Apache and Secure Remote Access (SSL) to Network Shares (MIPSel)

=Introduction= As many know, FTP is a very insecure method of transporting files. The main problem is that FTP usernames and passwords are transmitted in the "clear". There are a few better methods, like SFTP (SSH) or FTP over SSL, but these methods require that users have special client software capable of using them. This may pose a problem for Linkstation users. If you have many users, chances are some are novice computer users and don't want to go through the hassle of using this "client software". Since HTTP and Secure Sockets Layer (SSL) protocols are included in most modern browsers, a solution is to install an Apache HTTP webserver to serve your files through a secure SSL connection.

Warning: This method is very customizable and therefore requires some basic HTML coding skills.

=Prerequisites= In order to install Apache with SSL, we first have to do a few things.
 * Have OpenLink firmware and devtools installed.
 * Establish a symbolic link for the Busybox sort command.
 * Update Grep to version 2.5+. Reason: otherwise Apache will not compile, install, and run correctly.
 * Change the system path to prefer user binaries instead of root.
 * Remove the outdated version of OpenSSL.

Fix Sort
We first need to fix the "sort" command. If this is not done, your programs will not compile correctly. We will fix sort by creating a symbolic link:
   ln -s /bin/busybox /bin/sort

Update Grep
The next step is to update grep. This step is complicated, so be careful.
 * First, download grep from the GNU Project.
 * Extract the tarball and move to the new grep directory. The command is:
   tar zxvf grep-2.5.NN.tar.gz
 * Next, configure the makefile, then build and install, with these commands:
   ./configure mipsel
   make
   make install

DO NOT UNINSTALL OLD VERSION OF GREP!!!: Certain programs still depend on this version and you will possibly lose terminal access to the Linkstation if you do.

Change System Path
In order for the Apache install script to use our new version of Grep, we need to modify the system path.
 * To do this:
   vi /etc/profile
 * Then change
   PATH="/bin:/sbin:...."
   to
   PATH="/usr/local/sbin:/usr/local/bin:/usr/local/ssl/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11"
 * Restart the Linkstation.
 * After restart, check that grep installed correctly:
   grep --version
   The response should be version 2.5 or higher.
 * Note: In order for the global path to be used via telnet, "/etc/init.d/utelnetd" must be edited by:
   vi /etc/init.d/utelnetd
   Change the line
   /sbin/utelnetd -l /bin/bash
   to
   /sbin/utelnetd -l /bin/login
   and reboot the Linkstation.
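The two checks this section asks for (the PATH now prefers /usr/local/bin over /bin, and the grep that is found reports 2.5 or higher) can be scripted. The following is an added example, not part of the wiki page; every function takes its input as an argument, and the version line passed to grep_is_new_enough is a constructed sample, so the functions can be checked without the Linkstation.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a scripted form of the checks
# made after editing /etc/profile, namely that the PATH puts /usr/local/bin
# ahead of /bin (so the new grep is found first) and that the grep found
# reports version 2.5 or higher. Inputs are arguments so this runs offline.

# path_prefers PATH_VALUE WANTED OTHER -> 0 if WANTED appears before OTHER
# in the colon-separated PATH_VALUE, 1 otherwise.
path_prefers() {
    seen=0
    old_ifs=$IFS; IFS=:
    for d in $1; do
        [ "$d" = "$2" ] && seen=1
        if [ "$d" = "$3" ]; then
            IFS=$old_ifs
            [ "$seen" -eq 1 ]
            return
        fi
    done
    IFS=$old_ifs
    [ "$seen" -eq 1 ]
}

# parse_version LINE -> last whitespace-separated word of LINE, e.g.
# "grep (GNU grep) 2.5.1" -> "2.5.1"
parse_version() {
    printf '%s\n' "${1##* }"
}

# version_ge A B -> 0 if dotted version A is at least B (2.5.1 >= 2.5)
version_ge() {
    a="$1."; b="$2."   # trailing dot so cut always sees a delimiter
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 0               # every component compared equal
        fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "1a"
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# grep_is_new_enough [VERSION_LINE] -> 0 if grep reports 2.5 or higher.
# Without an argument it asks the grep found first on the current PATH.
grep_is_new_enough() {
    line=${1:-$(grep --version 2>/dev/null | head -n 1)}
    version_ge "$(parse_version "$line")" 2.5
}

# Example run on the Linkstation after logging in again:
#   . /etc/profile
#   path_prefers "$PATH" /usr/local/bin /bin || echo "PATH still prefers /bin"
#   grep_is_new_enough || echo "an old grep is still found first on the PATH"
```

If path_prefers fails after a reboot, the usual cause on this platform is the utelnetd note above: a telnet shell started as /bin/bash does not read /etc/profile, so the edited PATH is never applied to that session.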

Remove Old OpenSSL
Enable Telnet Before Doing This Step!!! as OpenSSH may become disabled.

OpenSSL version 0.9.7e has a major security bug in it. To fix this problem, we need to update to the latest version of the 0.9.7 or 0.9.8 series. Preferably, we will want to install 0.9.8b. You will probably need to reinstall OpenSSH after doing this because OpenSSH depends on OpenSSL.
 * To remove the outdated version, remove the openssl files by:
   cd /usr
   rm -r c_rehash openssl /usr/include/openssl
   cd /usr/lib
   rm libcrypto.a libssl.a libcrypto.so.0.9.7 libssl.so.0.9.7
 * If either "/usr/lib/engines" or "/usr/lib/pkgconfig" exists, then run:
   cd /usr/lib/engines
   rm lib4758cca.so libaep.so libatalla.so libchil.so libcswift.so libgmp.so libnuron.so libsureware.so libubsec.so
   cd /usr/lib/pkgconfig
   rm libcrypto.pc libssl.pc openssl.pc
 * Then search for files/directories named openssl or ssl and delete them. This will only remove files from the system disk and won't affect anything saved on /mnt/hda:
   find / -name openssl -xdev -exec rm -r {} \;
   find / -name ssl -xdev -exec rm -r {} \;

=Installing New OpenSSL= After all the prerequisites have been met, we are ready to start compiling and installing.
 * Download the latest OpenSSL from OpenSSL.org.
 * Extract the tarball and move to the new openssl directory. The command is:
   tar zxvf openssl-0.9.8NN.tar.gz

Compiling OpenSSL
 * In order for Apache and OpenSSH to work properly, we must enable shared library support in OpenSSL.
 * We also need to disable sha512 support in OpenSSL because the current version of Devtools contains an outdated version of GCC that has a problem compiling sha512 support. (Not much we can do about this currently if you're on a LS2 {gotta wait for kernel 2.6 to fully run correctly for LS2}; for LS1, upgrade the kernel to 2.6.) You don't really need the large hash (SHA-512) anyway.
 * Now to configure the OpenSSL build. Use ./config, not ./configure:
   ./config --prefix=/usr --openssldir=/etc/ssl no-sha512 shared

Make and Install
After the Makefile is made, we need to run "make depend" because we disabled sha512 support. So run the following commands to make and install OpenSSL. This Will Take A While, so get a cup of coffee and relax.
   make depend
   make
   make install

Reinstall OpenSSH
After OpenSSL is installed, reinstall OpenSSH. Sorry, this means recompiling it from source, as the OpenSSL headers have changed.
 * Look here for help on reinstalling OpenSSH: OpenSSH_%28including_daemon%29_for_the_PPC_LinkStation.

=Compiling and Installing Apache 2.2= First, we must download the Apache webserver "Unix Source" from The Apache HTTP Server Project. Setting up version 2.2 is shown below.

Before we start compiling, we must decide what modules we need. Apache's modules include mod-ssl, mod-php, mod-mysql, etc. There are two ways of installing Apache modules: either statically or dynamically (DSO). Static means that the module is compiled with Apache as part of the Apache binary. This is done by using ./configure --enable-module_needed, i.e. for mod-ssl, we use ./configure --enable-ssl

Dynamic means that the modules are compiled separately and are loaded by Apache.

Look at Apache Module Index for help on Apache Modules.
 * Note: Not every Apache module can be installed statically or dynamically (ie. Php 5 must be installed as DSO). Please carefully read module documentation to decide how each module should be installed.

Configuring the Makefile
 * After you have decided which modules to use, untar the downloaded Apache tarball and move to that directory. The tar command will be slightly different depending on the Apache version you downloaded.
   tar zxvf httpd-2.2.3.tar.gz
   cd /absolute/path/to/apache/source/directory
 * The basic configuration for this purpose should be:
   ./configure --prefix=/usr/local/apache2 --enable-ssl --enable-so
   You must enable-so in order to add DSO (Dynamic) module support.
 * If Apache complains when compiling that OpenSSL is not found, add
   --with-ssl=/usr
 * The configuration to get the most use out of the common modules is
   ./configure --prefix=/usr/local/apache2 --enable-so --enable-cgi --enable-info \
       --enable-rewrite --enable-speling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic

Make and Install
Compiling and installing Apache is just like any other compile-from-source program:
   make
   make install

Something to Consider

 * Currently, php is the most common server-side language for Apache (it is also supported by the Apache Foundation). You may want to use php to create a script to remotely upload files to your network shares.
 * Note, if you decide that you want XML support, your LS will have a difficult time compiling the necessary libs. The workaround is to install the already compiled libxml packages.  Just untar from root libxml2-dev_2.6.26 and libxml2-2.6.26.
 * You can also use this neat script written by Mike Taylor to convert already compiled debian packages into tar.gz form. This is useful when installing libraries.  Go to deb2targz or download here

TODO: Change --prefix to /mnt/hda/opt/apache2 and edit wiki accordingly

=Configuring Apache=

Configuring httpd.conf
To set up Apache, we first must edit httpd.conf. The file is located in /usr/local/apache2/conf. You can edit this file in any text editor or use vi. We will be editing tags or groups of tags called "directives". Directives give Apache directions on how to run certain things.
 * First run:
   vi /usr/local/apache2/conf/httpd.conf
 * Then change the "ServerRoot" line to
   ServerRoot "/usr/local/apache2"
   or, if Apache is not installed in /usr/local/apache2, to
   ServerRoot "/absolute/path/to/apache2_dir"
 * Unsecure http usually runs on port 80, so we should usually leave this:
   Listen 80
   If you change the port to something else, i.e. 8080, you will have to access your webserver by using "http://yourdomain.xxx:8080"
 * Edit "ServerAdmin" and "ServerName" with your information:
   ServerAdmin your_email_address
   ServerName your.domain.xxx:port
   It is very important to enter this correctly. "port" is the number you entered in the above "Listen" directive.
 * Edit "DocumentRoot":
   DocumentRoot "/your/www/directory"
   You can leave this as default or define a specific location where you want your web pages to be. For example, if you chose /usr/local/apache2/htdocs/, Apache will serve this directory to the internet.
 * Uncomment (remove # sign)
   Include conf/extra/httpd-ssl.conf
   This tells Apache to look at httpd-ssl.conf for more directives.

Configuring httpd-ssl.conf
Now open httpd-ssl.conf, which by default is located in /usr/local/apache2/conf/extra/. We are now creating what is known as a "virtual host". Apache is basically serving two directories: one through port 80 as unsecured http and the other through port 443 as secured https. Note, when you type "https://anydomain.xxx", the browser automatically attempts to connect to the server at port 443. You will want to change the DocumentRoot here to a different directory than your unsecured one. That way you don't accidentally serve the "secure documents" through an unsecure connection.
 * Leave the "Listen" directive at 443.
 * Edit "DocumentRoot"

Example:
   DocumentRoot "/usr/local/apache2/secure_folder"
Do not have this directory on a network share for security reasons.

Certificate Paths
Before we leave the httpd-ssl.conf file, we need to make sure that the certificate paths are correct. The directives that you need to be concerned with for certificate paths are:
   SSLCertificateFile
   SSLCertificateKeyFile
   SSLCACertificateFile
Uncomment these values if they are commented (#). It is okay to leave the values at default, but make sure you place the certs in those directories with the specified names (i.e. ca.crt).
 * The SSLCertificateFile is your server certificate.
 * The SSLCertificateKeyFile is the RSA key used to encrypt your server certificate.
 * The SSLCACertificateFile is the Certificate-Authority certificate used to issue your server certificate.

Your Trusted Certificate Authority (where you bought your certificate, i.e. Verisign) will tell you which is which.

If you decide to make a self-signed certificate with OpenSSL, you will have to be careful to correctly identify which file is which.

Warning: If you change the default location of your Apache certificate directory, make sure you place it in a secure location (not in a network share or DocumentRoot directory) where others do not have write access. This is especially important if you use a certificate key that is not password protected [in order to allow Apache to automatically start up without a password]. If a hacker obtains your key, he or she can then decrypt all of your communications.
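The warning above can be turned into a check that is run before Apache is started: the key file must grant nothing to group or others, and it must not sit under either DocumentRoot or the network share, from which it could be copied. The following is an added example, not part of the wiki page. All paths are arguments; the key path in the usage comment is the Apache 2.2 default conf/server.key and is an assumption, and the tree the checks are exercised on is constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page: checks the two properties the
# warning above asks for before Apache is started with a server key that has
# no passphrase:
#   1. the key file grants no permissions at all to group or others, and
#   2. the key does not live under a directory Apache serves (either
#      DocumentRoot) or under the network share (/mnt/hda).
# Paths are passed as arguments; nothing here depends on the Linkstation.

# mode_is_private FILE -> 0 if the group and other permission bits are all
# clear. The first column of ls -l is used because busybox ls prints it the
# same way as GNU ls, while stat's options differ between the two.
mode_is_private() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# path_under PATH DIR -> 0 if PATH lies inside DIR (DIR given with or
# without a trailing slash).
path_under() {
    dir=${2%/}
    case "$1" in
        "$dir"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# key_location_ok KEY DIR... -> 0 if KEY lies under none of the DIRs
key_location_ok() {
    key=$1; shift
    for d in "$@"; do
        if path_under "$key" "$d"; then
            return 1
        fi
    done
    return 0
}

# check_server_key KEY SERVED_DIR... -> 0 if both checks pass; prints a line
# for each check that fails so the operator knows what to fix.
check_server_key() {
    key=$1; shift
    ok=0
    if [ ! -f "$key" ]; then
        echo "$key: no such file"; return 1
    fi
    if ! mode_is_private "$key"; then
        echo "$key: readable or writable by group/others (run: chmod 600 $key)"
        ok=1
    fi
    if ! key_location_ok "$key" "$@"; then
        echo "$key: lies under a served directory or network share"
        ok=1
    fi
    return $ok
}

# Example run with the paths used in this guide (key path assumed to be the
# Apache 2.2 default conf/server.key):
#   check_server_key /usr/local/apache2/conf/server.key \
#       /usr/local/apache2/htdocs /usr/local/apache2/secure_folder /mnt/hda
```

The permission check is stricter than the warning's "write access": a key that others can read is just as lost as one they can overwrite, so the function only accepts a mode with the group and other bits cleared (chmod 600).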

Optimize Apache Memory Usage
Because Apache is a large program, we should optimize Apache's memory performance. We can do this by enabling the Apache "Server-pool management" configuration script.
 * First run:
   vi /usr/local/apache2/conf/httpd.conf
 * Uncomment (remove #)
   Include conf/extra/httpd-mpm.conf
 * Run:
   vi /usr/local/apache2/conf/extra/httpd-mpm.conf
 * Edit the "IfModule mpm_prefork_module" directive to:
   <IfModule mpm_prefork_module>
       StartServers         1
       MinSpareServers      1
       MaxSpareServers      5
       MaxClients          50
       MaxRequestsPerChild  5000
   </IfModule>

This will force Apache to run less spare servers. This setup will be okay for most Linkstation owners as the Linkstation should be used for "private" low-level services.

=Certificates= In order to use SSL, we must have a SSL certificate. For our purposes, we can either purchase one or create a self-signed certificate. A self-signed certificate is free and is usually used for testing purposes, but since most people will use the Linkstation to offer private services (i.e. family, friends), a self-signed certificate will suffice.

The downside to using a self-signed certificate is that an annoying message pops up saying something like "this certificate is not trusted" when users attempt to contact your secure server.

Trusted CA
These companies (i.e. Verisign) issue SSL certificates to people and companies. They are trusted by most modern browsers and therefore do not produce the "this certificate is not trusted" message that self-signed certificates do. The downside is that they are often expensive.
 * Look at VeriSign or Cheap SSL Certificates to buy a certificate. There are many other companies, just use Google.

Self-signed Certificate
If you are interested in making a self-signed certificate with openssl, please visit Creating a Self-signed SSL Certificate for a tutorial.

UPDATE: Please use openssl compiled for win32, such as Win32 OpenSSL from Shining Light Productions, for use with the above tutorial. Sorry for any problems. --jonli447

Note: We will want to create 1024 bit (128 byte) server and Certificate Authority keys rather than 4096 bit (512 byte) keys. We want to use 128 byte keys as these keys are the most secure AND compatible with current browsers.

TODO: Add minitutorial on self-signed certs as requested.

Installing the Certificates
Use the following commands to install your certificates into Apache:
   cp /absolute/path/to/server.key /absolute/path/to/apache_certificate_directory/server.key
   cp /absolute/path/to/server.crt /absolute/path/to/apache_certificate_directory/server.crt
   cp /absolute/path/to/ca.crt /absolute/path/to/apache_certificate_directory/ca.crt
 * "/absolute/path/to/apache_certificate_directory" is the certificate path you specified in httpd-ssl.conf.

=Using htpasswd (basic html coding knowledge required)= Now that Apache is installed with SSL support, we are ready to password protect and serve our network shares.

To do this, we will first need to create our web pages. This is where basic html coding experience comes into play.

Design your index page (index.html) to your heart's desire and place it in your unsecured DocumentRoot (the DocumentRoot specified in httpd.conf). The important thing is that you will want to have a way to access your secured link (https).

For example, you may place a "login" button on your index page with a link to "https://yourdomain.xxx". Optionally, you can disable unsecured html and require users to type "https://yourdomain.xxx" to access their shares. To do so, comment out (add # to) the "Listen" Directive in httpd.conf.

.htaccess and htpasswd
You have two options for basic authentication with Apache.
 * First, you can create an .htaccess file.
 * Second, you can add a "Directory" directive to the config files (here that would be httpd-ssl.conf).

Both methods require the use of Apache's htpasswd binary (Apache's basic password protection system). This file is located in /usr/local/apache2/bin.

Using .htaccess is highly discouraged as Apache must process the .htaccess file every time it accesses a password-protected file. So the second method will be explained here.

Configure the "Directory Directive"
 * Open httpd-ssl.conf with the text editor again:
   vi /usr/local/apache2/conf/extra/httpd-ssl.conf
 * Somewhere in the file (doesn't really matter where, just not in the middle of any directives) add
   <Directory "/absolute/path/to/secure_dir">
       Options Indexes FollowSymLinks
       Order Deny,Allow
       Allow from All
       AuthType Basic
       AuthName "Restricted Area"
       AuthUserFile /home/domain/.htpasswd
       AuthGroupFile /dev/null
       require user user_with_permission1 user_with_permission2
   </Directory>
 * If there is already a Directory directive for this path in httpd-ssl.conf, just make the proper changes and append the rest of the information. DO NOT make two of the same Directory Directives.

Things to Edit
 * "AuthName" can be whatever you want it to be. Just make sure you keep the AuthName the same when you make this directive for the subdirectories. Otherwise, the user will have to type in their username and password each time they change directories.
 * "domain" is your domain name without the TLD (.com .net). You don't actually have to put .htpasswd here, but you will want to make sure that it's not located in either DocumentRoot or their subdirectories. If you place .htpasswd somewhere else, change AuthUserFile to point to the absolute path of that file:
   AuthUserFile /absolute/path/to/.htpasswd
 * "require user" specifies which users are allowed to access the directory. Note, these users are not the same as Linux users. We will be creating them when we create .htpasswd.

Using htpasswd
Now we need to create the passwd file for the directory. To do this, run:
   /usr/local/apache2/bin/htpasswd -b -c /absolute/path/to/.htpasswd user_with_permission1 user1_password
 * Make sure no one's looking when you do this. The -b flag takes the password from the command line rather than prompting for it. The prompt doesn't always work, so use the -b flag.
 * The -c flag tells htpasswd to create a new passwd file. You will need to repeat the above step to add additional users. Just remove the -c flag from the command.

Symbolic Links
Now we need to place symlinks in your secure DocumentRoot pointing to /mnt/hda/user1, /mnt/hda/user2 and so forth.
 * To do this run:
   ln -s /mnt/hda/user1 /usr/local/apache2/secure_directory/user1
   ln -s /mnt/hda/user2 /usr/local/apache2/secure_directory/user2
   ...
 * Do not place an index.html file in the secure DocumentRoot directory. The reason is that when someone contacts your Linkstation via "https://yourdomain.xxx", they will be prompted to type their username/password. After successful authentication, they will see the directories they're given permission to access.

Todo:
 * Give example of a page.

=Setting up Network Shares= In order to set up the network shares, we have to repeat the "Directory Directive" and "Using htpasswd" steps for each user directory.

"Directory Directive" Again
 * When you make a "Directory Directive" for a user directory (network share), make sure you set the directive with
   <Directory "/absolute/path/to/secure_dir/user_share">
   rather than using
   <Directory "/mnt/hda/user_share">
 * /absolute/path/to/secure_dir is the same as the symlink you made earlier for each user directory.
 * Change "require user" to list only the user you want to have access. For example, if you want user3 to only have access to his or her directory, you would set the require user option to
   require user user3
 * Change the AuthUserFile to the absolute path to the .htpasswd2 that you will create for each user (in the next step).
 * Here is an example of the proper directive:
   <Directory "/absolute/path/to/secure_dir/user3">
       Options Indexes FollowSymLinks
       Order Deny,Allow
       Allow from All
       AuthType Basic
       AuthName "Restricted Area"
       AuthUserFile /home/domain/.htpasswd2
       AuthGroupFile /dev/null
       require user user3
   </Directory>

"htpasswd" Again
 * When making a .htpasswd file for a user folder, name the ".htpasswd" file something like ".htpasswd2", and use the -c flag to create the new file. You can save this .htpasswd file in the same folder as the .htpasswd file for the secure DocumentRoot (i.e. /home/domain/).
 * Just like .htpasswd for the secure DocumentRoot, the -c flag tells htpasswd to create a new file. No -c flag tells htpasswd to append the specified user to the specified password file.
 * Note: If you have two directories that the same users are allowed to use, you don't need to create additional .htpasswd files. Just point AuthUserFile in the "Directory Directive" for the directory to where the .htpasswd that has both users is.
 * CONGRATS!!! If all went well, you should now have password protected/secure user directories accessible via http.
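The per-share steps above (symlink into the secure DocumentRoot, a Directory directive keyed on the symlink path, a separate password file kept out of both DocumentRoots) are the same for every user, so they can be wrapped in functions and repeated. The following is an added example, not part of the wiki page. The per-user password file name ".htpasswd_<user>" is this example's own convention (the page uses ".htpasswd2"), and the directories created while exercising the functions are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page: the "Setting up Network Shares"
# procedure as shell functions, so the same steps can be repeated for every
# user without hand-editing. The per-user password file name
# ".htpasswd_<user>" is this example's own convention.

# link_user_shares SECURE_DIR SHARE_ROOT USER... -> symlink each
# SHARE_ROOT/USER into SECURE_DIR/USER (the secure DocumentRoot).
link_user_shares() {
    secure_dir=${1%/}; share_root=${2%/}; shift 2
    for user in "$@"; do
        if [ ! -d "$share_root/$user" ]; then
            echo "no share directory for $user" >&2
            return 1
        fi
        ln -sfn "$share_root/$user" "$secure_dir/$user"
    done
}

# share_directory_block SECURE_DIR USER HTPASSWD -> print the Directory
# directive for one user share, keyed on the symlink path as the page advises
# (Order/Allow lines are the Apache 2.2 syntax used throughout this guide).
share_directory_block() {
    secure_dir=${1%/}; user=$2; htpasswd=$3
    cat <<EOF
<Directory "$secure_dir/$user">
    Options Indexes FollowSymLinks
    Order Deny,Allow
    Allow from All
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile $htpasswd
    AuthGroupFile /dev/null
    require user $user
</Directory>
EOF
}

# htpasswd_location_ok HTPASSWD DIR... -> 0 unless HTPASSWD lies under one of
# the DIRs (a password file inside a DocumentRoot could itself be served).
htpasswd_location_ok() {
    file=$1; shift
    for d in "$@"; do
        case "$file" in
            "${d%/}"/*) return 1 ;;
        esac
    done
    return 0
}

# share_config SECURE_DIR HTPASSWD_DIR USER... -> print the Directory blocks
# for all users, using HTPASSWD_DIR/.htpasswd_<user> as each AuthUserFile.
share_config() {
    secure_dir=$1; pw_dir=${2%/}; shift 2
    for user in "$@"; do
        share_directory_block "$secure_dir" "$user" "$pw_dir/.htpasswd_$user"
    done
}

# Example run with the paths used in this guide (as root on the Linkstation):
#   link_user_shares /usr/local/apache2/secure_directory /mnt/hda user1 user2
#   share_config /usr/local/apache2/secure_directory /home/domain user1 user2 \
#       >> /usr/local/apache2/conf/extra/httpd-ssl.conf
#   /usr/local/apache2/bin/htpasswd -b -c /home/domain/.htpasswd_user1 user1 PASSWORD_HERE
```

Because each generated block names exactly one user in "require user" and its own AuthUserFile, a user who authenticates for the secure DocumentRoot still cannot browse into another user's share, which is the separation the "Directory Directive" Again step is after.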

=Final Configurations=
 * To manually start up Apache, run
   /usr/local/apache2/bin/apachectl start
 * To allow Apache to start up automatically on reboot, run
   cp /mnt/hda/apache2/bin/apachectl /etc/init.d/apachectl
   ln -s /etc/init.d/apachectl /etc/rc.d/rc2.d/S99apachectl
   ln -s /etc/init.d/apachectl /etc/rc.d/rc6.d/K92apachectl
   ln -s /etc/init.d/apachectl /etc/rc.d/rc0.d/K92apachectl
 * Make sure to disable FTP through webmin after this works. You will need to use OpenSSH and a SFTP client if you want to remotely upload files.
 * Disable Telnet if need be.

=Conclusion=
 * After all that work, you have installed Apache and have configured Apache to serve your network shares through a secure SSL connection.
 * This method is only meant to be a guide; you will still have to create your web pages and implement this method according to your needs.
 * This method only shows how to set up remote access to network shares in the form of downloads. Users will not be able to upload files to their shares through this method. If users wish to upload files, they should use OpenSSH and a SFTP client (i.e. WinSCP) to upload their files. Another option is to create an upload script via cgi or php. There are many variants to how this can be accomplished, but the basic idea would be to add the script to your webpage and direct users to the script for uploading.

=Additional Resources=
 * Apache Software Foundation
 * Apache .htaccess Tutorial
 * Authentication, Authorization and Access Control
 * Apache 2 and PHP 5
 * Protecting Your Pages Via Passwords
 * How to Access
 * .htaccess Tutorial
 * Using .htaccess Files with Apache
 * Using User Authentication
 * Creating a self-signed SSL certificate