pe_pplog demo page

heartbleed

Just a reminder to everyone running this blog on a server with OpenSSL: check your version and see whether you are affected by the Heartbleed bug. Info here.
If you do not have SSL enabled and set as required in the config file, you really should!
Posted on - Categories: security


Security tips

Use the captcha or security question for comments, or automatic spambots will find you and flood your blog (I learned that the hard way).

Use https for the admin page, especially when using an open wifi connection (the next version of the blog will redirect automatically when $config_useHTTPSlogin = 1;).

Log out when done (this deletes your cookie and the server-side session file).
Posted on - Categories: security


reverse proxies

If you are using a reverse proxy, the IP address registered for users visiting your site will always appear to be localhost (127.0.0.1), which affects the following features:

Users online is always 1 or 0

Banning is simply not possible

The IP-dependent login cookie is redundant

All of this will be fixed in the upcoming bugfix version.
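The usual way to get real client addresses back is shown below as an added example (Python rather than the blog's PHP, and not pe_pplog code): only believe X-Forwarded-For when the connection really comes from the proxy, and take the address the proxy appended, never whatever the client put in the header itself. The proxy address 127.0.0.1 is taken from the post; the IPv6 loopback is an added assumption.

```python
import ipaddress

# Reverse proxies that sit in front of the blog. Assumed deployment: one proxy
# on the same machine, which is exactly what makes every visitor look like
# 127.0.0.1 to the PHP code.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def client_ip(remote_addr, forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Return the address that 'users online', bans and the IP-bound login
    cookie should use.

    remote_addr   -- REMOTE_ADDR as the web server reports it
    forwarded_for -- the X-Forwarded-For header value, or None if absent
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted or not forwarded_for:
        # Not coming through our proxy (or no header): REMOTE_ADDR is the
        # truth, and any X-Forwarded-For the client sent itself is ignored.
        return str(peer)
    # Each proxy appends the address it saw, so read the chain from the right:
    # skip our own proxies; the first other address is the real client.
    # Everything left of it arrived inside the request and is untrusted input.
    for hop in reversed(forwarded_for.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return str(peer)  # malformed header: do not guess, keep the peer
        if addr not in trusted:
            return str(addr)
    return str(peer)  # the chain contained only our own proxies


def users_online(requests, trusted=TRUSTED_PROXIES):
    """Distinct visitors in a list of (REMOTE_ADDR, X-Forwarded-For) pairs.

    Counting REMOTE_ADDR alone, as the blog currently does, gives 1 behind a
    proxy no matter how many people are reading.
    """
    return len({client_ip(ra, xff, trusted) for ra, xff in requests})
```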


How to create a self signed ssl certificate

In the newest version of the blog one can choose to require an SSL (https) connection for the login. This is obviously the safer option, especially when using the blog over public wifi.

As the certificate generated in this how-to is not signed by a Certificate Authority such as Thawte or Verisign, your browser will show an error informing you that the signing certificate authority is unknown and not trusted. Bear in mind that this is your own self-signed certificate for your own server, so in this case you can accept that error message.

Generating this certificate does not mean that your site will automatically use https. You will have to type https://yoursite.com in manually.

Here is how to create an SSL certificate for the Hiawatha server (for Apache see below):

1. Open a terminal/console locally, or remotely through SSH.

2. First, create an RSA private key with the command below. The key is written unencrypted (no -des3 here): Hiawatha reads the combined key and certificate file at startup and cannot ask for a passphrase.

#openssl genrsa -out serverkey.pem 2048


Generating RSA private key, 2048 bit long modulus
.........................................................++++++
.........................................................++++++
...........+
e is 65537 (0x10001)

3. Next, create the certificate. Because of the -x509 option, openssl req produces a self-signed certificate directly (valid for 3650 days) rather than a Certificate Signing Request, so nothing needs to be sent to a certificate authority. You will be prompted for the information that goes into the certificate; enter the command below.

#openssl req -new -x509 -days 3650 -key serverkey.pem -out server.crt


Country Name (2 letter code) [GB]:type your 2 letter country code
State or Province Name (full name) [Berkshire]:type your state or province name
Locality Name (eg, city) [Newbury]:type your city name
Organization Name (eg, company) [My Company Ltd]:type your company name
Organizational Unit Name (eg, section) []:type your department
Common Name (eg, your name or your server's hostname) []:type your server hostname
Email Address []:type your email address

4. Append the certificate to the key file, so that Hiawatha gets key and certificate in one file, and remove the separate certificate:

#echo "" >> serverkey.pem
#cat server.crt >> serverkey.pem
#echo "" >> serverkey.pem
#rm -f server.crt


5. Installing the private key and certificate is simple; you only need to know where your Hiawatha configuration files are. I assume /etc/hiawatha, but it might be /usr/local/etc/hiawatha. Copy serverkey.pem into that directory and make it readable by root only:

#cp serverkey.pem /etc/hiawatha
#chmod 400 /etc/hiawatha/serverkey.pem


If you are asked whether to overwrite an existing file, type yes and hit Enter.

6. Add an SSL binding to the Hiawatha config file. Open /etc/hiawatha/hiawatha.conf and add the following after the existing HTTP binding, which looks like
Binding {
Port = 80
....
}

Binding {
Port = 443
SSLcertFile = /etc/hiawatha/serverkey.pem
}


7. Restart Hiawatha and test access to your site via https://. Check the certificate and make sure the information you entered is correct.

8. Finish! Your configuration is done. Good luck :-)
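Steps 4 and 5 are where this procedure most often goes wrong in practice (a block pasted or concatenated badly, the certificate ending up before the key, a passphrase-protected key, or a key file readable by everyone). As an added check that is not part of the original how-to or of pe_pplog, this Python script validates a serverkey.pem before Hiawatha is restarted; the sample blocks it builds are constructed and contain no real key material.

```python
import base64
import os
import re
import stat

# One "-----BEGIN X----- ... -----END X-----" block; label and body captured.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def check_pem_text(text):
    """Problems with the content of a combined key+certificate file (empty list == OK)."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if not any(label in KEY_LABELS for label in labels):
        problems.append("no private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    if labels and labels[0] not in KEY_LABELS:
        problems.append("private key must come before the certificate")
    for label, body in blocks:
        lines = body.splitlines()
        headers = [ln for ln in lines if ":" in ln]  # e.g. Proc-Type, DEK-Info
        payload = "".join(ln.strip() for ln in lines if ":" not in ln)
        if label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers):
            problems.append("private key is passphrase-protected (genrsa -des3); "
                            "the server cannot open it unattended")
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            problems.append("%s block is not valid base64 (bad paste or concat?)" % label)
    return problems


def check_combined_pem(path):
    """Content check plus the 'chmod 400' check from step 5, for a file on disk."""
    with open(path) as fh:
        problems = check_pem_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("mode %04o lets group/other read the key; expected 0400" % mode)
    return problems


def fake_block(label, headers=()):
    """Constructed PEM block around non-cryptographic sample bytes (demo only)."""
    body = base64.b64encode(b"constructed sample, not real key material").decode()
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, head, body, label)
```

Run check_combined_pem("/etc/hiawatha/serverkey.pem") after step 5; an empty list means the file has the shape Hiawatha expects.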

And now for Apache
1. Open a terminal/console locally, or remotely through SSH.

2. First, create an RSA private key with the command below (2048 bits, like the Hiawatha key above). You will be asked for a passphrase, which step 4 removes again.

#openssl genrsa -des3 -out server.key 2048


Generating RSA private key, 2048 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase: enter the desired pass phrase
Verifying password - Enter PEM pass phrase: same as above

3. Next, create a Certificate Signing Request (CSR). A CSR is a message sent from an applicant to a certificate authority to apply for a digital identity certificate; here you will sign it yourself in step 5. You will be prompted for the information that goes into the request. Enter the command below.

#openssl req -new -key server.key -out server.csr


Country Name (2 letter code) [GB]:type your 2 letter country code
State or Province Name (full name) [Berkshire]:type your state or province name
Locality Name (eg, city) [Newbury]:type your city name
Organization Name (eg, company) [My Company Ltd]:type your company name
Organizational Unit Name (eg, section) []:type your department
Common Name (eg, your name or your server's hostname) []:type your server hostname
Email Address []:type your email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:type your password
An optional company name []:type your company name

4. Next, remove the passphrase from the key. If the key stays passphrase-protected, Apache asks for it every time the web server starts, which is a problem whenever the server restarts unattended. The commands below keep a protected copy as server.key.org and write an unprotected server.key:

#cp server.key server.key.org
#openssl rsa -in server.key.org -out server.key



5. To generate the self-signed certificate from the CSR (valid for 365 days), enter the command below:

#openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


6. Installing the private key and certificate is simple; you only need to know where your XAMPP Apache directory is. I assume the default, /opt/lampp. Copy the two files into the ssl.crt and ssl.key directories below it, which is where XAMPP's SSL configuration looks for server.crt and server.key:

#cp server.crt /opt/lampp/etc/ssl.crt/server.crt
#cp server.key /opt/lampp/etc/ssl.key/server.key


If you are asked whether to overwrite an existing file, type yes and hit Enter.

7. Restart Apache and test access to your site via https://. Check the certificate and make sure the information you entered is correct.

8. Finish! Your configuration is done. Good luck :-)

Adapted from: http://shahpunyerblog.blogspot.com
