Changes between Version 2 and Version 3 of secureweb

Timestamp:

Nov 23, 2016, 5:28:33 PM (8 years ago)

Author:

admin

Comment:

--

secureweb

@@ -97 +97 @@
 == Enabling Virtual Hosts ==
 
-Before we go further test your domain names are correctly resolving to the same server IP address by issuing Ubuntu dig commands.
-{{{
-dig @192.248.1.161 web1.’yourdomain’.ws.learn.ac.lk
-dig @192.248.1.161 web2.’yourdomain’.ws.learn.ac.lk
-}}}
-Next, create two directories on /var/www/ to host two separate web sites.
+Create two directories on /var/www/ to host two separate web sites.
 {{{
 sudo mkdir /var/www/web1
@@ -156 +151 @@
 sudo a2ensite web2.conf
 }}}
-Now restart the apache and check your browsers for following and see how three websites are hosted in one server.
+Now restart the apache. 
+
+Do a nslookup for www.yourdomain.ws.learn.ac.lkand find the IP Addressof yourweb server and edit your pc host file and include following.(assume your IP is 192.248.X.X)
+{{{
+192.248.X.Xweb1.yourdomain.ws.learn.ac.lk
+192.248.X.Xweb2.yourdomain.ws.learn.ac.lk
+}}}
+'''Note''': 
+For Linux:host file is /etc/host , edit with  nano as sudo.[[br]]
+For Windows:host file is %SystemRoot%\System32\drivers\etc\hosts, open with Notepad in Run As Admin mode.
+
+and restart your pc’s....
+
+check your browsers for following and see how three websites are hosted in one server.
 
 http://www.yourdomain.ws.learn.ac.lk [[br]]
@@ -214 +222 @@
 ServerSignature Off
 ServerTokens Prod
+TraceEnable Off
 }}}
 
@@ -286 +295 @@
 }}}
 Now restart apache and browse to the newly created directory from your browser and check what is changed.
+
+== Enabling HTTPS with self-signed certificates ==
+Create self-signedCertificates on to a directory '''/etc/sslusing opensslsudo openssl''' 
+{{{
+req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache_prv.key -out /etc/ssl/certs/apache_crt.crt
+}}}
+You will be asked series of questions, answer them carefully
+{{{
+Country Name (2 letter code) [AU]:LK
+State or Province Name (full name) [Some-State]:Kandy
+Locality Name (eg, city) []:Peradeniya
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourInst
+Organizational Unit Name (eg, section) []:IT Team
+Common Name (e.g. server FQDN orYOUR name) []:www.yourdomain.ws.learn.ac.lk
+Email Address []:info@yourdomain.ws.learn.ac.lk
+}}}
+Once finished, it will create two files in /etc/ssl. Next create another apacheconfig fileas web1-ssl.conf and include
+{{{
+<IfModule mod_ssl.c>
+    <VirtualHost _default_:443>S
+         erverAdmin admin@yourdomain.ws.learn.ac.lk
+         ServerName web1.yourdomain.ws.learn.ac.lk
+         DocumentRoot /var/www/web1
+         <Directory /var/www/web1>
+                  Require all granted
+         </Directory>
+         ErrorLog ${APACHE_LOG_DIR}/error.log
+         CustomLog ${APACHE_LOG_DIR}/access.log 
+         combinedSSLEngine on
+         SSLCertificateFile      /etc/ssl/certs/apache_crt.crt
+         SSLCertificateKeyFile /etc/ssl/private/apache_prv.key
+         <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                  SSLOptions +StdEnvVars
+         </FilesMatch>
+         <Directory /usr/lib/cgi-bin>
+                  SSLOptions +StdEnvVars
+         </Directory>
+         </VirtualHost>
+</IfModule>
+}}}
+Now enable this site by
+{{{
+sudo a2enmod ssl
+sudo a2ensiteweb1-ssl.conf
+}}}
+Try browsing https://web1.yourdomain.ws.learn.ac.lk, you will be warned about the untrusted connection as it is a self-signed authentication.
+
+== Something Useful ==
+
+Also as a best practice it is better to disable port 80 or plain HTTP traffic to your server. But if your directly disable Port 80 and allow only 443 then we have to manually type “https://” before your exact url in browsers. Therefore, better to redirect all HTTP traffic to port443 from your server configuration without disabling. So to do that we need to put a redirect in each virtual host conf. files. 
+
+Edit port 80 virtual host configuration files and add these in bottom just before the line </VirtualHost>
+{{{
+RewriteEngine on
+RewriteCond %{SERVER_NAME} = www.yourdomain.ws.learn.ac.lk
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+</VirtualHost>
+}}}
+Then enable mod-rewrite in apache and restart..
+{{{
+sudo a2enmod rewrite
+sudo systemctl reload apache2
+}}}
+Now test your configuration by browsing to http://www.yourdomain.ws.learn.ac.lk and see how it redirects
+== http2 ==
+HTTP/2 support is included in Apache 2.4.17 and upwards. Enable HTTP/2 module by executing,
+{{{
+sudo a2enmod http2
+}}}
+then add below to each individual ssl virtual host files to enable respectively.
+{{{
+Protocols h2 http/1.1
+}}}
+To enable http/2 globally you can add following to the apache.conf
+{{{
+Protocols h2 h2c http/1.1
+}}}
+Once those lines are added restart apache and visit https://tools.keycdn.com/http2-test to check http2 configuration.
+
+== Enable ufw(Ubuntu Firewall) ==
+Before enabling ufw we must allow all outdoing and deny all incoming traffic as default. Also allowing ssh will be a must.
+{{{
+sudo ufw default allow outgoing
+sudo ufw default deny incoming
+sudo ufw allow ssh
+}}}
+Then enable ufw,
+{{{
+sudo ufw enable
+}}}
+Press y when asked:
+{{{
+Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
+Firewall is active and enabled on system startup
+}}}
+and try to access your server from browser.
+
+To enable port 80 and 443 we need,
+{{{
+sudo ufw allow 80/tcp
+sudo ufw allow 443/tcp
+}}}
+Check UFW status by
+{{{
+sudo ufw status
+sudo ufw status verbose
+
+=== Troubleshoot ===
+{{{
+systemctl status apache2.service
+journalctl –xe
+}}}
+Log files:
+{{{
+tail –f /var/log/syslog
+tail –f /var/log/apache2/access.log
+tail –f /var/log/apache2/error.log
+}}}
+
 == HTTPS configuration using Let’s Encrypt ==
+Following are some additional stuff for you to try at your own institute with your own webserver and public IP addresses.
+
+Prerequisites:To deploy Let’sEncrypt ssl certificates you must have public DNS and reachability from Internet
+
 Install letsencrypt client on the server
 {{{
@@ -319 +451 @@
 }}}
 Above command will execute “/usr/bin/letsencrypt renew” on 25 th day in every two months and will write the output to a file called “/var/log/le-renew.log”
-Also as a best practice it is better to disable port 80 or plain HTTP traffic to your server. But if your directly disable Port 80 and allow only 443 then we have to manually type “https://” before your exact url in browsers. Therefore, better to redirect all HTTP traffic to port443 from your server configuration without disabling. So to do that we need to put a redirect in each virtual host conf. files. 
-
-Edit port 80 virtual host configuration files and add these in bottom just before the line </VirtualHost>
-{{{
-RewriteEngine on
-RewriteCond %{SERVER_NAME} = www.yourdomain.ws.learn.ac.lk
-RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
-</VirtualHost>
-}}}
-Then enable mod-rewrite in apache and restart..
-{{{
-sudo a2enmod rewrite
-sudo systemctl reload apache2
-}}}
-Now test your configuration by browsing to http://www.yourdomain.ws.learn.ac.lk and see how it redirects
-== http2 ==
-HTTP/2 support is included in Apache 2.4.17 and upwards. Enable HTTP/2 module by executing,
-{{{
-sudo a2enmod http2
-}}}
-then add below to each individual ssl virtual host files to enable respectively.
-{{{
-Protocols h2 http/1.1
-}}}
-To enable http/2 globally you can add following to the apache.conf
-{{{
-Protocols h2 h2c http/1.1
-}}}
-Once those lines are added restart apache and visit https://tools.keycdn.com/http2-test to check http2 configuration.
+