Posts Tagged ‘CentOS’

How to setup Apache HTTP and HTTPS virtual hosts

Virtual hosting is a way of hosting several servers on a single machine. This technique is widely used in shared web hosting, because it greatly reduces hosting costs, since multiple customers use one server.

There are three types of virtual hosting:

  • Name-based – when the virtual hosts is determined by its domain. A problem with this approach is that it is completely dependent on the DNS.
  • IP-based – when each site is differentiated via his IP. A natural complication is that this requires a different IP for each site.
  • Port-based – when each site is described with the same domain, but different port. Naturally, the problem that users don’t generally use ports arises. Additionally, some firewalls block uncommon ports.

Using Apache, we will setup two name-based virtual hosts – an HTTP one and an HTTPS one. Both will work on the standard ports 80 for HTTP and 443 for HTTPS. Naturally we will see how to set port-based hosts.

Note: This tutorial assumes standard file places and settings for Apache on CentOS.

Note: The goal of this tutorial is not to provide extensive knowledge on configuring virtual hosts, but to provide a general-purpose working configuration. For more find-tuned configurations refer to the Apache documentation on virtual hosts.

We assume that <domain> is the domain for our virtual host. In the httpd/conf.d directory (usually /etc/httpd/conf.d) create a file called <domain>.conf

Note: It is not necessary to call your file <domain>.conf, but it’s a sort of a convention and makes editing hosts easier. The file for the HTTP virtual host should contain:

# <domain> HTTP Virtual Host
<VirtualHost *:80>
    # General
    ServerAdmin <administrator_e_mail>
    DocumentRoot /var/www/html/<domain>
    ServerName www.<domain>
    ServerAlias <domain>
 
    # Logging
    ErrorLog logs/<domain>-error_log
    CustomLog logs/<domain>-access_log common
</VirtualHost>

<administrator_e_mail> is the e-mail of the site administrator. After you set this file restart the HTTP Server daemon:

service httpd restart

To setup an HTTPS virtual host, again create the <domain>.conf file in the /httpd/conf.d. Again we assume <domain> is the domain-name:

# <domain> HTTPS Virtual Host
<VirtualHost *:443>
    # General
    ServerAdmin <administrator_e_mail>
    DocumentRoot /var/www/html/<domain>
    ServerName www.<domain>
    ServerAlias <domain>
 
    # Logging
    ErrorLog logs/<domain>-ssl_error_log
    TransferLog logs/<domain>-ssl_access_log
    CustomLog logs/<domain>-ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    LogLevel warn
 
    # SSL Engine
    SSLEngine on
 
    # SSL Protocol
    SSLProtocol all –SSLv2
 
    # SSL Cipher Suite
    SSLCipherSuite LL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
 
    # Server Certificate
    SSLCertificateFile <path_to_certificate>
 
    # Server Private Key
    SSLCertificateKeyFile <path_to_private_key>
 
    # SSL Engine Options
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
 
    # SSL Protocol Adjusments
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown owngrade-1.0 force-response-1.0
</VirtualHost>

Of course, after setting this, restart the HTTP daemon:

service httpd restart

It is easily noticeable, that you can setup port-based virtual hosts quite easy, by using the same domain, but different ports in the .conf file.

Naturally this tutorial is not exhaustive, as such tutorial will be pretty much equal to documentation (which you can find here).

VN:F [1.9.18_1163]
Rating: 7.0/10 (2 votes cast)

Create your own Certificate Authority using OpenSSL on CentOS

OpenSSL is an implementation of the SSL and TLS protocols. It is open-source and is the de-facto standard toolkit for Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It is written in C and also contains a general purpose cryptography library. Being written in C allows for various wrappers for other programming languages to exist.

Installing OpenSSL on CentOS is actually quite easy. All you have to do is enter the following command:

yum install openssl

Note: Depending on your installation configurations OpenSSL may already be installed on your system.

Note: This tutorial uses OpenSSL 1.0.0.

After we install OpenSSL, we need to setup our own Certificate Authority. To do so we first navigate to /etc/pki/CA:

cd /etc/pki/CA

Now we will make a directory where our certificates will be stored:

mkdir certs

Another necessary directory is for the revocation list:

mkdir crl

Note: crl stands for Certificate Revocation List.

Now we must create a directory for storing the unencrypted certificates:

mkdir newcerts

Next, create an empty file index.txt (you may use touch). The index.txt file is the database for certificates. Additionally, create two files containing the next serial number for a certificate and the next serial number for the revocation list:

echo ’01’ > serial

echo ’01’ > crlnumber

Almost ready. Copy the standard openssl config file to you current directory:

cp /etc/pki/tls/openssl.cnf openssl.cnf

And edit the config file (the one stored at /etc/pki/CA/openssl.cnf):

Change this line:

dir             = /etc/pki/CA           # Where everything is kept

to

dir             = .           # Where everything is kept

Change this line:

certificate     = $dir/cacert.pem       # The CA certificate

to

certificate     = $dir/certs/ca.crt       # The CA certificate

And this line:

private_key     = $dir/private/cakey.pem# The private key

to

private_key     = $dir/private/ca.key # The private key

And last, but certainly not least, make /etc/pki/CA/openssl.cnf readable only for you:

chmod 0600 openssl.cnf

After that, the process of creating a certificate authority is actually quite easy. Navigate to /etc/pki/CA:

cd /etc/pki/CA

Enter the following command:

openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650

if you want to create a CA valid for 10 years. You will be prompted:

Generating a 2048 bit RSA private key
........+++
.......+++
writing new private key to 'private/ca.key'
Enter PEM pass phrase:<password>
Verifying - Enter PEM pass phrase:<password>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:<country>
State or Province Name (full name) []:<state>
Locality Name (eg, city) [Default City]:<city>
Organization Name (eg, company) [Default Company Ltd]:<organization>
Organizational Unit Name (eg, section) []:<department>
Common Name (eg, your name or your server's hostname) []:<common_name>
Email Address []:<email>

Where common_name is usually formed like ca.<your_domain>, and <email> is usually ca@<your_domain>

Finally, don’t forget to restrict the access to your private key:

chmod 0400 private/ca.key

For more on OpenSSL checkout how to create and sign certificates.

VN:F [1.9.18_1163]
Rating: 10.0/10 (3 votes cast)

yum via authentication proxy in Fedora/CentOS/RHEL5

This tutorial we will teach you something that most may need to use just for a few times in their Linux experience but will be very happy that such functionality actually exists at first place. Common Linux users, including me, are not so used to get updates through a proxy. Maybe used a proxy server once or twice some time ago but I have totally forgotten that proxies even existed in the Internet.

However if one day it happens that you find yourself in a corporate network and need to update a package as it currently doesn”t work as expected (unfortunately we all have to admit that this is something common for Linux distributions, not only under RedHat based systems) you will have to pass through a proxy.

For such cases after you finish reading this tutorial you will know how to configure yum for using proxy with basic authentication.

The configuration file for yum is located in /etc directory Read the rest of this entry »

VN:F [1.9.18_1163]
Rating: 1.3/10 (11 votes cast)