    Server Side Programming with PHP CPAN542



    Lecture 14 Security
When you install a web server, security is one of the main issues that will concern you. How can you transfer data between the server and its clients safely? SSL lets your server encrypt data before it is sent to a client and decrypt the data it receives from its clients, so anyone watching the network sees only ciphertext. Besides that, you may want to allow only certain users to reach parts of your web server to perform certain tasks. This can be done by configuring your server to authenticate any user who tries to make a connection; any unauthorized user is denied access. The two mechanisms complement each other: SSL protects the data in transit but says nothing about who the client is, and Basic authentication identifies the client but sends the password in the clear unless it runs over SSL.

    Secure Socket Layer with Apache:

Apache can be configured to handle HTTPS (HTTP over Secure Sockets Layer). The secure server encrypts the data in transit, so someone sniffing the network cannot read the exchange; it does nothing for data once it is stored on the server or the client.

     

Apache-SSL is a secure web server based on Apache and SSLeay/OpenSSL; mod_ssl is a separate project that adds the same capability to Apache 1.3 as a loadable module. The following steps describe the installation of the Win32 version of Apache with the mod_ssl extension (the certificate instructions further down come from the Apache-SSL FAQ but apply to both):

1-     Download Apache_1.3.22-Mod_SSL_2.8.5-OpenSSL_0.9.6b-WIN32.zip from ftp://ftp.modssl.uli.it/contrib/. Unpack the zip file into a folder called ssl on the C drive (C:\ssl). These are 2001-era releases that are no longer maintained, so treat this as a lab exercise rather than a production setup.

2-     Copy ssleay32.dll and libeay32.dll from C:\ssl\openssl\bin to C:\WINNT\System32.

3-     Download the configuration file openssl.cnf from http://tud.at/programm/openssl.cnf (right-click and save it as C:\ssl\openssl\bin\openssl.cnf, overwriting the existing one). If you cannot open it using Internet Explorer, use Netscape Navigator.

     

Next, perform the following instructions, which are taken from http://www.apache-ssl.org/#FAQ:



     

1-     Type the following command:

C:\ssl\openssl\bin> openssl req -config openssl.cnf -new -out my-server.csr

This creates a certificate signing request (my-server.csr) and, because no -key option is given, a new RSA private key, which openssl writes to the file named by default_keyfile in openssl.cnf (privkey.pem).

When you are asked to "Enter PEM pass phrase", type a passphrase of at least four characters; retype it when asked to "Verifying password - Enter PEM pass phrase". This passphrase encrypts privkey.pem, and you will be asked for it in the next step.

You will then be asked for the country, province, city, organization name and organizational unit name.

When asked for "Common Name (your websites domain name)", give the exact host name under which browsers will reach the server (e.g. localhost). The certificate is issued to this name, and browsers complain if it does not match the host name in the URL.

Finally you are asked for an email address and a "challenge password". The challenge password is an optional attribute of the request that some certificate authorities use; it can be left empty for a self-signed certificate.

2-     Type the following command:

C:\ssl\openssl\bin> openssl rsa -in privkey.pem -out my-server.key

This removes the passphrase from the private key so that Apache can start without prompting for it. You MUST understand what this means: my-server.key is now an unencrypted secret, and the file must be readable only by the Apache server and the administrator. Anyone who can read it can impersonate your server (and, with the RSA key-exchange cipher suites of this era, decrypt recorded traffic).

You should also delete the .rnd file: it holds the random-seed state used while creating the key and could help an attacker mount cryptographic attacks against your private key.

     

3-     Type the following command:

C:\ssl\openssl\bin> openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (That is optional: if you know your users, you can tell them to install the certificate into their browsers, after which the warning disappears.) The certificate expires after one year; change -days 365 if you want a different lifetime. A self-signed certificate proves nothing to a stranger's browser, so for a public site you would send my-server.csr to a CA instead and install the certificate it returns.



     

4-     If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate store (by downloading and opening it), create a DER-encoded copy of the certificate:

C:\ssl\openssl\bin> openssl x509 -in my-server.cert -out my-server.der.crt -outform DER

The DER file contains only the public certificate, so it is safe to hand out; my-server.key must never be distributed.

     

5-     Move my-server.key and my-server.cert into the C:\ssl\conf\ssl directory (create the ssl folder first). Keep the key out of every directory Apache serves, i.e. out of htdocs and of any UserDir location.
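Steps 1 to 4 above, scripted so that they can be repeated without answering prompts, together with the checks that confirm the result. This is an added example, not code from the lecture or from the Apache-SSL FAQ: it runs the same four openssl commands with -subj and -passout in place of the interactive questions, then verifies that the certificate's public key belongs to the stripped private key and that the Common Name is the expected host name. The subject fields, the passphrase and the scratch directory are assumptions for the demonstration; the openssl binary must be on PATH.

```python
"""Scripted version of the lecture's openssl steps 1-4, with result checks."""
import os
import re
import subprocess
import tempfile


def _openssl(*args):
    """Run one openssl command and return its stdout; raise on failure."""
    proc = subprocess.run(["openssl", *args], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"openssl {args[0]} failed: {proc.stderr.strip()}")
    return proc.stdout


def make_self_signed(workdir, common_name="localhost", days=365, passphrase="labpass"):
    """Steps 1-4 of the lecture; returns the paths of the files produced."""
    csr = os.path.join(workdir, "my-server.csr")
    enc_key = os.path.join(workdir, "privkey.pem")   # passphrase-protected (step 1)
    key = os.path.join(workdir, "my-server.key")     # passphrase removed (step 2)
    cert = os.path.join(workdir, "my-server.cert")
    der = os.path.join(workdir, "my-server.der.crt")
    # Step 1: CSR plus a new encrypted private key. The CN must be the host
    # name browsers will use; the other subject fields are constructed.
    _openssl("req", "-new", "-newkey", "rsa:2048", "-keyout", enc_key, "-out", csr,
             "-subj", f"/C=CA/ST=Ontario/L=Toronto/O=CPAN542 lab/CN={common_name}",
             "-passout", f"pass:{passphrase}")
    # Step 2: strip the passphrase so Apache can start unattended.
    _openssl("rsa", "-in", enc_key, "-passin", f"pass:{passphrase}", "-out", key)
    os.chmod(key, 0o600)   # owner-only: the page's "readable by apache and the administrator"
    # Step 3: self-sign the request with that key.
    _openssl("x509", "-req", "-in", csr, "-signkey", key, "-days", str(days), "-out", cert)
    # Step 4: DER copy for browsers that import certificates from a file.
    _openssl("x509", "-in", cert, "-outform", "DER", "-out", der)
    return {"csr": csr, "enc_key": enc_key, "key": key, "cert": cert, "der": der}


def cert_matches_key(cert, key):
    """True if the certificate's public key belongs to this private key."""
    return (_openssl("x509", "-noout", "-modulus", "-in", cert)
            == _openssl("rsa", "-noout", "-modulus", "-in", key))


def cert_common_name(cert):
    """The CN from the certificate subject, or None if absent."""
    subject = _openssl("x509", "-noout", "-subject", "-in", cert)
    m = re.search(r"CN\s*=\s*([^,/\n]+)", subject)
    return m.group(1).strip() if m else None


def key_is_unencrypted(key):
    """A stripped key carries no ENCRYPTED marker in its PEM header."""
    with open(key) as fh:
        return "ENCRYPTED" not in fh.read()


def demo():
    """Run the whole procedure in a scratch directory and return the checks."""
    with tempfile.TemporaryDirectory() as d:
        f = make_self_signed(d, common_name="localhost")
        return {
            "cn": cert_common_name(f["cert"]),
            "matches": cert_matches_key(f["cert"], f["key"]),
            "stripped": key_is_unencrypted(f["key"]),
            "original_encrypted": not key_is_unencrypted(f["enc_key"]),
            "der_size": os.path.getsize(f["der"]),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The modulus comparison is the check to run whenever a certificate and key are installed together: if the two differ, Apache will refuse to start or serve a certificate nobody can complete a handshake with.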



     

6-     Edit httpd.conf and make the following changes:

• ServerRoot "c:/ssl"

• Listen 443

• LoadModule ssl_module modules/mod_ssl.so

• ServerName myserver.com (use the same name you gave as the Common Name, e.g. localhost)

• DocumentRoot "c:/ssl/htdocs"

• The block for the document root (drop Indexes if you do not want directory listings):

  <Directory "c:/ssl/htdocs">
      Options Indexes FollowSymLinks MultiViews
      Order allow,deny
      Allow from all
  </Directory>

• The user-directory block:

  <IfModule mod_userdir.c>
      UserDir "c:/ssl/htdocs"
  </IfModule>

  Do not point UserDir at c:/ssl itself: an absolute UserDir maps /~name/ onto c:/ssl/name/, so the conf directory, including conf/ssl/my-server.key, would become reachable over the web.


     

And add the following to the end of httpd.conf:

# see http://www.modssl.org/docs/2.4/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK

NameVirtualHost localhost:443
<VirtualHost localhost:443>
    SSLEngine On
    SSLCertificateFile conf/ssl/my-server.cert
    SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>

SSLRandomSeed startup builtin seeds the PRNG only from the current time, the process id and the scoreboard; the mod_ssl documentation describes this as a weak source and recommends adding a second source (a file: or exec: entry) at least at startup. Windows has no /dev/urandom, which is why this lecture settles for builtin on a lab machine.
     

     

     



Following is the file httpd.conf after changing the configuration (the container directives <Directory>, <IfModule>, <Files> and <VirtualHost>, which were dropped when this page was converted to text, are restored in their standard Apache 1.3 positions, and UserDir is set to the value from step 6):

ServerType standalone
ScoreBoardFile logs/apache_runtime_status
Listen 443
Port 80
ServerName localhost
ServerRoot "c:/ssl"
DocumentRoot "c:/ssl/htdocs"
Timeout 300
ClearModuleList
#AddModule mod_vhost_alias.c
AddModule mod_env.c
AddModule mod_log_config.c
#AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
#AddModule mod_status.c
#AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_isapi.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
#AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_alias.c
#AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
#AddModule mod_auth_anon.c
#AddModule mod_auth_dbm.c
#AddModule mod_auth_digest.c
#AddModule mod_digest.c
#AddModule mod_proxy.c
#AddModule mod_cern_meta.c
#AddModule mod_expires.c
#AddModule mod_headers.c
#AddModule mod_usertrack.c
#AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c
LoadModule ssl_module modules/mod_ssl.so
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MaxRequestsPerChild 0
ThreadsPerChild 50

<Directory />
    Options FollowSymLinks Indexes
    AllowOverride None
</Directory>

<Directory "c:/ssl/htdocs">
    Options Indexes FollowSymLinks MultiViews
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_userdir.c>
    UserDir "c:/ssl/htdocs"
</IfModule>

DefaultType text/plain
ErrorLog logs/error.log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access.log common
ServerSignature On
AccessFileName .htaccess
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

UseCanonicalName On

<IfModule mod_mime.c>
    TypesConfig conf/mime.types
</IfModule>

<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>

<IfModule mod_dir.c>
    DirectoryIndex index.html
</IfModule>

<IfModule mod_mime.c>
    AddLanguage da .dk
    AddLanguage nl .nl
    AddLanguage en .en
    AddLanguage et .ee
    AddLanguage fr .fr
    AddLanguage de .de
    AddLanguage el .el
    AddLanguage he .he
    AddCharset ISO-8859-8 .iso8859-8
    AddLanguage it .it
    AddLanguage ja .ja
    AddCharset ISO-2022-JP .jis
    AddLanguage kr .kr
    AddCharset ISO-2022-KR .iso-kr
    AddLanguage nn .nn
    AddLanguage no .no
    AddLanguage pl .po
    AddCharset ISO-8859-2 .iso-pl
    AddLanguage pt .pt
    AddLanguage pt-br .pt-br
    AddLanguage ltz .lu
    AddLanguage ca .ca
    AddLanguage es .es
    AddLanguage sv .se
    AddLanguage cz .cz
    AddLanguage ru .ru
    AddLanguage tw .tw
    AddLanguage zh-tw .tw
    AddCharset Big5 .Big5 .big5
    AddCharset WINDOWS-1251 .cp-1251
    AddCharset CP866 .cp866
    AddCharset ISO-8859-5 .iso-ru
    AddCharset KOI8-R .koi8-r
    AddCharset UCS-2 .ucs2
    AddCharset UCS-4 .ucs4
    AddCharset UTF-8 .utf8

    <IfModule mod_negotiation.c>
        LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
    </IfModule>

    AddType application/x-tar .tgz
</IfModule>

<IfModule mod_setenvif.c>
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>

HostnameLookups on
IndexOptions FancyIndexing
ReadmeName README
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
NameVirtualHost localhost:443

<VirtualHost localhost:443>
    SSLEngine On
    SSLCertificateFile conf/ssl/my-server.cert
    SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>

     

After that, run the server from the command line:

C:\ssl\Apache.exe

If everything went fine, you have a secure server running. To access it, type the following URL in your browser:

https://localhost:443/

(Port 443 is the default for https, so https://localhost/ is equivalent.) Because the certificate is self-signed, the browser will warn that the issuer is not trusted; that is expected here, and you should check that the certificate it shows is the one you generated before accepting it.
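The httpd.conf settings above are easy to get subtly wrong, so here is a small checker for them. This is an added example, not part of the lecture and not an Apache tool: it flattens an Apache 1.3 configuration into (containers, directive, arguments) entries and applies the checks a reviewer would run before exposing the server, namely that port 443 is listened on, that mod_ssl is loaded and enabled, that the random seed is not 'builtin' only, and that the private key does not sit inside any directory Apache serves (DocumentRoot, or the base of an absolute UserDir). The two configurations in the block are constructed from the page's own directives and differ only in the UserDir value.

```python
"""Sanity checks for the mod_ssl settings in an Apache 1.3 httpd.conf."""
import posixpath
import re

# Constructed from the page's step-6 directives and SSL block, with the
# UserDir value that points at ServerRoot instead of the document root.
WEAK_CONF = """\
ServerRoot "c:/ssl"
Listen 443
LoadModule ssl_module modules/mod_ssl.so
ServerName localhost
DocumentRoot "c:/ssl/htdocs"
<Directory />
    Options FollowSymLinks Indexes
    AllowOverride None
</Directory>
<IfModule mod_userdir.c>
    UserDir "c:/ssl"
</IfModule>
SSLRandomSeed startup builtin
SSLSessionCache none
NameVirtualHost localhost:443
<VirtualHost localhost:443>
    SSLEngine On
    SSLCertificateFile conf/ssl/my-server.cert
    SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
"""
# Same file with UserDir pointed at the document root, as step 6 says.
FIXED_CONF = WEAK_CONF.replace('UserDir "c:/ssl"', 'UserDir "c:/ssl/htdocs"')

_OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
_CLOSE = re.compile(r"^</\w+>$")


def parse(conf):
    """Return (containers, directive, args) for every directive in the file.

    containers is a tuple of (kind, argument) for the enclosing <Directory>,
    <IfModule>, <VirtualHost> ... blocks, outermost first.
    """
    entries, stack = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _CLOSE.match(line):
            stack.pop()
            continue
        opened = _OPEN.match(line)
        if opened:
            stack.append((opened.group(1), opened.group(2).strip('"')))
            continue
        name, _, args = line.partition(" ")
        entries.append((tuple(stack), name.lower(), args.strip().strip('"')))
    return entries


def _args(entries, directive):
    """Argument strings of every occurrence of a directive, in file order."""
    return [args for _, name, args in entries if name == directive.lower()]


def _is_abs(path):
    return re.match(r"^(?:[A-Za-z]:)?/", path) is not None


def _resolve(server_root, path):
    """Relative file names in httpd.conf are taken relative to ServerRoot."""
    return path if _is_abs(path) else posixpath.join(server_root, path)


def _under(path, base):
    """Case-insensitive test that path lies below directory base."""
    p = posixpath.normpath(path).lower()
    b = posixpath.normpath(base).lower().rstrip("/") + "/"
    return p.startswith(b)


def check(conf):
    """Return (severity, message) findings; an 'error' means do not deploy."""
    entries = parse(conf)
    findings = []
    root = (_args(entries, "ServerRoot") or ["."])[0]

    if "443" not in _args(entries, "Listen"):
        findings.append(("error", "no 'Listen 443': nothing accepts HTTPS"))
    if not any("ssl_module" in a for a in _args(entries, "LoadModule")):
        findings.append(("error", "mod_ssl is not loaded"))
    if not any(a.lower() == "on" for a in _args(entries, "SSLEngine")):
        findings.append(("error", "SSLEngine On is missing"))

    seeds = _args(entries, "SSLRandomSeed")
    if seeds and all(s.split()[-1] == "builtin" for s in seeds):
        findings.append(("warn", "SSLRandomSeed uses 'builtin' only (time, pid, "
                         "scoreboard): add a file: or exec: source, at least at startup"))

    # Directories a client can reach: DocumentRoot as /, and the base of an
    # absolute UserDir as /~<name>/ (mod_userdir maps /~x/ onto <base>/x/).
    served = [("DocumentRoot", d, "/") for d in _args(entries, "DocumentRoot")]
    served += [("UserDir", u, "/~") for u in _args(entries, "UserDir") if _is_abs(u)]
    for keyfile in _args(entries, "SSLCertificateKeyFile"):
        key = _resolve(root, keyfile)
        for kind, base, prefix in served:
            if _under(key, base):
                rel = key[len(posixpath.normpath(base).rstrip("/")) + 1:]
                findings.append(("error", f"private key {key} is below {kind} "
                                 f"{base}: a client can request {prefix}{rel}"))
    return findings


def errors(conf):
    """Only the blocking findings."""
    return [msg for sev, msg in check(conf) if sev == "error"]


if __name__ == "__main__":
    for label, conf in (("UserDir at ServerRoot", WEAK_CONF), ("corrected", FIXED_CONF)):
        print(f"== {label}")
        for sev, msg in check(conf):
            print(f"  [{sev}] {msg}")
```

Run against the first configuration the checker reports the key as reachable at /~conf/ssl/my-server.key; the corrected file leaves only the warning about the builtin seed, which on Windows you accept knowingly rather than fix.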

     

     



    Authentication under Apache:

When you have sensitive resources on your site, you may want to prevent unwanted access by using authentication. The easiest way to use Basic authentication under Apache is the mod_auth module.

When a user tries to access a protected directory on the server, the browser prompts for a login, and the user must provide a valid user name and password to get at that directory. Basic authentication only base64-encodes the name and password in the Authorization header; it does not encrypt them, so use it over the HTTPS server configured above, otherwise every password crosses the network in the clear.

Assume that we have a directory called store under the htdocs directory, and we want to limit access to store to authenticated users only. First we create a text file called users.txt that contains user names and their passwords:

     

For example, users.txt may consist of the following:

John:mor123

Robert:ab123

Sarah:mind

Apache accepts plain-text passwords in AuthUserFile only on Windows (and NetWare). On other platforms the file must be produced with the htpasswd program shipped with Apache (htpasswd -c c:\ssl\users.txt John, then htpasswd c:\ssl\users.txt Robert, and so on), which stores a hash of each password instead of the password itself; that is the safer choice on Windows too, since anyone who reads the file then learns no passwords.

     

Then we add the following directives to httpd.conf:

<Directory "c:/ssl/htdocs/store">
    AuthType Basic
    AuthName "Store users"
    AuthUserFile "c:/ssl/users.txt"
    require valid-user
</Directory>
     

     

Notice that we stored users.txt in the Apache folder (c:/ssl), but it can be stored anywhere, as long as that place is outside DocumentRoot and any UserDir location so that the file cannot itself be downloaded. Now only John, Robert and Sarah can access the store directory.



     

We can also grant access to groups of users by providing another text file that contains group names and their members. For example, we can create a text file called groups.txt that contains:



    Group1: John Robert

    Group2: Sarah

     

Then we can control which group may access the directory:

<Directory "c:/ssl/htdocs/store">
    AuthType Basic
    AuthName "Store users"
    AuthGroupFile "c:/ssl/groups.txt"
    AuthUserFile "c:/ssl/users.txt"
    require group Group1
</Directory>

Now only members of Group1 can access the store directory, that is John and Robert. Sarah still has a valid password but is refused: Apache answers 401 again and the browser shows the login dialog once more. Note that everything after the word group is read as a group name, so writing "require group Group1 valid-user" does not admit all valid users; it merely looks up a group called valid-user, which does not exist in groups.txt.
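The decision mod_auth makes for the two require lines above, worked through in code. This is an added example, not part of the lecture and not Apache's implementation: it loads the page's users.txt and groups.txt, decodes the Authorization header a browser sends after the login dialog (which shows why the page insists on HTTPS), and evaluates a require line the way mod_auth does, including the {SHA} entries that htpasswd -s writes. The Authorization headers are constructed for the demonstration.

```python
"""Apache-style Basic authentication against users.txt and groups.txt."""
import base64
import binascii
import hashlib
import hmac

# The page's two files. Plain-text passwords are accepted only by Apache on
# Windows; sha_entry() below gives the hashed form htpasswd -s produces.
USERS_TXT = """\
John:mor123
Robert:ab123
Sarah:mind
"""
GROUPS_TXT = """\
Group1: John Robert
Group2: Sarah
"""


def load_users(text):
    """name -> stored secret (plain text on Windows, or an htpasswd hash)."""
    users = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, _, secret = line.partition(":")
            users[name.strip()] = secret.strip()
    return users


def load_groups(text):
    """group -> set of member names (AuthGroupFile format)."""
    groups = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def sha_entry(password):
    """The '{SHA}' form that 'htpasswd -s' writes instead of the clear password."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def password_ok(stored, supplied):
    """Constant-time comparison against a plain-text or {SHA} entry."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored.encode(), sha_entry(supplied).encode())
    return hmac.compare_digest(stored.encode(), supplied.encode())


def parse_authorization(header):
    """(user, password) from 'Basic <base64>', or None if the header is unusable."""
    scheme, _, token = (header or "").strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authorize(header, require, users, groups):
    """Apply one 'require ...' line as mod_auth does.

    Returns (allowed, reason). Every refusal is a 401 in Apache: the server
    re-sends WWW-Authenticate and the browser shows the dialog again.
    """
    creds = parse_authorization(header)
    if creds is None:
        return False, "no usable Basic credentials"
    user, password = creds
    if user not in users or not password_ok(users[user], password):
        return False, "unknown user or wrong password"
    kind, *names = require.split() or [""]
    if kind == "valid-user":
        return True, f"{user} authenticated"
    if kind == "user":
        return (user in names), f"{user} {'is' if user in names else 'is not'} a listed user"
    if kind == "group":
        # Every word after 'group' is a group name, so 'require group Group1
        # valid-user' only adds a lookup of a group that does not exist.
        hit = [g for g in names if user in groups.get(g, ())]
        return bool(hit), f"{user} is in {hit or 'none of ' + str(names)}"
    return False, f"unsupported require form: {require!r}"


def basic_header(user, password):
    """What the browser sends: the pair is base64-encoded, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    users, groups = load_users(USERS_TXT), load_groups(GROUPS_TXT)
    hdr = basic_header("Sarah", "mind")
    print("on the wire:", hdr, "->", parse_authorization(hdr))
    for rule in ("valid-user", "group Group1", "group Group1 valid-user"):
        print(f"require {rule}:", authorize(hdr, rule, users, groups))
```

Running it prints Sarah's header and its decoded contents, which is exactly what a sniffer on a plain-HTTP connection would see, followed by her admission under valid-user and her refusal under both group rules.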

     

    Notes:  


• If you already have Apache installed, you can keep running it as a normal (HTTP) server beside your new secure server, as long as the two instances use different ServerRoot directories and do not bind the same port.

     

    Secure Socket Layer with IIS:

IIS is the web server that ships with Microsoft Windows. You can install it during Windows 2000 installation or later as an add-on component. The following steps describe how to configure IIS to handle HTTPS requests:



• From Administrative Tools, open Internet Information Services.



• Right-click the Default Web Site, select Properties, and click the Directory Security tab.

     

     



    • Click the Server Certificate button to start the