Difference between revisions of "Access HDA over SSL"
Line 73: | Line 73: | ||
= Finished = | = Finished = | ||
Now that you're done go ahead and visit http://hda and watch it turn into https://hda! Understand that the certificates you generated have not been verified by a certificate authority so you'll need to confirm a security exception. | Now that you're done go ahead and visit http://hda and watch it turn into https://hda! Understand that the certificates you generated have not been verified by a certificate authority so you'll need to confirm a security exception. | ||
+ | |||
+ | = Troubleshooting = | ||
+ | |||
+ | == Apache error == | ||
+ | If you get an error when your restart Apache (httpd) about a bad configuration the it is probably because you directly copy and pasted from this wiki. When you copy the code then a null character is also copied which is hidden to most text editors. | ||
+ | |||
+ | A way to solve this is to delete and retype the first an last character of each line which Apache is complaining about. You can then test your configuration again. | ||
+ | {{Code|service httpd configtest}} | ||
+ | |||
+ | If all goes well and you get "Syntax OK" then you can start your Apache server again. | ||
+ | {{Code|service httpd start}} | ||
+ | |||
+ | == How do I start over? == | ||
+ | Run the following command sequence. | ||
+ | {{Code| | ||
+ | yum -y remove mod_ssl | ||
+ | rm -rf /etc/httpd/ssl.crt | ||
+ | rm -rf /etc/httpd/ssl.key | ||
+ | cd /etc/httpd/conf.d/ | ||
+ | echo 'NameVirtualHost *:80' > 00-init.conf | ||
+ | rm -f *-ssl.conf | ||
+ | }} | ||
+ | Then you can start the instructions again from step one. | ||
= See also = | = See also = | ||
[[Secure App Access]]<br /> | [[Secure App Access]]<br /> | ||
[[Access Joomla over HTTPS]] | [[Access Joomla over HTTPS]] |
Revision as of 07:19, 6 August 2011
WARNING | |
---|---|
This is recommended only for advanced users, proceed with caution. |
Here I will discuss accessing your Amahi HDA over SSL. This means that you will go to your home page http://hda and it will automatically convert to https://hda.
Contents
Why is this recommended?
Currently you access your Amahi HDA control panel unsecured. This means that anyone sniffing your network can get the password to your HDA. If your password is compromised then this means they can log in to possibly modify your shares or even access SSH (if you have it enabled). So I recommend anyone using SSH to at least have SSL access to their Amahi HDA.
Sag47 00:38, 15 June 2011 (PDT)
Prerequisites
I assume you already have Fedora 14 installed with Amahi up and running.
I have ran through the instructions here on Fedora 12 and everything works.
Guerilla 13:31, 16 June 2011 (GMT)
Instructions
Install mod_ssl
mod_ssl for Apache2 is required for this functionality. Luckily Fedora makes it easy.
bash code |
---|
yum -y install mod_ssl
|
Generate your own certificates
NOTE: Leaving defaults will not make your server less secure. Make sure that you change "asecretpassword" in the commands below to something else. Otherwise any commands which don't have "asecretpassword" in it can be copied and pasted. This has to do with the challenge password for the private key. If you don't understand what I mean then you should read about public-key cryptography which is essentially what SSL uses.
bash code |
---|
mkdir /etc/httpd/ssl.crt openssl genrsa -des3 -passout pass:asecretpassword -out /etc/httpd/ssl.crt/server.key.org 1024 openssl req -new -passin pass:asecretpassword -passout pass:asecretpassword -key /etc/httpd/ssl.crt/server.key.org -out /etc/httpd/ssl.crt/server.csr -days 3650 openssl req -x509 -passin pass:asecretpassword -passout pass:asecretpassword -key /etc/httpd/ssl.crt/server.key.org -in /etc/httpd/ssl.crt/server.csr -out /etc/httpd/ssl.crt/server.crt -days 3650 openssl rsa -passin pass:asecretpassword -in /etc/httpd/ssl.crt/server.key.org -out /etc/httpd/ssl.crt/server.key mkdir /etc/httpd/ssl.key mv /etc/httpd/ssl.crt/server.key /etc/httpd/ssl.key/server.key chmod 400 /etc/httpd/ssl.key/server.key
|
Edit ssl.conf
Edit the current /etc/httpd/conf.d/ssl.conf and change the following lines to match the code below.
Text |
---|
SSLCertificateFile /etc/httpd/ssl.crt/server.crt SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
|
Modify apache initialization
Modify the apache initialization for allowing SSL virtual hosts. Just in case you decide you want more than one virtual host to be capable of SSL.
bash code |
---|
(cd /etc/httpd/conf.d/ && echo 'NameVirtualHost *:443' >> ./00-init.conf)
|
Create your HDA SSL virtual host
Now you need your HDA virtual host over SSL. The default configuration is pretty good so let's use that.
bash code |
---|
cd /etc/httpd/conf.d/ cp 01-platform.conf 01-platform-ssl.conf
|
You need to modify 01-platform-ssl.conf and replace the line with "<VirtualHost *:80>" to the following lines...
Text |
---|
<VirtualHost *:443> SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /etc/httpd/ssl.crt/server.crt SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
|
Leave the rest of the file intact as you found it. This way the server utilizes the SSL certificates you created for yourself.
Create a redirect from HDA to secured HDA
Modify /etc/httpd/conf.d/01-platform.conf and go down to the rewrite rules. Below the last rewrite rule just before the line "# this was only for FCGI" put the following code.
Text |
---|
RewriteCond %{HTTPS} !=on RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
|
Restart the Apache2 server
Restart your server to apply the changes you've made. If you did everything right you shouldn't receive any warnings when restarting the server.
bash code |
---|
service httpd restart
|
Finished
Now that you're done go ahead and visit http://hda and watch it turn into https://hda! Understand that the certificates you generated have not been verified by a certificate authority so you'll need to confirm a security exception.
Troubleshooting
Apache error
If you get an error when your restart Apache (httpd) about a bad configuration the it is probably because you directly copy and pasted from this wiki. When you copy the code then a null character is also copied which is hidden to most text editors.
A way to solve this is to delete and retype the first an last character of each line which Apache is complaining about. You can then test your configuration again.
bash code |
---|
service httpd configtest
|
If all goes well and you get "Syntax OK" then you can start your Apache server again.
bash code |
---|
service httpd start
|
How do I start over?
Run the following command sequence.
bash code |
---|
yum -y remove mod_ssl rm -rf /etc/httpd/ssl.crt rm -rf /etc/httpd/ssl.key cd /etc/httpd/conf.d/ echo 'NameVirtualHost *:80' > 00-init.conf rm -f *-ssl.conf
|
Then you can start the instructions again from step one.