I am trying to implement encryption a Tomcat Server on AWS Elastic Beanstalk.
I follow this advise, and in the .ebextensions directory, I add the following files:
https-instance.config, which contains the certificate file and private key contents.
ssl.conf, which contains:
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCertificateChainFile "/etc/pki/tls/certs/gd_bundle.crt"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
but on the server in /etc/pki/tls/certs:
(In ssl.conf I tried changing "/etc/pki/tls/certs/gd_bundle.crt" to "/etc/pki/tls/certs/ca-bundle.crt", but no difference)
https-instance-single.config, which contains:
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
I then try deploy my war file, but get:
Error
[Instance: i-04a9fa826b9d8e0a3] Command failed on instance. Return
code: 1 Output: httpd: no process found. container_command killhttpd
in .ebextensions/https-instance.config failed. For more detail, check
/var/log/eb-activity.log using console or EB CLI.
eb-activity.log
[Application update
thewhozoo-1.0.0.39#121/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_theWhoZoo_java/Command
killhttpd] : Activity execution failed, because: httpd: no process
found (ElasticBeanstalk::ExternalInvocationError)
As you can see, it's complaining about in https-instance.config there is httpd: no process found. Which suggests that there is a problem with:
...
-----END RSA PRIVATE KEY-----
container_commands:
killhttpd:
command: "killall httpd"
waitforhttpddeath:
command: "sleep 3"
i.e. there is no httpd process.
I then read that I need to set up a proxy server on Tomcat, so I follow these instructions, Extending the Default nginx Configuration.
So I add the following:
.ebextensions/nginx/conf.d/https.conf
# HTTPS server
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://localhost:80;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
But I still get the same above error (no httpd process).
More info
I don't really know what this means, but it looks like something is running on the server:
and
where on the server /etc/httpd/conf.d/ssl.conf:
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
LoadModule ssl_module modules/mod_ssl.so
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv3 access by default:
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
(Unfortunately I cannot deploy to the server and I am under time pressure - should I delete the entire environment and start again on AWS?)
UPDATE
On the advise below, I add Elastic Load Balancing to my server, set up https with a certificate issued by Amazon. I test my app, and the url is accessible under https...Yay!
However, when I access it, it shows:
Why is it "Not Secure"?
If you're using Elastic Beanstalk I'd totally recommend you to use the Elastic Load balancer to take care of the encryption. Use HTTP layer between the VM and ELB and then from the ELB to the client, use HTTPS.
You can generate the certificates for free on AWS and upload them in the ELB.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
Related
I am trying to set ssl on local host i have follwed the http://madurad.wordpress.com/2014/04/25/redirect-http-to-https-with-wamp-server/ and many others but unable to get success. i stuck in the syntax of httpd-ssl.conf. my apache server get down when i set the
<Directory "c:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
SSLOptions +StdEnvVars
</Directory>
i have tried many others like
<Directory "c:/wamp/www/">
SSLOptions +StdEnvVars
</Directory>
what is issue not able to get....
How to Configure WAMPServer to use HTTPS SSL
This is not a trivial process. This tutorial will, hopefully, get SSL working for you.
However getting it configured correctly once it is working is TOTALLY DOWN TO YOU.
Additional reading for all who travel this road
Ok,
I have based this tutorial on the creation of a site called www.wamphelpers.dev So whereever you see that name change it to the site name you are trying to secure.
I started by creating a unsecured site, in \wamp\www\wamphelpers
added a Virtual Host for that site, in \wamp\bin\apache\apache{version}\conf\extra\httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "c:/wamp/www"
ServerName localhost
ServerAlias localhost
<Directory "c:/wamp/www">
AllowOverride All
Require local
</Directory>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "c:/wamp/www/wamphelpers"
ServerName wamphelpers.dev
ServerAlias www.wamphelpers.dev
<Directory "c:/wamp/www/wamphelpers">
AllowOverride All
Require local
</Directory>
</VirtualHost>
Added its domainname to the C:\windows\system32\drivers\etc\hosts
Some virus checkers block access to the HOSTS file so you may need to disable your virus checker, or configure it not to block the hosts file temporarily.
127.0.0.1 wamphelpers.dev www.wamphelpers.dev
::1 wamphelpers.dev www.wamphelpers.dev
Now restart the dnscache as follows from a command windows launched using 'Run as Administrator'
ipconfig /flushdns
Then created a simple script in \wamp\www\wamphelpers\index.php
<?php
echo 'Hello, this is the WAMPHELPERS.DEV site homepage';
?>
Now to activate the new Virtual Hosts you have defined, edit \wamp\bin\apache\apache{version}\conf\httpd.conf and find this line
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
and remove the # comment character like so
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
Save the file.
Now restart Apache and make sure that your simple unsecured Virtually Hosted site is working before continuing.
The openssl toolkit.
The openssl.exe, ssleay32.dll and libeay32.dll come with, and are located in, the C:\wamp\bin\apache\apachex.y.z\bin folder
This should be all you need to create your self signed certificate !!
HOWEVER: These did not work for me on any of the versions of Apache that I had installed.
I always got this error message.
Where the ordinal number changed depending on the apache version folder I was in.
If you get this error dont worry this is what you need to do.
install the latest version of the OPENSSL TOOLKIT
This can be obtained from here
NOTE: Dont use the V1.1 version yet, the PHP team have not yet compiled PHP with these new linkages, so stick to the V1.0.? versions until they do.
Pick the Latest version of 'Win32 OpenSSLv xxx Light' or 'Win64 OpenSSLv xxx Light' to match your installed version of WAMPServer, as this is all you need.
This will download an .exe file which you can run to install this toolkit.
It will ask the following question, I suggest you answer it like this so you dont end up installing something into C:\windows\system32.
Afterall this is a toolkit and it changes reasonably often. Best to keep these things seperate and not make them system global.
Once that is installed ( to whichever folder you specified in the install )you should be ready to start the process of generating keys and certificates!
Generate keys and Certificates.
STEP 1: Generate an RSA Private Key
First we need to create ourselves a certificate.
The normal (paid for) process is to create your certificate and then pass it to a signing authority.
This is why it costs money, as they have to do, due dilligence, to check that you are who you say you are and that site that you will use the certificate on is real and legitimate.
The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request) to be used for our Certificate.
The first step is to create your RSA Private Key.
This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.
Open up a Command window (Dos box) using [b]Run as Administrator[/b]
Change Directory to where you installed the OpenSSL Toolkit above.
In my case this is
CD c:\apps\OpenSSL-Win32\bin
Make a folder for the output to be put in ( to keep the bin folder tidy ) I used website
md website
Now enter this command:
openssl genrsa -out website\server.key 2048
This should have created a file in the website folder called server.key, without a pass phrase key, check it exists.
Step 2: Generate a CSR (Certificate Signing Request)
During the generation of the CSR, you will be prompted for several pieces of information.
These are the X.509 attributes of the certificate.
One of the prompts will be for "Common Name (e.g. server FQDN or YOUR name) []:".
It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL.
So if the website to be protected will be https://www.wamphelpers.dev, then enter www.wampheplers.dev at this prompt. I used wamphelper.dev as my ServerName is ServerName wamphelpers.dev
Do not enter anything to the question: A challenge password []:] Just press Enter.
If you do enter a passphrase here when you come to start Apache with SSL configured Apache will not start and will give this error message :-
[error] Init: SSLPassPhraseDialog builtin is not supported on Win32
Basically if you do enter a passphrase Apache is supposed to challenge you for that passphrase each time it starts.
This is obviously not going to make your life any easier but primarily on windows it does not actually work and will
cause Apache to crash when it attempts to ask for the passphrase, with the above error.
The command to generate the CSR is as follows:
openssl req -new -key website\server.key -out website\server.csr
Example question and answers:
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]: Hampshire
Locality Name (eg, city) []: Portsmouth
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Wamp Helpers Ltd
Organizational Unit Name (eg, section) []: Information Technology
Common Name (e.g. server FQDN or YOUR name) []: wamphelpers.dev
Email Address []: me#wamphelpers.dev
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ( leave blank just hit the enter key )
An optional company name []: ( leave blank just hit the enter key )
Step 3: Generating a Self-Signed Certificate
At this point you will need to generate a self-signed certificate because
you either don't plan on having your certificate signed by a CA, or you wish to test
your new SSL implementation while the CA is signing your certificate.
PRE - WARNING
This certificate will generate an error in the client browser to the effect that
the signing certificate authority is unknown and not trusted.
This is unavoidable as we are signing the certificate ourselves, but of course the web of trust does not know who we are.
See example later in this document showing how to tell your browser that you actually trust this certificate
openssl x509 -req -days 365 -in website\server.csr -signkey website\server.key -out website\server.crt
Example output:
Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=Hampshire/L=Portsmouth/O=WampHelpers Ltd/OU=Information Technology/CN=www.wamphelpers.dev/emailAddress=riggsfolly#wamphelpers.dev
Getting Private key
Step 4: Installing the Private Key and Certificate
Create these 2 directories under the version of Apache you are using.
md c:\wamp\bin\apache\apachex.y.z\conf\ssl.key
md c:\wamp\bin\apache\apachex.y.z\conf\ssl.crt
And copy the file we have just generated into them like so:
copy website\server.crt c:\wamp\bin\apache\apachex.y.z\conf\ssl.crt
copy website\server.key c:\wamp\bin\apache\apachex.y.z\conf\ssl.key
Step 5: Configure Apache to activate SSL
Edit httpd.conf, Check that this line is uncommented
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Remove the comment '#' from this line also
Include conf/extra/httpd-ssl.conf
Then move that line after this block .... like so
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
Step 6: Configure PHP to activate SSL
Edit your php.ini ( use the wampmanager menus so you edit the correct one )
Remove the comment ';' from this line
extension=php_openssl.dll
Step 7: Configure your secure sites Virtual Host
Yup for all you Virtual Host nay sayers, now you cannot avoid the process.
Edit \wamp\bin\apache\apachex.y.z\conf\extra\httpd-ssl.conf
This file is released by Apache and contains some default file location.
We can leave most of this file as it is, but we need to configure the virtual host in here to match our actual sites location and a few other things so:
find these lines
DocumentRoot "c:/Apache2/htdocs"
ServerName www.example.com:443
ServerAdmin admin#example.com
ErrorLog "c:/Apache2/logs/error.log"
TransferLog "c:/Apache2/logs/access.log"
and change them to
DocumentRoot "c:/wamp/www/wamphelpers"
ServerName wamphelpers.dev:443
ErrorLog "c:/wamp/logs/ssl_error.log"
TransferLog "c:/wamp/logs/ssl_access.log"
Find
SSLCertificateFile "c:/Apache2/conf/server.crt"
and change to
SSLCertificateFile "c:/wamp/bin/apache/apachex.y.x/conf/ssl.crt/server.crt"
Find
SSLCertificateKeyFile "c:/Apache2/conf/server.key"
and change to
SSLCertificateKeyFile "c:/wamp/bin/apache/apachex.y.x/conf/ssl.key/server.key"
Find
<Directory "c:/Apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
and change to
Apache 2.2 Syntax
<Directory "c:/wamp/www/wamphelpers">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 localhost ::1
</Directory>
Apache 2.4 Syntax
<Directory "c:/wamp/www/wamphelpers">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
</Directory>
Find
SSLSessionCache "shmcb:c:/Apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
and change it to
SSLSessionCache "shmcb:c:/wamp/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Find
CustomLog "c:/Apache24/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
and change to
CustomLog "c:/wamp/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Basically look through the conf file and any command that is not commented out, but has a reference to a file or folder
should be changed to reference the WAMPServer folder structure and not 'C:/Apache2....'
Now make sure all these files we have changed are saved, and restart Apache using the wampmanager menus.
First test that the unprotected site is still working.
Then try using your new protected site by adding the 'https://' to the front of the domain name
i.e. https://www.wamphelpers.dev without the single quotes of course.
If Apache does not restart you have probably spelt something wrong. Test the configs like so :-
Open a command window
cd \wamp\bin\apache\apachex.y.z\bin
httpd -t
This will parse all the config files and should give you a file name and a line number where an error has been found.
Fix it and try again.
First access to your site will generate a message page something like this.
This is using FireFox, others will be slightly different, but the concept it the same.
This is because your certificate is not signed by a trusted authority, DONT PANIC, this is supposed to happen.
Click on, 'I Understand the risk' and that will show you a button saying 'Add Exception'
Press the Add Exception button, after checking that the certificates site details are in fact yours,
and you will not see this message again unless you clear the exception list.
BIG NOTE
As of Apache v2.2.12 and OpenSSL v0.9.8j it is now possible to secure more than one site per Apache instance.
This tutorial does not cover that process.
See here for more details:
Here
and Here
and Here
And like I said at the top, now you need to do some reseach on all the options available in the SSL config and make thing work as you want rather than using the default.
It is necessary activate the module LoadModule socache_shmcb_module modules/mod_socache_shmcb.so in the file httpd.conf in wampserver 2.5. If not apache throws the next message:
AH00526: Syntax error on line 75 of C:/wamp/bin/apache/apache2.4.9/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
If you have the error something like this:
Cannot load modules/mod_ssl.so into server: The specified module could
not be found.
You may want to try to searching libeay32.dll in your wamp folder, you probably find it in {wamp folder}/bin/php/php{version 7}/
Copy libeay32.dll and ssleay32.dll and paste them into {wamp folder}/bin/apache/apache{version 2.x}/bin/ AND {wamp folder}/bin/php/php{verion 5.x}. MAKE SURE you backup anything you are placing.
run httpd -t and test the syntax
NOTE: I believe it is due to the mistake in apache openssl part for wamp 3.0.6. Fortunately in php7 folder those dlls are compatible for the apache and php5.
#RiggsFolly:
some small errors/typos/additions in your tutorial. Below is used in combination with WAMPServer 2.5 64bits (Apache 2.4.9 and PHP 5.5.12) on Windows 7 SP1 64bits:
-httpd-vhosts.conf is located in extra/httpd-vhosts.conf
-when you try to edit your hosts file be sure to disable any virusscanner. Some of them block access to hosts file.
-be sure to open your texteditor as administrator when editing your hosts file or else you get an error trying to save.
-don't forget to remove # at the beginning of the host line if any
-if you use WAMPServer 64bit be sure to download the 64bit version of OpenSSL
-the step openssl genrsa -out website\server.key 2048
creates a server.key file and not a privkey.pem!
-file \wamp\bin\apache\apachex.y.z\conf\httpd-ssl.conf is located at \wamp\bin\apache\apachex.y.z\conf\extra\httpd-ssl.conf (maybe this depends on the WAMPServer version)
-I had to use different ports for http (80->8080) and https(443->444) as these ports where used by I think Skype. When you use different ports be sure to use these everywhere you see 80 or 443 in this tutorial
-I also had to enable socache_shmcb_module. The "httpd -t" also mentioned this.
#RiggsFolly: Self-signed certificate with key could be easily generated for example here... http://www.selfsignedcertificate.com/, so I could start the tutorial from step 4 (I also had standard :80 virtual server running).
Anyways some mentioned things were already enabled in default WAMP installation (I guess it changes from version to version), but the rest helped me a lot. And actually one thing was missing... I also had to uncomment the following line in "httpd.conf"
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
If you have the error :
Cannot load modules/mod_ssl.so into server: The operating system
cannot run %1
Then you have to :
Install Win32 OpenSSL here http://slproweb.com/products/Win32OpenSSL.html
Copy / paste libeay32.dll, ssleay32.dll into your wamp php bin folder (C:\wamp64\bin\php\php5.6.19)
Restart apache
Note: Tested on Wamp server 3
Before all:
1).Shutdown WAMP and proceed to C:\wamp\scripts\config.inc.php move from array libeay32.dll,ssleay32.dll, lines 133,139
2).Install OpenSSL from official site,pay attention on version of the your OS x64 or not.
Command prompt:
3).cd C:\wamp\bin\apache\apache2.4.23\bin
4). openssl req -new > localhost.csr
5). openssl rsa -in privkey.pem -out localhost.key
6). openssl x509 -in localhost.csr -out localhost.crt -req -signkey localhost.key -days 365 -sha256 -extfile v3.ext
Update: from Chrome 58 we will need to provide Subject Alternative Name.
This name we can obtain from extension file v3.ext:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = #alt_names
[alt_names]
DNS.1 = 127.0.0.1
DNS.2 = localhost
Very important in Common Name to insert 'localhost'
7).Grab localhost.key and localhost.crt and put them to C:\wamp\bin\apache\apache2.4.23\conf\key (sure,before create appropriate directory)
Configuration:
8).enable in C:\wamp\bin\apache\apache2.4.23\bin\php.ini and
C:\wamp\bin\php\php5.6.25\php.ini extension=php_openssl.dll
9).proceed to C:\wamp\bin\apache\apache2.4.23\conf\httpd.conf and uncomment:
LoadModule ssl_module modules/mod_ssl.so,
Include conf/extra/httpd-ssl.conf,
Include conf/extra/httpd-vhosts.conf,
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
10). proceed to C:\wamp\bin\apache\apache2.4.23\conf\extra\httpd-ssl.conf
and make changes :
SSLSessionCache "shmcb:c:/wamp/bin/apache/apache2.4.23/logs/ssl_scache(512000)" ,
SSLSessionCacheTimeout 300,
VirtualHost _default_:443,
DocumentRoot "c:/wamp/www/",
ServerName localhost:443,
ErrorLog "c:/wamp/bin/apache/apache2.4.23/logs/ssl_error.log"
, (create file if not exists)
TransferLog "c:/wamp/bin/apache/apache2.4.23/logs/access.log",
SSLCertificateFile "c:/wamp/bin/apache/apache2.4.23/conf/key/localhost.crt",
SSLCertificateKeyFile "c:/wamp/bin/apache/apache2.4.23/conf/key/localhost.key",
<Directory "c:/wamp/www/">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
</Directory>
,
CustomLog "c:/wamp/bin/apache/apache2.4.23/logs/ssl_request.log"
Certificate handling:
11).press Win+R and insert 'certmgr.msc',import servercert.crt into 'Trusted Root Certificated Authorities'
12). Check your server in command prompt 'httpd -t' should be 'Syntax OK'
13). Launch Wamp and proceed to link https://localhost
I am hope this will help
Note: please read this article about Mozilla behavior :
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
I and my team of developers have Vagrant machines running on our Windows 10 computers that have local file systems which contain our scripts to run a developer version of our web application.
We connect to an AWS RDS DB, but the connection is extremely slow to the database.
If we use our database IDE (dbforge) and run SQL queries, then they run fast.
Is there anything we can do to our vagrant boxes or setup that would speed this connection up?
Here are the contents of our Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing. Vagrant.configure("2") do |config|
# The most common configuration options are documented and commented below.
# For acomplete reference, please see the online documentation at
# https://docs.vagrantup.com.
# Every Vagrant development environment requires a box. You can search for
# boxes at https://vagrantcloud.com/search.
config.vm.box = "hcp" config.vm.network "private_network", ip:
"10.23.45.30" config.vm.synced_folder "etc/", "/etc/hcp"
config.vm.synced_folder "html/", "/var/www/html"
config.vm.synced_folder "html_data/", "/var/www/html/_data"
# Disable automatic box update checking. If you disable this, then
# boxes will only be checked for updates when the user runs
# `vagrant box outdated`. This is not recommended.
#config.vm.box_check_update = false
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine. In the example below,
# accessing "localhost:8080" will access port 80 on the guest machine.
# NOTE: This will enable public access to the opened port
# config.vm.network "forwarded_port", guest: 80, host:8080
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine and only allow access
# via 127.0.0.1 to disable public access
# config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
# Create a private network, which allows host-only access to the machine
# using a specific IP.
# config.vm.network "private_network", ip: "192.168.33.10"
# Create a public network, which generally matched to bridged network.
# Bridged networks make the machine appear as another physical device on
# your network.
# config.vm.network "public_network"
# Share an additional folder to the guest VM. The first argument is
# the path on the host to the actual folder. The second argument is
# the path on the guest to mount the folder. And the optional third
# argument is a set of non-required options.
# config.vm.synced_folder "../data", "/vagrant_data"
# Provider-specific configuration so you can fine-tune various
# backing providers for Vagrant. These expose provider-specific options.
# Example for VirtualBox:
#
# config.vm.provider "virtualbox" do |vb|
#
# Display the VirtualBox GUI when booting the machine
# vb.gui = true
#
#
# Customize the amount of memory on the VM:
# vb.memory = "1024"
# end
#
# View the documentation for the provider you are using for more
# information on available options.
# Enable provisioning with a shell script. Additional provisioners such as
# Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
# documentation for more information about their specific syntax and use.
# config.vm.provision "shell", inline:<<-SHELL
# apt-get update
# apt-get install -y apache2
#
SHELL end
Solution
Always make sure you reserve your IPs when using a Static IP
Versions
VirtualBox Version: 6.0.0 ( I think )
Vagrant Version: 2.2.3
CentosBox: "centos/7"
Nginx Version: 1.16.1
uWSGI Version: 2.0.18
Django Version: 2.2.1
Background
I have two vagrant boxes running, a test and a production. The only difference is IP and core count. I've set up both so I can ssh directly into the boxes, instead of having to ssh into the host machine and then run 'vagrant ssh'
General Issue
The production version will randomly boot me out of the ssh (Connection reset by IP port 22) and then i'll get Connection Refused. If I ssh into the Host machine and then 'vagrant ssh' I can still get in and everything seems to be fine, I can even still ping other computers on the network. But I can't access it from outside the host, this goes for the nginx server as well (IP refused to connect.) on chrome
The issue will occasionally fix itself in a couple minutes, but the majority of the time requires a 'vagrant destroy' and 'vagrant up --provision' / recreate the box. I also occasionally get booted out of the Host Machine and well as the test box, but both I can still access externally after (even the nginx server on test) I'm working over a VPN and I also occasionally get booted out of that as well, but i can reconnect when I notice
VagrantFile
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Please don't change it unless you know what you're doing.
Vagrant.configure("2") do |config|
config.vm.box = "centos/7"
config.vm.hostname = "DjangoProduction"
# Disable automatic box update checking. If you disable this, then
# boxes will only be checked for updates when the user runs
# `vagrant box outdated`. This is not recommended.
# config.vm.box_check_update = false
# Create a public network, which generally matched to bridged network.
# Bridged networks make the machine appear as another physical device on
# your network.
config.vm.network "public_network", ip: "IP"
# Share an additional folder to the guest VM. The first argument is
# the path on the host to the actual folder. The second argument is
# the path on the guest to mount the folder. And the optional third
# argument is a set of non-required options.
config.vm.synced_folder "./", "D:/abcd", type: "sshfs", group:'vagrant', owner:'vagrant'
# Provider-specific configuration so you can fine-tune various
# backing providers for Vagrant. These expose provider-specific options.
# Example for VirtualBox:
#
config.vm.provider "virtualbox" do |v|
v.name = "DjangoProduction"
# test has these two commented out
v.memory = 6000
v.cpus = 4
end
#
# View the documentation for the provider you are using for more
# information on available options.
## Keys
### For SSH directly into the Box
# Work Laptop Key
config.vm.provision "file", source: ".provision/keys/work.pub", destination: "~/.ssh/work.pub"
config.vm.provision "shell", inline: "cat ~vagrant/.ssh/work.pub >> ~vagrant/.ssh/authorized_keys"
# Personal Laptop Key
config.vm.provision "file", source: ".provision/keys/msi.pub", destination: "~/.ssh/msi.pub"
config.vm.provision "shell", inline: "cat ~vagrant/.ssh/msi.pub >> ~vagrant/.ssh/authorized_keys"
##
required_plugins = %w( vagrant-sshfs )
required_plugins.each do |plugin|
exec "vagrant plugin install #{plugin};vagrant #{ARGV.join(" ")}" unless Vagrant.has_plugin? plugin || ARGV[0] == 'plugin'
end
# Enable provisioning with a shell script. Additional provisioners such as
# Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
# documentation for more information about their specific syntax and use.
config.vm.provision :shell, path: ".provision/boot.sh"
end
boot.sh
# networking
sudo yum -y install net-tools
ifconfig eth1 IP netmask 255.255.252.0
route add -net 10.1.0.0 netmask 255.255.252.0 dev eth1
route add default gw 10.1.0.1
# I manually set the gateway so It can be accessed through VPN
## install, reqs + drop things to places - gonna leave all that out
Error messages
Django
This issue starting popping up earlier this week with django sending me error emails saying. it's always random URLs there's no consistency
OperationalError at /
(2003, 'Can\'t connect to MySQL server on \'external-ip\' (110 "Connection timed out")')
I used to get this email once every other day and paid it no attention, but currently it's sending me at least 20 a day and the site is almost unusable- it's either really slow or I get chrome errors: 'ERR_CONNECTION_TIMED_OUT' or 'ERR_CONNECTION_REFUSED' or 'ERR_CONNECTION_RESET' .. it will be fine for an hour and then everything hits the fan
I originally thought it was an issue with the db or uwsgi or django, but working with it yesterday I realized there was a correlation with the timed out and getting kicked out of ssh.
Nginx Server Settings ( I have't changed nginx.conf )
upstream django {
server unix:///vagrant/abcd.sock;
}
server{
listen 8080;
return 301 https://$host$request_uri;
}
server{
charset utf-8;
listen 443 ssl;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
location / {
uwsgi_pass django;
include /vagrant/project/uwsgi_params;
uwsgi_read_timeout 3600;
uwsgi_ignore_client_abort on;
}
location /static {
alias /vagrant/static;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /vagrant/templates/core;
}
}
UWSGI command used
uwsgi --socket abcd.sock --module project.wsgi --chmod-socket=664 --master --processes 8 --threads 4 --buffer-size=65535 --lazy
Nginx Error Logs
Nothing.
Messages file
only shows the '(110 "Connection timed out")' dump when it happens
Can you test the behaviour but commenting the line "config.vm.synced_folder..."?
I got this cmd:
sudo certbot --apache -d pushupteam.dev -d www.pushupteam.dev
and this is. what I got :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pushupteam.dev
http-01 challenge for www.pushupteam.dev
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.pushupteam.dev (http-01): urn:ietf:params:acme:error:un
authorized :: The client lacks sufficient authorization :: Invalid response from http://www
.pushupteam.dev/.well-known/acme-challenge/j4gaJn6vX6tvEGu0HQagjT69Oc3R7l_VJ8CgaluAnLk [34.
89.161.114]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>40
4 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", pushupteam.dev (http-01): urn:
ietf:params:acme:error:dns :: No valid IP addresses found for pushupteam.dev
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: pushupteam.dev
Type: None
Detail: No valid IP addresses found for pushupteam.dev
- The following errors were reported by the server:
Domain: www.pushupteam.dev
Type: unauthorized
Detail: Invalid response from
http://www.pushupteam.dev/.well-known/acme-challenge/j4gaJn6vX6tvEGu0HQagjT69Oc3R7l_VJ8C
galuAnLk
[34.89.161.114]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I have the Domain from Namecheap & I use google cloud DNS.
what is the Problem? I have only interest in ipv4 so no AAAA record;
also, my ufw is disabled (like all google VMs)
Edit:
my etc/apache2/sites-available/srv.conf
<VirtualHost *:80>
ServerAdmin admin#pushupteam.dev
DocumentRoot /var/www/html/
ServerName pushupteam.dev
<Directory /var/www/html/>
Options +FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/codeigniter-error_log
CustomLog /var/log/apache2/codeigniter-access_log common
</VirtualHost>
I use Ubuntu 18.04 LTS and Apache
Edit 2:
pushupteam.dev. NS 3600 ns-cloud-b1.googledomains.com.
ns-cloud-b2.googledomains.com.
ns-cloud-b3.googledomains.com.
ns-cloud-b4.googledomains.com.
pushupteam.dev. SOA 3600 ns-cloud-b1.googledomains.com.
cloud-dns-hostmaster.google.com.
1 21600 3600 259200 300
www.pushupteam.dev. A 60 34.89.161.114
should I reconfig my DNS?
Edit 3:
I encountered this error when trying to set up SSL for an application running in a DigitalOcean droplet.
When I run the command:
sudo certbot --nginx -d example.com -d www.example.com
I get the error:
No valid IP addresses found for www.example.com
OR
During secondary validation: No valid IP addresses found for www.example.com
Here's how I solved it:
Confirm that you have an A record pointing to your server’s public/floating/elastic/static IP address for the domain names that you are having issues with.
Say you want to obtain a certificate for example.com and www.example.com, ensure that they both have an A record pointing to your server’s public/floating/elastic/static IP address.
If you confirm that they are correctly set and you're still having the errors, then give it sometime, say, 30 mins to 1 hour and then try again, or better still run the certificate generation for the eligible domains, say :
sudo certbot --nginx -d example.com
once it becomes successful, run it again with all the domains you want to use to expand/modify it:
sudo certbot --nginx -d example.com -d www.example.com
Resources: No valid IP address found for domain when trying to get SSL certificate?
That's all.
I hope this helps
In order to run this command:
sudo certbot --apache -d pushupteam.dev -d www.pushupteam.dev
Then you need to add a DNS A resource record in your DNS server:
pushupteam.dev A 3600 34.89.161.114
Note: Do not set short TTL values for NS records. Typically this should be one day (86,400 seconds). For A records, one hour (3600 seconds) is normal. You can set these values to just about anything. Consider performance, cache timeouts, and cost.
For the Apache configuration file: /etc/apache2/sites-available/srv.conf add the line:
ServerAlias www.pushupteam.dev
and restart the Apache server:
sudo systemctl restart apache2
I am assuming that you correctly enabled srv.conf by running a command similar to a2ensite srv. Normally the configuration filename is the hostname.
To double check enabled virtual hosts, run this command:
apache2ctl -S
Make sure that both hostnames pushupteam.dev and www.pushupteam.dev are responding to normal web browser requests.
Add a line in your Apache configuration file after the ServerName;
ServerAlias *.pushupteam.dev
and try again.
If that doesn't work also change the "A" type record - from www.pushupteam.dev to just pushupteam.dev.
For me after setting the A/AAAA records the config continued failing so I've restarted nginx first:
sudo systemctl reload nginx
and then reexecuted the command
sudo certbot --nginx -d example.com -d www.example.com
And voilà.
Preamble
I have a django application set up to run under uwsgi proxy passed by nginx. In Iceland we have a smart card client certificate system in place, embedded in debet cards, distributed free by the debet card issuers, i.e. banks. I am attempting to support this environment for authentication, while retaining the ability to issue logic when authenticating, making the process interactive for the user. Currently we use Apache/mod_wsgi to host the application and use a location directive /auth/smartcard where we require client certificate handshakes. The root of the site is just plain https. This relegates the process to the server only, denying us the ability to interact with the user in a constructive manner.
The configuration so far
uWSGI ini:
[uwsgi]
chdir=/home/vagrant/gimli/src
socket=localhost:5000
processes=1
module=application_name.wsgi:application
env DJANGO_SETTINGS_MODULE=application_name.settings
max-requests=5000
home=/home/vagrant/virtualenvs/gimli
py-autoreload=True
nginx settings
server {
<snip>
ssl on;
ssl_protocols SSLv3 TLSv1;
ssl_certificate ssl/host.domain.is.crt;
ssl_certificate_key ssl/host.domain.is.key;
ssl_client_certificate ssl/ca_chain.crt;
ssl_verify_client optional;
ssl_verify_depth 2;
error_log /var/log/nginx/host.domain.error.log debug; # debug for debugging ssl
access_log /var/log/nginx/host.domain.is.access.log;
location / {
include uwsgi_params;
# Client cert support
uwsgi_param SSL_CLIENT_ID $ssl_client_s_dn;
# Bind parameters
uwsgi_pass localhost:5000;
}
</snip>
} # /server
These configurations enable SSL and optional client certificates if supplied to the browser by the smartcard reader (usb dongle). Therefore the ssl_verify_client optional directive. We are not married to Nginx, though we would prefer not to run uwsgi naked.
The question
Is it possible - at runtime - to issue a directive back from the application to the server to elevate the ssl connection to require a client certificate, using either uwsgi or nginx? Is it possible, essentially, to alter the state of the ssl_verify_client setting, renegotiating the ssl handshake?