APACHE 2 WEB SERVER Configuration

Alcune domande

per poter comprendere bene Apache2 e poter configurare apache con https dobbiamo prima comprendere alcune cose legate ad apache

  1. Cosa sono i “moduli” in apache? Come si abilitano? Come si disabilitano?
    Il server web Apache è uno dei server web più popolari e potenti al mondo, grazie in parte alla sua facilità diamministrazione e flessibilità. Questa flessibilità deriva dal design modulare di Apache. I moduli consentono ad Apache di eseguire funzioni aggiuntive, come la riscrittura nativa degli URL per supportare la crittografia SSL.
    Per abilitare i moduli si utilizza il comando a2enmod e per disabilitarli si utilizza a2dismod
  2. Cosa contiene /etc/apache2 ? quali sono le direttive principali di apache2.conf?
    le direttive di configurazione di Apache sono sparse in più file, tutti situati in sottodirectory di /etc/apache2.
    apache2.conf è il file di configurazione primario e contiene le direttive di configurazione principali In Ubuntu e Debian, la maggior parte del file è per le definizioni globali e la configurazione del server predefinito e degli host virtuali viene gestita alla fine, utilizzando “Include …” La sezione globale conterrà parametri come
    TIMEOUT = indica il tempo di timeout nelle risposte
    KEEPALIVE = Questa opzione, se impostata su “On”, consentirà a ciascuna connessione di
    rimanere aperta per gestire più richieste dallo stesso client.
    Se è impostato su “Off”, ciascuna richiesta dovrà stabilire una nuova connessione, che può
    comportare un sovraccarico significativo a seconda della configurazione e della situazione
    del traffico.
    MAXKEEPALIVEREQUESTS= indica il numero di richieste massime che possono essere gestite
    da una connessione
    KEEPALIVETIMEOUT = Questa impostazione specifica per quanto tempo attendere la
    richiesta successiva dopo aver terminato l’ultima. Se viene raggiunta la soglia di timeout, la
    connessione morirà.
  3. Cosa indica la direttiva “DocumentRoot” di Apache2? Qual’è il suo valore?
    Questa direttiva imposta la directory da cui httpd servirà i file. Di default è “DocumentRoot “/usr/local/apache/htdocs”” ma il path può ovviamente essere modificato in base alle esigenze
  4. Directory “available” e “enabled”
    La dir “conf-available” contiene i file di configurazione per caricare i moduli e configurarli
    La dir “conf-enabled” detiene i collegamenti simbolici ai file in / etc / apache2 / conf-available. Quando un file di configurazione è collegato simbolicamente, verrà abilitato al successivo riavvio di Apache.
  5. Cosa sono le “per user web directory”? Come funzionano?
    Sui sistemi con più utenti, ogni utente può avere la possibilità di avere un sito Web nella propria directory home utilizzando la direttiva UserDir. I visitatori di un URL http://example.com/~username/ otterranno il contenuto dalla directory home dell’utente “nomeutente”, preso dalla sottodirectory specificata dalla direttiva UserDir.
    Di default l’accesso a queste directory non è abilitato.
  6. a2ensite, a2dissite, a2enmod, a2dismod, apache2ctl
    a2ensite è uno script che abilita il sito specificato (che contiene un blocco ) all’interno della configurazione di apache2. a2dissite invece disabilita un sito specificato, rimuovendo i link simbolici. apache2ctl è un front-end del server HTTP (HyperText Transfer Protocol) di Apache. È progettato per aiutare l’amministratore a controllare il funzionamento del demone Apache2 di Apache.

Configurazione HTTPS con apache2

TLS e il suo predecessore SSL, (secure sockets layer), sono protocolli Web utilizzati per avvolgere il traffico normale in un pacchetto protetto e crittografato.

1) Creazione certificato SSL

TLS / SSL funziona utilizzando una combinazione di un certificato pubblico e una chiave privata. La chiave SSL è tenuta segreta sul server e viene utilizzato per crittografare il contenuto inviato ai client. Il certificato SSL è condiviso pubblicamente con chiunque ne faccia richiesta. Può essere utilizzato per decodificare il contenuto firmato dalla chiave SSL associata.
Per creare la chiave basta eseguire il seguente comando

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -
keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apacheselfsigned.crt

in seguito bisogna creare i parametri Diffie-Hellman:

sudo openssl dhparam –out /etc/ssl/certs/dhparam.pem 2048

2) Configurare apache per l’utilizzo di SSL

per prima cosa bisogna modificare il file Virtual Hosts SSL:

sudo nano /etc/apache2/sites-available/defaultssl.conf
<IfModule mod_ssl.c>
 <VirtualHost _default_:443>
    ServerAdmin your_email@example.com
    ServerName server_domain_or_IP
    . . .
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
       BrowserMatch "MSIE [2-6]" \
       nokeepalive ssl-unclean-shutdown \
       downgrade-1.0 force-response-1.0
 </VirtualHost>
</IfModule>

Una buona pratica è anche quella di effettuare un redirect su HTTPS ogni qual volta un utente
visiti il sito in http.
Per permettere ciò basta modificare il file default.conf

sudo nano /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    . . .
    Redirect "/" "https://your_domain_or_IP/"
    . . .
</VirtualHost>

3) Abilitare le modifiche

Per abilitare il servizio con le modifiche basterà effettuare i seguenti comandi:

sudo a2ensite default-ssl
sudo a2enconf ssl-params

Per effettuare un controllo degli errori basterà scrivere:

sudo apache2ctl configtest

infine basta rivviare il servizio

sudo systemctl restart apache2

OpenVPN Configuration

Disclaimer

This guide is a piece of an old project (2017-2018), which means that some of its content may be OUTDATED. This does not imply that everything written down here is trash or not working.
If you have any troubles or if you have any improvements, leave a comment.

Introduction

OpenVPN is an open source program used to create secure point-to-point encrypted tunnels between two computers over an insecure network, typically the internet. Allow hosts to authenticate with each other by means of shared keys (Pre Shared Key), digital certificates or username/password credentials.
It operates on port 1194
OpenVPN offers two types of network interface using the TUN/TAP driver:

1) TUN:
it is able to simulate a point-to-point type network device and works with
IP-type packets. When we send data on these interfaces the VPN takes the original packet
and encapsulates it in another encrypted packet in which the starting and destination IP
they are no longer those of the tunnel, but those of the remote and local physical interfaces.
They require configuration of both server and client side routing routes because the
networks at the ends of the tunnel are different, but have the advantage of not being vehicular
broadcast traffic on the tunnel

2) TAP:

is able to simulate an Ethernet device and logically uses frames
Ethernet. When a client connects in bridged mode to a remote network it must
have an IP address that belongs to the remote network, as if it were connected
locally.

Configuration modes

  • OpenVPN can operate in two main modes:
  1. Site to Site
  2. Remote Access

Site – to – Site

In site-to-site mode, a single host can
establish multiple OpenVPN tunnels, each of them
it can be for separate sites. Even if all the
tunnels come from a single interface
physics, each tunnel is represented by a
different IP address of the tunnel interface e
operates independently.
It is a configuration used to connect
entire networks virtually to each other

Remote Access Mode

In Remote Access mode the client-server paradigm. Indeed, a host does will connect to the endpoint by establishing a secure connection to get access to network resources. each client has an independent tunnel that connect to the server

Authentication Methods

OpenVPN has two ways to authenticate:

  1. Static Key = A pre-shared key is generated and shared between the two peers
    OpenVPN before starting the tunnel. This static key contains 4 independent keys : HMAC-Send, HMAC-Receive, encryption and decryption. By default settings, in static key mode, both hosts will use the same key HMAC and the same encryption / decryption key.
  2. SSL/TLS = An SSL session with two-way authentication is established. If SSL/TLS authentication is successful, the key source material of encryption/decryption and HMAC is then randomly generated by the function RAND_bytes of OpenSSL and exchanged over the SSL/TLS connection. Both sides of the connection provide random source material. This mode does not ever use any bi-directional key, so each peer has its own HMAC-Send, HMAC-Receive, and its own encryption and decryption key.

Static Key Setting

The follow up steps are used to use a static key as auth method for the VPN:

1) Generate the Key

by using the command

openvpn --genkey --secret static.key

you will be generating a static key that must be available on both client and server so you have to transfer it with a secure channel (or physically with USB or with SCP)

2) Configuring Server

the server file is located at

/etc/openvpn/server.conf

and we want to configure it this way

local [ADDRESS WHERE WE WANT TO ACCEPT REQUESTS]
dev tun
proto udp
port 1194
ifconfig [IP TUNNEL SERVER] [IP TUNNEL CLIENT]
secret [GENERATED STATIC KEY PATH]
push "route [LOCAL SERVER SUBNET] [MASK]"
persist-tun
persist-key
cipher AES-256-CBC
verb 6
log [LOG FILE]

3) Activating and enabling the server

At this point you need to know that the service should be started with Systemd, so:

systemctl start openvpn@server.conf
systemctl enable openvpn@server.conf

4) Setting up the Client

the server conf file is located at

/etc/openvpn/client.conf

and here is the configuration file content as should be set

remote [REAL REMOTE SERVER ADDRESS]
dev tun
proto udp
ifconfig [IP TUNNEL CLIENT] [IP TUNNEL SERVER]
route [SERVER PRIVATE SUBNET][MASK] [SERVER IP TUNNEL]
secret [STATIC KEY PATH]
persist-tun
persist-key
cipher AES-256-CBC
verb 6
log [LOG FILE]

5) Starting the Client

as before,

systemctl start openvpn@client
systemctl enable openvpn@client

6) Heading

We need now to define the routes and there are 2 options:

  1. define routes on the hosts of the network behind the server so that to reach the
    client traffic is routed to the VPN server
  2. perform a SNAT operation on the server so that clients receive packets of the VPN client with source ip replaced by the server’s

SSL-TLS Configuration method

pre requirements

cd /etc/openvpn
mkdir easy-rsa
apt-get install easy-rsa
cp -R /usr/share/easy-rsa/* easy-rsa/
echo -n '1' > /proc/sys/net/ipv4/ip_forward

1) Vars setup

Edit the file: /etc/openvpn/easy-rsa/vars according to your organization

2) Environment variables setup

cd easy-rsa/
mkdir keys
touch keys/index.txt
echo 01 > keys/serial
. ./vars ( in raspbian stretch this command will fail because it won't find “openssl.cnf”. Just create a symlink from the file openssl_1.0.0.cnf → ln -s openssl-1.0.0.cnf openssl.cnf )
./clean-all

3) Certification Authority

Execute the follwing command inside the easy-rsa folder to create the CA

./build-ca

This command will generate public key (ca.crt) and private key (ca.key)

4) Generating Diffie Hellman parameters

./build-dh

Note: Diffie hellman is a cryptographic protocol that allows two entities to establish a shared and secret key using an insecure (public) communication channel without the need for the two parties have exchanged information or met previously.”

5) Generate Server keys

./build-key-server server

6) Generate keys for each client

./build-key-server clientname

7) Key Copying

Copy the keys needed by the client(ca.crt, clientname.crt, clientname.key) into the directory
/etc/openvpn/easy-rsa/keys/
Following, a table summarizing all the keys and certificates with their purpose and usage

8) Server Configuration

The conf file is the same as before but this time the configuration is as follows:

local [INDIRIZZO SU CUI SI ACCETTANO CONNESSIONI]
port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt QUI VENGONO SPECIFICATE
key /etc/openvpn/easy-rsa/keys/server.key TUTTE LE CHIAVI E LE DIR
dh /etc/openvpn/easy-rsa/keys/dh[n].pem

server 172.28.0.0 255.255.255.0 [TUNNEL NETWORK SUBNET][MASK]
(This directive establishes that the machine will work in
 server mode and will acquire the first IP of the subnet. To the
 clients will be assigned other network addresses.)

ifconfig-pool-persist ipp.txt
(file where to record the correspondence between client and IP
 virtual assigned.)

push "route [SUBNET LOCAL NETWORK SERVER][MASK]"
(allows clients to reach other networks behind the server,
 obviously to make the communication bidirectional
 networks will need to be able to route to them in turn
 the address pool of the VPN)

client-config-dir /etc/openvpn/ccd
comp-lzo
cipher [CIPHER SET]
log [LOG FILES]

9) Activating Services

openvpn --config server.conf
systemctl start openvpn@server.conf
systemctl enable openvpn@server.conf

10) Configuring Client

Clients
dev tun
port 1194
udp protocol
remote [REAL IP OF THE ROUTER]

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client1.crt 
key /etc/openvpn/easy-rsa/keys/client1.key 

nobind
persist-key
persist-tun
cipher [CIPHER SET]

11) Starting and enabling services

systemctl start openvpn@clientname
systemctl enable openvpn@clientname

12) Routing and NATting

To allow traffic on the TUN interface
- IPTABLES -A INPUT -i tun0 -j ACCEPT
- IPTABLES -A FORWARD -i tun0 -j ACCEPT
- IPTABLES -A OUTPUT -o tun0 -j ACCEPT

To allow forwarding only to the VPN
- IPTABLES -A FORWARD -i tun0 -o eth0 -s [SOURCE] -j ACCEPT
- IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j
 ACCEPT

To perform SNAT
- IPTABLES -t nat -A POSTROUTING -s [TUNNEL SOURCE] -o eth0 -j
 SNAT --to-source [SERVER'S IP IN LAN]