CSC 175 Post-Installation Linux Assignment. Due in one week.

Setting up a Secure Web Server on Your Linux "Box"

You will find on our web page a link to the "underground web". This and subsequent links are only accessible from within our "secret" network. The only exception is thincrust, which is accessible from outside as https://96.57.41.74:19043

In order to join the underground web, you need to set up a secure web server. Any Linux distribution worth its bits will include a copy of Apache, which is by far the most popular server on the Internet. If you just type "service httpd start", you will be running a regular (unencrypted) web server. Go to http://youripaddress from a web browser and you'll see a web page. To change the web page, create an index.html file inside the directory /var/www/html/ and make it readable (chmod og+r).

But a regular web server is not very interesting. To protect your users from all the nasty people out there, you need the "https" protocol, which runs http under the "secure socket layer" (that's right, yet another layer of abstraction!). Security is provided in two forms. First, data is encrypted so nobody can see your packets using something like wireshark/ethereal. Second, you can obtain a certificate of authenticity from an authorized source. These security measures rely on the RSA public key encryption system, which requires you to first generate an encryption key. We will explore the theoretical side of ssl and RSA later in the course. For now, do the following:

1. Generate an encryption key (actually, if you know how RSA works, you'll be generating a pair of keys, one public, one private). Go to the directory /etc/httpd/conf and issue the command:

   openssl genrsa -rand file1:file2:file3 -out server.key 1024

   Here, file1, file2 and file3 should be replaced by the full path names of 3 randomly chosen files. It doesn't matter what these files are, but the larger the better. These files are used as a source of randomness when generating the key. Then do

   chmod og-r server.key

   so nobody but root can read it.

2. Create an authentication certificate request file:

   openssl req -new -key server.key -out server.csr

   You'll be asked a set of self-explanatory questions. The last few are optional and need not be answered (do not enter a "challenge password").

3. Obtain a certificate of authentication. Normally, you'll need to contact one of the authorized certificate providers such as http://www.verisign.com (funny that this site is not itself secured). However, since you're a nobody they'll never give you one (sorry). Thus you'll have to make do with a "self-signed" certificate:

   openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

   This will give you a .crt file, which is your certificate, good for 365 days. When viewing the website, you'll get a warning from your web browser that the certificate can't be authenticated, which of course is what happens with self-signed certificates.

4. Edit the file /etc/httpd/conf/httpd.conf as follows (make a backup copy first in case you mess up):

   a. Comment out or delete the line that says "Listen 80". 80 is the default TCP port for regular http service, which you will no longer provide. The secure http port is 443 (this is enabled in the ssl.conf file, so don't worry about specifying it).

   b. Uncomment and edit the "ServerName" line so that it says

      ServerName 10.1.0.whatever:443

   c. Find the line that says

      UserDir disable

      and comment out or delete it. Near this line, there's a line that says:

      UserDir public_html

      Make sure this line is NOT commented. This line means that any user who has a public_html directory in their home directory will immediately have a homepage on your server. Their address will be https://yourhost/~username

5. Edit the file /etc/httpd/conf.d/ssl.conf as follows. Find the line that starts with "SSLCertificateFile", delete/comment it out, and add the line:

   SSLCertificateFile /etc/httpd/conf/server.crt

   That is, you should use the certificate that you just created. Also find the line that starts with "SSLCertificateKeyFile", delete it, and add the line

   SSLCertificateKeyFile /etc/httpd/conf/server.key

   These settings tell the web server to use the certificate and key you just generated.

6. Start your web server:

   service httpd start

7. Verify that it's working. Create an index.html in /var/www/html/ that serves a picture of your favorite food (or whatever you think best represents your group's aspirations). View it from another machine in the lab as https://yourip. The "s" in https makes it use the ssl protocol.
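The following script is an added example, not part of the assignment or of any course material. It turns steps 1 through 5 into shell functions so that the config edits can be rehearsed against copies of httpd.conf and ssl.conf before touching the real files, and it adds the check an administrator makes before starting Apache: that server.crt was really signed with server.key (Apache refuses to start on a key/certificate mismatch). Assumptions: CONF_DIR and SSL_CONF default to the paths in the assignment but can be overridden; the key is 2048 bits rather than the 1024 used above, since 1024-bit RSA is no longer considered safe; the CSR questions are answered with -subj instead of interactively, with placeholder subject fields; sed -E is available; and ssl.conf already contains active SSLCertificateFile and SSLCertificateKeyFile lines, as the stock file does.

```shell
#!/bin/sh
# Added example for the CSC 175 assignment (not the course's own script).
# Steps 1-5 as functions, plus a key/certificate consistency check.
# Assumptions: 2048-bit key (assignment says 1024); -subj instead of the
# interactive questions; CONF_DIR/SSL_CONF may be overridden for a dry run.
set -e

CONF_DIR="${CONF_DIR:-/etc/httpd/conf}"
SSL_CONF="${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}"

# Steps 1-3: private key, CSR and self-signed certificate in directory $1,
# with the common name (the host name users will type) given as $2.
make_self_signed() {
    dir="$1"; cn="$2"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"       # only the owner (root) may read the key
    # C/ST/O below are constructed placeholders; CN is what matters to browsers.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=NY/O=CSC175/CN=$cn" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 iff the RSA modulus in certificate $2 equals the one in key $1,
# i.e. the certificate really belongs to this private key.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
      "$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Print the value of the last active (uncommented) line for directive $2 in file $1.
directive_value() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]+//p" "$1" | tail -n 1
}

# Rewrite config file $1 in place through sed expressions $2..., keeping a .bak
# copy and the original file's owner and mode (important for root-owned config).
_rewrite() {
    conf="$1"; shift
    cp -p "$conf" "$conf.bak"
    sed -E "$@" "$conf" > "$conf.tmp" && cat "$conf.tmp" > "$conf" && rm "$conf.tmp"
}

# Step 4: httpd.conf edits, applied to $1 with ServerName $2.
# Only exact directive lines are matched, so explanatory comments that mention
# the same words (e.g. "# ServerName gives the name ...") are left alone.
# "UserDir disable" (as written in the assignment) and "UserDir disabled" both match.
patch_httpd_conf() {
    _rewrite "$1" \
        -e 's/^Listen[[:space:]]+80[[:space:]]*$/#&/' \
        -e "s/^#?ServerName[[:space:]].*/ServerName $2:443/" \
        -e 's/^[[:space:]]*UserDir[[:space:]]+disabled?[[:space:]]*$/#&/' \
        -e 's/^[[:space:]]*#[[:space:]]*(UserDir[[:space:]]+public_html)/\1/'
}

# Step 5: point ssl.conf ($1) at the certificate ($2) and key ($3) just made.
patch_ssl_conf() {
    _rewrite "$1" \
        -e "s|^[[:space:]]*SSLCertificateFile[[:space:]].*|SSLCertificateFile $2|" \
        -e "s|^[[:space:]]*SSLCertificateKeyFile[[:space:]].*|SSLCertificateKeyFile $3|"
}

# Stand-alone use (as root):  sh setup_https.sh apply 10.1.0.whatever
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    make_self_signed "$CONF_DIR" "$2"
    patch_httpd_conf "$CONF_DIR/httpd.conf" "$2"
    patch_ssl_conf "$SSL_CONF" "$CONF_DIR/server.crt" "$CONF_DIR/server.key"
    key_matches_cert "$CONF_DIR/server.key" "$CONF_DIR/server.crt" \
        && echo "key and certificate match; now run: service httpd start"
fi
```

To rehearse without root, copy httpd.conf and ssl.conf into a scratch directory, run the script with CONF_DIR and SSL_CONF pointing there, and diff the result against the .bak copies before repeating it on the real files. The modulus comparison in key_matches_cert is the same check Apache performs at startup; running it first saves a round of reading error_log.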