Mediawiki/Force SSL
Latest revision as of 01:19, 10 June 2017
==Overview==
All instructions done on Oracle Linux 6.5
http://www.rackspace.com/knowledge_center/article/serving-secure-sites-with-sni-on-apache
==install mod_ssl==
 ~$ sudo yum install mod_ssl
If you cannot find the package, update your cache and search:
 ~$ sudo yum check-update
 ~$ sudo yum search ssl
 ...
 =============================== N/S Matched: ssl ===============================
 ...
 mod_ssl.x86_64 : SSL/TLS module for the Apache HTTP Server
==apache config==
Comment out the following in /etc/httpd/conf/httpd.conf (ssl.conf will own the secure port instead, so httpd does not end up with a duplicate Listen):
 #NameVirtualHost *:443
 #Listen 443
Add a new NameVirtualHost to /etc/httpd/conf.d/ssl.conf:
 #SNI config - tells apache to use named virtual hosts on the secure port
 NameVirtualHost *:443
Verify that /etc/httpd/conf.d/ssl.conf has the following in it (uncommented):
 Listen 443
==create key, csr, and self-signed crt==
http://www.akadia.com/services/ssh_test_certificate.html
=====create directories=====
Since you have multiple sites hosted from the same box, it's best to organize them into directories. The default location for certs on most Linux Apache installations with mod_ssl is:
 /etc/ssl/certs/
=====create key=====
 ~$ openssl genrsa -des3 -out server.key 2048
=====generate csr=====
 ~$ openssl req -new -key server.key -out server.csr
 Country Name (2 letter code) [GB]:CH
 State or Province Name (full name) [Berkshire]:Bern
 Locality Name (eg, city) [Newbury]:Oberdiessbach
 Organization Name (eg, company) [My Company Ltd]:Akadia AG
 Organizational Unit Name (eg, section) []:Information Technology
 Common Name (eg, your name or your server's hostname) []:public.akadia.com
 Email Address []:martin dot zahn at akadia dot ch
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
The Common Name must match the hostname clients will use (the ServerName of the SSL virtual host), or browsers will reject the certificate.
=====backup & remove passphrase from key=====
Unless the passphrase is removed, Apache will ask for it whenever it is started.
 ~$ cp server.key server.key.org
 ~$ openssl rsa -in server.key.org -out server.key
=====generate self-signed cert=====
 ~$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
 Signature ok
 subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
 Getting Private key
=====add ssl to virtual host=====
Add the following to your virtual host config:
 SSLEngine on
 SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
 SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
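The key, CSR, passphrase-removal and self-signed-certificate steps above, run non-interactively as one script together with the checks worth doing before pointing SSLCertificateFile and SSLCertificateKeyFile at the files. This is an added example, not the page's own commands; the directory /tmp/force-ssl-example, the sample passphrase and the subject values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the page's openssl steps without
# prompts, plus checks that the key is unencrypted, matches the cert, and has the
# expected CN. CERT_DIR, PASS and SUBJ are constructed sample values.
set -eu

CERT_DIR="${CERT_DIR:-/tmp/force-ssl-example}"   # page's default is /etc/ssl/certs/
PASS="pass:sample-passphrase"                    # constructed; mirrors the -des3 prompt
SUBJ="/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=public.akadia.com"

make_cert() (
    mkdir -p "$CERT_DIR" && cd "$CERT_DIR"
    # 1. passphrase-protected key, as on the page (genrsa -des3), without the prompt
    openssl genrsa -des3 -passout "$PASS" -out server.key.org 2048 2>/dev/null
    # 2. strip the passphrase so httpd can start unattended (the page's cp + rsa step)
    openssl rsa -passin "$PASS" -in server.key.org -out server.key 2>/dev/null
    # 3. CSR with the subject supplied inline instead of answering the prompts
    openssl req -new -key server.key -subj "$SUBJ" -out server.csr 2>/dev/null
    # 4. self-signed certificate valid for 365 days, as on the page
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 2>/dev/null
    chmod 600 server.key server.key.org   # private keys must not be world-readable
)

# "encrypted" means httpd would stop and ask for a passphrase at start-up
key_state() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo unencrypted; fi
}

# "match" when the certificate's public key belongs to the private key
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# CN from the certificate, to compare against the SSL vhost's ServerName
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

make_cert
echo "key: $(key_state "$CERT_DIR/server.key"), pair: $(cert_matches_key "$CERT_DIR/server.crt" "$CERT_DIR/server.key"), CN: $(cert_cn "$CERT_DIR/server.crt")"
```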
==edit mediawiki LocalSettings.php==
http://www.mediawiki.org/wiki/Manual:$wgServer
Now let's go to LocalSettings.php and edit the site file:
 ~$ sudo vi /var/www/html/servername/mediawiki-1.22.6/LocalSettings.php
 ## The protocol and server name to use in fully-qualified URLs
 $wgServer = "//servername.com";

 ## Adding $wgCanonicalServer for locations that don't support protocol-relative URLs (the default if "//servername.com" cannot be understood)
 $wgCanonicalServer = "https://servername.com";
==configure the https redirect==
There are two ways to do this: through the virtual host config (recommended), or with mod_rewrite.
https://wiki.apache.org/httpd/RedirectSSL
https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
====mod_rewrite====
This way worked best for me with multiple instances of MediaWiki hosted from the same server on the same IP, but as sub-sites rather than sub-domains.
Open /etc/httpd/conf/httpd.conf and go to line 341 (in my version). Change AllowOverride from None to All so that .htaccess files are honoured:
 ~$ sudo vi /etc/httpd/conf/httpd.conf
 # AllowOverride controls what directives may be placed in .htaccess files.
 # It can be "All", "None", or any combination of the keywords:
 #   Options FileInfo AuthConfig Limit
 #
 AllowOverride All
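The page links to the Apache wiki for the rewrite rules but does not show them. The standard rules for a .htaccess file in the wiki's DocumentRoot, added here as an example (not from the original page), assuming mod_rewrite is loaded and AllowOverride All is set as above:

```apache
# .htaccess in the MediaWiki DocumentRoot (example added here, not from the page)
RewriteEngine On
# Only redirect requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# Permanent redirect to the same host and path over https;
# %{REQUEST_URI} keeps the sub-site path intact
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```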
====virtual host file====
Note the trailing slash on the Redirect target: mod_alias appends the remainder of the request path to the target, so without it a request for /index.php would be sent to https://wiki.r00tedvw.comindex.php.
 <VirtualHost *:80>
     ServerName http://wiki.r00tedvw.com
     Redirect permanent / https://wiki.r00tedvw.com/
 </VirtualHost>
 <VirtualHost *:443>
     ServerAdmin [email protected]
     ServerName https://wiki.r00tedvw.com
     DocumentRoot /var/www/mediawiki
     ErrorLog /var/log/apache2/mediawiki-error.log
     CustomLog /var/log/apache2/mediawiki-access.log combined
     SSLEngine on
     SSLCertificateFile /etc/ssl/cert/server.crt
     SSLCertificateKeyFile /etc/ssl/private/server.key
     <FilesMatch "\.(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars
     </FilesMatch>
     <Directory /usr/lib/cgi-bin>
         SSLOptions +StdEnvVars
     </Directory>
     BrowserMatch "MSIE [2-6]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
     BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 </VirtualHost>