How-To IPC-Webinterface via SSL (massima sicurezza!!!)

[meister85]

In questo How-To vi voglio spiegare come possiamo massimizzare la sicurezza del nostro IPC-Webinterface usando SSL.

1. Installare OpenSSL con questo commando in Putty:

apt-get install openssl

2. Creare il certificato di sicurezza:

openssl req $@ -new -x509 -days [COLOR=#ff0000]365[/COLOR] -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

365 = Certificato a una validita di 365 giorni!

Per creare il certificato bisogno mettere alcuni parametri

Country Name (2 letter code) [AU]:IT

State or Province Name (full name) [Some-State]:ITALIA
Locality Name (eg, city) []:Roma
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ci potete mettere qualcosa di fantasia
Organizational Unit Name (eg, section) []:.
[COLOR=#ff0000][B]Common Name (eg, YOUR name)[/B][/COLOR] []:[B]vostrodyndns.com[/B] [B]oppure l´IP dell server[/B]
Email Address []:blablabla@blabla.de

!!! Importante: Il CN-Name bisogno mettere il vero IP oppure il DYNDNS, altrimenti vi viene proibito l´accesso sul server !!!

3. Dobbiamo settare l´attributi per il certificato:

chmod 600 /etc/apache2/apache.pem

4. Ora dobbiamo modificare la config per apache2:

cd /etc/apache2/sites-available

cp -f /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

5. Apriamo il file per modificare la configurazione SSL:

nano /etc/apache2/sites-available/ssl

Il contenuto dovrebbe essere simile questa:

<VirtualHost [COLOR=#ff0000][B]vostro_IP_del_Server[/B][/COLOR]:443>
    ServerAdmin [COLOR=#ff0000][B]vostro_Email[/B][/COLOR]
    
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
[COLOR=#ff0000][B]        SSLEngine on
        SSLCertificateFile /etc/apache2/apache.pem[/B][/COLOR]
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

6. Attivare SSL:

a2enmod ssl

7. Ora apriamo la ports.conf per modificare la porta per l´accesso:

nano /etc/apache2/ports.conf

Il contenuto dovrebbe essere simile questa:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost [COLOR=#ff0000][B]vostro_IP_del_Server[/B][/COLOR]:443
[COLOR=#ff0000][B]#Listen 80[/B][/COLOR]

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
   [COLOR=#ff0000][B] Listen 443[/B][/COLOR]
</IfModule>

<IfModule mod_gnutls.c>
#    Listen 443
</IfModule>

8. Riavviamo apache2:

/etc/init.d/apache2 restart

Da ora in poi vostro IPC-Webinterface viene cryptato via SSL.

[COLOR=#ff0000][SIZE=3][B]https[/B][/SIZE][/COLOR]://[COLOR=#000000]vostro_IP_del_Server[/COLOR]

Se vi volete connetere esterno, dovete aprire la porta 443 nel router!

>>>>> Per domande clicca qui <<<<<
​

 

[meister85]

AW: IPC-Webinterface via SSL (massima sicurezza!!!)

Per chi se lo vuole fare piu facile puo usare anche la configurazione standard:

1. attivare SSL:

a2enmod ssl

2. settare la configuratione standard del debian:

a2ensite default-ssl

3. modificare la ports.conf:

nano /etc/apache2/ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost [COLOR=#ff0000]*:443[/COLOR]
[COLOR=#ff0000]#Listen 80[/COLOR]

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

4. riavviare apache2:

/etc/init.d/apache2 restart