Archive for the ‘Apache’ Category

How to enable HTTPS on your web server

Enabling HTTPS provides an encrypted connection between the user’s browser and the server, so data passing back and forth cannot be read by third parties in transit. This is particularly useful for data collection and login processes.

  1. Create a new directory and go there to work:
    mkdir /root/Certs ; cd $_
  2. Create a CA key or import the EWEA CA key. If creating one from scratch, use:
    openssl genrsa -out ca.key 2048
  3. Generate a Certificate Signing Request (CSR):
    openssl req -new -key ca.key -out ca.csr
  4. Self-sign the CSR with the CA key to produce the server certificate for the local machine (valid for 3650 days):
    openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out <servername>.crt
  5. Create the following folders if they don’t exist:
    mkdir -p /etc/httpd/ssl/certs /etc/httpd/ssl/private
  6. Copy the certificate and the key into those folders:
     cp -a <servername>.crt /etc/httpd/ssl/certs/ ; cp -a ca.* /etc/httpd/ssl/private/
  7. Edit the apache config to use the new certificate:
    vi /etc/httpd/conf.d/ssl.conf
  8. Find and edit these two lines:
    SSLCertificateFile /etc/httpd/ssl/certs/<servername>.crt
    SSLCertificateKeyFile /etc/httpd/ssl/private/ca.key
  9. Make sure the firewall is open:
    vi /etc/sysconfig/iptables
    -A INPUT -p tcp -m tcp --dport 443   -m state --state NEW -j ACCEPT
  10. Restart the firewall and Apache:
    service iptables restart && service httpd restart
  11. Go to https://<servername> and see if it works!
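As an added check before step 10, not part of the original post: confirm that the two paths edited into ssl.conf in step 8 point at files that exist, and that the private key is not readable by group or others (cp -a in step 6 preserves whatever mode the key file was created with, so it is worth verifying). The script below is example code written for this page, not the author's; the config path is a parameter, the demo files it builds under mktemp are constructed, and it only handles unquoted path arguments in the config.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the ssl.conf
# edits from step 8 before restarting httpd.  It reads the
# SSLCertificateFile / SSLCertificateKeyFile paths out of the config,
# verifies both files exist, and verifies the private key is not
# readable by group or others.

# Print the path argument of a directive (first uncommented match).
ssl_directive_path() {
    # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 if the file's group/other permission bits are all clear.
is_private_mode() {
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Return 0 when both files exist and the key is private, 1 otherwise.
check_ssl_conf() {
    conf=$1
    status=0
    crt=$(ssl_directive_path "$conf" SSLCertificateFile)
    key=$(ssl_directive_path "$conf" SSLCertificateKeyFile)
    if [ -z "$crt" ] || [ ! -f "$crt" ]; then
        echo "SSLCertificateFile missing or not found: '$crt'"; status=1
    fi
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "SSLCertificateKeyFile missing or not found: '$key'"; status=1
    elif ! is_private_mode "$key"; then
        echo "private key $key is readable by group/other; run: chmod 600 $key"; status=1
    fi
    return $status
}

# Constructed demo: a temporary ssl.conf plus empty cert/key files, so
# this runs without touching /etc/httpd.  $1 = mode to give the key.
demo_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/certs" "$tmp/private"
    : > "$tmp/certs/server.crt"
    : > "$tmp/private/ca.key"
    chmod "$1" "$tmp/private/ca.key"
    cat > "$tmp/ssl.conf" <<EOF
# constructed fragment mirroring step 8
SSLEngine on
SSLCertificateFile $tmp/certs/server.crt
SSLCertificateKeyFile $tmp/private/ca.key
EOF
    check_ssl_conf "$tmp/ssl.conf"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if demo_check 644; then echo "unexpected: 644 key passed"; else echo "644 key flagged as expected"; fi
if demo_check 600; then echo "600 key passes"; fi
# On the real host: check_ssl_conf /etc/httpd/conf.d/ssl.conf
```

Run `check_ssl_conf /etc/httpd/conf.d/ssl.conf` as root; a non-zero exit means one of the two paths is wrong or the key needs `chmod 600`.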


More information here:

wiki.centos.org/HowTos/Https
www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-centos-6

Multiple virtual hosts examples here:

http://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm


EWEA Official Certificate Authority (CA) Key


-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Redirecting sub-domain to sub-directory

Recently I moved the EWEA blog from the sub-domain into the sub-directory of the EWEA website.

Before: http://blog.ewea.org/
After: http://www.ewea.org/blog/

To handle the redirect I put the following into /etc/httpd/conf.d/vhosts.conf:

<VirtualHost *:80>
# EWEA BLOG
ServerName blog.ewea.org
Redirect 301 / http://www.ewea.org/blog/
RedirectMatch 301 /(.+) http://www.ewea.org/blog/$1
ErrorLog  logs/blog.ewea.org-error_log
CustomLog logs/blog.ewea.org-access_log common
</VirtualHost>

The Redirect directive sends all traffic for the sub-domain to the sub-directory.
The RedirectMatch remaps existing deep URLs onto the sub-directory so that old links do not break.

(Taken from http://stackoverflow.com/questions/9397089/redirect-blog-mydomain-com)

Prevent Hot Linking and Bandwidth Leeching

What if another web site owner is stealing your images and your bandwidth by linking directly to your image files from their web site? You can prevent this by adding this to your .htaccess file:

RewriteEngine on
# Block (403) image requests whose Referer is set but does not point at this site
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]

Replace mydomain.com with your actual domain name. With this code in place, your images will only display when the visitor is browsing http://mydomain.com. Images linked from other domains will appear as broken images.

If you’re feeling particularly nasty, you can even provide an alternative image to display on the hot linked pages — for example, an image that says “Stealing is Bad … visit http://mydomain.com to see the real picture that belongs here.” Use this code to accomplish that:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
# Never rewrite the replacement image itself: the browser re-sends the same
# Referer when it follows the redirect, so without this the redirect loops
RewriteCond %{REQUEST_URI} !/dontsteal\.gif$
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/dontsteal.gif [R,L]

This time, replace mydomain.com with your domain name, and replace dontsteal.gif with the file name of the image you’ve created to discourage hot linking.
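To see exactly which requests the rule will block before deploying it, the added script below (example code for this page, not from the original post) replays the two RewriteCond lines against a handful of constructed Referer values. Both conditions must hold for the RewriteRule to fire: the Referer is non-empty AND it does not match the own-domain pattern, with [NC] making the match case-insensitive. A second function shows the hardened pattern, which escapes the dot and also accepts https:// so that pages on your own site served over TLS keep their images; the domain and sample Referers are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): replay the hot-link
# RewriteCond logic against sample Referer values.

# Mirrors the pattern as written on the page: unescaped dot in
# "mydomain.com" and an http:// anchor.  Returns 0 if the image is served.
referer_allowed_original() {
    ref=$1
    [ -z "$ref" ] && return 0          # first condition fails: not blocked
    printf '%s\n' "$ref" | grep -Eiq '^http://(www\.)?mydomain.com/.*$'
}

# Hardened pattern.  Equivalent .htaccess line:
#   RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com/ [NC]
referer_allowed_fixed() {
    ref=$1
    [ -z "$ref" ] && return 0
    printf '%s\n' "$ref" | grep -Eiq '^https?://(www\.)?mydomain\.com/'
}

# Print a verdict per constructed Referer for both variants.
show_verdicts() {
    for ref in "" "http://www.mydomain.com/gallery.html" "HTTP://MYDOMAIN.COM/x" \
               "https://www.mydomain.com/gallery.html" "http://mydomainXcom/" \
               "http://other.example/steal.html"; do
        if referer_allowed_original "$ref"; then o=allow; else o=BLOCK; fi
        if referer_allowed_fixed "$ref"; then f=allow; else f=BLOCK; fi
        printf '%-42s original=%s fixed=%s\n' "'$ref'" "$o" "$f"
    done
}

show_verdicts
```

Two rows are worth noticing: the original pattern blocks your own site's HTTPS pages, and it lets a look-alike host such as mydomainXcom through because the unescaped dot matches any character.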

Creating a new Centos 5 server

Step by Step Guide to Installing on Centos 5.2 64bit
Last modified by kevin.connor on Mon, December 7, 2009 15:16

How to install Centos 5.2, PHP 5.2x, MySQL 5.1x and Magento 1.2.x, assuming that this is a server behind a firewall.

Install Centos 5.2 (64bit) with correct IP settings and no packages selected except “base”, then restart and log in.

Update the system and download kernel headers in case they are needed for future software:

yum update
yum install kernel*
reboot

Set the hosts file and disable IPv6:

nano /etc/hosts
Add IP and a hostname
nano /etc/modprobe.conf
Add 'alias ipv6 off'
Add 'net-pf-10 off'
Reboot

Disable unneeded services (look them up if you are interested):

chkconfig NetworkManager off
chkconfig NetworkManagerDispatcher off
chkconfig anacron off
chkconfig atd off
chkconfig bluetooth off
chkconfig cpuspeed off
chkconfig cups off
chkconfig gpm off
chkconfig hidd off
chkconfig ip6tables off
chkconfig iptables off
chkconfig irda off
chkconfig mdmonitor off
chkconfig mdmpd off
chkconfig pcscd off
chkconfig portmap off
chkconfig yum-updatesd off
chkconfig smartd off
service smartd stop
service NetworkManager stop
service NetworkManagerDispatcher stop
service anacron stop
service atd stop
service bluetooth stop
service cpuspeed stop
service cups stop
service gpm stop
service hidd stop
service ip6tables stop
service iptables stop
service irda stop
service mdmonitor stop
service mdmpd stop
service pcscd stop
service portmap stop
service yum-updatesd stop

Install Apache and OpenSSL

yum install httpd
yum install openssl
yum install httpd

Install the remi repositories for updated versions of PHP and MySQL not offered by Centos

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
wget http://rpms.famillecollet.com/el5.i386/remi-release-5-7.el5.remi.noarch.rpm
rpm -Uvh remi-release-5*.rpm epel-release-5*.rpm

Install php and required php extensions for Magento

yum --enablerepo=remi install php-common
yum --enablerepo=remi install php
yum install gd gd-devel
yum --enablerepo=remi install php-mcrypt php-xml php-xml php-devel php-imap php-soap php-mbstring php-mysql
yum --enablerepo=remi install php-mhash php-simplexml php-dom php-gd

(The php-mhash extension is no longer required as of PHP 5.3, which is what you’ll get following these commands; it was replaced by the HASH Message Digest Framework in PHP core.)

Install/Configure newest Mysql and Php extensions and enable in php.ini

yum --enablerepo=remi install mysql mysql-server
yum --enablerepo=remi install php-mysql php-pdo
nano /etc/php.ini
Add 'extension=pdo.so'
Add 'extension=pdo_mysql.so'
mysql_install_db
mysqladmin -u root password SOMEPASSWORD
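After the chkconfig pass in the guide above, it is easy to lose track of what is still enabled. The added script below (example code for this page, not part of the guide) audits the `chkconfig --list` output format: it lists every service set to start at runlevel 3, reports any that are not on a small allow-list, and separately reports whether iptables is enabled, since the guide switches it off on the assumption that an upstream firewall sits in front of the host. The sample listing and the allow-list are constructed for the example; on a real host, feed it `$(chkconfig --list)` instead.

```shell
#!/bin/sh
# Added example (not from the guide): audit services enabled at runlevel 3
# from `chkconfig --list` style output.

# Constructed sample of `chkconfig --list` output (not captured from a
# real host).  Replace with: SAMPLE_CHKCONFIG=$(chkconfig --list)
SAMPLE_CHKCONFIG='httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off'

# Services expected to be on for this box (assumption for the example);
# anything else at 3:on is reported.
ALLOWED='httpd mysqld sshd'

# Print services enabled at runlevel 3, one per line.
enabled_at_rl3() {
    printf '%s\n' "$1" | awk '/[[:space:]]3:on/ { print $1 }'
}

# Print enabled services not in the allow-list; return 1 if any were found.
unexpected_services() {
    found=0
    for svc in $(enabled_at_rl3 "$1"); do
        case " $ALLOWED " in
            *" $svc "*) ;;
            *) echo "$svc"; found=1 ;;
        esac
    done
    return $found
}

# Return 0 if iptables is set to start at runlevel 3, 1 otherwise.
firewall_enabled() {
    printf '%s\n' "$1" | grep -q '^iptables[[:space:]].*3:on'
}

if unexpected_services "$SAMPLE_CHKCONFIG" >/dev/null; then
    echo "only allow-listed services are enabled at runlevel 3"
else
    echo "unexpected services enabled at runlevel 3:"
    unexpected_services "$SAMPLE_CHKCONFIG"
fi
if firewall_enabled "$SAMPLE_CHKCONFIG"; then
    echo "iptables is enabled"
else
    echo "iptables is disabled: confirm an upstream firewall really fronts this host"
fi
```

With the constructed listing the audit reports cups and portmap as unexpected and iptables as disabled; extend ALLOWED to match what the host is actually meant to run.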