a locally accessible location, either directly from the share or after copying it from there.
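The script below is an added example, not code from the Amahi wiki or the Amahi project. It rebuilds steps 2 to 7 in a throwaway directory with constructed hostnames and subject fields, then runs the checks worth doing before pointing Apache at the files: that v3.ext repeats no DNS.n key (OpenSSL keeps one value per key, so a repeated key loses a hostname), that server.crt chains to rootCA.pem, that the SAN lists the name you will browse to, and that server.key is the key the certificate was issued for. It assumes only the openssl command on PATH, and the CA key is left unencrypted so it runs without prompts.

```shell
#!/usr/bin/env bash
# Added example, not Amahi wiki or project code. Rebuilds the CA and the SAN
# server certificate from steps 2-7 in a temporary directory, then runs the
# checks worth doing before pointing Apache at the files. Assumes only the
# openssl CLI on PATH; hostnames and subject fields below are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/server.csr.cnf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
O = Home Administrator
CN = localhost
EOF
cat > "$WORK/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = hda
DNS.3 = hda.example.lan
EOF

# Fails if a DNS.n key is repeated in the file given as $1: OpenSSL keeps one
# value per key, so a repeated key silently loses a hostname from the SAN.
lint_alt_names() {
  dups="$(sed -n 's/^[[:space:]]*\(DNS\.[0-9]*\)[[:space:]]*=.*/\1/p' "$1" | sort | uniq -d)"
  [ -z "$dups" ] || { echo "repeated keys in $1: $dups" >&2; return 1; }
}

# Root CA (key left unencrypted so this runs without prompts), then the server
# key and CSR, signed by that CA with the extensions from v3.ext.
make_certs() {
  openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/rootCA.key" -sha256 -days 1024 \
    -subj "/CN=Home root CA" -out "$WORK/rootCA.pem" 2>/dev/null
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -config "$WORK/server.csr.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/rootCA.pem" \
    -CAkey "$WORK/rootCA.key" -CAcreateserial -out "$WORK/server.crt" \
    -days 3650 -sha256 -extfile "$WORK/v3.ext" 2>/dev/null
  chmod 400 "$WORK/server.key"
}

# Returns 0 only if server.crt chains to rootCA.pem, its SAN lists the name
# given as $1, and its public key is the one belonging to server.key.
check_cert() {
  openssl verify -CAfile "$WORK/rootCA.pem" "$WORK/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -Eq "DNS:$1(,|\$)" || return 1
  crt_pub="$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)"
  key_pub="$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)"
  [ "$crt_pub" = "$key_pub" ]
}

lint_alt_names "$WORK/v3.ext"
make_certs
check_cert hda || { echo "server.crt is not usable for https://hda" >&2; exit 1; }
echo "server.crt chains to rootCA.pem, covers hda and matches server.key"
```

To check the real files instead, point WORK at /etc/httpd and run only the check functions; the lint catches the case where two DNS.2 lines were pasted into v3.ext.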

Modify apache initialization

Modify the Apache initialization to allow SSL virtual hosts, in case you decide you want more than one virtual host to be capable of SSL. (NOTE: Apache reports "NameVirtualHost has no effect and will be removed in the next release" for /etc/httpd/conf.d/00-init.conf:1, so this section can be omitted.)

(cd /etc/httpd/conf.d/ && echo 'NameVirtualHost *:443' >> ./00-init.conf)

Create your HDA SSL virtual host

Now you need your HDA virtual host over SSL. The default configuration is pretty good so let's use that.

cd /etc/httpd/conf.d/
cp 01-platform.conf 01-platform-ssl.conf

You need to modify 01-platform-ssl.conf:

nano 01-platform-ssl.conf

Replace the line <VirtualHost *:80> with the following lines:

<VirtualHost *:443>
SSLEngine on
# The old Apache default cipher string permitted RC4, low-strength and export ciphers; this one excludes them.
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!MD5
SSLCertificateFile /etc/httpd/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key

Leave the rest of the file intact as you found it. This way the server utilizes the SSL certificates you created for yourself.

Create a redirect from HDA to secured HDA

Modify /etc/httpd/conf.d/01-platform.conf:

nano 01-platform.conf

Below the last rewrite rule, just above the <Location /> section, add:

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]

This will automatically redirect requests from http://hda (or http://192.168.1.10) to https://hda (or https://192.168.1.10).

Restart the Apache2 server

Restart your server to apply the changes you've made. If you did everything right you shouldn't receive any warnings when restarting the server.

systemctl restart httpd

Bonus

Fedora 27/Amahi 11 provides Cockpit, a powerful browser-based server administration portal. To eliminate the SSL warning on that page, you need to create a .cert file from the files created earlier in this walkthrough. The .cert file consists of the contents of server.crt followed by the contents of server.key. To create it, run the following commands; they place the file directly in the directory Cockpit reads it from.

cat /etc/httpd/ssl.crt/server.crt > /etc/cockpit/ws-certs.d/01-self-signed.cert
cat /etc/httpd/ssl.crt/server.key >> /etc/cockpit/ws-certs.d/01-self-signed.cert

Finished

Now that you're done go ahead and visit http://hda and watch it turn into https://hda!

Troubleshooting

Apache error

If you get an error when you restart Apache (httpd) about a bad configuration, it is probably because you copied and pasted directly from this wiki. When you copy the code, sometimes a null character is copied along with it, which most text editors do not display.

A way to solve this is to delete and retype the first and last character of each line Apache is complaining about. You can then test your configuration again:

apachectl configtest

If all goes well and you get "Syntax OK" then you can start your Apache server again.

systemctl restart httpd

A configtest result of

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf.d/00-init.conf:1
Syntax OK

is acceptable and will work.

If all things end badly and you can't figure it out, it is possible to restart this tutorial from scratch.

How do I start over?

Run the following command sequence.

dnf -y erase mod_ssl
rm -rf /etc/httpd/ssl.crt
rm -rf /etc/httpd/ssl.key
(cd /etc/httpd/conf.d/ && rm -f *-ssl.conf)
(cd /etc/httpd/ && tar -xzf apache-backup.tar.gz)
systemctl restart httpd

Then you can start the instructions again from step one.

See also

Secure App Access
Access Joomla over HTTPS