Apache Web Server and HTTPS on Linux

Captions
I'm going to demonstrate setting up the Apache web server inside some Linux machines on VirtualBox, including setting up HTTPS and the use of digital certificates. Currently I have three Linux machines running in VirtualBox: a client, a router and a server. I'm going to install Apache on the server and then use the client to test web browsing on that. There are many different instructions online; we're using Ubuntu 16.04, and one set of instructions for setting up Apache on Ubuntu, from DigitalOcean, has some basic instructions, so you can browse through there to see the steps. It's quite simple to set up Apache; it's a little bit more complicated to set up the digital certificates, so let's go through it.

I have my window for my server here, basically an Ubuntu install. The first thing we're going to do is install Apache using apt, and it's actually Apache version 2: sudo apt install apache2. I enter my password and it asks whether I really want to continue; there's a bunch of software that's going to be installed, and yes, I want to continue. It will download and install Apache and set it up, and in fact the web server will be up and running once it's complete. I'll bring up my client, which is connected to the server via the router, and for that we're going to use a text-based web browser, so I'll just install links to test. links is a simple text-based web browser and it's useful for quick testing when we only have the command line. So we can run links and specify the URL, and in this case we're going to use the IP address of the server. I ran ifconfig on the server, and in my internal network the IP address is 192.168.2.22, so that's the address. All connected, and it brings me to the Apache2 Ubuntu default page; this is the page served by Apache by default. If you want to set up a website you need to change this index.html file and set up all your files in the appropriate directory. So it's up and running; that was simple.

There are a couple of things we need to do to make it a little bit more convenient, but before we do that: there are many directories relevant to Apache for setting it up on the server. I won't explain them all now; the documentation will explain them. For example, if we scroll through we can see this explains the default web page which we saw (but only the text version), and in step five it talks about the different directories and files which are relevant for configuration of the Apache server. For example, /var/www/html stores the actual web content, and a lot of the configuration of the server is under the /etc/apache2 directory. I will not go through those now; we'll look at setting up a few other features in the server so we can test them.

One thing, of course: what we did to access it with a client (and I'll just quit out of links using q to quit) was supply the IP address, which is not much fun; sometimes we'd like to use a domain name. In my small internal network I don't have a DNS server, but I can cheat a little bit by manually setting mappings of domain names to IP addresses, in particular on the client. One way I could do that: I'm on the client and I edit a file called /etc/hosts, and I can insert a mapping in here. Insert the IP address of the server, and let's create a domain name for our server. So this says on my client, if I ever try to access www.example.com it'll be redirected to 192.168.2.22, which is my actual web server. So this is a local version, with respect to the client, of DNS settings. We can add more in here, to the same IP address or to other IP addresses if we have them on our internal network, and this is only for the client, so we can in effect use any domain name that we choose. Save that (Escape, write and quit). What that means is we can now use links but specify a domain name, and my local hosts file will map that to the actual IP address of the server, and we get the same web page. So that's useful for testing when we want to test with domains, and it's only in our internal network inside VirtualBox. Quit out of that.

So that's it; we've installed the Apache web server and we can access that from a client. Now let's go back to our server and have a look in a bit more depth at the configuration. Again, the website here lists the different directories and files of relevance, so we'll go through some of those, not all of them. This is on the server. First, if we change into /var/www/html and ls, we see this is where the web pages are stored, and we can have subdirectories, images and so on in here, so this is the web content in this directory, and it's got a default template web page which says welcome to Apache on Ubuntu, the Apache2 Ubuntu default page. So when we create a website we'll put our files inside here.

The next directory of relevance (I'll just clear and go to the top) is apache2 under the /etc directory, and the main configuration of the web server is done via files within this directory; they're primarily text files. There are multiple files, usually configuration files ending in .conf, and there are further files or modules in some of the subdirectories. The first one, or the main one, is apache2.conf. We will not make any edits to it; you can browse through and read some of the comments on how it works, but the main idea is that the web server is configured by directives. For example, although this one's commented out, ServerRoot is the parameter and the value given here is /etc/apache2. If you want to change those values you can remove the hash at the start and modify this file. Initially we don't need to modify anything; the default parameters are sufficient. If you really want to optimize or specialize Apache you may go into here and change some parameters, and it refers to other files, including ports.conf and files available in the subdirectories; there are links into those. One of them which is of relevance is in the sites-available subdirectory, and it's the default configuration of the Apache web server, and its name is 000-default.conf.

We'll open that up, and note it's read-only; we need to use sudo to make changes to that. At this stage I'm just viewing the configuration file. Here is where you're more likely to make the first configuration changes to your web server. For example, ServerAdmin gives the email address of the administrator, by default an address at localhost, but if you have a real domain you would put the real email address of the admin here. It specifies where the root of your web directory is, and that can be changed of course, and the location of error logs and access or custom logs, and that's it. In this case this is in this VirtualHost set of directives; we can actually have on the same physical server multiple virtual hosts, or multiple different websites for different domains. We'll see that there's another file in here, default-ssl.conf; this is the configuration for setting up HTTPS, which we'll get to shortly. We'll come back and we'll need to edit that file. Apache has extra features which are available in modules, and mods-available lists some of those modules currently installed, and there are different ways to enable those modules. We will enable the SSL module at a later stage.

The other directory of initial interest is where the logs are stored, and that's under /var/log, and there are a lot of operating system and software logs in here. The one of interest is the apache2 subdirectory, and there's normally an access.log and an error.log. The access log is the one of interest: it logs by default all accesses to the website, and it logs them in a standard format where it keeps a record of who accessed the website, at what date and time, what page they requested (the path name they tried to get), the response (the HTTP response code, 200), the response size and some information about the browser used to access the website. We'll see over time, as multiple people access the website, that this log can be quite useful for learning about how people access it. The error log is useful for those things that go wrong in your web server. So those are the main locations where you get started with configuring Apache.

We're now going to set up Apache to support HTTPS so web browsers can connect to it in a secure manner using HTTPS. It's not too hard to enable that on Apache, but the more complicated procedure is making sure Apache has a valid digital certificate. The normal procedure on a real server is that we would create a certificate for ourselves and then go to an external certificate authority to get that certificate signed. However, when we're using our internal network in VirtualBox and we want to do everything inside VirtualBox, we are not going to go out to an external authority; instead what I'm going to do is create my own authority on my server and get that to sign the certificate for my web server. So I'm going to go through the steps of creating a certificate for the authority, generating the authority, and then we'll create a certificate for the server and get the authority to sign that.

The first step here is creating a certificate for the authority, and I'm not going to explain the details of the algorithms like RSA, or even how certificates provide security; that should be covered in a separate security unit. We're going to use common software for security operations called OpenSSL, and it provides all the features we need to generate certificates, generate the authority and sign certificates. The mode we're going to use is: we want to generate a public key pair for an authority, and we're going to use the algorithm which is common, which is RSA, and I'm going to choose two options for the RSA algorithm and public key. The first one is the key length: when we generate an RSA key pair the length is important; normally we can choose between 1024 bits, 2048 or 4096, where the longer, the more secure, although the slower it is to do cryptographic operations. Another option that I'm going to choose is that RSA has a public exponent, and I'm going to choose it to be this magic value 65537. Really you need to go and study the details of the RSA algorithm to understand the significance of the public exponent and what the 2048 bits refer to, but this should generate our key pair, and I'm going to output that key pair to a file. This is my key pair for the certificate authority, so I'll call it cakey, and the file format we use is .pem. That's generated a key pair, and we could go away and have a look at the details of that; for now I'll leave it. We'll see another example later. That's our certificate authority key pair. When you set up a server in the real case you would normally not need to do that; you would go to an external CA, but we need to do it internally.

Now my authority needs to sign its own certificate, again not a normal step that we'd need on our web server; it would be done by an external authority. What we do is generate a request using standard X.509: as the input key we're going to use our cakey.pem and we're going to output a file called cacert.pem, and I'm going to say this certificate is going to be valid for three years, 1095 days. This is actually the certificate authority signing its own certificate. And what have I done wrong? A typo here: I forgot a dot, cakey.pem. Nope, I see this error; there's some error here, so be careful: if you do see an error you've probably got a typo like I did. And this is the success. It now asks for information about my certificate authority. Country name or country code: Australia. State: choose the one that's relevant for you. City: Cairns. Organization name: this is for the certificate authority, and essentially for the demo you can choose whatever you like; ours is a university. Organizational unit is optional; I'll give the value Certificate Authority, but you could just press Enter to skip that part. This is important, the common name, especially in a later step; normally it's a domain name, so I'll make up one for CQUniversity, and a made-up email address. I say made up because the domain is just internal to my VirtualBox network; I'm not going to be using this on the real internet, so it doesn't matter. And that should be done, and I now have the key pair, the RSA key pair for the certificate authority, and a self-signed certificate for the authority, which is going to be needed later.

Now, we're still setting up this authority; the next thing we need to do is set up some directories so that this authority can sign the web server certificate, and I'm going to quickly go and set up the directories. I'm in my home directory (just cd home). The directory structure here is quite important: if you get the directories wrong then you'll have problems later. The directory names come from a configuration file; you could change it, but it's best just to follow these directory names. I'm going to make a directory called demoCA, and then I'm going to make a few directories under that called certs, another one called crl, and newcerts, and these are needed (all of them are needed) for our certificate authority, and private. I need an empty file, so I'm going to touch the file in that directory called index.txt, and I need another file, and it must contain the value 01 (sounds like some magic values, but it's all necessary), so in our certificate authority we'll have the necessary files set up to be able to sign and issue certificates for our website. I'll echo that into a serial file, and I'm going to move the cacert file that we previously created into the demoCA directory and move the cakey file, our key pair, into the demoCA private directory. You need to go through those steps to prepare our certificate authority.

The last step to prepare is to make a small change to a configuration. There's a file which we're going to edit, with sudo, using vi; it's called /usr/lib/ssl/openssl.cnf. This is the configuration of OpenSSL, and in there are some settings that we're just going to change. We're looking for the settings which are to do with the CA policy, policy_match. Scroll through; in fact this specifies the default settings for all those directories that we just created. If you wanted to have different directories you would have to change this first. Look through, scroll down for the CA policy, and policy_match: the first three lines are saying when the certificate authority signs a web server certificate they must match in terms of country name, state and organization name. Well, I'm going to be a little bit more free and allow the state and the organisation name to be optional; that's what I want to change. The optional here is saying that my certificate authority will only sign certificates which come from the same country, but they can come from a different state and a different organization. So change those two to optional; the rest will be okay, and I'll save that. Now our certificate authority should be ready and we have the demoCA directory set up; don't touch that. When we sign certificates they will be automatically updated by OpenSSL. So that was setting up the certificate authority, which would normally be done externally; you wouldn't need to do that.

The next steps are for the web server: creating a key pair for the web server and a certificate request for the web server, giving that certificate request to the authority, and the authority will issue us a certificate. These are the steps that you would normally need to do for your web server. Now we need to create a key pair for the server: generate the key, the public key pair, same algorithm RSA, same options; in fact the -pkeyopt option rsa_keygen_bits, where we use the same length, 2048 (it doesn't have to be the same length as that of the CA), and we'll use the same (let's get the syntax right) -pkeyopt option for the public key exponent to be this magic 65537. This public key exponent, by the name public, everyone can know this, so it doesn't matter if other people know it's this value 65537; everyone can use the same value, it doesn't create any security issues. We're going to output that to a file and I'll call it my private key, and I'm going to set up the server and give it the domain www.example.com, so that's what I name the file, so I remember this is the private key for www.example.com. If I wanted to host multiple servers for multiple websites on this one server I could generate multiple private keys for different domains. That's generated the private key.

Now what we do is generate a certificate signing request with openssl req -new, and the key that we're going to pass in is the one we just created, and we're going to output a certificate request for that same domain and call that with the extension .csr, for certificate signing request. This takes part of the private key, in particular the public key: it takes the public key from the key pair and puts it into a format that we can give to the certificate authority, which will then issue us our certificate. It asks for similar information as when we did it for the certificate authority. Remember we set up the authority so that we need the same country name but not necessarily the same state. I'm going to call my organization Example Company, and I don't want a unit, but this is important: the common name must be the domain name you're going to use for your website. I'm using www.example.com; in your demo you can use another one, but importantly, when you set up your web server in Apache you must use the same one. For the email address let's say webmaster; that's not important here. It's asking do you want to have some extra protection on this; no we don't, just press Enter: we don't want a challenge password and I don't want an optional company name. That generates this certificate request.

What we do now is send that to the certificate authority; they will do some validation, check that it's actually us, and then issue a certificate if all is okay. In real life that would be sent to an external CA, or uploaded through the website of a CA, and some checks would take place. In our internal virtual network the CA is on our server, so we don't actually have to send it; we can directly access it when we become the certificate authority. So that's what the web server needed to do. Now I'm going to switch hats and imagine I'm now the certificate authority. What I do: I take that certificate signing request and, again using OpenSSL as a certificate authority (openssl ca), I take that as an input and output a certificate, i.e. issue the certificate. So this is the role of the certificate authority, which we need just inside our virtual network. Do we want to sign the certificate? We should check the values and make sure it's valid; yes I do. And do you want to commit this to your database, which updates the demoCA directory? Yes I do. Database updated; that's good. And the thing that we need here is this certificate file; that's the one which is issued to our web server.

When I set up the web server in a bit more depth soon, I'm going to also need the certificate authority's certificate, which we put inside demoCA before; it's the cacert. I'm going to copy that, and I'm going to rename the copy so I'm clear it's the certificate for our CA, that is the certificate authority that signed our server's certificate. I did it a little bit differently: it's the same, it's a .pem file, but I refer to a .crt file, just to distinguish it when we set up Apache; we'll see where. That's it in terms of generating these certificates; the next steps will be to set up Apache to use these certificates. Just before we proceed, to make sure that everything's gone okay, we'll use openssl verify, using the certificate of our certificate authority to verify the certificate of our website, and this reports that the certificate is OK. Good. If you get OK you can continue; if you don't get OK then probably one of the steps you've done prior to this has had a mistake. Just to summarize: we're going to need in the next steps the certificate of our website and the certificate of our certificate authority, and we'll use them when we set up Apache to support HTTPS.

So now let's configure Apache to support these and use these certificates. We need to put these certificates, first the web server's certificate, in directories which Apache is going to read by default, and in fact I need to do this as sudo across the directories under /etc, which is only writable by the administrator. The subdirectory is ssl, and under that there's a directory called certs for certificates; so if you have multiple websites, this is where you put the certificates of your websites. Similarly we need to also put the certificate of the CA in that same directory, and finally the private key of our web server under the /etc/ssl/private directory. So those are the three files: the certificate of our web server and the certificate of our CA, put into the certs subdirectory, and the private key of our web server into the private subdirectory. They all need to be readable by Apache; that private directory should be protected because a private key, as the name suggests, must be kept private, even from other people on this computer. If we look in /etc/ssl, the certs directory is readable by all; the private directory is not readable by all, and there's some protection: it's executable by this special group called ssl-cert. You may want to change those permissions for the file you just put in there to be more protected, but at this stage that's sufficient for what we need in our demo.

OK, so we put the files where they'll be available to Apache. Now we need to configure Apache to use HTTPS. Go into the configuration directory (just clear that) and we'll go into sites-available, and recall there are two configuration files: one is for normal HTTP, this 000-default.conf, and another one if we want to use SSL or HTTPS on our web server, and it's this second one we need to configure, or we need to modify. So I'll open that up with my editor. It has a default configuration; we just need to change a few settings in there. The first thing we'll do is insert a ServerName, and ours is my domain name and the port number which is used by HTTPS, 443, so insert your server name; if you've got a different domain name, set it up appropriately there. The other settings are normally okay as default, except if we scroll down and notice the difference between this and the normal 000-default.conf: this one has a lot of SSL directives. The SSL engine, which is used in HTTPS, is turned on, and there are a lot of settings for SSL, and these two are the ones we really want to change. I'll just scroll down. By default this configuration file refers to these template or fake "snakeoil" certificates; let's comment these out (I did the wrong thing there) by inserting a hash at the start. We don't want them; we're going to add our own three, and again it's important to get these correct. SSLCertificateFile is the first one, and we're going to refer to our three files that we put into the /etc/ssl directory: /etc/ssl, the first one certs, and the web server certificate, cert-www.example.com.pem. Double-check SSLCertificateFile: there are no typos or spelling mistakes and it refers to that exact file. If you have a mistake here, most likely when you reload Apache to support HTTPS it will not work; this is the most likely place that you'll make mistakes. The next one, SSLCertificateKeyFile, refers to our private key, the www.example.com private key .pem file, and the third one refers to our certificate authority's certificate: SSLCACertificateFile, /etc/ssl/certs and our CA .crt file, which is just .crt, and .pem is exactly the same format here; it's just tradition that the server will refer to a .crt file. So really there are three, plus the ServerName, in this configuration file; DocumentRoot and the logs are all the same, and the default values are sufficient. Comment out the two snakeoil directives and add in three directives, the certificate file, certificate key file and CA certificate file, referring to our web server certificate, our web server private key and our CA certificate, and that's all the changes we need in this file. Escape and save.

Now what we do: if we go back a directory, remember there are mods, modules available; we need to enable one of those modules, and Apache has a command to do that: as sudo, a2enmod (Apache2 enable module), and it's called ssl. It gives us some output saying we should restart Apache for this to take effect, but we'll do that in a moment; there are a couple of other things first. We need to enable that site, default-ssl: if we look inside sites-enabled there's one site enabled, the normal 000-default.conf for plain HTTP. We want to, as sudo, a2ensite (Apache2 enable site) default-ssl; it says to reload the configuration, but if we look inside sites-enabled now it lists both of those sites. If you wanted to add another website for a different domain then you could have a third configuration file, or multiple configuration files, and you would enable them as well. Now we want to reload this configuration. When we make changes to the Apache configuration they don't take effect until we reload them; you can either restart the whole server or simply reload, and we can use systemctl to do that: reload apache2. If you want to restart the web server it's simply restart apache2; in this case it wouldn't matter, but it's preferable to reload because you don't interrupt existing connections or existing people accessing the server. Hopefully that prints nothing as output; if it prints some error messages or some output, most likely you've got some syntax errors in your default-ssl.conf configuration.

Now we want to test. Apache should be up and running, and I'll switch to my client. Let's just check I can access the normal HTTP website: yes I can (q to quit). Now I'll change the URL to say https and try to access using HTTPS; let's see what happens. links reports an error: SSL error, the certificate is not trusted, and it doesn't show me all the message. Do you really want to continue? It's suggesting not; well, yes, I trust this certificate. What could be happening here is a man-in-the-middle attack, and we'll see how to overcome this in a moment and what the problem is. I'm going to press yes to continue, and now I have access to the web page, and I'm using HTTPS (you could confirm it in other ways). So HTTPS is working, the web server is set up, it's all OK, but we do have this problem with our web browser: when we try to access www.example.com the web browser reports an error saying I've received a certificate but I can't validate that certificate, I can't verify it, and that's because the browser is not configured to be aware of our certificate authority. Normally browsers are configured by default to be aware of common certificate authorities. In a real network I would get my web server certificate issued by a common certificate authority and we wouldn't have this error; we get this error because I created my own certificate authority.

So next we'll go through the steps for overcoming this error. Just to be clear, that error is with the client; it's not any problem with the server setup. We need to make the client, the web browser in particular, aware that our CA can be trusted, and to do that we need to get the certificate from the CA onto the client. The certificate is on the server, in home; the file we want is this one, our CA .crt file. We need that on the client, and set up in a special way. So back to the client: what I'm going to do is copy that certificate from the server to my client, and on the command line I can use scp (secure copy), where I specify the IP address of the server, 192.168.2.22, followed by the exact path where my certificate is stored and the name of that certificate. Be careful: in your case your username is probably different, so make sure you give the correct path for yours, that is, whatever the value of this is on the server. So we're saying securely copy from 192.168.2.22 the file /home/steven/ followed by our CA .crt file, and copy it to this directory on my client (don't forget the dot there; it's needed). It asks me for the password for steven at the server; I type it in and it copies it, and now I have the CA certificate on my client computer.

Now I need to set up my browser, or more generally my operating system, so it's aware of that certificate. What we do: we'll make a directory on the client (this is specific to Ubuntu Linux; other systems would do this in a different manner). Create this directory under /usr/share/ca-certificates called extra, for some extra certificates, copy our CA certificate into that directory, and now we configure ca-certificates, this listing of all the CA certificates, to read in the new one. To do that: sudo dpkg-reconfigure ca-certificates, which is the software package that keeps track of certificates of CAs. We're adding a new one today, and yes, we would like to trust some new certificates. It tries and finds some; a lot are already selected, the ones which are currently trusted by Ubuntu, which come when the bundle is installed. There's one at the top which is this extra one, which is the one we want, and I'll press the spacebar to mark that one, then Tab to OK, so that one will be added to the trusted list. That's updating, and when your web browser, including links, starts, it actually looks at that list. So again we'll run links, access our web server using HTTPS, and it immediately goes to the web page; there's no error saying we don't trust the certificate. So that's the behaviour we want, and we're complete with setting up the Apache web server on our 192.168.2.22: we've created a certificate for an authority and set up the authority, we created a certificate for our web server and that was signed by the authority, then we set up the configuration for Apache to refer to those certificates, and the last step for the client was to get our operating system on the client to be aware of the certificate authority certificate so that there were no warnings or errors. We now have HTTPS working in our internal network.

To finish off, one more thing: testing. We can use links here to test; OpenSSL is quite a powerful piece of software and it has a way to test SSL, or HTTPS, connections. We want to test, and I'll just make that bigger: there's the option s_client, connect to example.com, port 443. So this is saying use OpenSSL to connect to some server, and this gives details of that connection, that secure connection, and if we scroll up a bit we'll see that it shows us all the details about the certificate that was exchanged: that is, it was a certificate for www.example.com and it was issued by some certificate authority, CQUniversity. So we can see the details of the security exchange happening there, the details of the certificate and the use of SSL, or more accurately TLS, in there. So that's if you want to understand the protocol interactions with HTTPS. Then Ctrl-C to quit that. We've done a quick setup of Apache; we haven't tried to explain too much about how certificates and RSA provide security; that is probably too much, or outside the scope of what we're trying to do, which is just setting it up, but it's really beneficial if you can learn about RSA, certificates and their security value to really understand what we've done in each of those steps.
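The certificate authority and web server steps above, scripted end to end as an added example (these are not the video's own commands, and the file names are ones chosen here to match the video's naming), together with the openssl verify check from the video and two further checks worth running before editing default-ssl.conf: that the certificate fails validation when no trusted CA is available (the links error seen on the client) and that the key and certificate the SSL directives will point at actually belong together. It assumes openssl is installed, works in a scratch directory, writes the demoCA layout and the relaxed "country must match, state and organisation optional" policy into a constructed config file instead of editing /usr/lib/ssl/openssl.cnf, and uses a placeholder common name for the CA.

```shell
#!/bin/sh
# Added example, not the video's own commands: the same private-CA procedure
# scripted end to end, plus the checks to run before editing default-ssl.conf.
# Assumes openssl is installed; the demoCA layout and relaxed policy live in a
# constructed config in a scratch directory, not in /usr/lib/ssl/openssl.cnf.
set -eu

WORK=$(mktemp -d)
CA_DIR="$WORK/demoCA"
SERVER_KEY="$WORK/privkey-www.example.com.pem"
SERVER_CSR="$WORK/www.example.com.csr"
SERVER_CERT="$WORK/cert-www.example.com.pem"

# Constructed config: [ CA_default ] points at the demoCA directories the video
# creates by hand; [ policy_match ] is the video's "state and org optional" edit.
write_ca_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $CA_DIR
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName         = match
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:www.example.com
EOF
}

# Step 1: build the authority (normally an external CA does this part); the
# CA certificate is self-signed for 1095 days and its CN is a placeholder.
make_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"      # empty certificate database
    echo 01 > "$CA_DIR/serial"   # first serial number the CA will issue
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -pkeyopt rsa_keygen_pubexp:65537 -out "$CA_DIR/private/cakey.pem" 2>/dev/null
    openssl req -new -x509 -days 1095 -config "$WORK/ca.cnf" \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -subj "/C=AU/ST=Queensland/O=CQUniversity/OU=Certificate Authority/CN=ca.demo.invalid"
}

# Step 2: the web server's own key pair and certificate signing request.
make_server_request() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -pkeyopt rsa_keygen_pubexp:65537 -out "$SERVER_KEY" 2>/dev/null
    chmod 600 "$SERVER_KEY"      # the private key stays private
    openssl req -new -config "$WORK/ca.cnf" -key "$SERVER_KEY" \
        -out "$SERVER_CSR" -subj "/C=AU/O=Example Company/CN=www.example.com"
}

# Step 3: switch hats to the CA; -batch answers "sign?" and "commit?" with yes.
sign_server_request() {
    openssl ca -batch -notext -config "$WORK/ca.cnf" \
        -in "$SERVER_CSR" -out "$SERVER_CERT" 2>/dev/null
}

# Check 1: the same verification the video runs before configuring Apache.
verify_server_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$SERVER_CERT" >/dev/null 2>&1 \
        && echo OK || echo FAIL
}

# Check 2: what the browser saw before the CA was installed on the client.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$SERVER_CERT" >/dev/null 2>&1 \
        && echo OK || echo FAIL
}

# Check 3: SSLCertificateFile and SSLCertificateKeyFile must belong together.
key_matches_cert() {
    [ "$(openssl x509 -in "$SERVER_CERT" -noout -pubkey)" = \
      "$(openssl pkey -in "$SERVER_KEY" -pubout)" ]
}

# Check 4: the issued common name is the one Apache's ServerName must use.
issued_cn() {
    openssl x509 -in "$SERVER_CERT" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

write_ca_config; make_ca; make_server_request; sign_server_request
echo "with CA: $(verify_server_cert), without CA: $(verify_without_ca), CN: $(issued_cn)"
key_matches_cert && echo "key matches certificate: yes"
```

The three files the script leaves in the scratch directory (cacert.pem, the server certificate and the server private key) are the ones that would be copied to /etc/ssl/certs and /etc/ssl/private and named in default-ssl.conf.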
Info
Channel: Steven Gordon
Views: 36,178
Keywords: Steven Gordon, CQUniversity, Security, Networking, Linux, Cairns, Apache, HTTPS
Id: bp22h1KTqyo
Length: 46min 37sec (2797 seconds)
Published: Wed Apr 11 2018