Alright, I just couldn't take the guilt. I can't abide Subversion and Apache being set up without defaulting to HTTPS, that is, a TLS-encrypted connection. We'll remedy this below.
Install The Required Packages
On the CentOS server, log in as root and install the packages from the terminal:
- yum install mod_ssl openssl
Use OpenSSL to Generate a Self-Signed Certificate
Change to the CA directory (the path is case-sensitive on CentOS):
- cd /etc/pki/CA
Generate a 2048-bit RSA private key, then a certificate signing request (CSR) for it:
- openssl genrsa -out ca.key 2048
- openssl req -new -key ca.key -out ca.csr
The second command prompts for the fields that make up the certificate's subject:
- 2-digit country code (e.g. US)
- State or Province full name (e.g. Maryland)
- Locality / City (e.g. Baltimore)
- Organization Name (e.g. Microsoft or Sean Killeen)
- Org Unit Name / Section (e.g. Subversion Test)
- Common Name (the hostname clients will type into the URL, e.g. scm.seankilleen; if it doesn't match, every browser and svn client will warn about a name mismatch)
- Email Address (e.g. SeanKilleen@gmail.com)
- A challenge password (leave it blank; it plays no part in a self-signed certificate)
- An optional company name
Sign the request with its own key to produce a self-signed certificate valid for 365 days, then copy the files into the places Apache expects:
- openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
- cp ca.crt /etc/pki/tls/certs
- cp ca.key /etc/pki/tls/private/ca.key
- cp ca.csr /etc/pki/tls/private/ca.csr
The private key is the secret that protects every connection to the server: anyone who can read it can impersonate your Subversion host or decrypt its traffic, so make sure the copy in /etc/pki/tls/private is owned by root and readable by root only (mode 0600).
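The same key, CSR and self-signed certificate generation done non-interactively, as an added example that is not part of the original post: it passes the subject with -subj instead of answering prompts, adds a subjectAltName (modern browsers match the hostname against the SAN rather than the Common Name), keeps the key at mode 0600 from the moment it is written, and checks that certificate and key actually belong together before you hand them to Apache. The hostname scm.example.com, the output directory and the script name are assumptions; run it as root and point it at the real /etc/pki paths to produce the files the post copies into place.

```shell
#!/bin/sh
# Added example, not code from the original post: non-interactive self-signed
# certificate generation for the Subversion host, plus the checks a practitioner
# runs before handing the files to Apache. Hostname and paths are assumptions.

# make_selfsigned DIR HOSTNAME [DAYS]
# Writes DIR/ca.key (mode 0600), DIR/ca.csr and DIR/ca.crt; returns non-zero on failure.
make_selfsigned() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    # Create the key under a restrictive umask so it is never world-readable,
    # then pin the mode explicitly (a plain cp would otherwise copy it as 0644).
    ( umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null ) || return 1
    chmod 0600 "$dir/ca.key" || return 1
    # -subj replaces the interactive prompts. C/ST/L/O/OU are placeholders;
    # the CN must equal the hostname clients put in the URL.
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=US/ST=Maryland/L=Baltimore/O=Example/OU=Subversion/CN=$host" \
        2>/dev/null || return 1
    # Browsers match the hostname against subjectAltName, not the CN, so add
    # one through an extension file when self-signing the request.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf" || return 1
    openssl x509 -req -days "$days" -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/san.cnf" -out "$dir/ca.crt" 2>/dev/null || return 1
    chmod 0644 "$dir/ca.crt"
}

# cert_cn CRT: print the Common Name from the certificate subject
# (handles both the "/CN=x" and the "CN = x" output styles of openssl).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_matches_key CRT KEY: succeed only if the certificate was made for KEY.
# Apache refuses to start when SSLCertificateFile and SSLCertificateKeyFile
# do not belong together, so this is worth checking before the restart.
cert_matches_key() {
    a=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    b=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_has_san CRT HOST: succeed if HOST is listed as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# Stand-alone use (hypothetical script name and output directory):
#   sh selfsigned.sh scm.example.com /etc/pki/tls/out
# Without arguments the file only defines the functions.
if [ $# -ge 1 ]; then
    out=${2:-./selfsigned}
    make_selfsigned "$out" "$1" \
        && cert_matches_key "$out/ca.crt" "$out/ca.key" \
        && cert_has_san "$out/ca.crt" "$1" \
        && echo "certificate for $(cert_cn "$out/ca.crt") written to $out"
fi
```

The modulus comparison is the quickest way to catch the classic mistake of copying a freshly generated key over the one a certificate was signed with; the SAN check catches the equally common case where the certificate is valid but the browser still warns because only the CN carries the hostname.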
Modify Apache’s Configuration to offer SSL
Open the file for editing:
- gedit +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
Change the SSLCertificateFile line so it points at the new certificate:
SSLCertificateFile /etc/pki/tls/certs/ca.crt
A few lines after that, edit the SSLCertificateKeyFile line so it points at the new key:
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
Save the file and close it.
Next, restart Apache from the console:
- /etc/init.d/httpd restart
Now we define the virtual hosts for plain HTTP (port 80) and HTTPS (port 443). To do this, we need to edit the main Apache configuration file.
- gedit /etc/httpd/conf/httpd.conf
Paste the following lines at the bottom of the file:
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    <Directory /var/www>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www
    # Use the hostname you entered as the certificate's Common Name
    ServerName localhost
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www
    # Must match the certificate's Common Name, or clients will warn about a name mismatch
    ServerName localhost
</VirtualHost>
Restart Apache again, then point your browser to https://[your host name] and you'll see that the site loads over an HTTPS connection. Use the hostname you put in the certificate's Common Name; connecting by IP address will always trigger a name-mismatch warning. NOTE: the browser will still warn about the certificate, because it is self-signed rather than issued by a CA your computer trusts. The connection is still TLS-encrypted; the warning is about who the server claims to be, not about the strength of the encryption. Until you import ca.crt into each client's trust store (for svn, point ssl-authority-files in ~/.subversion/servers at it), a user who clicks through the warning has no way to tell your certificate from one presented by a man-in-the-middle.
Enforce SSL/TLS Only (Redirect http to https)
I put this in a separate section because I wanted the additions to be compartmentalized. To use mod_rewrite to redirect any http request to https, change the VirtualHost *:80 block to the following:
<VirtualHost *:80>
    RewriteEngine On
    # This block only serves port 80, but the condition keeps the rule safe if it
    # is ever copied into a VirtualHost that also serves HTTPS
    RewriteCond %{HTTPS} off
    # Redirect every path to the same path on https. An absolute https:// target
    # already forces an external redirect, but as a 302; R=301 makes it permanent
    # and L stops further rewriting. %{HTTP_HOST} echoes the client's Host header;
    # substitute the fixed hostname if you would rather not trust it.
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    <Directory /var/www>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www
    ServerName localhost
</VirtualHost>
Configure the Firewall to Allow Port 443 Connections
On the console, insert the rule at the top of the INPUT chain rather than appending it: CentOS's default chain ends with a rule that rejects everything, so a rule appended with -A would sit behind it and never match, even though it shows up in the listing. Then save the rules so they survive a reboot, and list the chain to confirm:
- iptables -I INPUT -p tcp --dport 443 -j ACCEPT
- /sbin/service iptables save
- iptables -L -v
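A small helper that works out where the ACCEPT rule has to go, as an added example that is not part of the original post: it reads the chain as printed by iptables -S INPUT, finds the first REJECT or DROP rule, and prints an iptables -I command that lands directly in front of it, or nothing if the port is already open. The sample chain embedded in the script is constructed to look like the stock CentOS 6 INPUT chain with ssh and http open; the script name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: place the port-443 ACCEPT rule so
# that it is actually reached. CentOS's stock INPUT chain ends with
# "-j REJECT --reject-with icmp-host-prohibited"; a rule appended with -A lands
# after that line and never matches, which looks exactly like "the firewall is
# still blocking 443" even though iptables -L shows the rule.

# accept_port_cmd PORT
# Reads the chain as printed by "iptables -S INPUT" on stdin and prints the
# single iptables command that opens PORT/tcp in the right place:
#   - nothing, if an ACCEPT for PORT/tcp already exists (idempotent);
#   - "iptables -I INPUT N ...", N being the position of the first REJECT/DROP
#     rule, so the new rule goes directly in front of it;
#   - "iptables -A INPUT ...", if the chain has no terminal REJECT/DROP.
accept_port_cmd() {
    awk -v port="$1" '
        # Rule numbers are 1-based and the "-P INPUT ..." policy line does not count
        /^-A INPUT/ { n++ }
        # Exact port match: "--dport 8" must not be satisfied by "--dport 80"
        /^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ && $0 ~ ("--dport " port "([ \t]|$)") { found = 1; exit }
        /^-A INPUT/ && !pos && (/-j REJECT/ || /-j DROP/) { pos = n }
        END {
            if (found) exit 0
            if (pos) printf "iptables -I INPUT %d -p tcp --dport %s -j ACCEPT\n", pos, port
            else     printf "iptables -A INPUT -p tcp --dport %s -j ACCEPT\n", port
        }'
}

# Constructed sample: the default CentOS 6 INPUT chain with ssh and http open.
SAMPLE_CENTOS_INPUT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# sample_cmd PORT: run the helper over the constructed chain above.
sample_cmd() {
    printf '%s\n' "$SAMPLE_CENTOS_INPUT" | accept_port_cmd "$1"
}

# Stand-alone use on the server, as root (hypothetical script name):
#   sh open443.sh 443 | sh
# then "/sbin/service iptables save" as in the post. Without an argument the
# file only defines the functions, so it can be sourced.
if [ $# -ge 1 ]; then
    iptables -S INPUT | accept_port_cmd "$1"
fi
```

Against the sample chain the helper prints iptables -I INPUT 6 -p tcp --dport 443 -j ACCEPT, which puts the new rule in position 6 and pushes the REJECT down to 7; asking it for port 80 prints nothing, so the script can be re-run safely.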
Success!
Feedback Welcome!
I'd love to hear any comments on this series. Find it useful? Think there's a better way to implement the technique or something I should have mentioned? Please drop a line in the comments to help me improve the series!