
Posts published in “apache”

Apache SSL Redirect

Need to redirect all traffic to an Apache server from HTTP (Port 80) to HTTPS (port 443)?

Just add a redirect statement in your httpd.conf for that server.

[code]
<VirtualHost *:80>
DocumentRoot "/path/to/greyfuzz.com"
ServerName https://www.greyfuzz.com
ServerAlias greyfuzz.com
ErrorLog logs/greyfuzz-error.log
CustomLog logs/greyfuzz-access_log combined
Redirect / https://www.greyfuzz.com/
<Directory "/path/to/greyfuzz.com">
# Your directory options go here
</Directory>
</VirtualHost>
[/code]

Line #7 of the block above (the Redirect directive) does the magic for you.

Be sure to include the trailing ‘/’ at the end of the domain being redirected to;
without it you may get some untoward URLs that look like
https://www.greyfuzz.comindex.php instead of https://www.greyfuzz.com/index.php.

Note: Be certain your conf.d/ssl.conf (or equivalent) is already set up and HTTPS is working properly first.
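The trailing-slash mistake above is easy to verify from the outside. The following is an added example, not code from the original post: a small POSIX shell check that reads the response headers of the port-80 vhost and confirms that (a) the answer is a redirect and (b) the Location header starts with the HTTPS origin including its slash. The hostname www.greyfuzz.com is taken from the post; the sample responses are constructed for this example and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a port-80 vhost
# redirects to HTTPS and that the Location header kept the trailing "/".

# check_redirect_headers HEADERS EXPECTED_PREFIX
#   HEADERS          raw response headers, as printed by `curl -sI`
#   EXPECTED_PREFIX  the HTTPS origin with trailing slash, e.g. https://www.greyfuzz.com/
# Returns 0 for a 30x redirect whose Location starts with EXPECTED_PREFIX,
# 1 otherwise (printing why), so it can be used from a monitoring script.
check_redirect_headers() {
    headers=$1
    prefix=$2
    # the status code is the second field of the status line
    status=$(printf '%s\n' "$headers" | head -n 1 | tr -d '\r' | awk '{print $2}')
    # first Location header, case-insensitive, CR stripped
    location=$(printf '%s\n' "$headers" | tr -d '\r' |
        awk 'tolower($1) == "location:" {print $2; exit}')
    case "$status" in
        301|302|307|308) ;;
        *) echo "FAIL: status '$status' is not a redirect"; return 1 ;;
    esac
    case "$location" in
        "$prefix"*)
            echo "OK: $status -> $location"; return 0 ;;
        https://*)
            # the symptom of `Redirect / https://host` written without the slash
            echo "FAIL: HTTPS target outside $prefix (missing trailing '/'?): $location"; return 1 ;;
        *)
            echo "FAIL: redirect target is not HTTPS: $location"; return 1 ;;
    esac
}

# check_live_redirect HOST
#   Fetches http://HOST/index.php (needs network) and applies the same check.
check_live_redirect() {
    check_redirect_headers "$(curl -sI "http://$1/index.php")" "https://$1/"
}

# Constructed sample responses (not captured from a real server):
GOOD_RESPONSE='HTTP/1.1 302 Found
Location: https://www.greyfuzz.com/index.php
Content-Type: text/html; charset=iso-8859-1'

BAD_RESPONSE='HTTP/1.1 302 Found
Location: https://www.greyfuzz.comindex.php
Content-Type: text/html; charset=iso-8859-1'

if [ "${1:-}" = "--demo" ]; then
    check_redirect_headers "$GOOD_RESPONSE" "https://www.greyfuzz.com/"
    check_redirect_headers "$BAD_RESPONSE"  "https://www.greyfuzz.com/"
fi
```

Run it with `--demo` to see both the good and the broken response diagnosed, or source it and call `check_live_redirect www.example.com` against a server you administer. Note that a bare `Redirect` directive answers 302; `Redirect permanent` (301) is the usual choice for an HTTP-to-HTTPS move, and the check above accepts either.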

Remove password from SSL Certificate

To remove the password or passphrase from your SSL key, so that Apache will restart without hanging while it waits for you to enter the password/passphrase, takes a couple of simple steps. The first is the most important:

Make a backup copy of your key!!!
Actually, make a couple and store them somewhere safe!

Then strip the passphrase from the key with:
[code]
/usr/bin/openssl rsa -in /path/to/server.key -out /path/to/newservernopass.key
[/code]
(you may need to adjust the path to openssl for your server)

Copy the newservernopass.key file over your server.key file and restart Apache. If all goes well, Apache will just start up without prompting for the passphrase.

NOTE: Be sure the permissions on your SSL key file are only as permissive as needed (for example apache:apache 400). Without a passphrase, the key *could* be used on another server you did not intend if it leaks out. So keep it secure!
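The post's procedure, with the safeguards a practitioner wants around it, as an added example that is not code from the original post: back the key up first, write the new key under a restrictive umask so it is never world-readable even for a moment, prove that the stripped key still matches the certificate before swapping it in, and lock the permissions down afterwards. The function names, the optional KEY_BACKUP_DIR and KEY_PASSPHRASE environment variables are this example's assumptions; the key and certificate paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): passphrase removal with backups,
# a restrictive umask, a key/certificate match check and a permission check.

# strip_key_passphrase /path/to/server.key
#   Backs the key up as server.key.bak.<timestamp> (plus a second copy into
#   $KEY_BACKUP_DIR when that is set), then writes server.key.nopass.
#   If KEY_PASSPHRASE is set, openssl reads it from the environment (never from
#   argv, where `ps` would show it); otherwise openssl prompts as in the post.
strip_key_passphrase() {
    key=$1
    [ -f "$key" ] || { echo "no such key: $key" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$key" "$key.bak.$stamp" || return 1
    if [ -n "${KEY_BACKUP_DIR:-}" ]; then
        cp -p "$key" "$KEY_BACKUP_DIR/$(basename "$key").bak.$stamp" || return 1
    else
        echo "note: KEY_BACKUP_DIR unset, second (off-box) backup not made" >&2
    fi
    # subshell so the umask change does not leak out; 077 makes the new file 0600
    if [ -n "${KEY_PASSPHRASE:-}" ]; then
        export KEY_PASSPHRASE
        ( umask 077; openssl rsa -in "$key" -passin env:KEY_PASSPHRASE -out "$key.nopass" 2>/dev/null )
    else
        ( umask 077; openssl rsa -in "$key" -out "$key.nopass" )
    fi
}

# key_matches_cert UNENCRYPTED_KEY CERT
#   The RSA modulus in the key must equal the one in the certificate; a mismatch
#   means the wrong key was stripped and Apache would refuse to start with it.
key_matches_cert() {
    km=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cm=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# key_perms_ok FILE
#   0 only when the mode is 400 or 600 (owner-only). GNU stat first, BSD stat second.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        400|600) return 0 ;;
        *) echo "mode '$mode' on $1 is too open" >&2; return 1 ;;
    esac
}

# install_stripped_key /path/to/server.key
#   The post's "copy over" step: replaces the key with its .nopass version and
#   sets mode 400. Run as root and leave the file owned by root: httpd reads the
#   key while it is still root, before the workers drop privileges.
install_stripped_key() {
    key=$1
    [ -f "$key.nopass" ] || { echo "run strip_key_passphrase first" >&2; return 1; }
    mv "$key.nopass" "$key" && chmod 400 "$key"
}

if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    # usage: ./strip.sh --run /path/to/server.key /path/to/server.crt
    strip_key_passphrase "$2" &&
    key_matches_cert "$2.nopass" "$3" &&
    install_stripped_key "$2" &&
    key_perms_ok "$2" && echo "key installed; restart apache now"
fi
```

The match check is the step most people skip: `openssl rsa -noout -modulus` on the key and `openssl x509 -noout -modulus` on the certificate must print the same value, otherwise the restart fails with a key/certificate mismatch.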

Hide Apache version, OS, modules

There are a number of things that would-be script kiddies and others looking to exploit your servers look for.  The easiest is often the version of the server software… knowing what version, OS, or running modules are present provides an easy target. They may still want to try, but don’t make it any easier!

A quick run with nmap reveals this info about apache:

[nmap output screenshot: before]

As you can see, this server is running Apache 2.4.6 on some flavor of Unix (we’ll cover this later), with OpenSSL 1.0.1e and PHP 5.4.20.  This could prove extremely useful to someone looking for a hole to sneak in through any of this software.  This info can even be displayed in a web browser.

Look in your /etc/httpd/conf/httpd.conf (your path may vary depending on OS/Distribution) for lines beginning with ServerTokens and ServerSignature and set them to look like this:

[code language="bash"]
ServerTokens Prod
ServerSignature Off
[/code]

If the line is preceded by a hash or pound sign, remove the #.

Now restart Apache with either the service command or apachectl:

[code language="bash"]service httpd restart[/code]

or

[code language="bash"]apachectl restart[/code]

You can also use the following command to have Apache verify the syntax of your httpd.conf file before restarting:

[code language="bash"]apachectl configtest[/code]

Now let’s see what nmap reports for apache:

[nmap output screenshot: after]

Much better!  Now anyone looking in can see it’s an Apache webserver listening on port 80 and also listening for https/ssl on port 443.  But further research is required to know what the server OS is.. is it Unix, Linux, Windows??  No version numbers or modules are exposed.

There are other ways to try to expose this info, which will be covered here later.  But this is a good starting point.
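Two checks that go with this post, as an added example that is not code from the original: the first reads a response's Server: header (the same thing nmap's version scan and a browser's developer tools show) and reports whether a version, an OS or a module list is leaking; it also flags X-Powered-By, which PHP emits on its own and ServerTokens does not control. The second reads httpd.conf the way Apache does (last uncommented occurrence of a directive wins) and confirms the two directives are set as the post describes. The sample headers and config lines are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check what a server reveals and
# whether httpd.conf carries the ServerTokens/ServerSignature hardening.

# server_header_exposure HEADERS
#   Returns 0 when the Server header shows only the product name (the result of
#   ServerTokens Prod) and nothing else leaks; 1 when a version, OS/platform,
#   module list or X-Powered-By header is present. Prints what it found.
server_header_exposure() {
    server=$(printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "server:" {sub(/^[^:]*:[ \t]*/, ""); print; exit}')
    powered=$(printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "x-powered-by:" {sub(/^[^:]*:[ \t]*/, ""); print; exit}')
    leak=0
    case "$server" in
        *"/"[0-9]*) echo "LEAK: version in Server header: $server"; leak=1 ;;
    esac
    case "$server" in
        *"("*")"*)  echo "LEAK: OS/platform in Server header: $server"; leak=1 ;;
    esac
    case "$server" in
        *OpenSSL*|*PHP*|*mod_*) echo "LEAK: modules in Server header: $server"; leak=1 ;;
    esac
    # X-Powered-By comes from PHP's expose_php setting, not from ServerTokens
    if [ -n "$powered" ]; then
        echo "LEAK: X-Powered-By: $powered"; leak=1
    fi
    [ "$leak" -eq 0 ] && echo "OK: Server header reveals only '${server:-(none)}'"
    return "$leak"
}

# httpd_conf_hardened CONF_FILE
#   Commented lines have "#..." as their first field and are skipped by the
#   $1 comparison. Apache uses the last occurrence of each directive, so the
#   last value seen wins here too. Returns 0 for ServerTokens Prod + ServerSignature Off.
httpd_conf_hardened() {
    tokens=$(awk 'tolower($1) == "servertokens"    {v = tolower($2)} END {print v}' "$1")
    sig=$(awk    'tolower($1) == "serversignature" {v = tolower($2)} END {print v}' "$1")
    ok=0
    [ "$tokens" = "prod" ] || { echo "ServerTokens is '${tokens:-unset}', want Prod (default is Full)"; ok=1; }
    [ "$sig" = "off" ]     || { echo "ServerSignature is '${sig:-unset}', want Off"; ok=1; }
    return "$ok"
}

# check_live_headers HOST
#   Live variant for a server you administer (needs network); compare with
#   `nmap -sV -p 80,443 HOST`, which reports the same banner.
check_live_headers() {
    server_header_exposure "$(curl -sI "http://$1/")"
}

# Constructed sample responses, modelled on the before/after in the post:
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.6 (Unix) OpenSSL/1.0.1e PHP/5.4.20
X-Powered-By: PHP/5.4.20
Content-Type: text/html'

QUIET_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

if [ "${1:-}" = "--demo" ]; then
    server_header_exposure "$LEAKY_HEADERS"
    server_header_exposure "$QUIET_HEADERS"
    [ -n "${2:-}" ] && httpd_conf_hardened "$2"
fi
```

`./check.sh --demo /etc/httpd/conf/httpd.conf` runs the two samples and then your real config. Note that `ServerTokens` is server-wide and cannot be set per vhost, so one `httpd_conf_hardened` pass over the main file (and any file it `Include`s) is enough.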

Self signed SSL cert for Apache Tomcat

The simplest way I know of to create and self-sign an SSL certificate for your Apache Tomcat server… in two simple steps.

Step 1 –  (the $JAVA_HOME environment variable should already be set in your Tomcat user’s ~/.bash_profile; otherwise replace it with the full path to keytool)

[code]
# $JAVA_HOME/bin/keytool -genkeypair -validity 3650 -alias tomcat -keyalg RSA
[/code]

password:  specify a password
name:  use the full domain name of the host (<hostname>)
organizational unit:
organization:
city:
state:
country:
Select ‘y’ to confirm the details.

Press the ‘Enter’ key when asked for a password for the alias ‘tomcat’.

A keystore called .keystore (a hidden file) will be created in the user’s home directory; it should be moved to <tomcat_home_dir>/conf/.

Step 2.
Uncomment the ‘SSL HTTP/1.1 Connector on port 8443’ section in <tomcat_home_dir>/conf/server.xml and add parameters so that it resembles the following:

[code]
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" clientAuth="false" sslProtocol="TLS"
           URIEncoding="UTF-8"
           keystorePass="<password_from_Step1>"
           keystoreFile="<tomcat_home_dir>/conf/.keystore" />
[/code]

Restart Tomcat and point your browser to https://hostname.your.domain.com:8443 to verify the cert.  Doesn’t get any simpler than that.

apache-Tomcat error on starting after changing the SSL Key / Keystore

The keystore and the SSL key must match what is listed in ~/conf/server.xml: server.xml carries only keystorePass, so the key’s own password has to be the same as the keystore password, or Tomcat cannot open the key and fails on startup like this:

[code]
SEVERE: Error starting endpoint
java.io.IOException: Cannot recover key
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:527)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156)
	at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
	at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
	at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
	at org.apache.catalina.connector.Connector.start(Connector.java:1095)
	at org.apache.catalina.core.StandardService.start(StandardService.java:540)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[/code]

Solution:

Fix it via keytool with the passwords given on the command line; changing the password interactively via the CLI generates an error saying they must be different.

[code]
keytool -keypasswd -alias your_alias -keypass old_passwd -new new_passwd -keystore ./keystore
[/code]
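The two Tomcat posts above (the self-signed keystore in Step 1, and the "Cannot recover key" fix here) fit into one script. The following is an added example, not code from either post: it runs the Step 1 keytool command non-interactively, checks whether the private key is usable with the password server.xml will supply (which is exactly where Tomcat's connector fails), and applies this post's `-keypasswd` fix when it is not. Pressing Enter at the alias-password prompt in Step 1 is what makes the key password equal to the keystore password; this example makes that explicit. The alias "tomcat", the 3650-day validity and the conf/.keystore location come from the posts; the hostname, DN fields, passwords and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts): non-interactive Tomcat keystore
# creation, a check that reproduces "Cannot recover key", and the keypasswd fix.

# make_tomcat_keystore KEYSTORE HOSTNAME STOREPASS [KEYPASS]
#   Self-signed RSA key under alias "tomcat", valid 3650 days, with CN and a DNS
#   SAN set to HOSTNAME (browsers check the SAN, not the CN). KEYPASS defaults to
#   STOREPASS, which is what Tomcat's keystorePass setting assumes. JKS is used
#   because it is the only common type where the two passwords *can* differ;
#   a PKCS12 keystore (the Java 9+ default) forces them to be equal.
make_tomcat_keystore() {
    ks=$1; host=$2; storepass=$3; keypass=${4:-$3}
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=$host, OU=Web, O=Example Org, L=City, ST=State, C=US" \
        -ext "SAN=dns:$host" -storetype JKS -keystore "$ks" \
        -storepass "$storepass" -keypass "$keypass" </dev/null >/dev/null 2>&1
}

# tomcat_key_recoverable KEYSTORE STOREPASS KEYPASS
#   Uses the private key the way the connector does (here: by signing a throwaway
#   CSR). With a wrong KEYPASS keytool fails with
#   java.security.UnrecoverableKeyException: Cannot recover key, the same error
#   that appears in catalina.out at startup.
tomcat_key_recoverable() {
    csr=$(mktemp)
    if keytool -certreq -alias tomcat -keystore "$1" -storepass "$2" -keypass "$3" \
            -file "$csr" </dev/null >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$csr"
    return "$rc"
}

# sync_key_password KEYSTORE STOREPASS OLD_KEYPASS
#   The post's fix, non-interactive: set the key password equal to keystorePass.
sync_key_password() {
    keytool -keypasswd -alias tomcat -keystore "$1" -storepass "$2" \
        -keypass "$3" -new "$2" </dev/null >/dev/null 2>&1
}

# install_keystore KEYSTORE TOMCAT_HOME
#   Last action of Step 1: move .keystore into conf/ and keep it owner-readable only.
install_keystore() {
    mv "$1" "$2/conf/.keystore" && chmod 600 "$2/conf/.keystore"
}

if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    # usage: TOMCAT_STOREPASS=... ./keystore.sh --run /opt/tomcat host.your.domain.com
    ks=./.keystore
    make_tomcat_keystore "$ks" "$3" "$TOMCAT_STOREPASS" || { echo "keytool failed" >&2; exit 1; }
    if ! tomcat_key_recoverable "$ks" "$TOMCAT_STOREPASS" "$TOMCAT_STOREPASS"; then
        echo "key password differs from keystore password; fixing" >&2
        sync_key_password "$ks" "$TOMCAT_STOREPASS" "$TOMCAT_KEYPASS"
    fi
    install_keystore "$ks" "$2" && echo "keystore installed in $2/conf; restart Tomcat"
fi
```

If you already have a keystore that produces the error, `tomcat_key_recoverable .keystore <keystorePass> <keystorePass>` tells you in one call whether the password in server.xml can open the key, and `sync_key_password` is the post's one-liner with the alias fixed to `tomcat`. On a recent JDK, keytool also accepts `-storepass:env VAR` and `-keypass:env VAR`, which keeps the passwords out of the process list.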