Difference between revisions of "Secure App Access"

From Amahi Wiki
 
(33 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
{{MessageBox|
 
{{MessageBox|
backgroundcolor = red|
+
backgroundcolor = #faa|
 
image =Warning.png|
 
image =Warning.png|
 
heading =WARNING|
 
heading =WARNING|
 
message = This is recommended only for advanced users, proceed with caution.}}
 
message = This is recommended only for advanced users, proceed with caution.}}
This is an example of how to force an app access via https.  For this example, AjaXplorer will be used but this will work with any app.
+
= Amahi 6 =
 +
This is an example of how to force web app access via HTTPS.  For this example, AjaXplorer will be used but this will work with any web app.
  
* Go to you config file for apache:
+
* Go to your config file for apache:
{{Code|cd /etc/httpd/conf}}
+
cd /etc/httpd/conf
 
* Now it is time to create a key and a crt.  It will ask you a few questions, just make sure that the '''Common Name''' is the domain name:
 
* Now it is time to create a key and a crt.  It will ask you a few questions, just make sure that the '''Common Name''' is the domain name:
{{code|openssl genrsa -out filename.key 1024
+
openssl genrsa -out filename.key 1024
openssl req -new -key filename.key -x509 -days 1000 -out filename.crt}}
+
openssl req -new -key filename.key -x509 -days 1000 -out filename.crt
* Next open up httpd.conf with you favorite editor and add the following to the end:
+
* Next open up '''/etc/httpd/conf/httpd.conf''' and add the following to the end (skip if you implemented [[Access HDA over SSL]]):
{{Text|NameVirtualHost *:443}}
+
NameVirtualHost *:443
* Open terminal and do (needed by apache to make this work):
+
* Open terminal and do (skip if you implemented [[Access HDA over SSL]]):
{{Code|yum -y install mod_ssl}}
+
yum -y install mod_ssl
* Find the file that has ajaxplorer in its name:
+
* Find the file that has ajaxplorer in its name (i.e. '''1026-ajaxplorer.conf'''):
{{Code|cd /etc/httpd/conf.d/}} 
+
cd /etc/httpd/conf.d
* Edit it to like this:
+
* Edit it to like this (change username.yourhda.com):
{{Code|<pre>
+
<pre><VirtualHost *:443>
    <VirtualHost *:443>
 
 
         ServerName ajaxplorer
 
         ServerName ajaxplorer
 
         ServerAlias username.yourhda.com
 
         ServerAlias username.yourhda.com
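Review bot: The added line `openssl genrsa -out filename.key 1024` still creates a 1024-bit RSA key, which is shorter than the 2048-bit minimum that current guidance and recent TLS stacks expect. Suggest `openssl genrsa -out filename.key 2048`. Since the key is written into /etc/httpd/conf, also add a step that restricts it to root (for example `chmod 600 filename.key`).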
Line 36: Line 36:
 
         </Directory>
 
         </Directory>
  
     </VirtualHost>
+
     </VirtualHost></pre>
</pre>}}
+
Finally create a file called '''1026-ajaxplorerhttp.conf''' (number may be different for you) and add this code (change username.hda.com):
Finaly create a file called 1026-ajaxplorerhttp.conf (note that the number may change for you) and put in this (also change things like the website name and etc):
+
<pre><VirtualHost *:80>
{{Code|<pre>
+
         ServerName ajaxplorer
    <VirtualHost *:80>
+
        ServerAlias username.yourhda.com
         ServerName username.yourhda.com
 
 
         RewriteEngine On
 
         RewriteEngine On
 
         RewriteCond  %{SERVER_PORT} !^443$
 
         RewriteCond  %{SERVER_PORT} !^443$
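Review bot: The new instruction for 1026-ajaxplorerhttp.conf says "change username.hda.com", but the block that follows uses `ServerAlias username.yourhda.com`, so a reader searching for the stated placeholder will not find it; use `username.yourhda.com` in both places. Inside a `<VirtualHost *:80>` block the `RewriteCond %{SERVER_PORT} !^443$` test is always true, so it can be dropped or explained.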
Line 50: Line 49:
 
         AddOutputFilterByType DEFLATE text/html text/plain text/xml
 
         AddOutputFilterByType DEFLATE text/html text/plain text/xml
  
     </VirtualHost>
+
     </VirtualHost></pre>
</pre>}}
+
* Now you need to restart apache:
 +
service httpd restart
 +
* And that's all, you now have 128 bit encryption for AjaXplorer.  Note that when you uninstall the app, you will need to manually remove the '''1026-ajaxplorerhttp.conf''' file you created.
 +
 
 +
= Amahi 7  =
 +
These instructions are for advanced users that wish to set up https access to apps on Amahi 7 (Fedora 19).  Use at your own risk.
 +
 
 +
== Set up certificates ==
 +
As a root user, run:
 +
<pre>yum install -y openssl mod_ssl
 +
cd /etc/pki/tls/certs
 +
make server.key</pre>
 +
You should get prompts to enter and confirm a passphrase.  Now we want to remove the passphrase from the private key:
 +
<pre>openssl rsa -in server.key -out server.key </pre>
 +
You'll be prompted to add the passphrase again to confirm.  Now we make a certificate server request file
 +
<pre>make server.csr</pre>
 +
You'll now enter the information that will appear on the certificate request.  Make sure that the "Common Name" matches your server domain.
 +
Once you've entered these, you want to generate your private key:
 +
<pre>openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650</pre>
 +
You should get a message saying Signature ok, with the details for the certificate that you just entered, followed by "Getting private key".
 +
 
 +
== Modify httpd==
 +
Still as root, edit /etc/httpd/conf.d/ssl.conf as follows:
 +
<pre>#Line 59: uncomment
 +
DocumentRoot "/var/www/html"
 +
 
 +
#Line 60: uncomment and specify server name (use your server name)
 +
ServerName www.exampleserver.com:443
  
* Now you need to restart apache:
+
#Line 100: specify certificate
{{Code|service httpd restart}}
+
SSLCertificateFile /etc/pki/tls/certs/server.crt
 +
 
 +
#Line 107: specify certification key
 +
SSLCertificateKeyFile /etc/pki/tls/certs/server.key</pre>
 +
 
 +
== Configure apps==
 +
Go to /etc/httpd/conf.d and edit the conf file for the app you want to move to ssl.  For this example I will use owncloud.  On my HDA the owncloud conf was 1005-owncould8.conf; the number may differ for you.  Remember to back up the original in case you make an error.
 +
<pre>cd /etc/httpd/conf.d
 +
ls -l #check the filename of the relevant conf file.
 +
cp 1005-owncloud8.conf 1006-owncloud8.conf.old
 +
vi 1005-owncloud.conf</pre>
 +
Edit your file to change the virtualhost to port 443, and turn on SSL encryption.  Your files should look something like the following, with appropriate edits to suit your internal and external server names:
 +
<pre><VirtualHost *:443>
 +
 
 +
        ServerName owncloud8
 +
        ServerAlias owncloud8.home.com
 +
        ServerAlias owncloud8.exampleserver.com
 +
 
 +
        SSLEngine On
 +
        SSLCertificateFile /etc/pki/tls/certs/server.crt
 +
        SSLCertificateKeyFile /etc/pki/tls/certs/server.key
 +
 
 +
        DocumentRoot /var/hda/web-apps/owncloud8/html
 +
 
 +
        <Directory "/var/hda/web-apps/owncloud8/html">
 +
                Options Indexes FollowSymLinks MultiViews
 +
AllowOverride All
 +
Require all granted
 +
        </Directory>
 +
 
 +
        ErrorLog  /var/hda/web-apps/owncloud8/logs/error_log
 +
        CustomLog /var/hda/web-apps/owncloud8/logs/access_log combined env=!dontlog
 +
 
 +
</VirtualHost></pre>
 +
 
 +
Now we need to redirect http requests to the new https instance.  Create a new conf file for the redirect:
 +
vi 1006-owncloud8http.conf (number may be different for you)
 +
and add this code (change the example server to match yours):
 +
<pre><VirtualHost *:80>
 +
        ServerName owncloud8
 +
        ServerAlias owncloud8.home.com
 +
        ServerAlias owncloud8.exampleserver.com
 +
        RewriteEngine On
 +
        RewriteCond  %{SERVER_PORT} !^443$
 +
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
 +
 
 +
        ExpiresDefault "access plus 10 years"
 +
 
 +
        AddOutputFilterByType DEFLATE text/html text/plain text/xml
 +
 
 +
    </VirtualHost></pre>
 +
 
 +
Now you need to restart httpd.  Check that the syntax of your new files is ok before restarting:
 +
httpd -t
 +
If you get an error message, check that the new content in your .conf files matches the information above and make changes as necessary.  Once you get a "Syntax OK" message, run (as root)
 +
systemctl restart httpd.service
 +
 
 +
== Test Access ==
 +
Direct a browser to the app link and you should now get a https link.  Note that your browsers will all give a warning that the certificate is not trusted because it has not been issued by a proper authority. Once you've accepted the warning, you should have an https connection to your app.
  
And that's all, you now have 128 bit encryption for ajaxplorer.
+
= Amahi 8 or greater =
 +
This is untested and not recommended as it may break your HDA.
  
 
= See also =
 
= See also =
 
[[Access HDA over SSL]]
 
[[Access HDA over SSL]]
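Review bot: In the added Amahi 7 "Set up certificates" text, `openssl rsa -in server.key -out server.key` leaves the private key unencrypted on disk and no later step checks or restricts its permissions; add a `chmod 600 server.key` after it. The sentence introducing the `openssl x509 ... -signkey server.key` command says it generates "your private key", but the command writes the self-signed certificate `server.crt`. In "Configure apps" the file names disagree (`1005-owncould8.conf` in the text, a backup named `1006-owncloud8.conf.old`, then `vi 1005-owncloud.conf`); use `1005-owncloud8.conf` consistently.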

Latest revision as of 01:17, 2 September 2016

WARNING
This is recommended only for advanced users, proceed with caution.


Amahi 6

This is an example of how to force web app access via HTTPS. For this example, AjaXplorer will be used but this will work with any web app.

  • Go to your config file for apache:
cd /etc/httpd/conf
  • Now it is time to create a key and a crt. It will ask you a few questions, just make sure that the Common Name is the domain name:
openssl genrsa -out filename.key 2048
openssl req -new -key filename.key -x509 -days 1000 -out filename.crt
  • Next open up /etc/httpd/conf/httpd.conf and add the following to the end (skip if you implemented Access HDA over SSL):
NameVirtualHost *:443
  • Open terminal and do (skip if you implemented Access HDA over SSL):
yum -y install mod_ssl
  • Find the file that has ajaxplorer in its name (i.e. 1026-ajaxplorer.conf):
cd /etc/httpd/conf.d
  • Edit it to look like this (change username.yourhda.com):
<VirtualHost *:443>
        ServerName ajaxplorer
        ServerAlias username.yourhda.com
        SSLEngine On
        SSLCertificateFile /etc/httpd/conf/filename.crt
        SSLCertificateKeyFile /etc/httpd/conf/filename.key

        DocumentRoot /var/hda/web-apps/ajaxplorer/html

        <Directory "/var/hda/web-apps/ajaxplorer/html">
                Options Indexes FollowSymLinks +ExecCGI
                AddHandler fcgid-script .fcg
                AllowOverride AuthConfig
                Order allow,deny
                Allow from all
        </Directory>

</VirtualHost>
  • Finally create a file called 1026-ajaxplorerhttp.conf (number may be different for you) and add this code (change username.yourhda.com):
<VirtualHost *:80>
        ServerName ajaxplorer
        ServerAlias username.yourhda.com
        RewriteEngine On
        RewriteCond  %{SERVER_PORT} !^443$
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

        ExpiresDefault "access plus 10 years"

        AddOutputFilterByType DEFLATE text/html text/plain text/xml

</VirtualHost>
  • Now you need to restart apache:
service httpd restart
  • And that's all, you now have 128 bit encryption for AjaXplorer. Note that when you uninstall the app, you will need to manually remove the 1026-ajaxplorerhttp.conf file you created.

Amahi 7

These instructions are for advanced users who wish to set up HTTPS access to apps on Amahi 7 (Fedora 19). Use at your own risk.

Set up certificates

As a root user, run:

yum install -y openssl mod_ssl
cd /etc/pki/tls/certs 
make server.key

You should get prompts to enter and confirm a passphrase. Now we want to remove the passphrase from the private key:

openssl rsa -in server.key -out server.key 

You'll be prompted to enter the passphrase again to confirm. Now we make a certificate signing request (CSR) file:

make server.csr

You'll now enter the information that will appear on the certificate request. Make sure that the "Common Name" matches your server domain. Once you've entered these, sign the request with your private key to generate the self-signed certificate:

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

You should get a message saying "Signature ok", with the details for the certificate that you just entered, followed by "Getting private key".

Modify httpd

Still as root, edit /etc/httpd/conf.d/ssl.conf as follows:

#Line 59: uncomment
DocumentRoot "/var/www/html"

#Line 60: uncomment and specify server name (use your server name)
ServerName www.exampleserver.com:443

#Line 100: specify certificate
SSLCertificateFile /etc/pki/tls/certs/server.crt

#Line 107: specify certification key
SSLCertificateKeyFile /etc/pki/tls/certs/server.key

Configure apps

Go to /etc/httpd/conf.d and edit the conf file for the app you want to move to SSL. For this example I will use owncloud. On my HDA the owncloud conf was 1005-owncloud8.conf; the number may differ for you. Remember to back up the original in case you make an error.

cd /etc/httpd/conf.d
ls -l #check the filename of the relevant conf file.
cp 1005-owncloud8.conf 1006-owncloud8.conf.old
vi 1005-owncloud8.conf

Edit your file to change the VirtualHost to port 443, and turn on SSL encryption. Your file should look something like the following, with appropriate edits to suit your internal and external server names:

<VirtualHost *:443>

        ServerName owncloud8
        ServerAlias owncloud8.home.com 
        ServerAlias owncloud8.exampleserver.com

        SSLEngine On
        SSLCertificateFile /etc/pki/tls/certs/server.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/server.key

        DocumentRoot /var/hda/web-apps/owncloud8/html

        <Directory "/var/hda/web-apps/owncloud8/html">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Require all granted
        </Directory>

        ErrorLog  /var/hda/web-apps/owncloud8/logs/error_log
        CustomLog /var/hda/web-apps/owncloud8/logs/access_log combined env=!dontlog

</VirtualHost>

Now we need to redirect http requests to the new https instance. Create a new conf file for the redirect:

vi 1006-owncloud8http.conf (number may be different for you)

and add this code (change the example server to match yours):

<VirtualHost *:80>
        ServerName owncloud8
        ServerAlias owncloud8.home.com 
        ServerAlias owncloud8.exampleserver.com
        RewriteEngine On
        RewriteCond  %{SERVER_PORT} !^443$
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

        ExpiresDefault "access plus 10 years"

        AddOutputFilterByType DEFLATE text/html text/plain text/xml

</VirtualHost>

Now you need to restart httpd. Check that the syntax of your new files is ok before restarting:

httpd -t

If you get an error message, check that the new content in your .conf files matches the information above and make changes as necessary. Once you get a "Syntax OK" message, run (as root):

systemctl restart httpd.service

Test Access

Direct a browser to the app link and you should now get an HTTPS link. Note that your browsers will all give a warning that the certificate is not trusted, because it is self-signed and has not been issued by a proper authority. Once you've accepted the warning, you should have an HTTPS connection to your app.
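
httpd -t only checks syntax, so it will not notice a *:443 vhost that lacks SSLEngine On, or an app that has no port 80 vhost redirecting to https. The check below is an added example, not part of the Amahi wiki or Amahi's tooling; the function name lint_vhosts and the trimmed sample files are constructed for illustration.

```shell
# lint_vhosts FILE...: print one finding per line; exit status 1 if any.
lint_vhosts() {
    awk '
    function report(msg) { print msg; bad++ }
    /^[ \t]*#/ { next }                                  # ignore comment lines
    tolower($1) == "<virtualhost" {                      # e.g. <VirtualHost *:443>
        port = $2; sub(/^.*:/, "", port); sub(/>.*$/, "", port)
        name = "(unnamed)"; ssl = crt = key = redir = 0; invh = 1; next
    }
    !invh { next }                                       # only look inside vhosts
    tolower($1) == "servername"            { name = $2 }
    tolower($1) == "sslengine"             { ssl = (tolower($2) == "on") }
    tolower($1) == "sslcertificatefile"    { crt = 1 }
    tolower($1) == "sslcertificatekeyfile" { key = 1 }
    tolower($1) == "rewriterule" && $3 ~ /^https:/ { redir = 1 }
    tolower($1) == "</virtualhost>" {
        invh = 0
        if (port == "443") {
            tls[name] = 1
            if (!ssl)         report(name ": *:443 vhost without SSLEngine On")
            if (!crt || !key) report(name ": *:443 vhost missing certificate or key file")
        } else if (port == "80") {
            plain[name] = 1
            if (!redir) report(name ": *:80 vhost does not redirect to https")
        }
    }
    END {
        for (n in tls) if (!(n in plain)) report(n ": no *:80 vhost redirecting to https")
        exit (bad > 0)
    }' "$@"
}
# Constructed sample files modelled on the owncloud8 example above.
demo=$(mktemp -d)
cat > "$demo/1005-owncloud8.conf" <<'EOF'
<VirtualHost *:443>
        ServerName owncloud8
        SSLEngine On
        SSLCertificateFile /etc/pki/tls/certs/server.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/server.key
</VirtualHost>
EOF
cat > "$demo/1006-owncloud8http.conf" <<'EOF'
<VirtualHost *:80>
        ServerName owncloud8
        RewriteEngine On
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</VirtualHost>
EOF
lint_vhosts "$demo"/*.conf && echo "owncloud8: https vhost and redirect are consistent"
```

On a real HDA, pass the app's two files from /etc/httpd/conf.d instead of the sample files, then run httpd -t as described above.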

Amahi 8 or greater

This is untested and not recommended as it may break your HDA.

See also

Access HDA over SSL