Monday, April 5, 2010
Ubuntu, LAMP, SSL, CGI and password protection
I'll setup a minimal install of Ubuntu 9.10, Apache webserver, MySQL database and make it PHP compatible. I'll be using a self signed SSL certificate, create a Virtual Host and password protect the space. I'll also make the Virual Host ready to run CGI scripts.
1. Install LAMP environment:
Login as "root"
change memory_limit = 16M to memory_limit = 32M
From another PC type http://yourserverip/info.php in your browser and you should see some nice info about your PHP installation. After we've seen this page, we know PHP works and "info.php" can be removed:
#NameVirtualHost *:80
#Listen 80
2. Configure a SSL and CGI ready Virtual Host:
Change ServerAdmin webmaster@localhost to ServerAdmin youremail@address
Add ServerName www.mydomain.com:443 under ServerAdmin line
Change DocumentRoot /var/www to DocumentRoot /var/www/www.mydomain.com/public_html
Change AllowOverride None to AllowOverride AuthConfig
Change <Directory /var/www/> to <Directory /var/www/www.mydomain.com/>
Change AllowOverride None to AllowOverride AuthConfig
Change ScriptAlias to ScriptAlias /cgi-bin/ /var/www/www.mydomain.com/cgi-bin/
Change <Directory "/usr/lib/cgi-bin"> to <Directory "/var/www/www.mydomain.com/cgi-bin">
Change ErrorLog /var/www/www.mydomain.com/logs/error.log
Change CustomLog to CustomLog /var/www/www.mydomain.com/logs/ssl_access.log combined
Change, under </FilesMatch>, <Directory /usr/lib/cgi-bin> to <Directory /var/www/www.mydomain.com/cgi-bin>
3. Create my own self-signed certificate:
The following will create a self-signed certificate and private key file in one file:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
to
SSLCertificateFile /etc/ssl/certs/www.mydomain.com.pem
and
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
to
SSLCertificateKeyFile /etc/ssl/private/www.mydomain.com.key
4. Password protect the Virtual host:
NOTE: To add more usernames and passwords to the same file you must:
htpasswd -s .htpasswd anotherusername
The .htaccess file must exist in the directory that you want to protect:
AuthUserFile /var/www/www.mydomain.com/.htpasswd
AuthType Basic
AuthName "Enter Login Details"
Require valid-user
1. Install LAMP environment:
Login as "root"
apt-get update
apt-get install mysql-server mysql-client apache2 ssl-cert php5 libapache2-mod-php5 php5-mysql php5-mcrypt php5-memcache php5-snmp php5-xmlrpc php5-xsl php5-suhosin apache2-suexec libapache2-mod-ruby libapache2-mod-perl2 libapache2-mod-python python-mysqldb
Insert your MySQL "root" user passwordecho "ServerName localhost" | sudo tee /etc/apache2/conf.d/fqdn
echo "<?php phpinfo(); ?>" > /var/www/info.php
nano /etc/php5/apache2/php.ini
change upload_max_filesize = 16M to upload_max_filesize = 32Mchange memory_limit = 16M to memory_limit = 32M
/etc/init.d/apache2 restart
From another PC type http://yourserverip in your browser and make sure you get the "It works!" message.From another PC type http://yourserverip/info.php in your browser and you should see some nice info about your PHP installation. After we've seen this page, we know PHP works and "info.php" can be removed:
rm -rf /var/www/info.php
I am not going to use the default port 80 site, so I'll disable it:nano /etc/apache2/ports.conf
and comment out the following two lines:#NameVirtualHost *:80
#Listen 80
2. Configure a SSL and CGI ready Virtual Host:
a2enmod ssl
/etc/init.d/apache2 restart
mkdir -p /var/www/www.mydomain.com/public_html
mkdir /var/www/www.mydomain.com/cgi-bin
mkdir /var/www/www.mydomain.com/logs
cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.mydomain.com
nano /etc/apache2/sites-available/www.mydomain.com
Change <VirtualHost _default_:443> to <VirtualHost youripaddress:443>Change ServerAdmin webmaster@localhost to ServerAdmin youremail@address
Add ServerName www.mydomain.com:443 under ServerAdmin line
Change DocumentRoot /var/www to DocumentRoot /var/www/www.mydomain.com/public_html
Change AllowOverride None to AllowOverride AuthConfig
Change <Directory /var/www/> to <Directory /var/www/www.mydomain.com/>
Change AllowOverride None to AllowOverride AuthConfig
Change ScriptAlias to ScriptAlias /cgi-bin/ /var/www/www.mydomain.com/cgi-bin/
Change <Directory "/usr/lib/cgi-bin"> to <Directory "/var/www/www.mydomain.com/cgi-bin">
Change ErrorLog /var/www/www.mydomain.com/logs/error.log
Change CustomLog to CustomLog /var/www/www.mydomain.com/logs/ssl_access.log combined
Change, under </FilesMatch>, <Directory /usr/lib/cgi-bin> to <Directory /var/www/www.mydomain.com/cgi-bin>
a2dissite default-ssl
a2ensite www.mydomain.com
/etc/init.d/apache2 restart
3. Create my own self-signed certificate:
The following will create a self-signed certificate and private key file in one file:
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/www.mydomain.com.crt
cat /etc/ssl/private/www.mydomain.com.crt
The .crt file needs to be split in two, .key and .pem:nano /etc/ssl/private/www.mydomain.com.key
Copy the part beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY----- and paste it into your .key file and save.nano /etc/ssl/certs/www.mydomain.com.pem
Copy the part beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE----- and paste it into your .pem file and save.rm -f /etc/ssl/private/www.mydomain.com.crt
nano /etc/apache2/sites-available/www.mydomain.com
Change these two lines to match your server name:SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
to
SSLCertificateFile /etc/ssl/certs/www.mydomain.com.pem
and
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
to
SSLCertificateKeyFile /etc/ssl/private/www.mydomain.com.key
/etc/init.d/apache2 restart
> /var/www/index.html
Now your secured Virtual Host can be accessed at https://yourservername.4. Password protect the Virtual host:
cd /var/www/www.mydomain.com
NOTE: This directory is not a web accessible directory.htpasswd -c -s .htpasswd yourusername
Enter new passwordNOTE: To add more usernames and passwords to the same file you must:
htpasswd -s .htpasswd anotherusername
The .htaccess file must exist in the directory that you want to protect:
nano /var/www/www.mydomain.com/public_html/.htaccess
and paste the following:AuthUserFile /var/www/www.mydomain.com/.htpasswd
AuthType Basic
AuthName "Enter Login Details"
Require valid-user
/etc/init.d/apache2 restart
If you go to https://yourservername now, you will be asked to enter your password, created earlier, to enter the site.