Exercises: FreeBSD: Apache and SSL: pre SANOG VI Workshop



Similar documents
Exercises: FreeBSD: Apache and SSL: SANOG VI IP Services Workshop

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

APACHE HTTP SERVER 2.2.8

Apache, SSL and Digital Signatures Using FreeBSD

Apache and Virtual Hosts Exercises

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

CloudOYE CDN USER MANUAL

INASP: Effective Network Management Workshops

APACHE WEB SERVER. Andri Mirzal, PhD N

Apache Security with SSL Using Ubuntu

CO Web Server Administration and Security. By: Szymon Machajewski

Lab 3.4.2: Managing a Web Server

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

Introduction to Operating Systems

CentOS. Apache. 1 de 8. Pricing Features Customers Help & Community. Sign Up Login Help & Community. Articles & Tutorials. Questions. Chat.

Lab - Observing DNS Resolution

Apache Security with SSL Using Linux

Ethical Hacking as a Professional Penetration Testing Technique

Enterprise SSL Support

Setup a Virtual Host/Website

HTTP Fingerprinting and Advanced Assessment Techniques

Host your websites. The process to host a single website is different from having multiple sites.

File Transfer Examples. Running commands on other computers and transferring files between computers

Apache 2.0 Installation Guide

Chapter 27 Hypertext Transfer Protocol

TELNET CLIENT 5.11 SSH SUPPORT

Managing Software and Configurations

SIMIAN systems. Setting up a Sitellite development environment on Windows. Sitellite Content Management System

Network Technologies

LAMP Quickstart for Red Hat Enterprise Linux 4

INSTALLING KAAZING WEBSOCKET GATEWAY - HTML5 EDITION ON AN AMAZON EC2 CLOUD SERVER

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

Tera Term Telnet. Introduction

The Application Layer. CS158a Chris Pollett May 9, 2007.

Outline Definition of Webserver HTTP Static is no fun Software SSL. Webserver. in a nutshell. Sebastian Hollizeck. June, the 4 th 2013

DoD Public Key Enablement (PKE) Quick Reference Guide. Securing Apache HTTP with mod_ssl for Linux

Apache Configuration

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

SecuritySpy Setting Up SecuritySpy Over SSL

Securing Your Apache Web Server With a Thawte Digital Certificate

LOCKSS on LINUX. Installation Manual and the OpenBSD Transition 02/17/2011

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

Installing SQL-Ledger on Windows

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Desktop : Ubuntu Desktop, Ubuntu Desktop Server : RedHat EL 5, RedHat EL 6, Ubuntu Server, Ubuntu Server, CentOS 5, CentOS 6

GeBro-BACKUP. Die Online-Datensicherung. Manual Pro Backup Client on a NAS

Setting Up SSL on IIS6 for MEGA Advisor

FreeBSD OpenVPN Server/Routed - Secure Computing Wiki

How to: Install an SSL certificate

Microsoft Virtual Labs. Administering the IIS 7 File Transfer Protocol (FTP) Server

Installation of PHP, MariaDB, and Apache

GlassFish OpenSSO CAC Authentication Deployment Configuration Guide

Thirty Useful Unix Commands

Security Correlation Server Quick Installation Guide

Configuring MailArchiva with Insight Server

Web Server using Apache. Heng Sovannarith

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

LOCKSS on LINUX. CentOS6 Installation Manual 08/22/2013

Internet Technologies. World Wide Web (WWW) Proxy Server Network Address Translator (NAT)

imhosted Web Hosting Knowledge Base

Apache JMeter HTTP(S) Test Script Recorder

1 Recommended Readings. 2 Resources Required. 3 Compiling and Running on Linux

10gAS SSL / Certificate Based Authentication Configuration

Using TestLogServer for Web Security Troubleshooting

Lab 2: Secure Network Administration Principles - Log Analysis

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Secret Server Installation Windows Server 2012

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

Secret Server Installation Windows Server 2008 R2

Installing an SSL certificate on the InfoVaultz Cloud Appliance

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

dotdefender v5.12 for Apache Installation Guide Applicure Web Application Firewall Applicure Technologies Ltd. 1 of 11 support@applicure.

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

User s guide. APACHE SSL Linux. Using non-qualified certificates with APACHE SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

Load Balancing/High Availability Configuration for neoninsight Server

Apache Usage. Apache is used to serve static and dynamic content

Working With Virtual Hosts on Pramati Server

Hadoop Basics with InfoSphere BigInsights

13. Configuring FTP Services in Knoppix

Implementing Reverse Proxy Using Squid. Prepared By Visolve Squid Team

How To Install Amyshelf On Windows 2000 Or Later

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

MadCap Software. Upgrading Guide. Pulse

Linux FTP Server Setup

World Wide Web. Before WWW

Implementing Secure Sockets Layer on iseries

User guide. Business

AnzioWin FTP Dialog. AnzioWin version 15.0 and later

CN=Monitor Installation and Configuration v2.0

The Web: some jargon. User agent for Web is called a browser: Web page: Most Web pages consist of: Server for Web is called Web server:

The course will be run on a Linux platform, but it is suitable for all UNIX based deployments.

Network Management & Monitoring Request Tracker (RT) Installation and Configuration

MONIT. UNIX Systems Management

Transcription:

14/01/05 file:/data/hervey/docs/pre-sanog/web/ha/security/apache-ssl-exercises.html #1 Exercises Exercises: FreeBSD: Apache and SSL: pre SANOG VI Workshop 1. Install Apache with SSL support 2. Configure Apache to start at boot 3. Verify Apache and SSL functionality are working 4. Change the default DocumentRoot for Apache 5. View the online Apache documentation January 12, 2005 Note: The text 'pc#' represents your command prompt. Commands are the text after 'pc#'. 1.) Install Apache with SSL support [Top] For this exercise you need to be root user. We are going to install the Apache web server with Secure Socket Layer (ssl ) support. We'll do this by going to the ports collection, finding Apache with the mod_ssl extension, using make and make install to compile the port and install it on your machine. Steps to install Apache pc# cd /usr/ports/www [Apache with ssl port is here] pc# ls more [Look for the Apache port we want] pc# cd apache13-modssl [This is the exact Apache port we want] pc# make At this point you will see multiple screenfulls of information scroll by as the Apache web server with SSL support is being compiled on your machine. The process will take several minutes. The final make message you will see is: ===> Creating Dummy Certificate for Server (SnakeOil) [use 'make certificate' to create a real one] The make process creates an initial digital certficate that is not signed and installs this for use with Apache. Finish installing Apache To complete the Apache with SSL installation process on your machine type: pc# make install The final message you receive indicates that some important Apache files can be found here: /usr/local/sbin/httpd [Apache server binary] /usr/local/etc/rc.d/apache.sh [Apache startup scripts] Type the following: pc# man httpd And read until the end of the man page. At the end is a list are some more files that are important to the Apache web server. These include: /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/srm.conf /usr/local/apache/conf/access.conf /usr/local/apache/conf/mime.types /usr/local/apache/conf/magic /usr/local/apache/logs/error_log /usr/local/apache/logs/access_log /usr/local/apache/logs/httpd.pid At this point Apache is installed, but not running. Our next exercise will be to configure your machine to automatically start Apache at boot, and to start and stop Apache manually. We'll be using some of the files listed above for these

14/01/05 file:/data/hervey/docs/pre-sanog/web/ha/security/apache-ssl-exercises.html #2 exercises. 2.) Configure Apache to start at boot [Top] For this exercise you need to be root. Remember on Day 1 that you learned that third party software might install their startup scripts in /usr/local/etc/rc.d? This is the case for the Apache web server. If you look in /usr/local/etc/rc.d/ you will see a file named "apache.sh". This file is the startup script for the Apache web server. Remember that startup scripts look in your various rc.conf files to see whether they have been enabled. This is the same with the startup script /usr/local/etc/rc.d/apache.sh. First have a look at this script to understand where it is looking to see if it should execute at system startup: pc# less /usr/local/etc/rc.d/apache.sh The first screen of information includes the follwing: # Define these apache_* variables in one of these files: # /etc/rc.conf # /etc/rc.conf.local # /etc/rc.conf.d/apache # # DO NOT CHANGE THESE DEFAULT VALUES HERE # apache_enable="no" apache_flags="-dssl" apache_pidfile="/var/run/httpd.pid" As you can see this script will check in /etc/rc.conf then /etc/rc.conf.local (deprecated), and then /tec/rc.conf.d/apache to see it Apache has been enabled. Now let's edit the file /etc/rc.conf and add the line that will tell Apache to start each time you boot your machine: pc# vi /etc/rc.conf And, in this file you should add a line that reads: apache_enable="yes" To do this move your cursor down to the bottom of your file and add the line. Then save your file and exit. Here are the steps for this beginning after you have typed "vi /etc/rc.conf": 1. Move down to bottom of the file using the DOWN-ARROW 2. Press the "o" key to place yourself in input mode and add a new line 3. Type in "apache_enable="yes" 4. Press the ESCape key 5. Press colon, then 'w' then 'q' then ENTER, or ":wq: [ENTER] Now you should be back at your system prompt (pc#). Now that the file /etc/rc.conf includes the line apache_enable="yes" you should be able to use the script apache.sh in /usr/local/etc/rc.d/ to start, stop, verify, etc. the Apache server. Let's start the Apache web server by doing: pc# /usr/local/etc/rc.d/apache.sh start If you want to see the various things you can do with this script just type: pc# /usr/local/etc/rc.d/apache.sh And you should see: Usage: /usr/local/etc/rc.d/apache.sh [fast force one](start stop restart rcvarstatus poll) 3.) Verify Apache and SSL functionality are working [Top] For this exercise you can use your standard username account. At the most simple level let's verify that the Apache web server daemon appears to be running. We can use the ps

14/01/05 file:/data/hervey/docs/pre-sanog/web/ha/security/apache-ssl-exercises.html #3 command to do this: pc# ps auxw grep httpd Remember that Apache uses the actual binary file /usr/local/sbin/httpd to start the Apache web server as indicated by the final message during installation. That's why we grep'ed on "httpd" instead of "apache". The output you should see will look something like this: root 54884 0.0 0.9 5224 3296?? Ss 12:43PM 0:00.22 /usr/local/sbin/httpd -DSSL www 54885 0.0 0.9 5264 3328?? I 12:43PM 0:00.01 /usr/local/sbin/httpd -DSSL www 54886 0.0 0.9 5264 3328?? I 12:43PM 0:00.01 /usr/local/sbin/httpd -DSSL www 54887 0.0 0.9 5248 3324?? I 12:43PM 0:00.01 /usr/local/sbin/httpd -DSSL www 54888 0.0 0.9 5248 3328?? I 12:43PM 0:00.01 /usr/local/sbin/httpd -DSSL www 54889 0.0 0.9 5248 3324?? I 12:43PM 0:00.01 /usr/local/sbin/httpd -DSSL www 54890 0.0 0.9 5240 3308?? I 12:43PM 0:00.00 /usr/local/sbin/httpd -DSSL root 54951 0.0 0.2 1476 796 p5 S+ 12:59PM 0:00.01 grep httpd Note that Apache runs with multiple instances of the httpd daemon. This is so that the web server can rspond to multiple requests more efficiently. Also notice that the first httpd daemon that starts runs as root, but subsequent daemons use the user "www" - This is to make the web server less vulnerable to attacks that might gain root access. So, this shows you that Apache is running, but is it accessible to users with web browsers? To check for this you can take advantage of the "Lynx" text-based web browser that you installed on the first day. To do this type: pc# lynx 127.0.0.1 To exit from Lynx you press "q" and then you answer "y" to the prompt "Are you sure you want to quit?" You could also type any of the following: pc# lynx localhost pc# lynx pcn.presanog.org.bt pc# lynx 202.144.139.N Where "N" (in both cases) is the number of your machine. The address 127.0.0.1, by definition, is your machine. The name "localhost" should resolve to 127.0.0.1 and should be defined in the file /etc/hosts. The other two addresses work because you have been assigned an IP address and we are using DNS to resolve these addresses to a name. Clearly using "127.0.0.1" removes several layers of complexity and is the easiest to use for initial testing. Now, what if you did not have the Lynx text-based web browser package installed? When you first installed FreeBSD this was not installed. It's possible you might be on a machine in the future and not have a web browser available, even though the machine is running a web server. From your exercises on Tuesday remember you can use telnet to verify if the web server is available. To do this type: pc# telnet 127.0.0.1 80 If you get back something like: Trying 127.0.0.1... Connected to localhost.presanog.org.bt. Escape character is '^]'. This is a good indication that you have a web server working. Still, to be sure that this is not some other server running on port 80 you should go a step further. You could repeat our exercise from yesterday and view the initial page by doing: ^] [press CTRL key and ']' character to exit] pc# cd [to go your home directory] pc# script apache.txt pc# telnet 127.0.0.1 80 GET / HTTP/1.0 host: localhost [press ENTER] [press ENTER twice]

14/01/05 file:/data/hervey/docs/pre-sanog/web/ha/security/apache-ssl-exercises.html #4 pc# exit [to leave your script shell] And you will see the initial Apache welcome page scroll by on your screen. Now that you saved the output of this session to the file ~/apache.txt (the '~' character is short for "home" in Unix) we can get some additional information. Type the file apache.txt to your screen by doing: pc# cd [to go your home directory] pc# less apache.txt In the first page of information presented you should see: HTTP/1.1 200 OK Date: Tue, 11 Jan 2005 05:40:20 GMT Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7d Content-Location: index.html.en Vary: negotiate,accept-language,accept-charset TCN: choice Last-Modified: Mon, 10 Jan 2005 02:41:25 GMT ETag: "41f6f-a71-41e1eb55;41e1ec2c" Accept-Ranges: bytes Content-Length: 2673 Connection: close Content-Type: text/html Content-Language: en Expires: Tue, 11 Jan 2005 05:40:20 GMT Notice that you can now see exactly what version of Apache is running, that it appears to be ssl-enabled and it is using OpenSSL 0.9.7d and mod_ssl to do this. So, it appears that Apache is ssl-enabled on this machine, but how can we prove this? A web server with ssl support means that you can go to URL addresses that start with "https" (http secure). We could try this: pc# lynx https://localhost/ But, you will receive an error message that reads: Alert!: This client does not contain support for HTTPS URLs. lynx: Can't access startfile https://noc/ That is because we did not install the Lynx package that includes ssl support. We could do this now, but instead we'll use a tool that comes with OpenSSL to allow us to make ssl connections, verify encryption in use, view certificates, etc.you can simply type "openssl" and then you will get a prompt where you can use the multiple openssl tools, or you can combine the command "openssl" with the various tools on your command line. This is what we will do using the openssl s_client tool. Try typing these commands: pc# cd pc# script ssltest.txt pc# openssl s_client -connect localhost:443 pc# exit pc# less ssltest.txt And you will get several screens of information about your Apache web server, the ssl certificate that was installed by default and it's detailed information, what protocols are in use, and more. As you can see a certificate installed by the "Snake Oil" organization has been installed on this server and the protocol in use is TLSv1. Now that we know that Apache is up and running with both secure (SSL/TLS) and insecure support we can make a change to our default configuration, which we'll do in the next exercise.

14/01/05 file:/data/hervey/docs/pre-sanog/web/ha/security/apache-ssl-exercises.html #5 4.) Change the default DocumentRoot for Apache [Top] For this exercise you need to be root. Now that Apache is installed maybe you don't want your web server to use the default directory location and files that come with Apache. By default if you go to http://localhost/ Apache will look in the directory /usr/local/www/data under FreeBSD. If you look in this directory you will see a number of files: pc# ls /usr/local/www/data These files are designed to display the initial Apache welcome page in the language you are using on your machine. Let's use a different directory as the default directory that Apache will use. To do this we need to edit the file /usr/local/etc/apache/httpd.conf and change the location where the configuration setting DocumentRoot points. We'll create a directory /u/apache for this exercise and create an index.html file in this directory. First let's do this: pc# mkdir /u/apache pc# echo "Welcome to my new home page!" > /u/apache/index.html Now let's update the Apache httpd.conf configuration file so that the web server will automatically look in /u/apache and display the file /u/apache/index.html when you go to http://localhost/. pc# vi /usr/local/etc/apache/httpd.conf press "/" and type in "DocumentRoot" then press ENTER Scroll down a few lines and change the line that reads: To read: DocumentRoot "/usr/local/www/data" DocumentRoot "/u/apache" Remeber it's "i" for input mode, ESCape to get out of input mode, and "x" to delete characters. Make sure you don't include a trailing "/". Now you need to save and exit the file: Press ESCape and then ":" then wq and [ENTER] Now you need to restart the Apache web server so that it will read /usr/local/etc/apache/httpd.conf and recognize the change you just made. To do this type: /usr/local/etc/rc.d/apache.sh restart This will restart the server (current connections are dropped). Now go to your machine's new default home page by using Lynx and typing: lynx http://localhost/ And, you should see "Welcome to my new home page!" in your Lynx window. You can exit Lynx by pressing "q" and answering "y" to the prompt Are you sure you want to quit?" 5.) View the online Apache documentation [Top] When Apache is installed it includes a fair amount of documentation that can be quite useful. You can view this documentation in your Lynx web browser by doing this: pc# lynx http://localhost/manual/index.html And, since we have installed SSL you may want to view the online mod_ssl documenation for Apache. You can do this by typing: pc# lynx http://localhost/manual/mod/mod_ssl/ The physical address for the Apache manuals collection is is /usr/local/share/doc/apache/. When you go to http://localhost/manual/index.html you are redirected to this directory. There is a setting in your Apache configuration file (/usr/local/etc/apache/httpd.conf) that tells the web server to map this directory to the URL http://localhost/manual/. If you type this:

14/01/05 file:/data/hervey/docs/pre-sanog/web/ha/security/apache-ssl-exercises.html #6 You will see this: pc# grep manual /usr/local/etc/apache/httpd.conf # This Alias will project the on-line documentation tree under /manual/ Alias /manual/ "/usr/local/share/doc/apache/" This is a configuration setting in Apache known as an "Alias" to redirect a URL directory to a different physical address. Hervey Allen January 2005

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information